Thursday, 30 July 2009

Thoughts from Black Hat USA 2009

Black Hat USA 2009 is history. My two classes of TCP/IP Weapons School 2.0 went very well. I should be back to teach in DC, Barcelona, and Las Vegas next year. Thank you to my students for your positive feedback and cooperation in class! Despite your numbers we had little to no problems and I believe everyone learned something useful. For future classes I will add a table of contents, focus the questions, add more on my personal methodologies,...

Wednesday, 29 July 2009

Parsing Vista Firewall Logs: Part III

For speed, control, and simplicity, gawk is almost impossible to beat at parsing simple text logs like pfirewall.log. The script below gives you a list, sorted numerically by count, of the source IPs referenced in pfirewall.log for allowed packets. The first column is the count of each unique IP. Note that gawk makes quick work of these searches.

gawk '$3 == "ALLOW" {print $5}' pfirewall.log | sort -nr | uniq -c | sort -nr
6849 192.168.0.4
4317 127.0.0.1
3014 192.168.200.87
1577 10.10.10.74
725 192.168.168.246
...

Tuesday, 28 July 2009

What is Cloud?

The slide at left was one of my favorites from Craig Balding's Cloud Security Ghost Story talk from Black Hat EU earlier this year. I like that he shows that a "cloud" does not mean a "VM farm" run by admins who require users to endure lengthy provisioning processes, followed by requests from the IT department for the supposed "customer" to provide information and resources they would expect to get from the Cloud. Real Clouds are provisioned via...

Parsing Vista Firewall Logs Part II

Made an interesting attempt today to parse Vista's Firewall log based on some "Scripting Guys" code from Microsoft: http://www.microsoft.com/technet/scriptcenter/resources/qanda/apr09/hey0416.mspx. I have placed the script here: http://www.rmfdevelopment.com/PowerShell_Scripts/Scan-Firewall.ps1

Regexing per line of pfirewall.log with mixed IPv4 and IPv6 address types as well as ICMP and other layer 2 protocols makes identifying network services by port unreliable without tokenizing the position of dst/src ports first. Thus the regex switch "\s80"...

Notes from OISF Meeting in DC

This month I was pleased to attend a public meeting of the Open Information Security Foundation in Washington, DC. I got a chance to meet several people I have known for many years through their work with Snort, such as Matt Jonkman, Will Metcalf, Victor Julien, Frank Knobbe, and two guys from a federal agency that have extended Sguil way beyond what I knew anyone was doing! The group posted DC Brainstorming Meeting Notes, but I wanted to record...

Guest Post at Fudsec.com

I was asked to write a guest post for the new Fudsec.com blog, so I published Threat-Centric Thinking on the Rise. From that post:

A lot of people have been discussing denial of service attacks against various Important Sites earlier this month. It struck me that the focus of the discussion, really to the exclusion of anything else, has been one question: "who did it?"

Think about that for a second. If this attack had happened in 1996, we would...

Review of Voice over IP Security Posted

Amazon.com just posted my four star review of Voice over IP Security by Patrick Park. From the review:

The reviews of Voice over IP Security are fairly consistent at 4 stars, and I agree with that consensus. I've read a few books on this topic, and early titles were fairly awful. My favorite remains Hacking Exposed: VoIP, but a comparison with Voice over IP Security shows different audiences for the two books. The HE book is better suited for those...

Direct Financial Cost of Intrusions

Thanks to the blog reader who directed me to the Washington Times story Contractor returns money to Pentagon:

Apptis Inc., a military information technology provider, repaid $1.3 million of a $5.4 million Pentagon contract after investigators said the company provided inadequate computer security and a subcontractor's system was hacked from an Internet address in China...

Apptis agreed to the repayment after the Defense Criminal Investigative Service concluded the company and a subcontractor failed to provide "proper network security and information...

Wednesday, 22 July 2009

Parsing Vista Firewall Logs: Part I

These are the fields Vista HP logs for C:\Windows\System32\LogFiles\Firewall\pfirewall.log:

#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

The log meanders along as below. Note the IPv6 broadcasts:

...
2009-07-22 08:15:00 ALLOW TCP 192.168.0.11 74.125.95.139 53218 80 0 - 0 0 0 - - - SEND
2009-07-22 08:25:21 ALLOW UDP 192.168.0.8 192.168.0.255 137 137 0 - - - - - - - RECEIVE
2009-07-22 08:25:21 ALLOW UDP 192.168.0.8 192.168.0.255 137 137 0 - - - - - - - RECEIVE
2009-07-22...

Tuesday, 21 July 2009

No tail.exe on Vista HP....

Vista's decision to ship without a native tail.exe makes monitoring logs difficult without GNUWin32 or Cygwin or some other third party utility. This batch (tail.cmd) helps:

@echo off
set file = %1
:top
choice /T 1 /D Y > NUL
for /f "eol=: tokens=3" %%i in ('find ^/C " " %1') do set lastline=%%i
set /a newlastline=%lastline% - 1
set oldlastline=%newlastline%
:top1
choice /T 1 /D Y > NUL
for /f "eol=: tokens=3" %%i in ('find ^/C " " %1') do set lastline=%%i
set /a newlastline=%lastline% - 1
if %oldlastline%==%newlastline% (goto top1) else more +%newlastline%...

Monday, 20 July 2009

SANS Forensics and Incident Response 2009 Summit Round-Up

I'd like to share a few thoughts from the second SANS WhatWorks Summit in Forensics and Incident Response, where I delivered the keynote. I could only attend the first day, but I thought it was definitely worthwhile. I was given a few questions which I promised to answer on this blog, so here they are.

With your background with Information Operations and cyber security, what would you advise the new U.S. Cyber Command? What should their priorities...

"The Cloud" exists already....

For anyone who runs a Windows PC, the vaunted "cloud computing" environment already exists. Without most of us realizing it, large collections of computer systems - CDNs, botnets, grid-enabled NOCs, hosting centers, etc. already provide the type of computing power environments that connect our PCs to a world of search engines/databases/upgrades/virus signatures from many vendors. When my Vista boots it proceeds immediately to find out who feeds it...

Friday, 17 July 2009

Free Issue of Linux+ Magazine Posted

A free issue of Linux+ magazine is available -- look for the link to "Free Issue: Linux in Mission Critical". It's 68 pages of Linux information, for free!

Richard Bejtlich is teaching new classes in Las Vegas in 2009. Late Las Vegas registration ends 22 Ju...

Thursday, 16 July 2009

Vista and XP Network Interfaces with Powershell

In preparation for examining the differences between XP and Vista firewalls, I wrote this interesting Powershell CTP2.0 v3 script that exposes info for all physical and virtual network interfaces. More information is available on Vista than XP. This script will work on both. Each paragraph is a separate script.

.\Get-NetworkInterface.ps1

$Global:gwmiw32na = get-wmiobject win32_networkadapter
$gwmiw32na | fl *

$Global:gwmiw32na4 = get-wmiobject win32_networkadapter | Select Name,ServiceName,Speed,PhysicalAdapter

$Global:gwmiw32na6 = get-wmiobject win32_networkadapter...

Wednesday, 15 July 2009

Review of vi(1) Tips Posted

Amazon.com just posted my five star review of vi(1) Tips by Jacek Artymiak. From the review:

I agree with just about everything that appeared in KN's review. Jacek Artymiak has written a sort of "vi(1) for the Desperate" covering all of the aspects of vi I would like to see addressed. I could see this book used in an introductory Unix class where the students are expected to try all of the examples. Jacek posted the sample files used in the book examples...

Tuesday, 14 July 2009

Cisco Routers for the Desperate, 2nd Ed

A little over four years ago I reviewed the first edition of Michael W. Lucas' Cisco Routers for the Desperate. A second edition has been published, but since my first review is still posted at Amazon.com I can't post another. Also, Michael asked me to tech-edit the second edition, and I don't formally rate books in which I play a part. (Authors and others who are involved in books -- it's bad form to give your own product five stars!)

I gave the...

White Hat Budgeting

After publishing Black Hat Budgeting last month, several readers asked me how to spend the same $1 million on defense. This is a more difficult question. As I wrote in the previous post, for $1 million per year an adversary could fund a Western-salaried black hat team that could penetrate and persist in roughly any target it chose to attack. That does not hold true for defense, i.e., for $1 million per year a defender could not fund a Western-salaried...

Monday, 13 July 2009

FreeBSD Pf and Tftp-proxy

Several IP-enabled devices in the lab use TFTP to retrieve configuration files from various locations on the Internet. This pains me. You can probably imagine what these devices are. Unfortunately I don't control how these devices work.

I run Sguil at my lab gateway to the Internet. I watch traffic right before the gateway, before it is NAT'd. I really don't care what's on the other side. I mostly care what is leaving the network, so I concentrate...

Sunday, 12 July 2009

Review of Practical Intrusion Analysis Posted

Amazon.com just published my three star review of Practical Intrusion Analysis by Ryan Trost. From the review:

I must start this review by stating the lead author lists me in the Acknowledgments and elsewhere in the book, which I appreciate. I also did consulting work years ago for the lead author's company, and I know the lead author to be a good guy with a unique eye for applying geography to network security data. Addison-Wesley provided me a...

Saturday, 11 July 2009

Must-Read Verizon Post Demolishes More Myths

I'm a big fan of the 2009 Verizon Data Breach Report. Today I read Compromised Assets & Data: But our company doesn't handle credit cards... by Verizon's Bryan Sartin. It's an excellent post. I'd like to post several excerpts, emphasizing and expanding on certain points.

I find it fascinating that no matter where in the world you go, what type of company you talk to, public or private sector, you find two very common beliefs: 1. All data...

Review of Security Monitoring Posted

Amazon.com just posted my four star review of Security Monitoring by Chris Fry and Martin Nystrom. From the review:

I must start this review by noting that the authors of Security Monitoring (SM) cite my blog and books several times, which is appreciated. I must also mention that their boss Gavin Reid, who posted a review below, has offered to sponsor my company's application to the Forum of Incident Response and Security Teams (FIRST). O'Reilly...

Friday, 10 July 2009

You Down with APT?

Today I shared a phone call with a very knowledgeable and respected security industry analyst. During the course of the conversation he made a few statements which puzzled me, so I asked him "do you know what APT means?" He might have thought I was referring to the Debian Advanced Package Tool or apt, but that's not what I meant. When I said Advanced Persistent Threat, it still didn't ring any bells with him. I decided to do some searching...

Thursday, 02 July 2009

Traffic Talk 6 Posted

My 6th edition of Traffic Talk, titled Wireshark 1.2 tutorial: Open source network analyzer's new features has been posted. From the article:

Wireshark is a staple of any network administrator's toolkit, and it can be equally useful for any network solution providers or consultants who troubleshoot business networks. Most of the readers of this tutorial have probably used Gerald Combs' open source protocol analyzer for years. In this edition of Traffic...

Still Blogging

When I announced I would join General Electric as Director of Incident Response in June 2007, I had to post a follow-up titled I'm Not Dead. That issue even made it onto Bill Brenner's radar. Two years later I'm still at GE, glad that as of 1 January this year we have a functional and growing Computer Incident Response Team (CIRT) manned by the best incident handlers and support staff you'll find anywhere. Sometimes work occupies time I would...

Bejtlich on Black Hat Briefings Panel

The registration process for my TCP/IP Weapons School 2.0 class at Black Hat USA 2009 continues to be active, with seats almost gone in the weekday version. The weekend version has open seats. If you'd like more details, please see my post Black Hat Class Outline Posted.

I was invited to be a panelist for The Laws of Vulnerabilities Research Version 2.0: Comparing Critical Infrastructure Industries, a description of which is posted at the Black...

Review of Hacking Exposed: Windows, 3rd Ed Posted

Amazon.com just posted my four star review of Hacking Exposed: Windows, 3rd Ed. Better late than never! From the review:

I've been reading and reviewing Hacking Exposed (HE) books since 1999, and I reviewed the two previous Windows books. Hacking Exposed: Windows, 3rd Ed (HEW3E) is an excellent addition to the HE series. I agree with Chris Gates' review, but I'd like to add a few of my own points. The bottom line is that if you need a solid book...

NSA to "Screen" .gov Now, I Predict .com Later

In my Predictions for 2008 I wrote Expect greater military involvement in defending private sector networks. Today I read a great Washington Post story titled Obama Administration to Involve NSA in Defending Civilian Agency Networks. It says in part:

The Obama administration will proceed with a Bush-era plan to use National Security Agency assistance in screening government computer traffic on private-sector networks, with AT&T as the likely...

Wednesday, 01 July 2009

Understanding Svchost Part II

I have published a brief paper on svchost.exe: Svchost: To Whom and Why. It explains how to use a Mark Russinovich (Microsoft: www.Sysinternals.com) tool set to understand svchost.exe behavior. Microsoft uses Limelight Networks (among other 'CDNs') to help them distribute update content. What I do not like about this is that when you enable Microsoft Update you do not explicitly give Microsoft permission to use a third party CDN to send and receive data from your PC. But that is exactly what happens in the world of Edge Networks, 'CDNs', 'Software...