Friday, 26 February 2010

Some Thoughts on Computer Defense for Small Business

I have written a paper targeted for small business owners: "Some Thoughts on Computer Defense for Small Business"

"The problem of computer security will continue to increase in intensity in the coming years. Geo-political conflict, an increasing wealth divide between North and South in an increasingly networked world, and increasingly sophisticated threats will challenge the most well prepared specialists to secure your network. The passage of time has only made the following Unix administrator's adage become more true: "There are two kinds of computer users: those who have lost data and those who will." Which part of that data loss cycle is your destiny?"

Wednesday, 24 February 2010

Advanced Persistent Threat IV

SRI's Malware Threat Center has issued version 1.5 of BotHunter. BotHunter uses a proprietary algorithm, fed by the data collection facilities of a customized Snort, to detect botnet communication on Windows hosts and on a Unix bastion host at the egress of your network. You can review the data it collects from its honeynet. Here's a picture of it running on Vista:

Update: 02/27/10. And so I had a 1.10 score (below). BotHunter reported that a Microsoft IP conducted an outbound scan of 18 IPs. Something to think about...

OUTBOUND SCAN (spp)
    207.46.16.248 (2) (20:05:49.902 PST)   
   event=777:7777005 (2) {udp} E5[bh] Detected moderate malware port scanning of 18 IPs (11 /24s) (# pkts S/M/O/I=0/52/4/0): 137u:52, [] MAC_Src: 00:16:EA:4C:F3:AE

Funny, I had Netmon 3.3 running, but it didn't catch that IP at that time. This turned out to be a Microsoft DNS IP:

9:41:51.287 192.168.0.14 80 (0x50) 207.46.16.248 207.46.16.248 msdn.microsoft.akadns.net 00-09-5B-00-F3-DA msdn.microsoft.akadns.net 5599 (0x15DF)


Monday, 22 February 2010

Information Security Jobs in GE-CIRT and Other GE Teams

I'm hiring for my team (GE-CIRT) again. The following summarizes open positions:

  1. Information Security Incident Handler (1145304); serious skills required

  2. Information Security Incident Analyst (1147842); intermediate skills required

  3. Information Security Event Analyst (1147849); extreme willingness to learn required

  4. Security Assurance Team Senior Analyst (1147811); intermediate skills required

  5. Security Assurance Team Analyst (1147853); extreme willingness to learn required

  6. Information Security Infrastructure Engineer (1147859); serious Unix and open source system and database administration skills required


Roles 1-3 involve incident detection and response. Roles 4-5 involve threat analysis, Red-Blue teaming, and internal consulting. Role 6 supports team systems. All roles have a bias towards hiring into our beautiful Advanced Manufacturing and Software Technology System in Michigan. I already have five guys working there and expect to have at least a dozen more on our team working there by the end of the year. In some cases I have multiple jobs available. Some of these candidates will report directly to me, while others will report to my senior team leaders.

If you hope to be referred by a GE employee, be sure to have that employee follow the Company referral policy. Do not apply on your own.

If interested in joining GE-CIRT, search for the indicated job numbers at ge.com/careers. I will not answer questions until potential applicants apply to the jobs, and then I will only do so through work channels. Thank you.

In addition to the roles listed above, other security teams in GE are hiring incident analysts with the job numbers listed below.

  • 1148549

  • 1147886

  • 1148555

  • 1142824


Also, GE Research is hiring for the following positions:

  • 1149708: Next Generation IT Security Program Manager

  • 1149697: Infrastructure Security Leader

  • 1149699: Infrastructure Security Architect

  • 1149705: Information Security Incident Response Leader

  • 1125694: Cyber Security Researcher

Saturday, 20 February 2010

Reaction to Cyber Shockwave

I just finished watching Cyber Shockwave, in the form of a two hour CNN rendition of the 16 February 2010 simulation organized by the Bipartisan Policy Center (BPC). The event simulated, in real time, a meeting of the US National Security Council, with former government, military, and security officials role-playing various NSC participants. The simulation was created by former CIA Director General Michael Hayden and the BPC’s National Security Preparedness Group, led by the co-chairs of the 9/11 Commission, Governor Thomas Kean and Congressman Lee Hamilton.

The fake NSC meeting was held in response to a fictitious "cyber attack" against US mobile phones, primarily caused by a malicious program called "March Madness." For more details, read the press releases here, or tune into CNN at 1 am, 8 pm, or 11 pm EST on Sunday, or 1 am EST on Monday.

In this post I'd like to capture a few thoughts.

  • Others have already criticized the technical realism of this exercise. I think that is short-sighted. If you have a problem with the scenario, insert your own version of a major technical problem that affects millions of people. (Then watch others criticize it!) I agree that the participants' understanding of how mobile malware works, propagates, etc. was lacking, but that's realistic! It was important to talk about a mass incident -- any mass incident -- to get policymakers and the public thinking about this problem.

  • I think the real value of the exercise was revealing the planning deficiencies when cyber events are involved. Since this exercise supposedly occurred in the future, I was disappointed to not hear mention of the National Cyber Incident Response Plan, currently in draft. More worrying, I didn't hear a single mention of FEMA or the National Response Framework. One of the laws of incident response is that the worst time to determine how to respond to an incident is during the incident!

  • I was reminded that, during a crisis, time is of the essence. Unfortunately, lack of time works against all of the factors that would help craft a better policy response, such as 1) sufficient understanding of the incident; 2) realistic options for containment; 3) workable recovery methods; 4) clear attribution and location of the adversary; 5) identification of the adversary's motive; 6) support for the public's confidence and safety; and 7) preservation of the means to communicate information to the public, among other factors.

  • I was disturbed but not surprised to see the tension between preserving the Constitution, individual liberties, and property rights, vs "aggressive" action which is "ratified" following Presidential order. I was impressed by the simulated Attorney General's defense of the law despite intimations by some of her colleagues that the President could pretty much do whatever he wanted.

  • On a related note, it sounded like the President has much more power if an attack is determined to be an act of war, but making that determination carries its own risks. For example, don't acts of war require retaliation? If so, how will that happen? At one point the question of "kind-for-kind" retaliation was mentioned, and the simulated Secretary of Defense said Cyber Command could take action.

  • Speaking of action, sufficient attribution was a hot topic. First the team learned that a server linked to the March Madness app was located in Irkutsk, in Russia. The Russian government denied involvement, even to the extent that a server in Russia was even a conduit for the event. At that point, participants wanted to know if Cyber Command could "shut down" the server in Russia, like that was important. That bothered me because it could have been irrelevant as a containment or recovery action! The team also questioned if taking action against the Russian server could be an act of war. Again the AG was helpful, framing the issue in two senses: 1) the Afghanistan scenario, where the US took action against the Taliban following the 9/11 attacks for harboring attackers, and 2) the telecom "common carrier" scenario, which essentially indemnifies carriers for the content on their pipes.

  • Next intelligence sources learned a person in Sudan was involved. As you might expect, options for finding and taking hold of that person were discussed. Even the word "rendition" was mentioned! The simulated Director of National Intelligence wanted to acquire and forensically analyze any electronic equipment used by the Sudan party to scope the intrusion, determine attribution, and potentially aid with recovery. Of course this was complicated by a lack of extradition treaties with Sudan, although larger geopolitical factors were mentioned as ways to gain cooperation with the Sudanese government.

  • The role of the military, particularly the National Guard, was mentioned several times. Some thought the military might need to protect critical infrastructure, while others thought the military should deploy to the streets to project force and calm the public. I could relate to this situation after living through the Beltway sniper attacks one month after I moved my family to northern VA. (Police were everywhere for weeks, even though they couldn't really protect anyone.)

  • To complicate the situation, after the first hour news came of a bomb attack on two power stations, leading to or aggravating electrical grid failures on the east coast. I thought this was unnecessary. In the scenario wrap-up, the participants focused mainly on the cyber elements. I thought the exercise could have stayed focused on 100% cyber without bringing in a traditional terrorism angle.

  • Some of the simulated government positions are worth mentioning specifically. For example, when asked what DHS could do, the simulated secretary said that [US-]CERT will be "overwhelmed" and will need NSA's help! DoD said there was no effect on the nation's nuclear weapons. DoJ said the President could not order people to not use their phones, and others reinforced that it would make the President look weak when people would ignore him. The Counselor to the President said to forget about attribution and instead focus on the effect of the incident in order to determine if it were an act of war. Several advisors recommended getting Congressional leaders involved to provide political cover for Presidential decisions. DHS said that the various "sector" groups were not designed to respond to a crisis like this. State repeatedly cautioned against speculation, particularly regarding the Russian Army video linked to the March Madness malware app.

  • A few interesting parallels appeared. I mentioned Afghanistan already. One participant likened the event to weapons of mass destruction. I could easily see this being similar to a biological or chemical weapon attack. The simulated Secretary of the Treasury invoked the financial crisis, where decision makers crafted policy on the fly, stretching their authorities and seeking new powers as the situation deteriorated in 2007-2008. President Lincoln suspending habeas corpus during the Civil War was mentioned too.

  • I thought the role of the simulated Cyber Coordinator revealed the weakness of the position. Most of the other participants relied on one, two, or three forms of authority when providing advice. They 1) offered specific expertise, e.g., the AG talking about the law; and/or 2) specific news, e.g., word from the Intel Community; and/or 3) explanations of what their agencies were doing, e.g., State describing interactions with other governments. The simulated Cyber Coordinator did little of that, and when he tried to apply expertise, he was wrong or wrong-headed. I cringed when he mentioned having ISPs require user PCs to be "secure" or to force them to apply patches. Just how would that happen? I could see a useful Cyber Coordinator being the person who knows the technology and its limitations, but outside of that role I have a lot of doubts.

  • It should have been clear that the National Security Council couldn't really do anything to contain or recover from the malware problem, let alone understand how much the situation could deteriorate. Understanding the consequences alone would require real analysis and input from their agencies, probably in NSA or Cyber Command. Taking steps to recover would be really baffling. I think planning and exercising the National Cyber Incident Response Plan with specific scenarios would be a good answer.

  • Wolf Blitzer's questions after the exercise weren't that great. You are not going to get a former government or security official to name foreign adversaries on national television. That reminded me of the briefings during the first Gulf War. Don't journalists know officials are not going to break their security clearances to answer questions like that?


So, I already see lots of comments on Twitter and elsewhere claiming Cyber Shockwave was lame or a waste of time. As you can see it raised a lot of issues that I consider very important. I'm glad BPC organized this event and that CNN televised it. At the very least people are talking about digital security.

Review of Intelligence, 4th Ed Posted

Amazon.com just posted my five star review of Intelligence: From Secrets to Policy, 4th Ed by Mark Lowenthal. From the review:

I was an Air Force military intelligence officer in the late 1990s. I've been working in computer security since then. I read Intelligence, 4th Ed (I4E) to determine if I could recommend this book to those who doubt or don't understand the US intelligence community (IC). I am very pleased to say that I4E is an excellent book for those with little to no intelligence experience. I also found I4E to be a great way to catch up on changes in the IC, particularly since Congress passed the Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA).

I4E is a great book -- check it out!

Offshoring Incident Response

A blog reader emailed the following question.

We recently had a CISO change, and in the process of doing an initial ops review and looking at organizational structure, one of the questions the new CISO has is about the viability of offshoring incident response... I would be very interested in your views on this matter, and would appreciate any feedback you can offer.

As background, I've been involved in incident response in many different capacities: top-level military CERT, managed security services provider, fly-away consultant, government contractor, independent consultant, and top-level corporate CIRT. In other words, I've worked in insourced and outsourced environments.

I strongly advocate insourced or internal, professional incident response teams. Many technical people fixate on the technical aspects of security, as you might expect. While technical expertise is critical, it is also critical to understand the client. Depending on the size and complexity of the client, it can take an external team weeks or months to acquire the necessary understanding of the client to make a real difference. Sure, an external team can probably perform great analysis if given the right details and context. However, doing something about it usually relies heavily on identifying and overcoming the various bureaucratic, cultural, financial, legal, and political challenges found in any suitably large organization. Therefore, I believe internal CIRTs are necessary for all organizations larger than a few hundred employees.

I believe it is appropriate and sometimes necessary to rely on outsourced incident response services when your organization meets one or more of these criteria during an incident.

  • Your CIRT is nonexistent.

  • Your CIRT is not staffed with enough people to meet the challenge at hand.

  • Your CIRT is not technically equipped to meet the challenge at hand.

  • Your CIRT needs help with a specific aspect of the challenge at hand.

  • Your CIRT needs external assistance due to regulatory, compliance, or other legal issues.


Furthermore, when I read the term "offshoring" I get the sense that the question may involve hiring contractors who work for the organization permanently but report to their home contracting organization. In my experience any "cost savings" in such an arrangement are a figment of the accounting imagination. I recommend full-time employees be CIRT members.

Any thoughts from blog readers?

Advice for Academic Researchers

A blog and book reader emailed the following question:

I am an info sec undergrad and have been granted a scholarship to continue my studies towards a phd with the promise of DoD service at the other end. It is critical for me to research and select the most important area of security from the Defense Department's perspective.

My question to you is this: Drawing upon your knowledge, what specific area(s) of information security do you feel will be most critical in the next several years (especially in the eyes of the Dept. of Defense)?


I post this question because I'm sure blog readers will contribute interesting comments.

For my part, I'm really interested in the following: characterizing network traffic. In other words, develop tools and techniques to describe what is happening on the network. (I'm sure a few commercial vendors think they are doing this already, but nothing approaches the level that we really need.)

Without understanding what is happening, we can't decide if the activity is normal, suspicious, or malicious. Current approaches are far too primitive and limited. This work is not as "shiny" as developing a new detection algorithm, but getting back to basics is the sort of approach that could survive in a research environment.

Tuesday, 16 February 2010

Advanced Persistent Threat Part III

It certainly is possible to examine host or network outbound conversations. But we then have to determine which outbound conversations are legitimate. Current AV software attempts to block access to potentially 'known dangerous' or 'pre-determined dangerous' malware sites, but such judgements are apparently failing to prevent APT from sending stolen data to way stations. On OpenBSD, if we are looking at outbound connections, we might sniff as follows using Snort:

/usr/local/bin/snort -D -vdeXX -l . -L `date "+%d%b%H%S%Z%Y.out"` -i dc0  'port not(whois or domain or router) and not(broadcast or arp) and not(dst net 192.168.0.0/24 or 224.0.0.0/24 or 239.0.0.0/8)' 

On Vista, we might have two interfaces (wired and wireless) we need to examine:

start /min cmd /c C:\snort\bin\snort.exe  -vdeXX -l .  -i 1  port not(whois or domain or router or 5353) and not(broadcast or arp) and not(dst net 192.168.0.0/24 or 224.0.0.0/24 or 239.0.0.0/8)
start /min cmd /c C:\snort\bin\snort.exe  -vdeXX -l .  -i 2  port not(whois or domain or router or 5353) and not(broadcast or arp) and not(dst net 192.168.0.0/24 or 224.0.0.0/24 or 239.0.0.0/8)

Looking at the logs, we are surprised by the number of outbound connections we make:
C:\Snort\bin>snort -v -q -r snort.log.1266372570 | find "->" | gawk -F"->" '{print $2}' | sort /R | uniq -c | sort /R
    327  74.125.103.208:80
    133  74.202.67.83:80
    105  216.35.221.76:80
    100  198.104.200.154:80
     51  72.21.91.19:80
     32  96.17.70.50:80
....
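The `find "->" | gawk | sort | uniq -c` pipeline above depends on GnuWin32 tools on Windows and a different `sort` on OpenBSD. The script below is an added example, not code from the original post: it reads the same `snort -v -q -r` header lines, keeps only packets sourced from the local host, applies the same destination exclusions as the BPF filter in the post (192.168.0.0/24, 224.0.0.0/24, 239.0.0.0/8), and prints a `uniq -c` style summary of outbound destinations. The sample log lines, the local host address and the `top_destinations` helper are constructed for the example.

```python
"""Summarize outbound destinations from Snort verbose (-v) output.

Added example (not from the original post). Mirrors the post's pipeline
  snort -v -q -r snort.log.N | find "->" | gawk -F"->" '{print $2}' | sort | uniq -c
and additionally applies the destination exclusions from the post's BPF filter.
"""
import ipaddress
import re
import sys
from collections import Counter

# Destination networks excluded by the snort filter in the post:
#   not(dst net 192.168.0.0/24 or 224.0.0.0/24 or 239.0.0.0/8)
EXCLUDED_DST_NETS = [
    ipaddress.ip_network("192.168.0.0/24"),
    ipaddress.ip_network("224.0.0.0/24"),
    ipaddress.ip_network("239.0.0.0/8"),
]

# snort -v prints one header line per packet:  <src>:<sport> -> <dst>:<dport>
# (ports are absent for ICMP, so they are optional in the pattern).
FLOW_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?"
)

# Constructed sample of header lines (not real capture data). The inbound reply,
# the local DNS query and the SSDP multicast packet must not appear in the summary.
SAMPLE_LOG = [
    "02/16-20:05:49.902123 192.168.0.14:49152 -> 74.125.103.208:80",
    "TCP TTL:128 TOS:0x0 ID:1234 IpLen:20 DgmLen:52 DF",
    "02/16-20:05:49.903001 74.125.103.208:80 -> 192.168.0.14:49152",
    "02/16-20:05:50.100000 192.168.0.14:49153 -> 74.125.103.208:80",
    "02/16-20:05:50.200000 192.168.0.14:54000 -> 192.168.0.1:53",
    "02/16-20:05:50.300000 192.168.0.14:51000 -> 239.255.255.250:1900",
    "02/16-20:05:51.000000 192.168.0.14:49154 -> 74.202.67.83:80",
    "02/16-20:05:52.000000 192.168.0.14:49155 -> 74.125.103.208:80",
]


def parse_flows(lines):
    """Yield (src, dst, dport) for every packet header line; skip everything else."""
    for line in lines:
        m = FLOW_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), m.group("dport")


def is_excluded(dst):
    """True if dst falls in one of the networks the post's BPF filter drops."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in EXCLUDED_DST_NETS)


def top_destinations(lines, local_host=None):
    """Count packets per destination ip:port, most frequent first.

    If local_host is given, only packets *sourced* from it are counted, so
    replies from remote servers do not inflate the outbound totals.
    """
    counts = Counter()
    for src, dst, dport in parse_flows(lines):
        if local_host and src != local_host:
            continue
        if is_excluded(dst):
            continue
        counts[f"{dst}:{dport}" if dport else dst] += 1
    return counts.most_common()


def format_summary(ranked):
    """Render like `uniq -c | sort -rn`: right-aligned count, then destination."""
    return "\n".join(f"{n:7d}  {dest}" for dest, n in ranked)


if __name__ == "__main__":
    # Usage: snort -v -q -r snort.log.N | python outbound.py 192.168.0.14
    # With no stdin, falls back to the constructed sample above.
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.14"
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    print(format_summary(top_destinations(source, local_host=host)))
```

Reverse-resolving the surviving addresses (as the post does by hand with the Netmon record) is the next step; doing it offline, from a saved capture rather than live, avoids tipping off anything that might be watching DNS from the analysis box.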

Perhaps one solution to APT would be some real-time co-ordination between sites suspected of being data theft transfer stations and real-time (firewall or host) blocking of the data transfer to those hosts/servers. This type of solution faces some headwind and may need to be implemented on an individual or corporate basis to prevent "incidental blacklisting". Other solutions might include:

(1) real time packet examination of data for critical or sensitive information
(2) heuristic detection of data flows that seems 'abnormal'
(3) heuristic detection of file access that seems 'abnormal'

The industry awaits such solutions.

Monday, 15 February 2010

Answers Regarding Military Service

Once in a while I'm asked for my Thoughts on Military Service. An anonymous blog reader sent the following questions. It's been a while since I wore the uniform, so at least some of you readers might care to offer your own thoughts. I'll try to answer what I can.

I got into IT after graduating from college with non-technical majors and decided that I was actually interested in areas of practical science, such as: physical computing, engineering (mechanical, electrical, and design), robotics, aerospace, and programming. IT was a great primer for some practical work experience, but after my stint with [a security company] I'm evaluating if I want to acquire more direct technical training with the things I'm passionate about.

So, here's my barrage of questions; please feel free to answer however you want, I'm simply organizing the thoughts rumbling around in my head. If I left anything relevant out, which I'm certain I did, then please mention it.

1) What was your technical experience in the Air Force? Would you recommend it?


I spent a little over two years as a "real" intelligence officer, with my technical skills directed towards selecting targets in the former Yugoslavia and planning information warfare campaigns. In the fall of 1998 I managed to be reassigned to the AFCERT where I did hands-on technical incident detection, until I left the service in February 2001.

I owe my subsequent career in this field to my time in the Air Force, although no one handed me anything on a silver platter. I'll say more about recommendations shortly.

2) Is the ROTC an appropriate program for the technical skills I want to build? Would I be able to get hands on experience but also have support, primarily financial, for requisite schooling?

ROTC does not teach anything technical. The goal is to prepare you to be an officer, not provide any specialist skills. You wouldn't attend ROTC anyway since you have a degree. More on that later.

3) What particulars about Air Force technical training would you focus on?

I'm not sure I follow this question. However, the Air Force and all military services follow a three-step process for training. First you enjoy some sort of entry-level training, involving "basic training" where the goal is to transform you into a lean mean fighting machine. My entry into the USAF was through the Air Force Academy, which was a four year degree program. Next comes training for the specialty you will perform in the service, although this is really just an introduction. My specialty training was military intelligence, which was a nine month program. Finally you will get on-the-job training, where you learn the specifics of your first assignment. That happened at Air Intelligence Agency in my case.

4) What are the glaring weaknesses that you encountered?

If you're talking about training, I guess the biggest problem is the disconnect between what the school house thinks is important vs the real world. That's not unique to the military, but it places a burden on the on-the-job trainers, none of whom are really trainers! If you don't find a good initial mentor, you can be lost. I can thank Jesse Coultrap in my first planning role and Cheryl Knecht at the AFCERT for watching out for me.

5) Is a military program preferable over the alternatives, such as civilian work experience or going back to school? I.e. Is this type of program a good way to save me time and money in these pursuits? I'm 23 years old if that gives you some idea.

At 23, with a degree, military service is still an option. Don't join the military just for training. We are fighting two wars with plenty other action occurring. Join the military to join the military.

6) Is there flexibility to pick up other skills? Let's say I do some electrical/computer engineering, would the idea that I also want to program or learn about aerospace be encouraged?

Some will disagree, but I bet a lot of readers will agree that, once you join, you become the property of the military. Some people I know tend to live charmed lives where they go from one awesome job to the next. Others can't wait to leave, once their commitment expires. This tends to result in senior leaders saying "isn't the service awesome?" They can't understand why some of their juniors aren't happy, since their careers have been so great!

7) Do you know anything about Naval equivalents regarding technical skills (or any other program out there)?

Navy?!? Are you kidding me?!? Seriously, all of the services are ramping up their "cyber" arms. I'm even going to speak at Annapolis soon. I can put you in touch with some Middies if you want.

8) How's Air Force life, generally?

Wow, big question. I could use some input from active duty folks here. Let me say that I personally found the burden on my family too heavy to stay in uniform. That was before Iraq and Afghanistan, and I was in the Air Force, not the Army or Marine Corps. I don't know how those guys can manage. They sacrifice everything.

9) Would it be better to go through an officer program or enlist straight up?

Since you have a degree, you should apply for Officer Candidate School or Officer Training School, depending on the service. I'm not disrespecting enlisted people, but if you have your degree I think many enlisted people would recommend getting your commission. The pay differential alone is worth it.

I'd appreciate comments from any other readers. Thank you.

Max Ray Butler Sentenced (Again)

In late 2007 I blogged Max Ray Butler in Trouble Again. Please see that post and Kevin Poulsen's June 2009 story for details. According to ComputerWorld, you don't want to be Max Ray Butler:

A former security researcher turned criminal hacker has been sentenced to 13 years in federal prison for hacking into financial institutions and stealing credit card account numbers.

Max Ray Butler, who used the hacker pseudonym Iceman, was sentenced Friday morning in U.S. District Court in Pittsburgh on charges of wire fraud and identity theft. In addition to his 13-year sentence, Butler will face five years of supervised release and must pay US$27.5 million in restitution to his victims, according to Assistant U.S. Attorney Luke Dembosky, who prosecuted the case for the federal government.

Dembosky believes the 13 year sentence is the longest-ever handed down for hacking charges.

Butler, also known as Max Vision, pleaded guilty to wire fraud charges in June last year.


In an odd coincidence, today Kevin Mitnick Tweeted:

15 years ago today I was busted by the Feds...wow.. How things have changed since 1995!

Friday, 12 February 2010

Get the Divers Out of the Water

I'm wondering if this story resonates with anyone.

Imagine a group of undersea divers. They are swimming in the ocean doing some sort of productive activity, maybe retrieving treasure, or doing research, or something else. The divers receive instructions from managers in a boat.

Suddenly one of the divers is attacked by a shark. It tears right through his diving suit. There's blood in the water. The managers see the blood but tell the divers to keep doing their work. The injured diver attracts other sharks. Now the other divers are being attacked. The managers tell the divers to keep working.

It's a disaster. Divers are severely injured, and some are dying. In the boat some generalist first responders see the blood, and recommend putting the divers in protective cages. They aren't sure exactly what is happening so they fall back on the standard operating procedures.

A few of the divers seek shelter in the cages. Now the managers are howling that the divers aren't doing their work. They want the divers sent back out.

The generalist first responders don't know what to do. They ask if anyone else in the boat can help. Some specialist responders lower a camera into the water and see sharks eating divers. They tell the managers to pull the divers out.

The managers concede that the sharks are a problem but they want some sort of customized response for each injury. Can't we assess each diver, identify the damage, apply some bandages, and keep the work going?

This debate rages for hours, far too long in the opinion of everyone involved. More and more divers are hurt, the sharks continue to swarm, and no one is happy.


Let's explain this story.

  • The divers are computers.

  • The sharks are intruders, possibly even malware.

  • Dying divers are computers whose data is being denied, degraded, or stolen by intruders.

  • The managers are managers, or asset owners.

  • The generalist first responders operate anti-malware software.

  • The diving suit is anti-malware software in a default configuration.

  • The cage is anti-malware software operated in a more aggressive configuration.

  • Getting divers out of the water means isolating a compromised computer from the network.

  • The specialist first responders are the incident response team.

  • The camera lowered into the water is an investigation of the malware by the IR team.


My question is: how should this scenario have played out? I have a few recommendations:

  • If you're going to swim in shark-infested waters, be resistant to shark attack, not ignorant of shark attack. Realize sharks are everywhere and prepare your defenses appropriately.

  • If you're attacked by sharks, and your defenses fail, your first priority is to try to save the first victim.

  • The second priority is to protect the rest of the divers so they can continue their mission.

  • The priority should not be to keep everyone performing their mission, because it ignores the risk of the first diver dying (data loss, etc.) and the risk of exposing the other divers to attack (propagation of the malware).

  • The fastest way to accomplish both priorities is to have a pre-approved incident response plan, with provisions for getting divers out of the water. This can involve an approval process where managers are told the situation and asked for approval to disconnect the victim. The difference between this process and what happened in the story is that the debate centers on whether or not to implement containment, not what should be done in general.

  • Managers have to realize that they can't put vulnerable divers in the water and expect no negative consequences when they are attacked. Either spend resources up front to better protect the assets, or act quickly and decisively once trouble happens. Trying to plough on regardless of the situation leads to lengthy and costly chaos.


I'm curious if anyone else has thoughts on this. I am interested in cases where the threat is fairly common (i.e., not advanced threats), so there is little to be gained by trying to learn more by observing the adversary.

Advanced Persistent Threat Part II

These thoughts occurred to me this week while reading the numerous blog posts on APT and the Mandiant Report. Somehow my research made me think of the bane of Othello the Moor ("Iago"). Very loosely translated from Latin, "Iago" might mean "I am nothing". More commonly it is translated as "supplanter" or "heel grabber".

(1) I don't have a binary, technical threat analysis, disassembled stub, class diagram or detection method for APT.
(2) I don't know any host-based security products that would block "illegitimate APT" (outgoing traffic) on ports 80 and 443 from a legitimate user-space request. How would developers even implement such a service? If you could trace all events to an un-hijacked input device, you could block any events that are not desktop based. This would probably put updates, software installations, and sandbox scripts in a pickle. Therefore, is this a problem in search of a network-based solution?
(3) I propose we solve the debate about how "APT style" threats can be distinguished from other threats by

  • (a) ranking the level of resources needed to complete them or
  • (b) the level of functional immunity granted their perpetrators

(4) I don't know yet how to prototype or replicate an APT in my lab. Therefore, how do I know it exists outside of the conceptualization of others?
(5) Ten years ago last August I received this comment while working with an IDS developer: "This product will stop the script kiddies and most of the uber-hackers.  Then there's the "Men in Black".  I have no idea how we stop them."

- "Iago"

Rabu, 10 Februari 2010

A Hacker in Charge of Your Tax Dollars?

I read Hacker 'Mudge' gets DARPA job by Elinor Mills:

Peiter Zatko--a respected hacker known as "Mudge"--has been tapped to be a program manager at DARPA, where he will be in charge of funding research designed to help give the U.S. government tools needed to protect against cyberattacks, CNET has learned.

Zatko will become a program manager in mid-March within the Strategic Technologies Office at DARPA (Defense Advanced Research Projects Agency), which is the research and development office for the Department of Defense. His focus will be cybersecurity...

Another lure of the job was the budget he will have. Zatko said he doesn't know exactly how much of the $3.5 billion a year DARPA spends to fund research he will oversee but said it's likely to be a "good chunk."


A hacker in charge of your tax dollars? I think that's... great! I'm pleased to see someone with the right mindset and experience making decisions on next-generation digital security projects. I am pretty sure no one with a lame research proposal or dumb idea for a start-up is going to be able to fool Mudge. This is another watershed event for our community, similar to Jeff Moss being selected to an advisory position in DHS.

It's important to place this event in context. The cover at the top shows "Maximum Security," one of the first technical books on digital security to be published. ("Practical Unix and Internet Security" was my introduction.) The year was 1997, and the Anonymous author chose not to reveal his identity for fear of the consequences. Think about that for a moment. Now, 13 years later, we have a real hacker -- a real hacker, not an intruder -- supervising the budget of a government agency. That's amazing progress. Congratulations Mudge!

PS: One minor point. The author writes:

Zatko cut his security chops as a teen-age hacker in the 1980s and managed to stay one step ahead of the law.

I have a feeling the author added this line to "spice up" the article, thinking that "hackers" need to have run-ins, or need to avoid run-ins, with the law in order to have "street cred." In all the years I have known of Mudge (I met him in the fall of 1998 when he taught a class with Mike Schiffman at the AFIWC), I never thought of him as a criminal or a "near-criminal." He's always been a security researcher as far as I am concerned.

Thor vs Clown

It started with this post by M.D.Mufambisi to the pen-list list:

I'm designing an SMS banking application but I need to research the security risks involved first... What are the risks around this application? How are such applications normally subverted? Are there any case studies someone can point me to?

After a few responses, Craig Wright chimed in:

The solution needs to be based on risk.

Where a system uses an SMS response with a separate system (such as a web page), the probability that the banking user is compromised and a fraud is committed, P(Compromise), can be calculated as:

P(Compromise) = P(C.SMS) x P(C.PIN)

Where: P(C.SMS) is the probability of compromising the SMS function and P(C.PIN) is the compromise of the user authentication method


Craig followed up with a blog post:

Many people feel that it is not feasible to model risk quantitatively. This of course is blatantly false. In the past, many of the calculations have been computationally infeasible at worst and economically costly at best. This has changed. The large volumes of computational power that are available, coupled with novel stochastic methods, have resulted in an efficiently viable means of calculating risk quantitatively with a high degree of accuracy. This can be measured as a function of time (as survival time), finance (or monetary value) or any number of other processes...

Tim Mullen, a guy who I first met in 2002 teaching at Black Hat, responded on full-disclosure:

I'm looping in the FD list because often my replies don't make it to Pen-Test, and this has hit a nerve with me.

I've looked over your post...

Once I was able to get past the overwhelming egoism and self-substantiating claims of your contributions to the industry, I arrived at the conclusion that the only portion of the aforementioned page that is not complete drivel and even laughable to anyone who has actually worked towards ascertaining actual risk in production environments, is where you describe your own words as "ravings..."

I'm fine with you sitting back and gloating about the Security Hero award you got from Northcutt, but when I see that you are actually contributing to ANY level of Critical Infrastructure Protection, it makes me fear for anyone who might be counting on your presumed skillset to actually make intelligent decisions about risk where human safety is at stake.

Your "risk formula" is ridiculous. What number would your formula have yielded 2 weeks before SQL Slammer was released? Where is the variable for unpatched systems? What number do we plug in for malicious employee factorization? More importantly, where is the calculation for self absorbed snake-oil selling academics with no real experience using their calculator to come up with magic numbers that represent the risk of a nuclear power plant being hacked?

Since you are (self-described) as "currently the only GIAC GSE (Compliance) holder globally and the most highly accredited Global Information Security Professional" and thus (presumably, if only in your mind) the greatest security mind in the world, how about accepting a challenge to an open debate on the subject at Defcon? People like you are dangerous and need to be exposed before someone in a position of power actually believes that you know what you are talking about. Bring your abacus.


Craig then responded with some sort of monetary challenge, and Tim and Craig are now debating how to arrange that.

If you want history on why I consider model = clown, please check out the posts on my clown tag.

When I read

"In the past, many of the calculations have been computationally infeasible at worst and economically costly at best. This has changed. The large volumes of computational power that are available, coupled with novel stochastic methods, have resulted in an efficiently viable means of calculating risk quantitatively with a high degree of accuracy."

it is clear to me Craig is pretty well disconnected from reality. Did we not just suffer a global recession exacerbated by clowns who thought they could model risk "with a high degree of accuracy"?
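
One step the exchange above argues about but never writes down (this is added here, and is not part of the original post or of either participant's argument): the product form assumes the two compromises are independent. For any two events,

P(C.SMS and C.PIN) = P(C.SMS) x P(C.PIN | C.SMS)

and this collapses to P(C.SMS) x P(C.PIN) only when P(C.PIN | C.SMS) = P(C.PIN), that is, when learning that the SMS channel was compromised tells you nothing about the PIN. When a single cause yields both (the constructed but obvious case is malware on the customer's handset that reads the SMS and logs the PIN), P(C.PIN | C.SMS) approaches 1 and P(Compromise) approaches P(C.SMS). With illustrative values P(C.SMS) = 0.001 and P(C.PIN) = 0.01, the independent model gives 0.00001 while the correlated case gives roughly 0.001, one hundred times larger. The formula is not wrong as algebra; it is only as good as the independence assumption nobody stated.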

Selasa, 09 Februari 2010

Advanced Persistent Threat

The news on  "Advanced Persistent Threat" has been broken in a big way by Google and the recent Mandiant report.  More comments will follow at a later date.  But some occur to me now:

(1) Our current desktop and server Operating Systems are not secure.
(2) Computer networks are insecure for most organizations and at many levels.
(3) Digital data can no longer be protected against a determined foe.
(4) Security researchers and visionaries should receive more funding. Lots.

Order and read the Mandiant Report. Then imagine what a resourced foe could do if they believed the security of their nation-state depended upon seamless corporate intrusions. Now imagine those techniques automated and in the wild. In order for the world to have safe computing systems, our government and industry need to sponsor more research and decriminalize vulnerability research. Otherwise, no data will ever be secret or protected again.

Making Progress Matters Most

I found this article by John M. Kamensky to be interesting:

Teresa Amabile and Steven Kramer, in a recent Harvard Business Review article called “What Really Motivates Workers,” tell managers: “The key to motivation turns out to be largely within your control.”

Their advice? “Scrupulously avoid impeding progress.”

Amabile and Kramer surveyed more than 600 managers and then conducted a multiyear study of hundreds of knowledge workers, asking them to keep daily diaries to discover the top motivator of performance. Not surprisingly, managers and workers came to different conclusions.

Managers were asked to rank the impact of five workplace factors commonly considered significant motivators: recognition, incentives, interpersonal support, support for making progress and clear goals. “Recognition for good work” topped their list.

However, the recognition factor was ranked dead last by workers. The researchers found that workers ranked “support for making progress” as their No. 1 motivator...

Amabile and Kramer found that “making progress” was linked to 76 percent of employees’ reported “best days.”


I agree with this sentiment. I am most motivated when I can make progress. What do you think?

Senin, 08 Februari 2010

Defending Against the Small Business Threat

A great and overdue article in the Wall Street Journal this morning: "Wanted: Defense Against Online Bank Fraud". The article discusses a now-common cyber-crime, first popularized in 2008, that begins with the online theft of unsecured ATM/payroll data from user, client and small-business PCs. Fake payroll members are created, and recruited "money mules" then cash out the fraudulent paychecks at ATM terminals across the globe. If the fraud is timed right, a small business can lose large sums from its payroll accounts within 24 hours or less. The FBI and the IC3 have been warning about this for some time:


Small businesses during a recession make excellent targets. It is a bit like capitalizing on sick children. Large businesses and banks know the value of security infrastructure and development. They have lots to lose and they have been high-priority targets in the past. (And they have just received big chunks of "Stimulus funding.") Most small businesses employ limited staff, have a few PCs (perhaps running some accounting software), maybe some server or cloud infrastructure investments, and a web site or web/commerce site.
The few aggressive owners/proprietors who investigate securing their infrastructure may have done so on a "self-help" basis, implementing firewalls, UTM, anti-virus and anti-spyware. But even these self-motivated individuals are in no way prepared to be the targets of dedicated information warfare from skilled global criminal enterprises originating in eastern Europe, South America, Russia, China, etc. Thus, in less than 24 hours, small business payroll accounts, many of them funded by "bridge loans" from local banks, are wiped out. The targeting of small business by cyber-criminals is an "anti-stimulus" effort, functioning to effectively siphon funds from a weakened American economy.

Minggu, 07 Februari 2010

So Much for China's "Peaceful Rise"

I was not surprised to read China’s hawks demand cold war on the US in the Times Online.

[A]lmost 55% of those [in China] questioned for Global Times, a state-run newspaper, agree that “a cold war will break out between the US and China”...

An independent survey of Chinese-language media for The Sunday Times has found army and navy officers predicting a military showdown and political leaders calling for China to sell more arms to America’s foes...

“This time China must punish the US,” said Major-General Yang Yi, a naval officer. “We must make them hurt.” A major-general in the People’s Liberation Army (PLA), Luo Yuan, told a television audience that more missiles would be deployed against Taiwan. And a PLA strategist, Colonel Meng Xianging, said China would “qualitatively upgrade” its military over the next 10 years to force a showdown “when we’re strong enough for a hand-to-hand fight with the US”...

As a crescendo of strident nationalistic rhetoric swirls through the Chinese media and blogosphere, American officials seem baffled by what has gone wrong and how fast it has happened...

“The truth was that the atmosphere was cold and intransigent when the president went to Beijing yet his China team went on pretending that everything was fine,” the diplomat said.


American officials have been "baffled" because they fell for the so-called "peaceful rise" propaganda promulgated by the Chinese government and its sympathizers and apologists in the West. Now that the Chinese government is feeling confident, it's less inclined to keep its true intentions out of its state-run media. As Liu Menxiong, a member of the Chinese people’s political consultative conference, said in the article:

“We have nothing to be afraid of. The North Koreans have stood up to America and has anything happened to them? No. Iran stands up to America and does disaster befall it? No.”

Sabtu, 06 Februari 2010

APT Presentation from July 2008

Some of you may remember me mentioning the 2008 SANS WhatWorks in Incident Response and Forensic Solutions Summit organized by Rob Lee. I provided the keynote and really enjoyed listening to the presentations, which Rob has graciously made available at http://files.sans.org/summit/forensics08/. One of the presentations, by Mandiant consultant Wendi Rafferty and then-Mandiant consultant (now GE-CIRT incident handler) Ken Bradley, was titled Slaying the Red Dragon.

As you can see from the first two slides shown at left, this presentation explicitly addressed advanced persistent threat. I didn't mention it originally because it discusses a specific attack vector. However, it's been over 18 months since the presentation was made. Therefore, to show that APT is "not a new term" but also to share some technical insights, I thought it acceptable to advertise this presentation.

By the way, the presentations from the 2009 event are posted at http://files.sans.org/summit/forensics09/.

I'm sure we will discuss this topic at the 2010 Incident Response Summit and the 2010 Incident Detection Summit.

Review of The Book of Xen Posted

Amazon.com just posted my five star review of The Book of Xen by Chris Takemura and Luke S. Crawford. From the review:

The Book of Xen (TBOX) is a great book for Linux system administrators who want to deploy Xen. The authors ground their recommendations in over four years of experience running Xen to support Internet-facing virtual private servers. I found their writing style to be very engaging; it reminded me of reading any one of Michael Lucas' No Starch books. If you know your way around Linux and want to deploy Xen in production, TBOX is the book for you.

Thank you to No Starch for providing me a free review copy.

Kamis, 04 Februari 2010

Answering APT Misconceptions

There's finally some good reporting on advanced persistent threat appearing in various news sources. A new Christian Science Monitor story, one by Federal Computer Week, and one by Wired are making progress in raising awareness. Unfortunately, there's plenty of Tweeting and blogging by people who refuse to understand what is happening or are not capable of understanding what is happening. From now on, rather than repeat myself trying to answer these misconceptions, I decided to consolidate them here.

  1. Myth 1. APT is a "new term," invented by Mandiant. Reality: Mandiant did not invent the term. The Air Force did in 2006. More info: What Is APT and What Does It Want?

  2. Myth 2. APT is "not new." Reality: APT is only new to people who have not been involved with the problem. If you look solely at offender and motive, and exclude defender, means, and opportunity, you're likely to think APT is not new; you'd be wrong. Just performing an Attribution Using 20 Characteristics exercise helps demonstrate that APT is not like organized crime or other structured attackers. More info: Two-Dimensional Thinking and APT

  3. Myth 3. APT is "marketing hype." Reality: Some companies with little to no experience with APT are clearly jumping on the counter-APT bandwagon, even registering domain names related to APT. That is sad but not unexpected. However, companies like Mandiant are not suddenly releasing reports because of Google v China. Mandiant offered a public Webcast (which I attended) in March 2009 called State of the Hack - Addressing the Advanced Persistent Threat. They and certain other companies have been public about APT for a while, but a lot of people were ignoring them. More info: You Down With APT?

  4. Myth 4. APT is a "class of attacker." Reality: Most of the counter-APT community uses APT to refer to specific threats or "threat agents" if you prefer that term. Those threats are associated with a certain country. In some cases, certain counter-APT community members prefer to include other countries with similar capabilities. If required to differentiate during discussions, I prefer to prefix APT with the named country.

  5. Myth 5. APT is "FUD." Reality: Fear can be healthy if it helps reallocate resources away from wasteful and ineffective compliance regimes like FISMA. No one I know who fights APT sleeps very well. Regarding uncertainty and doubt, what more do you need to know? Read my post Is APT After You? to get a better sense if you should worry. It's better to prepare your defenses now than to start once a Federal agent comes knocking. More info: DNI Blair Leads with APT as a "Wake-Up Call"


I may add more myths as they appear, but for now those five seem sufficient.

By the way, I appreciate the private communication and public comments from people genuinely interested in learning about this issue. It helps focus my attention away from the critics who refuse to align with reality. It's also clear that many of you understand why I use certain phrases or address this subject in the manner that I do. I am glad those of us with similar backgrounds can at least share in that sense of solidarity. Thank you.

DFRWS, VizSec, and RAID 2010 Calls for Papers

I'm involved in one degree or another with three somewhat academically-oriented conferences this year. I wanted to post notices of the call for papers for each event.

First is DFRWS 2010 on 2-4 Aug in Portland, Oregon. I am on the Technical Program Committee but will not attend due to a family conflict. The CFP ends 28 Feb.

Next is VizSec 2010 on 14 Sep in Ottawa, Ontario. I am on the Program Committee and plan to attend. The CFP for full papers ends 30 Apr.

Last but not least is RAID 2010 on 15-17 Sep in Ottawa, Ontario. I like the fact this conference is held in conjunction with VizSec, so I will probably attend. The CFP ends 4 Apr.

Google and NSA Fulfilling 2008 Predictions

In December 2007 I wrote Predictions for 2008. They included 2) Expect greater military involvement in defending private sector networks; 3) Expect increased awareness of external threats and less emphasis on insider threats; and 4) Expect greater attention paid to incident response and network forensics, and less on prevention.

All three of those predictions are being fulfilled by the Google v China incident as demonstrated by this Washington Post story by Ellen Nakashima titled Google to enlist NSA to help it ward off cyberattacks:

The world's largest Internet search company and the world's most powerful electronic surveillance organization are teaming up in the name of cybersecurity.

Under an agreement that is still being finalized, the National Security Agency would help Google analyze a major corporate espionage attack that the firm said originated in China and targeted its computer networks, according to cybersecurity experts familiar with the matter. The objective is to better defend Google -- and its users -- from future attack.

Google and the NSA declined to comment on the partnership. But sources with knowledge of the arrangement, speaking on the condition of anonymity, said the alliance is being designed to allow the two organizations to share critical information without violating Google's policies or laws that protect the privacy of Americans' online communications.


I expect to see a lot of protest from people who have knee-jerk reactions to anything associated with NSA. However, the article notes that NSA is trying to help defend Google against advanced persistent threat, which benefits Google's users. As I wrote in Notes from Talk by Michael Hayden:

The agency with the most capability to defend the nation suffers because it is both secret and powerful, two characteristics it needs to be effective. The public and policymakers (rightfully) distrust secret and powerful organizations.

If NSA can change this perception it will help them better defend American national interests.

Rabu, 03 Februari 2010

DNI Blair Leads with APT as a "Wake-Up Call"

AFP is one of the few news outlets that correctly focused on the key aspect of testimony by US Director of National Intelligence Dennis Blair at yesterday's US Senate Select Committee on Intelligence hearing. In his testimony, DNI Blair began his Annual Threat Assessment of the US Intelligence Community with the following. I highlight "began" because this section wasn't buried in the middle of the document. He discussed digital threats right from the start.

The national security of the United States, our economic prosperity, and the daily functioning of our government are dependent on a dynamic public and private information infrastructure... This critical infrastructure is severely threatened.

The recent intrusions reported by Google are a stark reminder of the importance of these cyber assets, and a wake-up call to those who have not taken this problem seriously...

I am here today to stress that, acting independently, neither the US Government nor the private sector can fully control or protect the country’s information infrastructure...

The existing balance in network technology favors malicious actors, and is likely to continue to do so for the foreseeable future. Sensitive information is stolen daily from both government and private sector networks, undermining confidence in our information systems, and in the very information these systems were intended to convey.

We often find persistent, unauthorized, and at times, unattributable presences on exploited networks, the hallmark of an unknown adversary intending to do far more than merely demonstrate skill or mock a vulnerability...

Many have the capabilities to target elements of the US information infrastructure for intelligence collection, intellectual property theft, or disruption...


I'm sure a few readers keyed on the terms "unattributable" and "unknown". Only in the section on China did DNI Blair mention a country that "pose[d] challenges to its neighbors and beyond" with respect to cyber activities. He said:

The PLA’s capabilities and activities in four key areas pose challenges to its neighbors and beyond Taiwan, including China’s military relationships across the developing world; China’s aggressive cyber activities; its development of space and counterspace capabilities; and its expansive definition of its maritime and air space with consequent implications for restricted freedom of navigation for other states...

The other section where "cyber" was mentioned appeared in the International Organized Crime material:

International organized crime (IOC) is threatening US interests by forging alliances with corrupt government officials, undermining competition in key global markets, perpetrating extensive cyber crimes, and expanding their narcotrafficking networks...

International criminal organizations are likely to become more involved in cyber crimes, raising the risk of significant damage to the global financial and trust systems—banking, stock markets, and credit card services—on which the global economy depends.


I highlight the criminal aspect to remind everyone that cyber crime is a real problem that should not be forgotten!

I'm sure there are readers who will dismiss this as "Beltway propaganda," but I think it's important to realize what the nation's top intelligence official -- surely a "grown up" by anyone's standards -- has to say to the Senate about recent digital intrusions.

Selasa, 02 Februari 2010

Traffic Talk 9 Posted

I just noticed that my 9th edition of Traffic Talk, titled Testing Snort with Metasploit, was posted. From the article:

Security and networking service providers are often asked whether their solutions are working as expected. Two years ago, I wrote How to test Snort, which concentrated on reasons for testing and ways to avoid doing poor testing. In this article, prompted by recent discussions among networking professionals, I show how to combine several tools in a scenario where I test Snort with Metasploit.
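
The part of a Snort-versus-Metasploit test that is easy to do badly is the bookkeeping: which modules did I run against which target, and which of the signatures I expected actually fired? The script below is an added example for that step; it is not code from the Traffic Talk article and it does not launch anything. It parses Snort's standard alert_fast output (the one-line-per-alert format), then checks a small test matrix of expected SIDs and targets against what was logged. The alert lines, the SIDs in the 2000000+ local range, the 192.0.2.0/24 test hosts and the module names in the expectation table are all constructed for this example; substitute your own rule SIDs and your lab addresses.

```python
"""Check Snort fast-alert output against the signatures a Metasploit test run
was expected to trigger.  Added example; the sample alert log is constructed."""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Layout of one line from Snort's alert_fast output plugin.  Classification and
# Priority are optional (rules without a classtype omit them), and ICMP alerts
# carry no ports.  IPv4 only, which is enough for a lab test.
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_alerts(text: str, year: int = 2010) -> Tuple[List[Dict], List[str]]:
    """Return (alerts, skipped_lines).  Fast alerts carry no year, so one is supplied."""
    alerts, skipped = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FAST_ALERT.match(line)
        if not m:
            skipped.append(line)  # keep, so a mangled log is noticed, not ignored
            continue
        d = m.groupdict()
        alerts.append({
            "time": datetime.strptime(d["ts"], "%m/%d-%H:%M:%S.%f").replace(year=year),
            "gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
            "msg": d["msg"], "classification": d["cls"],
            "priority": int(d["prio"]) if d["prio"] else None,
            "proto": d["proto"],
            "src": d["src"], "sport": int(d["sport"]) if d["sport"] else None,
            "dst": d["dst"], "dport": int(d["dport"]) if d["dport"] else None,
        })
    return alerts, skipped


def fired(alerts: List[Dict], sid: int, dst: Optional[str] = None,
          dport: Optional[int] = None) -> List[Dict]:
    """Alerts for one SID, optionally narrowed to the target host and port."""
    return [a for a in alerts
            if a["sid"] == sid
            and (dst is None or a["dst"] == dst)
            and (dport is None or a["dport"] == dport)]


def check_expectations(alerts: List[Dict], expected: List[Dict]) -> Dict[str, List[str]]:
    """Split the test matrix into expectations that fired and ones that did not."""
    result: Dict[str, List[str]] = {"hit": [], "missed": []}
    for e in expected:
        key = "hit" if fired(alerts, e["sid"], e.get("dst"), e.get("dport")) else "missed"
        result[key].append(e["name"])
    return result


# Constructed alert log.  Attacker 192.0.2.10, target 192.0.2.20; the reverse
# shell therefore flows from the target back to the attacker.  The last line
# stands in for a truncated entry left by a log rotation.
SAMPLE_ALERTS = """\
02/02-14:03:21.112233  [**] [1:2000001:1] LAB ms08_067 SMB path overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:49152 -> 192.0.2.20:445
02/02-14:03:21.558811  [**] [1:2000002:2] LAB Meterpreter reverse_tcp stage [**] [Priority: 2] {TCP} 192.0.2.20:1034 -> 192.0.2.10:4444
02/02-14:05:02.000104  [**] [1:2000003:1] LAB ICMP oversized echo [**] {ICMP} 192.0.2.10 -> 192.0.2.20
02/02-14:05:0 truncated line left by a log rotation
"""

# Constructed test matrix: which local SID each module run was expected to
# trigger, and where.  The third entry was run but its rule never fired.
EXPECTED = [
    {"name": "exploit/windows/smb/ms08_067_netapi", "sid": 2000001,
     "dst": "192.0.2.20", "dport": 445},
    {"name": "payload windows/meterpreter/reverse_tcp", "sid": 2000002,
     "dst": "192.0.2.10", "dport": 4444},
    {"name": "auxiliary/scanner/http/dir_scanner", "sid": 2000004,
     "dst": "192.0.2.20", "dport": 80},
]

if __name__ == "__main__":
    parsed, bad = parse_fast_alerts(SAMPLE_ALERTS)
    report = check_expectations(parsed, EXPECTED)
    print(f"{len(parsed)} alerts parsed, {len(bad)} lines skipped")
    print("fired: ", report["hit"])
    print("missed:", report["missed"])
```

Two points worth keeping in mind when you use something like this for real: a "hit" only proves the rule matched the traffic your Metasploit module sent, not that it would match the exploit against a different target or payload encoding, and a "missed" entry is the interesting result, because it is either a rule that needs work or a module that never reached the wire (the lab network, not Snort, is often the culprit).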