Saturday, 28 February 2009

Using Responsible Person Records for Asset Management

Today while spending some time at the book store with my family, I decided to peruse a copy of Craig Hunt's TCP/IP Network Administration. It covers BIND software for DNS. I've been thinking about my post Asset Management Assistance via Custom DNS Records. In the book I noticed the following: "Responsible Person" record? That sounds perfect. I found RFC 1183 from 1990 introduced these. I decided to try setting up these records on a VM running FreeBSD...

Sample Lab from TCP/IP Weapons School 2.0 Posted

Several of you have asked me to explain the difference between TCP/IP Weapons School (TWS), which I first taught at USENIX Security 2006, and TCP/IP Weapons School 2.0 (TWS2), which I first taught at Black Hat DC 2009 Training last week. This post will explain the differences, with an added bonus. I have retired TWS, the class I taught from 2006-2008. I am only teaching TWS2 for the foreseeable future. TWS2 is a completely brand-new class. I did...

Friday, 27 February 2009

Inputs vs Outputs, or Why Controls Are Not Sufficient

I have a feeling my post Consensus Audit Guidelines Are Still Controls is not going to be popular in certain circles. While tidying the house this evening I came across my 2007 edition of the Economist's Pocket World in Figures. Flipping through the pages I found many examples of inputs (think "control-compliant") vs outputs (think "field-assessed"). I'd like to share some of them with you in an attempt to better communicate the ideas my last...

Consensus Audit Guidelines Are Still Controls

Blog readers know that I think FISMA Is a Joke, FISMA Is a Jobs Program, and if you fought FISMA Dogfights you would always die in a burning pile of aerial debris. Now we have the Consensus Audit Guidelines (CAG) published by SANS. You can ask two questions: 1) is this what we need? and 2) is it at least a step in the right direction? Answering the first question is easy. You can look at the graphic I posted to see that CAG is largely another set...

Wednesday, 25 February 2009

Asset Management Assistance via Custom DNS Records

In my post Black Hat DC 2009 Wrap-Up, Day 2 I mentioned enjoying Dan Kaminsky's talk. His thoughts on the scalability of DNS made an impression on me. I thought about the way the Team Cymru Malware Hash Registry returns custom DNS responses for malware researchers, for example. In this post I am interested in knowing if any blog readers have encountered problems similar to the ones I will describe next, and if yes, did you / could you use DNS to help mitigate it? When conducting security operations to detect and respond to incidents, my team...

Tuesday, 24 February 2009

HD Moore on the Necessity of Disclosure

HD Moore posted a great defense of full disclosure in his article The Best Defense is Information on the latest Adobe vulnerability. The strongest case for information disclosure is when the benefit of releasing the information outweighs the possible risks. In this case, like many others, the bad guys already won. Exploits are already being used in the wild and the fact that the rest of the world is just now taking notice doesn't mean that these...

Buck Surdu and Greg Conti Ask "Is It Time for a Cyberwarfare Branch?"

The latest issue of the Information Assurance Technology Analysis Center's IANewsletter features "Army, Navy, Air Force, and Cyber -- Is It Time for a Cyberwarfare Branch of [the] Military?" by COL John "Buck" Surdu and LTC Gregory Conti. I found these excerpts enlightening. The Army, Navy, and Air Force all maintain cyberwarfare components, but these organizations exist as ill-fitting appendages that attempt to operate in inhospitable cultures where...

Monday, 23 February 2009

More Information on CNCI

In response to my post Black Hat DC 2009 Wrap Up, Day 1, a commenter shared a link to a Fairfax Chamber of Commerce briefing by Boeing on the Comprehensive National Cybersecurity Initiative (CNCI) that I last mentioned in FCW on Comprehensive National Cybersecurity Initiative. I've extracted a few slides below to highlight several points. The first slide I share shows abbreviated definitions for Computer Network Defense, Computer Network Exploitation,...

VirtualBSD: FreeBSD 7.1 Desktop in a VM

Want to try FreeBSD 7.1 in a comfortable, graphical desktop, via a VMware VM? If your answer is yes, visit www.virtualbsd.info and download their 1.5 GB VM. I tried it last night and got it working with VMware 1.0.8 by making the following adjustments. Edit VirtualBSD.vmx to say

#virtualHW.version = "6"
virtualHW.version = "4"

and VirtualBSD.vmdk to say

#ddb.virtualHWVersion = "6"
ddb.virtualHWVersion = "4"

and you will be able to use the VM on VMware...

Sunday, 22 February 2009

Black Hat Briefings Justify Supporting Retrospective Security Analysis

One of the tenets of Network Security Monitoring, as repeated in Network Monitoring: How Far?, is collect as much data as you can, given legal, political, and technical means (and constraints) because that approach gives you the best chance to detect and respond to intrusions. The Black Hat Briefings always remind me that such an approach makes sense. Having left the talks, I have a set of techniques for which I can now mine my logs and related...

Black Hat DC 2009 Wrap-Up, Day 2

This is a follow-up to Black Hat DC 2009 Wrap-Up, Day 1. I started day two with Dan Kaminsky. I really enjoyed his talk. I am not sure how much of it was presented last year, since I missed his presentation in Las Vegas. However, I found his comparison of DNS vs SSL infrastructures illuminating. The root name servers are stable, dependable, centrally coordinated, and guaranteed to be around in ten years. We know what root name servers to trust,...

Black Hat DC 2009 Wrap-Up, Day 1

I taught the first edition of TCP/IP Weapons School 2.0 at Black Hat DC 2009 Training in Arlington, VA last week to 31 students. Thanks to Steve Andres from Special Ops Security and Joe Klein from Command Information for helping as teaching assistants, and to Ping Look and the whole Black Hat staff for making the class successful. I believe the class went well and I am looking forward to teaching at Black Hat Europe 2009 Training in April. Very...

Thursday, 19 February 2009

Thoughts on Air Force Blocking Internet Access

Last year I wrote This Network Is Maintained as a Weapon System, in response to a story on Air Force blocks of blogging sites. Yesterday I read Air Force Unplugs Bases' Internet Connections by Noah Shachtman: Recently, internet access was cut off at Maxwell Air Force Base in Alabama, because personnel at the facility "hadn't demonstrated — in our view at the headquarters — their capacity to manage their network in a way that didn't make everyone...

Sunday, 15 February 2009

Back from Bro Workshop

Last week I attended the Bro Hands-On Workshop 2009. Bro is an open source network intrusion detection and traffic characterization program with a lineage stretching to the mid-1990s. I finally met Vern Paxson in person, which was great. I've known who Vern was for about 10 years but never met him or heard him speak. I first covered Bro in The Tao of Network Security Monitoring in 2004 with help from Chris Manders. About two years ago I posted...

Tuesday, 10 February 2009

Last Day to Register Online for TCP/IP Weapons School 2.0 in DC

Black Hat was kind enough to invite me back to teach a new 2-day course at Black Hat DC 2009 Training on 16-17 February 2009 at the Hyatt Regency Crystal City in Arlington, VA. This class, completely new for 2009, is called TCP/IP Weapons School 2.0. This is my only scheduled class on the east coast of the United States in 2009. The short description says: This hands-on, lab-centric class by Richard Bejtlich focuses on collection, detection, escalation,...

New Online Packet Repository

As of a few weeks ago I am no longer involved with OpenPacket.org. One of the reasons is a great new online packet repository sponsored and run by Mu Dynamics called Pcapr. I've had an account there for a few months, but it looks like the site is now open to the general public. Check it out -- there's a lot of cool features already. Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for...

Thursday, 05 February 2009

Benefits of Removing Administrator Access in Windows

I think most security people advocate removing administrator rights for normal Windows users, but I enjoy reading even a cursory analysis of this "best practice" as published by BeyondTrust and reported by ComputerWorld. From the press release: BeyondTrust's findings show that among the 2008 Microsoft vulnerabilities given a "critical" severity rating, 92 percent shared the same best practice advice from Microsoft to mitigate the vulnerability: "Users...

More on Weaknesses of Models

I read the following in the Economist: Edmund Phelps, who won the Nobel prize for economics in 2006, is highly critical of today's financial services. "Risk-assessment and risk-management models were never well founded," he says. "There was a mystique to the idea that market participants knew the price to put on this or that risk. But it is impossible to imagine that such a complex system could be understood in such detail and with such amazing correctness......

Tuesday, 03 February 2009

Notes on Installing Sguil Using FreeBSD 7.1 Packages

It's been a while since I've looked at the Sguil ports for FreeBSD, so I decided to see how they work. In this post I will talk about installing a Sguil sensor and server on a single FreeBSD 7.1 test VM using packages shipped with FreeBSD 7.1. To start with, the system had no packages installed. After running pkg_add -vr sguil-sensor, I watched what was added to the system. I'm only going to document that which I found interesting. The sguil-sensor-0.7.0_2...

Monday, 02 February 2009

Data Leakage Protection Thoughts

"Data Leakage Protection" (DLP) appears to be the hot product everybody wants. I was asked to add to the SearchSecurity section I wrote two years ago, but I'm not really interested. I mentioned "extrusion" over five years ago in What Is Extrusion Detection? This InformationWeek story had an interesting take: What constitutes DLP? Any piece of backup software, disk encryption software, firewall, network access control appliance, virus scanner, security...