Friday, 27 October 2006

Response to Daily Dave Thread

I don't subscribe to the Daily Dave (Aitel) mailing list, but I do keep a link to the archives on my interests page. Some of the offensive security world's superstars hang out on that list, so it makes for good reading. The offensive side really made an appearance with yesterday's thread, where Dave's "lots of monkeys staring at a screen....security?" thread says: My feeling is that IDS is 1980's technology and doesn't work anymore. This makes Sourcefire...

Thoughts on Sourcefire IPO

In the spirit of not trying to repeat what everyone else blogs, I'll keep this post on the Sourcefire IPO brief. The must-read post belongs to Mike Rothman -- great work Mike. I'm excited by this development. I'll probably even buy some Sourcefire stock, just so I can attend the shareholders' meeting. I've never owned stock in a friend's company, so this would be novel enough to justify the purchase. However, in the long term I expect Sourcefire to be acquired anyway. I stand by my ideas that all network security functions will collapse to the...

Wednesday, 25 October 2006

Counterpane Bought: Investors Relax

Eighteen months after MCI bought MSSP NetSec, another telecom has bought another MSSP. This time, BT bought Counterpane. I guessed that Counterpane was desperate. At least the investors who poured four rounds of venture capital into Counterpane can realize some sort of return. The announcement concluded with this statement: As at 31 December 2004 the audited gross assets of the business were $6.8m. That doesn't sound very promising. I expect a good amount of reorganization and removal of personnel. BT will want the low-level analysts to stay,...

Tuesday, 24 October 2006

Bejtlich Speaking on Tenable Webinar

Ron Gula of Tenable Security invited me to speak at an upcoming Tenable Webinar. You can register for the event now. It will take place 1000 ET Friday 17 November 2006. We'll talk about network security problems facing the enterprise, my favorite security books and resources, and take questions li...

Sunday, 22 October 2006

Bejtlich Speaking on Insider Threat

I will participate in the DE Communications Inside Job Webinar at 1100 ET on Thursday 9 November 2006. I plan to discuss why traditional externally-focused security techniques and tools are not well suited to deterring, detecting, and removing insider threats. By insider threat I do not mean flawed services on desktops. I mean parties with the capabilities and intentions to exploit vulnerabilities in assets. I guarantee you will hear me say that the "80%" figure is a myth. Even though I am appearing with at least one other speaker (Jerry Shenk),...

Pre-Review of Four Books

Several publishers were kind enough to send me review copies of four new books. The first, which I requested, is Cisco Press' Storage Networking Protocol Fundamentals by James Long. I requested a copy of this book while starting to read a book on securing storage area networks and network attached storage. Basically, the book I was reading is a disaster. I decided this new Cisco Press book looked promising, so I plan to read it first and then turn to the security-specific SAN/NAS book. I'll review the two as a set later. Next is Syngress'...

Thursday, 19 October 2006

Sign Up for Tenable Webinars

I'm not sure if you're aware of these, but Ron Gula of Tenable Security is conducting a series of Webinars on a variety of interesting network security topics. I watched Tuesday's edition on vulnerability management. The Webinars are not a selling vehicle for Tenable products. Instead, Ron explains one or more aspects of the security scene. If you know Ron you recognize he knows network security better than almost anyone out there. The next Webinar is scheduled for today, and all are fr...

Tuesday, 17 October 2006

Bloom's Hierarchy for Digital Security Learning

Twenty years ago, when some of my readers were busy being born, I was a high school freshman. My favorite instructor, Don Stavely, taught history. One of the educational devices he used was Bloom et al.'s Taxonomy of the Cognitive Domain, pictured at left. This hierarchy, which travels from bottom to top, is a way to describe a student's level of understanding of a given subject. These descriptions from Purdue are helpful: Knowledge entails the...

Thoughts on Gates Security Memo

While reading Gary McGraw's great book Software Security, I had a chance to re-read the famous Bill Gates security memo of January 2002. I wasn't blogging back then, so I didn't record my reaction to it. Almost five years later, the following excerpt struck me: [E]ven more important than any of these new capabilities is the fact that it is designed from the ground up to deliver Trustworthy Computing. What I mean by this is that customers will always...

Enterprise Rights Management

The October 2006 Information Security Magazine features a great story titled Safe Exchanges. It discusses software it calls "enterprise rights management" (ERM): Enterprise rights management is technology that allows corporations to continuously control and protect documents, email and other corporate content through the use of encryption and security policies that determine access rights. I found this case study compelling: Fenwick & West was an early adopter, choosing ERM software by startup SealedMedia, a company recently acquired by Stellent. Kesner...

Monday, 16 October 2006

Extrusion Detection Sightings

I've noticed the term extrusion detection appearing more frequently, usually tied to the latest buzzphrase -- "insider threat." The GSA-loving magazine Federal Computer Week recently mentioned the following: Emerging tools known as extrusion-detection systems are helping government agencies and private companies detect whether sensitive information is leaving their organizations... "Our goal is to monitor traffic from the inside going out," said...

Wednesday, 11 October 2006

More Reasons to Discuss Threats

The word "threat" is popular. What used to be Bleeding Edge Snort is now Bleeding Edge Threats. It's a great site but I think it should have avoided using the term "threat." I think "Bleeding Edge Security" would have been better, but apparently that's not cool enough? I noticed the OWASP is trying to define various security terms as well. (Because OWASP means Open Web Application Security Project, I didn't say "OWASP project." Those who say "ATM machine," "NIC card," and "CAC card," please take note.) OWASP has Wiki pages for attack, vulnerability,...

Tuesday, 10 October 2006

Pre-Review: Programming Python, 3rd Ed

I'd like to thank the fine folks at O'Reilly for sending me a review copy of Programming Python, 3rd Ed. I've added this book to my other set of programming books waiting to be read. I'll probably start with several titles from Apress, namely Beginning Python, Dive Into Python, and then end the Apress titles with Foundations of Python Network Programming, since network programming is my main interest. I'll use O'Reilly's Programming Python, 3rd...

Monday, 09 October 2006

Reviews of Digital Forensics Books Posted

Amazon.com just posted three new reviews on digital forensics books. The first is File System Forensic Analysis by Brian Carrier. Here is a link to the five star review. The second is Windows Forensics by Chad Steel. Here is a link to the four star review. The third is EnCase Computer Forensics by Steve Bunting and William Wei. Here is a link to the three star review. All three reviews share the same introduction. I decided to read and review three...

Sunday, 08 October 2006

Government Contracting Lists from FCW

As a consultant near the Beltway, I find it helps to understand the competition and potential partners. I found the following lists to be helpful. They appeared in the 4 Sep 06 print issue of FCW.
Top 74 systems integrators
Top 140 Schedule 70 contracts
Top 25 government IT contractors
Top 100 small federal vendors in fiscal 2006
Top 25 8(a) companies and Top 25 women-owned compan...

Saturday, 07 October 2006

Security Is Not Refrigeration

Analogies are not the best way to make an argument, but they help when debating abstract concepts like "virtual trust". Consider the refrigerated train car at left. Refrigeration is definitely a "business enabler." Without refrigeration, food producers on the west coast couldn't sell their goods to consumers on the east coast. Refrigeration opened new markets and keeps them open. However, refrigeration is not the business. Refrigeration is a means to an end -- namely selling food to hungry people. Refrigeration does not generate value; growing...

Thoughts from IATF Meeting

I try to attend meetings of the Information Assurance Technical Forum once a year. I last visited in 2003 and 2005. The following are some thoughts from the meeting I attended two weeks ago. They are not an attempt to authoritatively summarize or describe years of net-centric thought and work by the US Department of Defense. These are just a few thoughts based on the presentations I saw in an unclassified environment. Prior to seeing this diagram...

Thursday, 05 October 2006

Review of Web Application Security Books Posted

Amazon.com just posted my two reviews on books about Web application security. The first is Hacking Exposed: Web Applications, 2nd Edition by Joel Scambray, Mike Shema, and Caleb Sima. Here is a link to the five star review. The second is Professional Pen Testing for Web Applications by Andres Andreu. Here is a link to the four star review. Both reviews share the same introduction. I recently received copies of Hacking Exposed: Web Applications,...

Wednesday, 04 October 2006

Notes on Net Optics Think Tank

Last week I attended and spoke at the latest Net Optics Think Tank. I've presented for Net Optics twice before, but this was the first event held in northern Virginia. The first half of the event consisted of two briefings. The first discussed tap technology. This was supposed to be a basic introduction but I learned quite a bit, especially with regards to fiber optics. Specifically, I learned of some cases where customers reverse cables when...

Tell Intel What You Think

This Undeadly.org thread clued me in to the problems OpenBSD is having getting documentation and firmware redistribution rights for Intel wireless NICs. Theo's letter is not what I would want an Intel decision-maker to read. However, Kenneth J Hendrickson's comment is exactly what I used as a template for an email to Intel's point of contact on this matter -- majid [dot] awad [at] intel [dot] com. As a FreeBSD user, I recognize that drivers for Linux...

Thoughts on Virtual Trust

I've said before that there is no return on security investment (ROSI). This argument appears to have morphed again in the form of a paper titled Creating Business Through Virtual Trust. A Technorati search will show you other comments on this idea. These are mine. First, I agree with others who say "virtual trust" should not be "virtual" -- it's either "trust" or it's not. That's not a major point though. Second, the thesis for the paper appears to be the following, as shown in the abstract. Business is concerned with the creation of new entities...

Visit to Symantec Security Ops Center

Last week I was invited to visit the Symantec Security Operations Center (SOC) in Alexandria, VA. I had been there twice before, before they acquired Riptech and after. Jonah Paransky, Director of Product Management for MSS, answered many of my technical and business questions. On this trip I learned that Symantec operates two 24x7x365 SOCs (in the USA and the UK), along with one in Europe, one in Japan, and other support centers. They do not collect...

Chapter 3 from Extrusion Online

In addition to Chapter 18 from Tao, I noticed Chapter 3 from my third book, Extrusion Detection: Security Monitoring for Internal Intrusions is also online at SearchSecurityChannel.com. This book has been getting some attention because it starts with the premise that your internal network is compromised. Given that assumption, how do you detect, contain, and eradicate intruders on your network? The model applies well to insider and outsider threats. I...

Bejtlich in Australia in May 2007

I mentioned earlier that I was invited to speak at the AusCERT Asia Pacific Information Technology Security Conference in Gold Coast, Australia. The conference takes place Sunday 20 May - Friday 25 May 2007. I accepted the invitation, and I will probably deliver a short presentation and a longer (half-day or day-long) tutorial. After AusCERT, I plan to teach one or two-day classes in Brisbane and/or Sydney. I will probably teach condensed versions of my training classes Network Security Operations and TCP/IP Weapons School. As I develop the...

Chapter 18 from Tao Online

With the launch of the new SearchSecurityChannel.com site, I can report that chapter 18 of my first book, The Tao of Network Security Monitoring: Beyond Intrusion Detection is now available online. Chapter 18 is "Tactics for Attacking Network Security Monitoring." It outlines technical means by which attackers may degrade or deny operations to detect and respond to intrusions. Keep an eye on SearchSecurityChannel.com. I am working with the editor on a plan...

Recovering from Bad FreeBSD Packages

Recently I've encountered problems with some of the packages built by the FreeBSD team. In the case I described earlier, libtclx8.4.so and libmysqltcl.so.3 were somehow damaged in the .tbz packages I installed on one of my systems. I recovered by using good copies from another system. Yesterday I ran into the following error after I upgraded my packages.
orr:/home/richard$ firefox
/libexec/ld-elf.so.1: /usr/local/lib/libplds4.so.1: Undefined symbol...
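A damaged library inside an installed package is exactly what FreeBSD's pkg_info -g catches, by comparing each installed file against the checksum recorded at install time (pkg_info -W /usr/local/lib/libplds4.so.1 then names the package to reinstall). The following POSIX shell functions, added here as an illustration and not code from the original post, perform the same record-and-verify check over a constructed fake package so they run offline on any system. The "crc size path" manifest format (the output of cksum) and the temporary directory layout are assumptions of this example; pkg_install itself keeps MD5 sums in the package's +CONTENTS file.

```shell
#!/bin/sh
# Added example, not from the original post. Records checksums for the files of
# an installed package and later verifies them, the check pkg_info -g performs.
# Uses POSIX cksum so it runs anywhere; the "crc size path" manifest format is an
# assumption of this example, as is the rule that paths contain no whitespace.

# record_manifest DIR MANIFEST: checksum every regular file under DIR.
# MANIFEST must live outside DIR, otherwise it would end up checksumming itself.
record_manifest() {
    find "$1" -type f -exec cksum {} + | sort -k3 > "$2"
}

# verify_manifest MANIFEST: print one line per file that is missing or whose
# checksum or size differs from the record. Returns 0 if everything matches,
# 1 otherwise, so a caller can decide to reinstall the owning package.
verify_manifest() {
    manifest=$1
    bad=0
    while read -r crc size path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            bad=1
            continue
        fi
        set -- $(cksum "$path")        # now $1 = current crc, $2 = current size
        if [ "$1" != "$crc" ] || [ "$2" != "$size" ]; then
            echo "CHANGED  $path (recorded $crc/$size, now $1/$2)"
            bad=1
        fi
    done < "$manifest"
    return $bad
}

# Constructed demonstration: a fake package whose shared library gets damaged
# after the manifest was recorded, the situation described in the post.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/lib"
    printf 'good library bytes\n' > "$tmp/lib/libplds4.so.1"
    printf 'another library\n'    > "$tmp/lib/libtclx8.4.so"
    record_manifest "$tmp/lib" "$tmp/MANIFEST"
    verify_manifest "$tmp/MANIFEST" && echo "all files match the record"
    printf 'truncated\n' > "$tmp/lib/libplds4.so.1"      # simulate the damaged .tbz
    verify_manifest "$tmp/MANIFEST" || echo "reinstall the package that owns the file"
    rm -rf "$tmp"
}

demo
```

The size check alone would not have caught a same-length corruption, which is why the CRC (or, in pkg_install's case, the MD5) is the part that matters; on a live system the equivalent is simply pkg_info -g followed by pkg_info -W on any file reported as changed.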

Tuesday, 03 October 2006

FreeBSD Update with IPv6

Is it possible to use FreeBSD Update with a host running FreeBSD in an IPv6-only scenario? It's not acceptable to leave it unpatched. The system in question is also extremely slow (P200, 32 MB RAM), so building via CVS is not a good option. Maybe FreeBSD Update is hosted on an IPv6 dual-stack system?
p200:/root# freebsd-update fetch
Fetching updates signature...
fetch: http://update.daemonology.net/i386/6.1/updates.sig: Network is unreachable
Shoot....

Essential FreeBSD Ports

In the spirit of documenting my FreeBSD system administration practices, I thought I would mention the FreeBSD ports I install on every system -- regardless of function. In the future you may see some of these migrate into the base installation, as is happening with Portsnap. Others are well-established but have stayed out of the base system for various reasons.
security/freebsd-update: described here as a tool to update a GENERIC kernel and userland,...

Installing Screen Port with Remote FreeBSD Ports Tree

I don't like to keep ports trees on all of my FreeBSD systems. I prefer to install packages whenever possible. Upgrading those packages requires the ports tree, however. To use Portupgrade I NFS mount /usr/ports from a single system that keeps an up-to-date ports tree. The major problem with this plan involves the sysutils/screen port. No package is created, and you can't build one yourself.
poweredge:/usr/ports/sysutils/screen# make package
===>...