Thursday, 31 May 2007

I Have Seen the Future, and It Is Monitored

Today I spoke at the ISS World Spring 2007 conference in Alexandria, VA. ISS stands for Intelligence Support Systems. The speakers, attendees, and vendors are part of or support legal and government agencies that perform Lawful Intercept (LI) and associated monitoring activities. Many attendees appeared to be from county, state, and federal law enforcement agencies (LEAs). Others were wired and wireless service providers who are responsible for fulfilling LI requests. This was a very different crowd. Even when cops attend security conferences...

Interview with Designing BSD Rootkits Author

If you like rootkits and/or FreeBSD try reading this interview with Designing BSD Rootkits author Joseph Kong. This amazes me:

Could you introduce yourself?

Joseph Kong: I am a relatively young (24 years old) self-taught computer enthusiast who enjoys working (or playing, depending on how you look at it) in the field of computer security; specifically, at the low-level...

When did you hear about rootkits for the first time?

Joseph Kong: The first time...

Owning the Platform

At AusCERT last week one of the speakers mentioned the regular autumn spike in malicious traffic from malware-infested student laptops joining the university network. Apparently this university supports the variety of equipment students inevitably bring to school, because they require or at least expect students to possess computing hardware. The university owns the infrastructure, but the students own the platform. This has been the norm at universities for years. A week earlier I attended a different session where the "consumerization" of information...

Electronic Discovery Resources

The Economist recently published Electronic discovery: Of bytes and briefs. To summarize:

As technology changes the way people communicate, the legal system is stumbling to keep up. The “discovery” process, whereby both parties to a lawsuit share relevant documents with each other, used to involve physically handing over a few boxes of papers. But now that most documents are created and stored electronically, it is mostly about retrieving files from computers. This has two important consequences... First, e-discovery is more intrusive than the...

MRAPs Lose to Arms Race

Three weeks ago I wrote about Vulnerability-Centric Security regarding the Mine Resistant Ambush Protected (MRAP) vehicle, the US Army's replacement for the Humvee pictured at left. I consider the MRAP an example of the failures of vulnerability-centric security. This morning USA Today's story MRAPs can't stop newest weapon validates my thoughts:

New military vehicles that are supposed to better protect troops from roadside explosions in Iraq aren't...

Tuesday, 29 May 2007

Review of Inside the Machine Posted

Amazon.com just posted my four star review of Inside the Machine. From the review:

Let me say that I wish I could give this book 4 1/2 stars. It's just shy of 5 stars, but I couldn't place this book alongside some of my favorite 5-star books of all time. Still, I really enjoyed reading Inside the Machine -- it's a great book that will answer many questions for the devoted technical reader.

At the end of the review I mention Scott Mueller's Upgrading and Repairing PCs. In a nice show of synchronicity, the chapter from Scott's book on Microprocessor...

Clueless Consultants

I'm seeing a common "business of security" theme today, following my post The Peril of Speaker-Sponsors. Ira Winkler writes in If You Have to Ask, You Shouldn't Be Asking:

[S]omeone once attended a presentation that I gave on penetration testing, and then contacted me a year later with an e-mail that basically said, “I finally talked a client into letting me perform a pen test. I don’t know what to do, how to do it, what to charge, or any special legal language that should be in the contract.” My response was basically, “You shouldn’t do the work...”

In...

Bejtlich on Sites Collide Podcast

Tyrel McMahan interviewed me at CONFidence for his Sites Collide podcast. It's in QuickTime format. We talk about what smaller businesses should do with regards to monitoring and I discuss ideas from my conference presentation. Thanks to Tyrel for the intervi...

Security Language

Gunnar Peterson's post on the new Common Attack Pattern Enumeration and Classification (CAPEC) project reminded me that MITRE is hosting a ton of these sorts of frameworks. Most of them are listed at measurablesecurity.mitre.org so I intend to refer to that portal from now on. It would be great to see related projects cooperate with MITRE's work. For example, the Web Application Security Consortium "Threat" Classification should be renamed to be an attack classification, consistent with the MITRE CAPEC enumeration. Similarly, it would be nice...

The Peril of Speaker-Sponsors

One of the interesting aspects of being an independent consultant is having other companies think TaoSecurity exists as a mighty corporate entity with plenty of cash to spend. This has exposed me to some of the seedier aspects of corporate life, namely "speaker-sponsorship." Have you ever attended a keynote address, or other talk at a conference, and wondered how such a person could ever have been accepted to speak? There's a good chance that person paid for the slot. Two instances of this come to mind. First, several months ago I was contacted...

Attacker 3.0

Gunnar Peterson mentioned a few terms that, for me, brilliantly describe the problem we face in digital security. To paraphrase Gunnar, the digital world consists of the following:

Security 1.0
Web 2.0
Attacker 3.0

To that might I add the following:

Government -1.0
User 0.5
Application Developer 2.5

What do I mean by all of this?

Government -1.0: in general, hopelessly clueless legislation leads to worse security than without such legislation -- often due to unintended consequences

User 0.5: users are largely unaware and essentially helpless, but I wouldn't...

Prof Starbird Mathematics Courses

I'm a big fan of courses produced by The Teaching Company, so I bet similarly-minded blog readers might also enjoy such courses. My favorite instructor is Prof Michael Starbird. I noticed that three of his four courses are on sale until 14 June:

Change and Motion: Calculus Made Clear
Meaning from Data: Statistics Made Clear
What Are the Chances? Probability Made Clear

When I say "sale" I mean "buy these now or wait another year until they are on sale...

Sunday, 27 May 2007

Brief Thought on FreeBSD X.org Update

Since I do not run X on my FreeBSD servers, and my laptop now runs Ubuntu (heretical but productive, I know), I have not been affected by the update of X.org to 7.2 on FreeBSD. I read Updating Firefox 2 and FreeBSD 6.2 and the response Not everybody will be happy with the X.org upgrade. Basically there's a difference of opinion concerning the appropriateness of radically changing a key addition to the operating system mid-stream, i.e., during the...

Another Anti-Virus Problem, Again

In February I blogged about a vulnerability in a Trend Micro product that exposed systems "protected" by this anti-virus software to remote exploitation. Symantec provides another example that running anti-virus is not cost free: Symantec false positive cripples thousands of Chinese PCs. Now, according to Symantec may compensate Chinese users hit by buggy update, Symantec may pay companies affected by its botched signature update. Trend Micro apparently had a similar problem in 2005, before I was blogging about these dangers; it cost TM $8.2...

Reminder: Time Running Out for Bejtlich at GFIRST

I'll be teaching and speaking at the 2007 GFIRST conference in Orlando, FL in June 2007. This is pro-bono since DHS isn't paying airfare, hotel, meals, or a speaking honorarium. On Monday 25 June 2007 I'll be teaching two half-day tutorials. The first will cover Network Incident Response and the second will cover Network Forensics. On Tuesday 26 June at 1415 I will deliver the talk I gave at Shmoocon -- Traditional IDS Should Be Dead. I spoke at the 2006 and 2005 GFIRST conferences as well. GFIRST still hasn't updated their training page to...

Reminder: Early Registration Ends Soon for Bejtlich at SANSFIRE 2007

I'll be teaching a special one-day course, Enterprise Network Instrumentation, at SANSFIRE 2007 in Washington, DC on 25 July 2007. ENI is a one-day course designed to teach all methods of network traffic access. If you have a network you need to monitor, ENI will teach you what equipment is available (hubs, switch SPAN ports, taps, bypass switches, matrix switches, and so on) and how to use it effectively. Everyone else assumes network instrumentation is a given. ENI teaches the reality and provides practical solutions. Please register while there...

Bejtlich Teaching Network Security Operations in Chicago

I am happy to announce that I will be teaching a three day edition of my Network Security Operations training class in Chicago, IL on 27-29 August 2007. This is a public class, although I will be speaking at the 30 August meeting of the Chicago Electronic Crimes Task Force. Please register here. The early discount applies to registrations before midnight 27 July. ISSA members get an additional discount on top of the early registration discount.

Network Security Operations addresses the following topics:

Network Security Monitoring
NSM theory
Building...

Bejtlich Teaching Network Security Operations in Cincinnati

I am happy to announce that I will be teaching a three day edition of my Network Security Operations training class in Cincinnati, OH on 21-23 August 2007. The Cincinnati ISSA chapter is hosting the class. Please register here. The early discount applies to registrations before 20 July. ISSA members get an additional discount on top of the early registration discount.

Network Security Operations addresses the following topics:

Network Security Monitoring
NSM theory
Building and deploying NSM sensors
Accessing wired and wireless traffic
Full content...

4000 Helpful Votes at Amazon.com

Last week the "Helpful Votes" count for my Amazon.com reviews reached the 4,000 count. I hit 3,000 in January 2006 and 1,500 in December 2003. Since reaching the 3,000 mark I've read and reviewed 55 additional books. Thank you to everyone who votes my reviews "helpful." If you want to see what I have on my shelf and plan to read next, please check out my reading list. If you want to see the books I hope to see soon, please visit my Amazon.com...

Bejtlich Teaching at USENIX Security

USENIX just posted details on USENIX Security 2007, 6-10 August in Boston, MA. I will be teaching TCP/IP Weapons School, Layers 4-7 on 6-7 June. This is a sequel to TCP/IP Weapons School, Layers 2-3 at USENIX Annual 2007 in Santa Clara, CA on 21-22 June and TCP/IP Weapons School, Layers 2-3 at Techno Security 2007 in Myrtle Beach, CA on 6-7 June. The 2 day class I'm teaching at Black Hat on 28-29 and 30-31 July is a condensed version (2 days) of the 4 day series (broken into layers 2-3 and 4-7) for USENIX. I also plan to teach this condensed...

Snort Report 6 Posted

My sixth Snort Report -- Output options for Snort data has been posted. From the introduction:

Output modes are the methods by which Snort reports its findings when run in IDS mode. As discussed in the first Snort Report, Snort can also run in sniffer and packet logger modes. In sniffer mode, Snort writes traffic directly to the console. As a packet logger, Snort writes packets to disk in Libpcap format. This article describes output options for...

Friday, 25 May 2007

Heading Home from Australia

My whirlwind Australia trip is coming to a close. I'll be boarding a flight from Sydney to LAX soon. I'd like to thank Christian Heinrich and John Dale from Secure Agility for hosting me in Sydney and to everyone at AusCERT for helping me with my classes in Gold Coast.

I'd like to briefly record a few thoughts on the AusCERT conference.

Andrea Barisani gave a great talk on the rsync1.it.gentoo.org compromise of December 2003. He emphasized that preventing incidents is nice, but security monitoring and awareness are absolutely critical. I need...

Sunday, 20 May 2007

Latest Plane Reading

I'm on the road again, en route to Gold Coast for AusCERT, followed by a public course on Network Security Monitoring in Sydney on Friday 25 May 2007. There are still seats left -- check it out if you want to attend! Here are a few thoughts on items I read on my flight from IAD to LAX.

The latest Cisco IP Journal article on DNS Infrastructure by Steve Gibbard is awesome. Read it if you really want to understand global DNS in a few pages.

The Hotbots paper Peer-to-Peer Botnets (.pdf) is awesome. I question the use of PerilEyez for forensic work,...

Friday, 18 May 2007

It's Only a Flesh Wound

The slide above is from Gartner analyst Greg Young's 2006 presentation at the Gartner IT Security Summit 2006, Deconfusicating Network Intrusion Prevention (.pdf). "Deconfusicating" appears to be a fake synonym for simplifying. I bet that was supposed to confuse an IDS, but not an IPS. Funny that stopping an attack requires detecting it, but never mind. Someone recently recommended I read this presentation, so I took a look. It's basically a...

Thoughts on Latest CISSP Requirements Change

You all know I am a big fan of the CISSP certification. (If you don't recognize that as sarcasm, please read some old posts.) I wasn't going to comment on the press release (ISC)²® to Increase Requirements for CISSP® Credential to Validate Information Security Expertise, but no one else really has. First, a little history. The last time a requirements change was announced was January 2002, in the press release (ISC)² TO IMPLEMENT NEW CISSP REQUIREMENTS IN 2003. That article stated:

...new requirements for the Certified Information Systems Security...

Database Forensics

Database ninja David Litchfield told me he posted the latest in a series of lengthy articles on investigating Oracle database incidents. Specifically, he asked me to review the newest article on Live Response (.pdf) given my background. I recommend checking out the whole set of articles at Database Security. Speaking of database security, I got a chance to see Alexander Kornbrust of Red-Database-Security GmbH talk about Oracle (in)security at CONFidence 2007. His talk reminded me of comments Thomas Ptacek once made about certain software being...

Page Rank at 4

Hi guys, it's been a really long time since I updated my blog. These days, I am just pure pure busy with ideas flowing around and trying to make my ideas happen. I am actually doing lots of research and reading work and putting bits and pieces together once it is ready. I should be starting to code when I make a return trip back to Dubai from Singapore. Well, I was searching for the page ranking of my blog, and to my surprise, after just 2 months of blogging and commenting, I got a page rank of 4, which makes me so happy. It's like I went from 0 to 4, and now, that's...

Sunday, 13 May 2007

Third of the Three Wise Men

I just listened to my third of the Three Wise Men, Ross Anderson, courtesy of Gary McGraw's Silver Bullet Podcast. This is another must-heed. During the podcast Prof. Anderson mentioned the following:

With respect to secure software development: As tools improve, we continue to "build bigger and better disasters." That echoes a theme in my previous posts.

"If someone is going to call themselves a security engineer, then they have to learn how things...

Second of the Three Wise Men

I just blogged about a new podcast by the first of my Three Wise Men, namely Marcus Ranum. My second of the Three Wise Men for today is Dan Geer. I just noticed his testimony to the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology last month has been published. This is another must-heed collection of smart ideas. Brian Krebs summarized the hearing in his story Nation's Cyber Plan Outdated, Lawmakers Told. Dr. Geer's testimony included this gem:

I urge the Congress to put explaining the past, particularly for the purpose...

RFC 4890: Recommendations for Filtering ICMPv6 Messages in Firewalls

All you fans of mindlessly blocking ICMP traffic are going to be in trouble if you try that strategy with IPv6. Luckily this month RFC 4890: Recommendations for Filtering ICMPv6 Messages in Firewalls was just published. This Informational RFC provides concrete guidance using these categories:

Traffic That Must Not Be Dropped
Traffic That Normally Should Not Be Dropped
Traffic That Will Be Dropped Anyway -- No Special Attention Needed
Traffic for Which a Policy Should Be Defined
Traffic That Should Be Dropped Unless a Good Case Can Be Made

This is...

CONFidence Wrap-Up

This morning I delivered a talk at CONFidence 2007 in Krakow, Poland. I'd like to thank Andrzej Targosz and Jacek Artymiak for being the best hosts I've met at any conference. They got me at the airport, took me to dinner (along with dozens of others), and will take me to the airport (at 0430 no less!) tomorrow. I spent a good amount of time with Anton Chuvakin, Daniel Cid, and Stefano Zanero, which was very cool. I'd like to mention two talks. First, I watched Paweł Pokrywka talk about a neat way to discover layer two LAN topology with crafted...

Thoughts on Rear Guard Security Podcast

I just listened to the first episode of Marcus Ranum's new podcast Rear Guard Security. A previous commenter got it right; it's like listening to an academic lecture. If that gives you a negative impression, I mean Marcus is a good academic lecturer. These are the sorts of lessons you might buy through The Teaching Company, for example. Marcus isn't talking about the latest and greatest m4d sk1llz that 31337 d00ds use to 0wn j00. Instead, he's questioning the very fundamentals of digital security and trying to equip the listener with deep...

LBNL/ICSI Enterprise Tracing Project

Thanks to ronaldo in #snort-gui I learned about the LBNL/ICSI Enterprise Tracing Project. According to the site:

A goal of this project is to characterize internal enterprise traffic recorded at a medium-sized site, and to determine ways in which modern enterprise traffic is similar to wide-area Internet traffic, and ways in which it is quite different.

We have collected packet traces that span more than 100 hours of activity from a total of several...