Showing posts with the label conferences

Bejtlich's Take on RSA 2012

Last week I attended RSA 2012 in San Francisco. I believe it was my third RSA conference; I noted on my TaoSecurity News page speaking at RSA in 2011 and 2006. This year I spoke at the Executive Security Action Forum on a panel moderated by PayPal CISO Michael Barrett alongside iDefense GM Rick Howard and Lockheed Martin CISO Chandra McMahon. I thought our panel offered value to the audience, as did much of the remainder of the event. Most of the speakers and attendees (about 100 people) appeared to have accepted the message that prevention eventually fails and that modern security is more like a counterintelligence operation than an IT operation. After ESAF (all day Monday) I divided my time among the following: speaking to visitors to the Mandiant booth, discussing security issues with reporters and industry analysts, and walking the RSA exposition floor. I also attended the Wednesday panel where one of our VPs, Grady Summers, explained how to deal with hacktivists. S...

DFRWS, VizSec, and RAID 2010 Calls for Papers

I'm involved in one degree or another with three somewhat academically-oriented conferences this year. I wanted to post notices of the call for papers for each event. First is DFRWS 2010 on 2-4 Aug in Portland, Oregon. I am on the Technical Program Committee but will not attend due to a family conflict. The CFP ends 28 Feb. Next is VizSec 2010 on 14 Sep in Ottawa, Ontario. I am on the Program Committee and plan to attend. The CFP for full papers ends 30 Apr. Last but not least is RAID 2010 on 15-17 Sep in Ottawa, Ontario. I like the fact this conference is held in conjunction with VizSec, so I will probably attend. The CFP ends 4 Apr.

Abe Singer Highlights from USENIX Class

I didn't get to attend Abe Singer's talk Incident Response either, but again I managed to get a copy of his slides. They confirmed what I planned to do with my new company CIRT (fortunately), but I wanted to highlight some elements that I hadn't given much thought until I saw them in Abe's slides. Abe pointed out that it's important to have incident response policies in place prior to an incident. I had always thought in terms of a plan, tools, and team, but not policies. Let me list a few items to explain. Using language Abe secured for his university as a template, I plan to try to gain approval for something like this as a blanket incident detection and response policy at my company: The Director of Incident Response and authorized designees have the authority to take actions necessary to contain, detect, and respond to computer incidents involving company assets. These actions will be consistent with company policies and applicable laws. Please note the ori...

Marcus Ranum Highlights from USENIX Class

Because I was teaching at USENIX Security this month I didn't get to attend Marcus Ranum's tutorial They Really Are Out to Get You: How to Think About Computer Security. I did manage to read a copy of Marcus' slides. Because he is one of my Three Wise Men of digital security, I thought I would share some of my favorite excerpts. Some of the material paraphrases his slides to improve readability here. Marcus asked how one can make decisions when likelihood of attack, attack consequences, target value, and countermeasure cost are not well understood. His answer helps explain why so many digital security people quote Sun Tzu: The art of war is a problem domain in which successful practitioners have to make critical decisions in the face of similar intangibles. I would add that malicious adversaries are also present in war, but not present in certain other scenarios misapplied to security (like car analogies) where intelligent adversaries aren't present. Marcus con...

Black Hat Final Thoughts

Based on my summaries of the talks I saw on day one and two of Black Hat USA 2007, some of you have called me "depressed" or "negative." I call it realistic and largely historic. Nothing I described was brand new the day I saw it. Most if not all of everything I saw was already discussed in public forums or private groups. Sometimes it takes a live explanation by a real expert to synthesize and demonstrate the technique to make it come to life and help attendees connect the dots. This was certainly the case for me and I expect other people too. I've spent almost my whole career watching defenses fail and then trying to contain and remove the mess. The fact that nothing has reduced my workload during the last decade indicates our approach to this problem is not working. I attend Black Hat so I can get semi-clued-in to attack techniques, and I recommend everyone else who cares about how they are already being abused attend or ask someone who attended to su...

Black Hat USA 2007 Round-Up Part 2

I'm waiting in another airport, so it's time to summarize my second day at Black Hat USA 2007. (The first day is Black Hat USA 2007 Round-Up Part 1.) I started the day in Bruce Schneier's keynote. Bruce's talk was interesting but plagued by audio problems (not his fault). Bruce reiterated his ideas of the "security consumer" who asks "is it worth it?" when deciding whether or not to wear a bullet-proof vest when walking out his front door. Bruce seems to have changed his mind about the evils of "security theater," because he said "security is a feeling and a reality," and sometimes security theater is needed to right imbalances between the feeling and the reality. This imbalance can come about when citizens watch television, which impairs their availability heuristic by making rare and catastrophic events seem common and personal. Bruce focused on psychology, stating people, on average, are risk-seeking when facing losses ...

Black Hat USA 2007 Round-Up Part 1

I'm waiting in the airport for my flight home after spending 6 days in Las Vegas at Black Hat USA 2007. I last attended in 2003. Put simply I was blown away by the quality of the majority of the talks I saw. I'll summarize the talks and my response. I spent four days teaching TCP/IP Weapons School in two two-day sessions, to a total of 116 students. I think both classes were well-received. The students were some of the sharper ones I've had in class, which is what I hoped for and expected. The first day of teaching I was lucky enough to share lunch with some of my students and Joanna Rutkowska. We discussed difficult detection problems related to covert channels. The following are thoughts on the first day of briefings. I spent the majority of the day in the application security track. I sat in Richard Clarke's keynote. He emphasized how what he called "visualization exercises" help decision makers envisage digital risk. I described this phenomenon l...

CONFidence Wrap-Up

This morning I delivered a talk at CONFidence 2007 in Krakow, Poland. I'd like to thank Andrzej Targosz and Jacek Artymiak for being the best hosts I've met at any conference. They got me at the airport, took me to dinner (along with dozens of others), and will take me to the airport (at 0430 no less!) tomorrow. I spent a good amount of time with Anton Chuvakin, Daniel Cid, and Stefano Zanero, which was very cool. I'd like to mention two talks. First, I watched Paweł Pokrywka talk about a neat way to discover layer two LAN topology with crafted ARP packets. Unfortunately, his talk was in Polish and I didn't exactly learn how he does it! I spoke to Paweł briefly before my own talk, and he said he plans to release a paper (in English) and his code (called Etherbat), so I look forward to seeing both. Second, I attended Dinis Cruz's talk on buffer overflows in .NET and ASP.NET. I'm afraid I can't say anything intelligent about his talk. Dinis is a co...

ShmooCon 2007 Wrap-Up

ShmooCon 2007 ended today. Only four talks occurred today (Sunday), and only two of them (Mike Rash, Rob King/Rohit Dhamankar) really interested me. Therefore, I went to church with my family this morning and took lead on watching the kids afterwards. I plan to watch those two interesting talks once they are released as video downloads. (It takes me 1 1/2 - 2 hours each way into and out of DC via driving and Metro, so I would have spent more time on the road than listening to speakers.) I also left right after Bruce Potter's introductory comments on Friday afternoon. If it hadn't been for the NoVA Sec meeting I scheduled Friday at 1230, I probably would have only attended Saturday's sessions. I heard Avi Rubin's 7 pm keynote was good, and I would have liked to watch Johnny Long's talk. Otherwise I thought spending time with my family was more important. That leaves Saturday. I spent the whole day at ShmooCon, from the first talk to the end of Hack or Halo ...

Bejtlich Teaching in Krakow, Poland at CONFidence 2007

I'm happy to announce I will be speaking on the Self-Defeating Network on Sunday 13 May 2007 in Krakow, Poland at CONFidence 2007. I am looking forward to speaking at a conference where no one else thinks my name is especially odd or difficult to pronounce! (Bejtlich is an Eastern European name with roots in present-day Poland, Germany, and probably the Czech Republic.) Please register while the lower rates are still in effect. Thank you.

Bejtlich in Australia in May 2007

I mentioned earlier that I was invited to speak at the AusCERT Asia Pacific Information Technology Security Conference in Gold Coast, Australia. The conference takes place Sunday 20 May - Friday 25 May 2007. I accepted the invitation, and I will probably deliver a short presentation and a longer (half-day or day-long) tutorial. After AusCERT, I plan to teach one or two-day classes in Brisbane and/or Sydney. I will probably teach condensed versions of my training classes Network Security Operations and TCP/IP Weapons School. As I develop the plans for all of these classes I will post details here and at TaoSecurity.com. If you would like me to keep you informed via email please write me: training [at] taosecurity [dot] com. Thank you.

Teaching Possibilities in Australia

I've been invited to speak at the AusCERT Asia Pacific Information Technology Security Conference in Gold Coast, Australia. The conference takes place Sunday 20 May - Friday 25 May 2007. I haven't decided if I will accept yet. I'd like to know if any TaoSecurity Blog readers in Australia, New Zealand, or nearby areas would be interested in attending a two (or maybe more) day class either directly before or after my presentation date (which is unknown right now). I would need a location to host the training, in exchange for which I would provide two free seats for the hosting organization. Is anyone interested in attending and/or hosting such a class? Please email training [at] taosecurity.com. I have to accept or decline the AusCERT invitation next week. I am open to suggestions regarding the location of the class (if the Gold Coast is too remote) and the content of the class (Network Security Operations, TCP/IP Weapons School, etc.). Sydney is a possibility since...

Bejtlich Returns for SANS CDI East 2006

It's been three years since I spoke at a SANS conference; I last presented at SANS NIAL in 2003. After some friendly discussions with SANS staff at the recent SANS Log Management Summit, we've arranged for me to present a special event for SANS Cyber Defense Initiative East -- a two evening course called Enterprise Network Instrumentation (ENI). I developed ENI for a private client, but no public class has ever seen the material. I will be presenting ENI for two evenings, 14 and 15 December, 2006, from 6 to 9 pm at the Hilton Washington & Towers in Washington, DC. ENI is all about solving the difficult problems associated with gaining access to network traffic. It seems every book (with a few exceptions) assumes it's easy to deploy sensors to observe packets. In reality, achieving visibility in modern networks can be extremely difficult. ENI will share recommendations and concrete solutions for the most taxing enterprise network instrumentation issues seen...

USENIX Conference Summaries

I've never been happy with any network security visualization tools, but I was pleased to learn of recent work in this area through the latest USENIX publications. The Security Incident Fusion Tools (SIFT) Research Project at the National Center for Advanced Secure Systems Research (NCASSR) at the University of Illinois at Urbana Champaign (UIUC) looks interesting. USENIX also mentioned Netpy and Netviewer. (Note: updated after helpful blog comment -- thanks Chris.) It sounds like Tom Limoncelli and I agree about security professionalization and engineers of record: Tom then asked, "Are best practices the solution?" He made an analogy between electricians versus electrical engineers: a construction project stops rather than do something "not up to code." He claimed that what's missing from this analogy in IT is an inspector who signs off on a project. I liked seeing more references to the outside world in Brent Chapman's talk about Incident Comm...

SANS Log Management Summit

Last week I paid for and attended the SANS Log Management Summit. I'd like to share a few thoughts about what I saw. First, I think Alan Paller did a great job as host. He kept the presentations moving and unflinchingly kept to his schedule. Talks started at 8 am, period. I thought his "yellow card" system for questions worked very well. (If you wanted to ask a question, you wrote it on a yellow card. SANS staff collected the cards then handed them to the speaker or Alan, who answered the question.) The system prevented the "speeches" one usually sees in large crowds with open microphones. Alan started the conference by presenting his "faces of cybercrime" presentation, based on his testimony (.pdf) in late 2005. He reminded the audience of the advice to learn hacking given by soon-to-be-executed Bali bomber Imam Samudra. Alan claimed at least one organized crime group has moved two hackers to Africa and forced them to compromise targets...

More Notes from TechnoSecurity 2006

I found another page of notes I took at Techno Security 2006. These were from Marcus Ranum's talk, and I listen to Marcus. He observed that small vendors tend to sell products designed for sophisticated users, because large companies tend to sell products for unsophisticated users. Which market is bigger? The unsophisticates vastly outnumber the sophisticates. Therefore, start-ups usually chase a very small market and tend to be weak. Marcus said "security ROI is dead" and "legislation has made security a cost." He predicted "we will be competing with legal for money (or working for them) in the next five to ten years." To hammer the point Marcus then said "there never was a security ROI." Amen. For a way forward, Marcus offered two paths. Path A sees multi-level security rising from the ashes. Marcus claimed this is not likely, although papers like The Path to Multi-Level Security in Red Hat Enterprise Linux (.pdf) might beg to...

Comments on SANS CDX Briefing

One of the benefits of paying for this week's SANS Log Management Summit was attending a briefing last week on the latest Cyber Defense Exercise conducted by the NSA. SANS organized a panel with a USAFA cadet, a USNA midshipman, a USMA-grad Army 2LT, and several NSA or ex-NSA representatives, along with their boss, Tony Sager. Although I've known of CDX for several years, this was my first real insight into how these exercises are conducted. The NSA organizer, or "white cell leader," is Bruce Rogers. He explained that competitions can be conducted either as capture-the-flag style events or purely defensive affairs. CDX is purely defensive. When I asked Mr. Rogers if he had spoken to any organizers of other cyber competitions, like those of Def Con or ShmooCon, he said no. Mr. Rogers has 20 white controllers overseeing the exercise, which includes 6 targets (the six defending teams -- USAFA, USNA, USMA, USMMA, AFIT, and NPS). The attackers are split into two gr...

Notes from Techno Security 2006

Today I spoke at three Techno Security 2006 events. I started the day discussing enterprise network instrumentation basic and advanced topics. I ended the day on a panel discussion with Russ Rogers, Marcus Ranum, and Johnny Long, moderated by Ron Gula. My wife and daughter and I also shared lunch with Kevin Mandia and Julie Darmstadt, both of whom I worked with at Foundstone. This was my second Techno Security conference. I want to record a few thoughts from this conference, especially after hearing Marcus speak yesterday and after joining today's panel discussion. Yesterday Marcus noted that the security industry is just like the diet industry. People who want to lose weight know they should eat less, eat good food, and exercise regularly. Instead, they constantly seek the latest dieting fad, pill, plan, or program -- and wonder why they don't get the results they want! Marcus spent some time discussing money spent on security. He says we are "spending rocket sci...

RSA Conference 2006 Wrap-Up, Part 4

This is part 4 of my RSA Conference 2006 wrap-up. I started with part 1. I'm writing this in Brussels, Belgium, where I'm teaching my Network Security Operations class to a private group. I started my final day of RSA presentations last Thursday by wasting over an hour with Peiter "Mudge" Zatko. I should have walked out during the first fifteen minutes, but my respect for his previous work kept me in my chair. That was a huge mistake. In a haze Mudge rambled (for a quarter of his allotted time) about "The Aristocrat's Joke" while pleading with the audio guy to disable the recording of his talk. Eventually he half-turned his attention to his slides, and struggled to make the point that internal intruders don't launch exploits when they can simply browse sensitive information using native file sharing options. He was also really excited by a paper Vern Paxson published in 2000 about detecting stepping stones, and we heard other historical ti...

RSA Conference 2006 Wrap-Up, Part 3

This is part 3 of my RSA Conference 2006 wrap-up. I started with part 1. Before continuing I should mention a few items relating to my previous posts. First, I forgot to say that I enjoyed presenting my talk on Tuesday afternoon. Many attendees stayed to ask questions. I ended up leaving the room about 45 minutes after my briefing ended. Second, Nitesh Dhanjani asked me to mention his O'Reilly articles on Firefox anti-phishing and launching attacks through Tor. Third, in his talk Nitesh referenced his article Googling for Vulnerabilities, which includes a PHP script. He also reminded the crowd of Foundstone's SiteDigger tool. Now, on to new material. I finished Wednesday's briefings by listening to Ira Winkler, a fellow ex-intelligence professional. I highly recommend that those of you who give me grief about "threats" and "vulnerabilities" listen to what Mr. Winkler has to say. First, he distinguishes between those who perform securit...