Friday, 31 August 2007

Wall Street Clowns and Their Models

Recently I cited an Economist article in Economist on the Peril of Models. While walking through the airport this Businessweek cover story, Not So Smart, caught my eye. I found the following excerpts to be interesting: The titans of home loans announced they had perfected software that could spit out interest rates and fee structures for even the least reliable of borrowers. The algorithms, they claimed, couldn't fail... It was the assumptions...

Japan v China

I couldn't make this up. Thanks to SANS Newsbites for catching the article Japan Military Homes, Ship Raided Over Data Leak. The homes of several serving members of Japan's Maritime Self Defense Force (JMSDF) and a destroyer were raided as part of an investigation into a leak of sensitive military data from a computer, Japan's Kyodo News reported Tuesday. Officers from the Kanagawa prefectural police force and the JMSDF's own criminal investigations...

Economist on Models

I intended to stay quiet on risk models for a while, but I read the following Economist articles and wanted to note them here for future reference. From "Statistics and climatology: Gambling on tomorrow": Climate models have lots of parameters that are represented by numbers... The particular range of values chosen for a parameter is an example of a Bayesian prior assumption, since it is derived from actual experience of how the climate behaves — and...

Lessons from the Military

Jay Heiser is a smart guy, but I don't know why he became so anti-military when he wrote Military mindset no longer applicable in our line of work last year. He wrote in part: The business world should stop looking to the defense community for direction on information security. I used to believe that the practice of information security owed a huge debt to the military. I couldn't have been more wrong... The business world doesn't need the defense...

Thursday, 30 August 2007

More Thoughts on FAIR

My post Thoughts on FAIR has attracted some attention, but as is often the case some readers choose to obscure my point by overlaying their own assumptions. In this post I will try to explain my problems with FAIR in as simplistic a manner as possible. Imagine if someone proposed the following model for assessing force: F = ma (Yes, this is Newton's Second Law, and yes, I am using words like "model" and "assess" to reflect the risk assessment modeling...

Tuesday, 28 August 2007

DoD Digital Security Spending

I found the article Is IT security getting short shrift? to be a good reference for other large organizations contemplating digital security spending. In addition to the chart above, this text is illuminating: Despite the growing number of attacks on military networks, securing enough money for information assurance programs is still a hard sell at the Defense Department, former Pentagon officials say. “It’s been the source of enormous frustration,”...

Monday, 27 August 2007

Germany v China

Thanks to the Dark Reading story China's Premier 'Gravely Concerned' by Hack on Germany I learned of recent digital economic espionage conducted by China against Germany. I found the most authoritative reference on the event to be published by the magazine that broke the story, which is currently running an article titled Merkel's China Visit Marred by Hacking Allegations: German Chancellor Angela Merkel was all smiles after meeting Chinese Premier...

Sunday, 26 August 2007

Thoughts on FAIR

You knew I had risk on my mind given my recent post Economist on the Peril of Models. The fact is I just flew to Chicago to teach my last Network Security Operations class, so I took some time to read the Risk Management Insight white paper An Introduction to Factor Analysis of Information Risk (FAIR). I needed to respond to Risk Assessment Is Not Guesswork, so I figured reading the whole FAIR document was a good start. I said in Brothers in Risk...

Economist on the Peril of Models

Anyone who has been watching financial television stations in the US has seen commentary on the state of our markets with respect to subprime mortgages. I'd like to cite the 21 July 2007 issue of the Economist to make a point that resonates with digital security. Both [Bear Stearns] funds had invested heavily in securities backed by subprime mortgages... On July 17th it admitted that there “is effectively no value left” in one of the funds, and “very...

Wednesday, 22 August 2007

Experts: IDS is here to stay

Imagine my surprise when I read Experts: IDS is here to stay: Conventional wisdom once had it that intrusion prevention systems (IPS) would eliminate the need for intrusion defense systems (IDS). But with threats getting worse by the day and IT pros needing every weapon they can find, the IDS is alive and well. "IPS threatened to hurt the IDS market but IDS is better equipped to inspect malware," said Chris Liebert, a security analyst with Boston-based...

Tuesday, 21 August 2007

What Hackers Learn that the Rest of Us Don't

I read a great article in the July/August 2007 IEEE Security and Privacy magazine titled "What Hackers Learn that the Rest of Us Don't" by Sergey Bratus. He contrasts developers and academic programs with what "hackers" do. For example: Developers are under pressure to follow standard solutions, or the path of least resistance to "just making it work." Developers tend to be implicitly trained away from exploring underlying APIs because the extra time investment rarely pays off. Developers often receive a limited view of the API, with few or hardly...

Abe Singer Highlights from USENIX Class

I didn't get to attend Abe Singer's talk Incident Response either, but again I managed to get a copy of his slides. They confirmed what I planned to do with my new company CIRT (fortunately), but I wanted to highlight some elements that I hadn't given much thought until I saw them in Abe's slides. Abe pointed out that it's important to have incident response policies in place prior to an incident. I had always thought in terms of a plan, tools,...

Marcus Ranum Highlights from USENIX Class

Because I was teaching at USENIX Security this month I didn't get to attend Marcus Ranum's tutorial They Really Are Out to Get You: How to Think About Computer Security. I did manage to read a copy of Marcus' slides. Because he is one of my Three Wise Men of digital security, I thought I would share some of my favorite excerpts. Some of the material paraphrases his slides to improve readability here. Marcus asked how can one make decisions when...

Thursday, 16 August 2007

Breach Pain

Several stories involving companies victimized by intruders came to light at the same time. It's important to remember not to blame the victim, like the fool editor at Slashdot implied by writing Contractor Folds After Causing Breaches. The company in question, Verus Inc., didn't "cause breaches" -- it suffered them. Some bad guy stealing data caused the breaches. Read Medical IT Contractor Folds After Breaches at Dark Reading for the details. New details on TJX came to light this week in stories like TJ Maxx Breach Costs Soar by Factor of 10...

Speaking of Bad Guys

I wanted to bring a few threat-oriented stories to your attention if you hadn't seen them. I'm also recording them here because I abhor bookmarks. It's important to remember that we're fighting people, not code. We can take away their sticks but they will find another to beat us senseless. An exploit or malware is a tool; a person is a threat. Dark images like the alley on the right first described in Analog Security is Threat-Centric remind us...

Loving the SSH

I read about GotoSSH.com courtesy of Risk Management Insight. I found a post by the author here, talking about the site being a Ruby on Rails application. terminal23 has a few comments too. How can this possibly be for real? I mean, why isn't it just "givemeallyourpasswords.com"? I would love to see who is using this service. Speaking of SSH, one of my Black Hat students brought an SSH v2-capable man-in-the-middle tool to my attention called...

Change the Plane

Call me militaristic, but I love the History Channel series Dogfights. I hope the Air Force Academy builds an entire class around the series. I just finished watching an episode titled "Gun Kills of Vietnam." The show featured two main engagements. Both demonstrated a concept I described in Fight to Your Strengths. In the first battle two A-1H Skyraiders (prop planes) shot down a MiG-17 (a jet) using their cannons. The Skyraiders survived their...

Tuesday, 14 August 2007

Scanning with Flash

Thanks to Rsnake I learned of a proof of concept for Flash scanning. I had to enable JavaScript and have Adobe Flash installed. I used Firefox within Ubuntu 6.10. In the traffic you can see my host sending the following after finishing the three-way handshake.

09:31:34.348028 IP 192.168.2.8.44235 > 10.1.13.4.21: P 1:24(23) ack 1 win 1460
0x0000: 4500 004b 1f24 4000 4006 41d4 c0a8 0208 E..K.$@.@.A.....
0x0010: 0a01 0d04 accb 0015 f31e fbd2...

Monday, 13 August 2007

Note from Black Hat on ARP Spoofing Malware

During my classes I mentioned seeing a post on malware that performs ARP spoofing to inject malicious IFRAMEs on Web pages returned to anyone browsing the Web on the same segment. I found it -- ARP Cache Poisoning Incident by Neil Carpenter. Thanks to Earl Crane for taking the picture of a few ex-Foundstoners who met after the talk by Keith Jones and Rohyt Bela...

Friday, 10 August 2007

PHP Application Firewall?

I was discussing with Christ1an recently about application firewalls and he actually presented me an application firewall written by pdp and maintained by .mario, which to me is very impressive. I actually looked at the source code and I must say that I don't understand a single shit. However, it was a nice effort from Christ1an and guys devoting their time to develop a PHP application firewall. I am a network guy, I do web audit, but I am not good in coding or programming or source code review. Well, I am still learning, I want Christ1an on my team...

Thursday, 09 August 2007

Reviews on Managing Cybersecurity Resources and Security Metrics Posted

Thanks to my travel to USENIX Security this week I managed to read two great non-technical security books. Amazon.com just posted my four star review of Managing Cybersecurity Resources. From the review: Managing Cybersecurity Resources (MCR) is an excellent book. I devoured it in one sitting on a weather-extended flight from Washington-Dulles to Boston. MCR teaches security professionals how to think properly about making security resource allocation...

Wednesday, 08 August 2007

Cisco IOS 12.3T onwards with Tool Command Language

I was again reading the ioshints blog for Cisco tricks. I must say he is the master of Cisco products and configuration. I was reading about tclsh and I must say it is very handy, as I can write scripts and store them remotely, in NVRAM, or in flash. Well, below are a few links where you can learn the basics of tclsh scripting. http://ioshints.blogspot.com/2007/05/ios-tclsh-resources.html http://ioshints.blogspot.com/2007/08/example-tcl-script-with-command-line.html The Hacka ...

Must-Read Post on Virtualized Switches

While visiting Hoff's blog I saw his post VMware to Open Development of ESX Virtual Switches to Third Parties...Any Guess Who's First?. You must read this. The question I have, as with all new "features," is this: is visibility built in? Will I have access to a "virtual tap"? Can I trust it? We'll s...

Human Weapon

In FISMA Dogfights I mentioned my favorite show on the History Channel is Dogfights. A very close second, if not an equal, is the new series Human Weapon. I don't recall another regular television series devoted exclusively to martial arts. If you wonder why I bother posting about a martial arts show, see my post Fight to Your Strengths. On a related subject, based on other stories in the security blogosphere, I expect to see a martial arts...