Posts

Showing posts with the label redteam

Cass Sunstein on Red Teaming

On January 7, 2015, FBI Director James Comey spoke to the International Conference on Cyber Security at Fordham University. Part of his remarks addressed controversy over the US government's attribution of North Korea as being responsible for the digital attack on Sony Pictures Entertainment. Near the end of his talk he noted the following: We brought in a red team from all across the intelligence community and said, “Let’s hack at this. What else could be explaining this? What other explanations might there be? What might we be missing? What competing hypothesis might there be? Evaluate possible alternatives. What might we be missing?” And we end up in the same place. I noticed some people in the technical security community expressing confusion about this statement. Isn't a red team a bunch of hackers who exploit vulnerabilities to demonstrate defensive flaws? In this case, "red team" refers to a group performing the actions Director Comey outlined abov...

I Want to Detect and Respond to Intruders But I Don't Know Where to Start!

"I want to detect and respond to intruders but I don't know where to start!" This is a common question. Maybe you have a new security role in an organization, or a new service or business in your current organization, or some other situation where you want to find and stop attackers. However, you have no idea where to begin. Do you have the data you need? If not, what should you add? What do intrusions look like in the data you collect? These questions can be tough to answer from a purely theoretical perspective. I propose the following approach. First, conduct a tabletop exercise where you simulate adversary actions. At each stage of the imagined attack, consider what evidence an intruder might create while taking actions against your systems. For example, if you are trying to determine how to detect and respond to an attack against a Web server, you're almost certainly going to need Web server logs. If you don't currently have access to those logs, y...

Analog Penetration Testing

While watching the evening news I saw the story Investigation: U.S. borders perilously porous -- Federal investigators easily pass border checks using fake identification. On Wednesday the Government Accountability Office (yes, they changed their name) will release a report on an analog penetration test performed against the US border. What do I mean by that? [GAO] agents successfully entered the United States using fictitious driver's licenses and other bogus documentation through nine land ports of entry on the northern and southern borders. CBP [Customs and Border Protection] officers never questioned the authenticity of the counterfeit documents presented at any of the nine crossings. On three occasions -- in California, Texas, and Arizona -- agents crossed the border on foot. At two of these locations -- Texas and Arizona -- CBP allowed the agents entry into the United States without asking for or inspecting any identification documents. This excerpt is from a draft report...

Brief Thoughts on MJR Pen Testing Post

I learned of this post by Marcus Ranum through commentary by Dave Goldsmith. In brief, I agree with much of what MJR says. However, I think pen testers perform a valuable service. I do not think that it is possible for some modern enterprise code to be fully comprehended by any individual or team of developers or security engineers. If the code cannot be fully understood statically, it must be tested dynamically. A live test will reveal how the system acts when working, and may reveal unanticipated interactions or vulnerabilities. In light of this fact, I think pen testers who unearth these flaws perform a valuable service. If it's not tested, it's not a service. Update: Thanks to Tom's comment below, I changed the attribution to fellow Matasano poster Dave Goldsmith.