Tuesday, 24 June 2008

Pascal Meunier Is Right About Virtualization

I love Pascal Meunier's post Virtualization Is Successful Because Operating Systems Are Weak: It occurred to me that virtual machine monitors (VMMs) provide similar functionality to that of operating systems... What it looks like is that we have sinking boats, so we’re putting them inside a bigger, more powerful boat, virtualization... I’m now not convinced that a virtualization solution + guest OS is significantly more secure or functional than just...

Saturday, 14 June 2008

Verizon Study Continues to Demolish Myths

I just read Patching Conundrum by Verizon's Russ Cooper. Wow, keep going guys. As before, I recommend reading the whole post. Below are my favorite excerpts: Our data shows that in only 18% of cases in the hacking category (see Figure 11) did the attack have anything to do with a “patchable” vulnerability. Further analysis in the study (Figure 12) showed that 90% of those attacks would have been prevented had patches been applied that were six...

Friday, 13 June 2008

Logging Web Traffic with Httpry

I don't need to tell anyone that a lot of interesting command-and-control traffic is sailing through our Web proxies right now. I encourage decent logging for anyone using Web proxies. Below are three example entries from a Squid access.log. This is "squid" format with entries for user-agent and referer tacked to the end. Incidentally, here is a diff of my Squid configuration that shows how I set up Squid.
r200a# diff /usr/local/etc/squid/squid.conf...

Thursday, 12 June 2008

Sourcefire Best of Open Source Security Conference

Sourcefire is sponsoring a Best of Open Source Security (BOSS) conference 8-10 February in Las Vegas, NV, with the main activities happening on 9-10 February. Sourcefire is holding the event simultaneously with their annual users conference. I am on the committee evaluating speakers so I look forward to seeing what people want to prese...

Wednesday, 11 June 2008

Verizon Business Report Speaks Volumes

This morning I attended a call discussing the new Verizon Business 2008 Data Breach Investigations Report. I'd like to quote the linked blog post and a previous article titled I Was an Anti-MSS Zealot, both of which I recommend reading in their entirety. First I cite some background on the study. Verizon Business began an initiative in 2007 to identify a comprehensive set of metrics to record during each data compromise investigation. As a result...

House of Representatives v China

Thanks to one of my colleagues for pointing out Lawmaker says Chinese hacked Capitol computers:
By PETE YOST and LARA JAKES JORDAN – 3 hours ago
WASHINGTON (AP) — A congressman said Wednesday the FBI has found that four of his government computers have been hacked by sources working out of China. Rep. Frank Wolf, a Virginia Republican, said that similar incidents — also originating from China — have taken place on computers of other members of the House...

Monday, 09 June 2008

Publicity: BSD Associate Examinations

I was asked to mention that the following BSD Associate examinations will take place at three events:
RMLL: Mont-de-Marsan, France, Jul 02, 2008
OpenKyiv 2008: Kiev, Ukraine, Aug 02, 2008
LinuxWorld: San Francisco, CA, Aug 06-07, 2008
From the BSDA description: The BSDA certification is designed to be an entry-level certification on BSD Unix systems administration. Testing candidates with a general Unix background, but less than six months of...

Sunday, 08 June 2008

The Best Single Day Class Ever

I had the great fortune to attend Edward Tufte's one day class Presenting Data and Information. I only knew Tufte from advertisements in the Economist. For example, the image at left was frequently used as an ad in the print magazine. I had not read any of his books although I knew of his criticism of PowerPoint, specifically with respect to the Challenger disaster. This was the best one day class I have ever taken. It profoundly altered the way...

Saturday, 07 June 2008

NoVA Sec Meeting Memory Analysis Notes

On 24 April we were lucky to have Aaron Walters of Volatile Systems speak to our NoVA Sec group on memory analysis. I just found my notes so I'd like to post a few thoughts. There is no way I can summarize his talk. I recommend seeing him the next time he speaks at a conference. Aaron noted that the PyFlag forensics suite has integrated the Volatility Framework for memory analysis. Aaron also mentioned FATkit and VADtools. In addition to Aaron...

Recycling Security Technology

Remember when IDS was supposed to be dead? I thought it was funny to see the very same inspection technologies that concentrated on inbound traffic suddenly turned around to watch outbound traffic. Never mind that the so-called "IPS" that rendered the "IDS" dead used the same technology. Now, thanks to VMware VMsafe APIs, vendors looking for something else to do with their packet inspection code can watch traffic between VMs, as reported by the...

Intel Premier IT Magazine on "War Gaming"

Intel Premier IT Magazine published an article titled Wargaming: How Intel Creates a Company-Wide Security Force. (Access granted after registration with whatever you want to input.) What Intel calls "war gaming" sounds like three activities. For reference, I differentiated between Threat and Attack Models last year.
Threat Modeling: Identifying parties with the capabilities and intentions to exploit a vulnerability in an asset
Attack Modeling: Identifying...

Review of Nmap in the Enterprise Posted

Amazon.com just published my 3 star review of Nmap in the Enterprise by Angela Orebaugh and Becky Pinkard. From the review: Initially I hoped Nmap in the Enterprise (NITE) would live up to its title. I was excited to see "Automate Tasks with the Nmap Scripting Engine (NSE)" on the cover, in addition to the "Enterprise" focus. It turns out that beyond a few command line options of which I was not previously aware, and some good info on interpreting...

Review of No Tech Hacking Posted

Amazon.com just posted my 4 star review of No Tech Hacking by Johnny Long. From the review: No Tech Hacking (NTH) again demonstrates that the fewer the number of authors a Syngress book advertises, the better the book. With security star Johnny Long as the main author, the book adds a section in Ch 5 (Social Engineering) by Techno Security organizer Jack Wiles. The "special contributors" no doubt worked with Johnny to answer his questions, but it's...

Review of Botnets Posted

Amazon.com just posted my 2 star review of Botnets by Craig Schiller, et al. From the review: I am wary of Syngress books that consist of a collection of contributions. The quality of the books usually decreases as the number of authors increases. Botnets is no exception, unfortunately. You will probably enjoy chapters by Gadi Evron (Ch 3, Alternative Botnet C&Cs) and Carsten Willems (Ch 10, Using Sandbox Tools for Botnets). I was initially interested...

Review of Building a Server with FreeBSD 7

If you look at the reviews of Building a Server with FreeBSD 7 by Bryan Hong, you'll see my review for the self-published Building an Internet Server With FreeBSD 6 Posted, which I gave 4 out of 5 stars. No Starch took the first edition, worked with the author, and published this new book using FreeBSD 7.0 as the base OS. If I could post a new review at Amazon.com, I would also give this book 4 out of 5 stars. I think BASWF7 is an excellent companion...

Friday, 06 June 2008

FX on Cisco IOS Rootkits

I saw FX speak on Cisco IOS forensics at Black Hat DC 2008. I just got a chance to read his excellent post On IOS Rootkits. I was impressed to read FX's pointer to his company's Cisco Incident Response - CIR Online Service, with a specific report run on Sebastian 'topo' Muniz's IOS rootkit. Also, consider this from FX's post: Now that some people actually talk about IOS rootkits, interesting tidbits show up. One person asked me if we have tested...

Thursday, 05 June 2008

A Clueful Interview

If you have ten minutes and want to be genuinely more informed when it's over, read Federico Biancuzzi's excellent interview of Nate Lawson titled Racing Against Reversers. I found this comment interesting:
Q: It sounds as if security through obscurity has some admirers among the DRM designers. What is the role of "secrets" in a DRM system?
A: In software protection, obscurity is everything. You're ultimately depending on the attacker to not be able...

Wednesday, 04 June 2008

NSM vs Encrypted Traffic Revisited

My last post What Would Galileo Think was originally the first part of this post, but I decided to let it stand on its own. This post is now a follow-on to NSM vs Encrypted Traffic, Plus Virtualization and Snort Report 16 Posted. I received several questions, which I thought deserved a new post. I'm going to answer the first with Galileo in mind.
LonerVamp asked: So can I infer that you would prefer to MITM encrypted channels where you can, so to...

What Would Galileo Think

I love history. Studying the past constantly reminds me that we are not any smarter than our predecessors, although we have more knowledge available. The challenge of history is to apply its lessons to modern problems in time to positively impact those problems. I offer this post in response to some of the reporting from the Gartner Security Summit 2008, where pearls of wisdom like the following appear: What if your network could proactively adapt...

Phone Book Full Disclosure

The following story is all over the local media. From the Hagerstown (MD) Herald-Mail, which broke the story: A mistake by Verizon that led to the printing of about 12,500 unlisted or nonpublished telephone numbers and corresponding addresses in a telephone book has prompted fear and anger in some of those affected... In March, Verizon inadvertently sold the numbers to Ogden Directory Inc. for publication in the phone book... The phone books were in...

Tuesday, 03 June 2008

Old School Layer 2 Hacking

When I designed my TCP/IP Weapons School class my intent was to teach TCP/IP at an advanced level using traffic generated by security tools. I thought the standard approach of showing all normal traffic was boring. Sometimes students (or those on the sidelines) wonder why I should bother teaching a technique like ARP spoofing at all, when layer 7 attacks are what the cool kids are doing these days. One answer is below.
Ref: Sunbelt Blog
How could...

Sunday, 01 June 2008

Snort Report 16 Posted

My 16th Snort Report titled When Snort Is Not Enough has been posted. From the article: [I]t's important to understand how a network intrusion detection system (IDS) like Snort and techniques based upon its use fit into a holistic detection and response operation. Placing Snort within an entire security program is too broad a topic to cover in this Snort Report. Rather, let's consider when a tool like Snort is independently helpful and when you should...