TaoSecurity Blog

Thanks to a Tweet by Peter Singer, I read an article at Forbes titled  Maldrone: Watch Malware That Wants To Spread Its Wings Kill A Drone Mid-Flight . This article is interesting in its own right, but it linked to a late 2013 project by Samy Kamkar called SkyJack . Samy's project links to a video  where he describes software  that enables a Parrot drone to "autonomously seek out, hack, and wirelessly take full control over any other Parrot drones within wireless or flying distance, creating an army of zombie drones under your control." That is all really cool by itself. However, when watching the video, I realized that it incorporates many different elements of IT and security. Samy put many different tools, tactics, and hardware to work in order to accomplish his drone hijack goal. I began to wonder what it would take for someone to follow along and understand each step of the process. I remembered the sorts of questions my leadership team and I used to ask of

Yesterday I testified to the Senate Homeland Security and Government Affairs committee at a hearing on  Protecting America from Cyber Attacks: The Importance of Information Sharing . I'd like to share a few thoughts about the experience. You may find these comments helpful if you are asked to testify, or want to help someone testify, or want to influence the legislative process. This was my fifth appearance at a government hearing. In 2012 I appeared before the U.S.-China Economic and Security Review Commission, and in 2013 I appeared before the Senate Armed Services Committee, the House Committee on Homeland Security, and the House Committee on Foreign Affairs. The process starts with a request from committee staff. They asked if I would be available and willing to testify. If I decide to decline, they would generally not force me to appear. The exception would be some sort of adversarial hearing. On the contrary, this sort of hearing is intended to educate the legislators a

Elements of the Q Model of Attribution, by Thomas Rid and Ben Buchanan Earlier today I Tweeted the following: If you think CEOs & boards don't care about #attribution, you aren't talking to them or working w/them. The 1st question they ask is "who?" I wrote this to convey the reality of incident response at the highest level of an organization. Those who run breached organizations want to know who is responsible for an intrusion. As I wrote in Five Reasons Attribution Matters , your perspective on attribution changes depending on your role in the organization. The question in the title of this blog post is, however, how does one answer the board? It's likely that the board and CEO will be asking the CIO or CISO "who." What should be the response? My recommendation is to respond "how badly do you want to know?" Generally speaking, answering the attribution question is a function of the resources applied to the problem. For e

Longtime TaoSecurity Blog readers are likely to remember me mentioning www.testmyids.com . This is a Web site that returns nothing more than uid=0(root) gid=0(root) groups=0(root) This content triggers a Snort intrusion detection system alert, due to the signature alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; fast_pattern:only; classtype:bad-unknown; sid:2100498; rev:8;) You can see the Web page in Firefox, and the alert in Sguil, below. A visit to this Web site is a quick way to determine if your NSM sensor sees what you expect it to see, assuming you're running a tool that will identify the activity as suspicious. You might just want to ensure your other NSM data records the visit, as well. Site owner Chas Tomlin emailed me today to let me know he's adding some new features to www.testmyids.com . You can read about them in this blog post . For example, you could download a mali

This week, FireEye released a report titled  The Numbers Game: How Many Alerts are too Many to Handle?  FireEye hired IDC to survey "over 500 large enterprises in North America, Latin America, Europe, and Asia" and asked director-level and higher IT security practitioners a variety of questions about how they manage alerts from security tools. In my opinion, the following graphic was the most interesting: As you can see in the far right column, 75% of respondents report reviewing critical alerts in "less than 5 hours." I'm not sure if that is really "less than 6 hours," because the next value is "6-12 hours." In any case, is it sufficient for organizations to have this level of performance for critical alerts? In my last large enterprise job, as director of incident response for General Electric, our CIO demanded 1 hour or less for critical alerts, from time of discovery to time of threat mitigation . This means we had to do more tha

You may have seen in my LinkedIn profile that I'm advising a security startup called Critical Stack . If you use Security Onion or run the Bro network security monitoring platform (NSM), you're ready to try the Critical Stack Intel Client . Bro is not strictly an intrusion detection system that generates alerts, like Snort. Rather, Bro generates a range of NSM data, including session data, transaction data, extracted content data, statistical data, and even alerts -- if you want them. Bro includes an intelligence framework that facilitates integrating various sources into Bro. These sources can include more than just IP addresses. This Bro blog post explains some of the options, which include: Intel::ADDR Intel::URL Intel::SOFTWARE Intel::EMAIL Intel::DOMAIN Intel::USER_NAME Intel::FILE_HASH Intel::FILE_NAME Intel::CERT_HASH This Critical Stack Intel Client makes it easy to subscribe to over 30 threat feeds for the Bro intelligence framework. The screen c

Yesterday Steptoe and Johnson LLP released the 50th edition of their podcast series, titled  Steptoe Cyberlaw Podcast - Interview with David Sanger . Stewart Baker's discussion with New York Times reporter David Sanger (pictured at left) begins at the 20:15 mark. The interview was prompted by the NYT story NSA Breached North Korean Networks Before Sony Attack, Officials Say . I took the following notes for those of you who would like some highlights. Sanger has reported on the national security scene for decades. When he saw President Obama's definitive statement on December 19, 2014 -- " We can confirm that North Korea engaged in this attack [on Sony Pictures Entertainment]. " -- Sanger knew the President must have had solid attribution . He wanted to determine what evidence had convinced the President that the DPRK was responsible for the Sony intrusion. Sanger knew from his reporting on the Obama presidency, including his book Confront and Conceal: Obama'

Are you surprised to learn that the FBI is officially part of the United States Intelligence Community? Did you know there's actually a list? If you visit the Intelligence Community Web site at www.intelligence.gov , you can learn more about the IC. The member agencies page lists all 17 organizations. The FBI didn't always emphasize an intelligence role. The Directorate of Intelligence appeared in 2005 and was part of the National Security Branch, as described here . Now, as shown on the latest organizational chart , Intelligence is a peer with the National Security Branch. Each has its own Executive Assistant Director. NSB currently houses a division for Counterterrorism, a division for Counterintelligence, and directorate for Weapons of Mass Destruction. You may notice that there is a Cyber Divison within a separate branch for "Criminal, Cyber, Response, and Services." If the Bureau continues to stay exceptionally engaged in investigating and countering

On January 7, 2015, FBI Director James Comey spoke to the International Conference on Cyber Security at Fordham University. Part of his remarks addressed controversy over the US government's attribution of North Korea as being responsible for the digital attack on Sony Pictures Entertainment. Near the end of his talk he noted the following: We brought in a red team from all across the intelligence community and said, “Let’s hack at this. What else could be explaining this? What other explanations might there be? What might we be missing? What competing hypothesis might there be? Evaluate possible alternatives. What might we be missing?” And we end up in the same place. I noticed some people in the technical security community expressing confusion about this statement. Isn't a red team a bunch of hackers who exploit vulnerabilities to demonstrate defensive flaws? In this case, "red team" refers to a group performing the actions Director Comey outlined abov

I read the following in the 2009 book Streetlights and Shadows: Searching for the Keys to Adaptive Decision Making by Gary Klein. It reminded me of the myriad ways operational information technology and security processes fail. This is a long excerpt, but it is compelling. == Begin == A commercial airliner isn't supposed to run out of fuel at 41,000 feet. There are too many safeguards, too many redundant systems, too many regulations and checklists. So when that happened to Captain Bob Pearson on July 23, 1983, flying a twin-engine Boeing 767 from Ottawa to Edmonton with 61 passengers, he didn't have any standard flight procedures to fall back on. First the fuel pumps for the left engine quit. Pearson could work around that problem by turning off the pumps, figuring that gravity would feed the engine. The computer showed that he had plenty of fuel for the flight. Then the left engine itself quit. Down to one engine, Pearson made the obvious decision to divert fr

If you've been a TaoSecurity Blog reader for a while, you may remember how the writing and speaking of Edward Tufte changed the way I taught classes and delivered presentations. I wrote about the Tufte class I attended in June 2008 in my post The Best Single Day Class Ever . Since then I've written a few other Tufte posts here. The most recent post, from 2012, was  Netanyahu Channels Tufte at United Nations . I explained how Prime Minister Netanyahu literally drew a red line on a diagram during a speech to the world. Today in my Twitter feed I saw that Edward Tufte himself reTweeted my link to that 2012 story. I am so thrilled that he read it, and presumably knows that his work changed my professional life and how I interact with audiences. Thank you sir. And yes, this does sound like a "fan boy" post. I still recommend you take his one day course , whenever it's offered nearby. I see he will be in the DC area 31 March - 2 April 2015. Tweet

Daniel Miessler just wrote a post about his attitude toward attribution. I'm not going to comment about it, but I wanted to provide the source of the story he mentioned, along with the specific excerpt. It's from Secrets by Daniel Ellsberg. Kevin Drum posted the same excerpt  in 2010, but I'm going to print it here for my reference. As an intro, Ellsberg was working for RAND, and approached Henry Kissinger at a party in 1968. Ellsberg begins:     "Henry, there's something I would like to tell you, for what it's worth, something I wish I had been told years ago. You've been a consultant for a long time, and you've dealt a great deal with top secret information. But you're about to receive a whole slew of special clearances, maybe fifteen or twenty of them, that are higher than top secret.     "I've had a number of these myself, and I've known other people who have just acquired them, and I have a pretty good sense of what the

I listened to a great Webinar by Rick Holland today about digital threat intelligence. During the talk he mentioned the precedent of declassifying satellite imagery as an example of an action the government could take with respect to "proving" DPRK attribution. Rick is a former military intelligence analyst like me, and I've had similar thoughts this week. They were heightened by this speech excerpt from FBI Director James Comey yesterday: [F]olks have suggested that we have it wrong. I would suggest—not suggesting, I’m saying—that they don’t have the facts that I have—don’t see what I see—but there are a couple things I have urged the intelligence community to declassify that I will tell you right now. I decided to look online for events where the US government declassified satellite imagery in order to support a policy decision. I am excluding cases where the government declassified imagery well after the event. I'm including a few cases where satellites

Thanks Adam Segal for posting a link to a fascinating Wall Street Journal piece titled  Sony Hackers May Have Left Deliberate Clues, Expert Says . From the story by Jeyup S. Kwaak: Apparent slip-ups by the hackers of Sony Pictures that have helped convince U.S. investigators the hackers are North Koreans have a precedent, and may even have been deliberate to win domestic kudos , according to a top cybersecurity expert and former senior North Korean official. The head of a group of hacking experts that have analyzed previous suspected North Korean cyberattacks on South Korea said a record of a North Korean Internet address was also left in a 2013 attack on Seoul because a detour through Chinese servers was briefly suspended, exposing the origin of the incursion... Choi Sang-myung, who is also an adviser to Seoul’s cyberwarfare command, said... [w]hile it was impossible to prove whether the hackers left evidence by mistake or on purpose, that they didn’t fully cover their trac

Today, 8 January 2015, is the 12th birthday of  TaoSecurity Blog ! I wrote my  first post  on 8 January 2003 while working as an incident response consultant for Foundstone. Kevin Mandia was my boss. Today I am Chief Security Strategist at  FireEye , still working for Kevin Mandia. (It's a small world.) With 2945 posts published, I am still blogging -- but much less. Why the drop over the years? I "blame" my  @taosecurity  Twitter account. With almost 30,000 followers, easy posting from mobile devices, and greater interactivity, Twitter is an addictive platform. Second, blogging used to be the primary way I could share my ideas with the community. These days, speaking and writing are a big part of my professional duties. I try to track these reports here . Third, time is precious, and blogging often takes a back seat. I'd rather spend time with my family, research my PhD, work with start-ups, collaborate with think tanks, and so on. However, I still plan t

Screen capture from 2 Jan 2015 SCMP This is an amazing story in the South China Morning Post . Typist sentenced to death in China for leaking military secrets Worker said to have sold secrets about centre researching secret weapon to an unnamed foreign intelligence agency A young typist who worked at a Chinese military manufacturer’s research centre that was developing a secret weapons system has been sentenced to death for spying for a foreign intelligence agency, according to a state-run media report. Yu Hongyang, a member of staff at an unnamed research office, was said to have damaged national security by leaking state secrets, the news website of the Global Times newspaper reported. He was caught by the Ministry of State Security for allegedly buying secret information and then selling it in an “extremely severe” case that warranted the death penalty, the report said. The foreign intelligence agency allegedly involved was not named. Yu was employed at the centr