Wednesday, 30 July 2008

Snort Report 17 Posted

My 17th Snort Report titled How to find new features in Snort 2.8.2 has been posted. It was delayed in production for a while but it still applies to Snort 2.8.2.1. From the article: Service provider takeaway: Service providers will learn about new features in Snort 2.8.2 that they can deploy at customer sites. The last time we looked at new Snort options occurred with Snort 2.8.0, released in late September 2007. Since then, Snort 2.8.0.1, 2.8.0.2...

Tuesday, 29 July 2008

Counterintelligence: Worse than Security?

As a former Air Force intelligence officer, I'm very interested in counterintelligence. I've written about counterintelligence and the cyber-threat before. I'm reading a book about counterintelligence failures, and the following occurred to me. It is seldom in the self-interest of any single individual, department, or agency to identify homegrown spies. In other words, hardly anyone in the CIA wants to find a Russian spy working at Langley. ...

Security Operations: Do You CAER?

Security operations can be reduced to four main tasks. A mature security operation performs all four tasks proactively. Collection is the process of acquiring the evidence necessary to identify activity of interest. Analysis is the process of investigating evidence to identify suspicious and malicious activity that could qualify as incidents. Escalation is the process of reporting incidents to responsible parties. Resolution is the process of handling...

Monday, 28 July 2008

Notes for Black Hat Students

The following is directed at students of my TCP/IP Weapons School (TWS) at Black Hat USA 2008 on 2-3 and 4-5 August 2008, at Caesars Palace, Las Vegas, NV. Please disregard otherwise. TWS is an advanced network traffic analysis class. We expect students to have some experience looking at network traffic using tools like Wireshark. We also expect students to have some experience working in Unix-like operating systems. We want you to get the most...

Saturday, 26 July 2008

Review of The New School of Information Security Posted

Amazon.com just published my four star review of The New School of Information Security by Adam Shostack and Andrew Stewart. From the review: If you don't "get" Allan Schiffman's 2004 phrase "amateurs study cryptography; professionals study economics," if you don't know who Prof. Ross Anderson is, and if you think anti-virus and a firewall are required simply because they are "best practices," you need to read The New School of Information Security...

Review of Nmap Network Scanning

Recently Fyodor sent me a pre-publication review copy of his new self-published book Nmap Network Scanning (NNS). I had heard of Fyodor's book when I wrote my review of Nmap in the Enterprise last month, but I wasn't consciously considering what could be in Fyodor's version compared to the Syngress title. Although the copy I read was labelled "Pre-Release Beta Version," I was very impressed by this book. In short, if you are looking for the book...

Dark Visitor Podcast: Real "Truth About Chinese Hackers"

I just listened to the first edition of the Dark Visitor Podcast. You may remember my February post titled Review of The Dark Visitor, where I discussed a book by The Dark Visitor Blog author Scott Henderson. In the podcast, fellow blogger Jumper speaks with Henderson (aka "Heike" on the blog) about various issues related to Chinese hackers. The pair make it clear that they base their posts on "open sources," meaning information available...

Friday, 25 July 2008

DNS and the Cyber TARDIS Problem

It's been 16 days since I responded to public notification of DNS problems in Thoughts on Latest Kaminsky DNS Issue, and 4 days since Halvar Flake's post On Dan's request for "no speculation please". Apparently the tubes are still working, since I presume you're reading this post via the Internet and not carrier pigeon. It's still been a remarkable period, characterized by the acronym in the title of this post. I'm not referring to the TARDIS...

Saturday, 19 July 2008

What Should Dan Have Done?

I answered a question on the Daily Dave mailing list, so now a few of you are asking "what should Dan have done?" about his DNS discovery. Keeping in mind my thoughts on keeping vulnerabilities in perspective, I have the following suggestions. Black Hat and/or Def Con should not be the place where "all is revealed." The gravity of the situation (such as it might be) is nullified by what will undoubtedly be a circus. Disclosure of additional details...

Friday, 18 July 2008

Vulnerabilities in Perspective

It's been nine days since Dan Kaminsky publicized his DNS discovery. Since then, we've seen a Blackberry vulnerability which can be exploited by a malicious .pdf, a Linux kernel flaw which can be remotely exploited to gain root access, Kris Kaspersky promising to present Remote Code Execution Through Intel CPU Bugs this fall, and David Litchfield reporting "a flaw that, when exploited, allows an unauthenticated attacker on the Internet to gain...

Friday, 11 July 2008

Packet Anonymization with PktAnon

I noticed a new tool on Packetstorm recently: PktAnon by Christoph P. Mayer, Thomas Gamer, and Dr. Marcus Schöller. This tool seems powerful because you can apply a variety of anonymization policies based on settings you apply in an XML configuration file. It was easy to install the tool on Debian 4.0:

tws:~# cd /usr/local/src
tws:/usr/local/src# wget http://www.tm.uka.de/pktanon/download/pktanon-1.2.0-dev ...

Robert Graham on TurboCap

I liked Robert Graham's post on CACE Technologies TurboCap. I don't necessarily think TurboCap is that exciting, but I learned a lot of tricks reading Robert's explanation of how to collect packets quickly for traffic inspection purposes. I've discussed some of them, like device polling on FreeBSD. By the way, don't forget to upgrade to Wireshark 1.0...

Hint of Visibility in the Cloud

Visibility in the cloud is one of my concerns these days. When someone else hosts and processes your data, how can you tell if it is "secure?" I found Robert Graham's post Gmail now shows IP address log to be very interesting. Robert explains how Gmail using HTTPS doesn't always use HTTPS (which is old news, as he says), but monitoring (of a sort) is now available to determine if someone else is using your account. According to the Gmail blog,...

Proposed Air Force Cyber Badge

The Air Force published New cyberspace career fields, training paths, badge proposed earlier this month. I found the proposed cyber badge to be interesting. From the story: The badge features: lightning bolts to signify the cyberspace domain; center bolts taken from the navigator badge and the Air Force Seal to signify cyberspace's worldwide power and reach and its common lineage and history of electronic warfare officers; and orbits to signify...

Wednesday, 09 July 2008

Thoughts on Latest Kaminsky DNS Issue

It seems Dan Kaminsky has discovered a more effective way to poison the DNS cache of vulnerable name servers. This is not a new problem, but Dan's technique apparently makes it easier to accomplish. One problem is we do not know exactly what Dan's technique is. He is saving the details for Black Hat. Instead of publishing the vulnerability details and the patches simultaneously, Dan is just notifying the world a problem exists while announcing...

Sunday, 06 July 2008

Reviews of FreeBSD Books Posted

Amazon.com just published my four star review of BSD UNIX Toolbox: 1000+ Commands for FreeBSD, OpenBSD and NetBSD by Christopher Negus and Francois Caen. From the review: BSD Unix Toolbox (BUT) is a straightforward system administration book that could apply to many Unix-like operating systems. The title mentions "BSD" but the BSD-specific material is FreeBSD-oriented. The non-FreeBSD sections (such as using a shell) could apply to any Unix-like...

Saturday, 05 July 2008

Air Force Cyber Panel

Last month I participated in a panel hosted by the US Air Force. One of my co-panelists, Jim Stogdill, summarized some of the event in his recent post Sharing vs. Protecting, Generativity on DoD Networks. I'd like to add the following thoughts. Before the event most of the panelists met for breakfast. One of the subjects we discussed was the so-called "People's Army" China uses for conducting cyber operations. You can read about this phenomenon...

Making Decisions Using Randomized Evaluations

I really liked this article from a recent Economist: Economics focus: Control freaks; Are “randomised evaluations” a better way of doing aid and development policy?: Laboratory scientists peer into microscopes to observe the behaviour of bugs. Epidemiologists track sickness in populations. Drug-company researchers run clinical trials. Economists have traditionally had a smaller toolkit. When studying growth, they put individual countries under the...

Friday, 04 July 2008

Green Security

You all know how environmentally conscious I am. Actually, I don't consider myself to be all that "green," aside from the environmental science merit badge I earned as a Scout. However, working for a global company (and especially the Air Force, in a prior life) reinforces one of my personal tenets: move data, not people. In other words, I look for ways to acquire security data remotely, and move it to me. I'd rather not fly to a location where...