"The specified uptodateness vector is corrupt."

I haven't posted in awhile.  Time to get back into the swing of things with a little pre-Christmas Season silliness.  Occasionally, the practice of network security makes us all a little goofy. Seemingly random pursuits overtake us. Silly thoughts fill our console. Perhaps this is a result of low light in the northern latitudes this time of year...In any event, should use wish to query all of the messages available in the "net helpmsg" file on Windows Vista, you can run a command like this:for /l %i in (1,1,16000) do @( echo %i &&...

Read More

Real Security Is Threat-Centric

Apparently there's been a wave of house burglaries in a nearby town during the last month. As you might expect, local residents responded by replacing windows with steel panels, front doors with vault entrances, floors with pressure-sensitive plates, and whatever else "security vendors" recommended. Town policymakers created new laws to mandate locking doors, enabling alarm systems, and creating scorecards for compliance. Home builders decided...

Read More

Celebrate FreeBSD 8.0 Release with Donation

With the announcement of FreeBSD 8.0, it seems like a good time to donate to the FreeBSD Foundation, a US 501(c)3 charity. The Foundation funds and manages projects, sponsors FreeBSD events, Developer Summits and provides travel grants to FreeBSD developers. It also provides and helps maintain computers and equipment that support FreeBSD development and improvements. I just donated $100. Will anyone match me? Thank y...

Read More

Historical Video on AFCERT circa 2000

I just uploaded a video that some readers might find entertaining. This video shows the United States Air Force Computer Emergency Response Team (AFCERT) in 2000. Kelly AFB, Security Hill, and Air Intelligence Agency appear. The colonel who leads the camera crew into room 215 is James Massaro, then commander of the Air Force Information Warfare Center. The old Web-based interface to the Automated Security Incident Measurement (ASIM) sensor is shown,...

Read More

Tort Law on Negligence

If any lawyers want to contribute to this, please do. In my post Shodan: Another Step Towards Intrusion as a Service, some comments claim "negligence" as a reason why intruders aren't really to blame. I thought I would share this case from Tort Law, page 63:In Stansbie v Troman [1948] 2 All ER 48 the claimant, a householder, employed the defendant, a painter. The claimant had to be absent from his house for a while and he left the defendant working...

Read More

Review of Martin Libicki's Cyberdeterrence and Cyberwar

Amazon.com just posted my three star review of Martin Libicki's Cyberdeterrence and Cyberwar. I've reproduced the review in its entirety here because I believe it is important to spread the word to any policy maker who might read this blog or be directed here. I've emphasized a few points for readability.As background, I am a former Air Force captain who led the intrusion detection operation in the AFCERT before applying those same skills to private...

Read More

Shodan: Another Step Towards Intrusion as a Service

If you haven't seen Shodan yet, you're probably not using Twitter as a means to stay current on security issues. Shoot, I don't even follow anyone and I heard about it. Basically a programmer named John Matherly scanned a huge swath of the Internet for certain TCP ports (80, 21, 23 at least) and published the results in a database with a nice Web front-end. This means you can put your mind in Google hacking mode, find vulnerable platforms, maybe...

Read More

I'm Surprised That Your Kung Fu Is So Expert

This story is so awesome. Hacks of Chinese Temple Were Online Kung Fu, Abbot SaysA hacker who posted a fake message on the Web site of China's famous Shaolin Temple repenting for its commercial activities was just making a mean joke, the temple's abbot was cited as saying by Chinese state media Monday.That and previous attacks on the Web site were spoofs making fun of the temple, Buddhism and the abbot himself, Shi Yongxin was cited as telling the...

Read More

Control "Monitoring" is Not Threat Monitoring

As I write this post I'm reminded of General Hayden's advice: "Cyber" is difficult to understand, so be charitable with those who don't understand it, as well as those who claim "expertise."It's important to remember that plenty of people are trying to act in a positive manner to defend important assets, so in that spirit I offer the following commentary.Thanks to John Bambanek's SANS post I read NIST Drafts Cybersecurity Guidance by InformationWeek's...

Read More

Audio of Bejtlich Presentation on Network Security Monitoring

One of the presentations I delivered at the Information Security Summit last month discussed Network Security Monitoring. The Security Justice guys recorded audio of the presentation and posted it here as Network Security Monitoring and Incident Response. The audio file is InfoSec2009_RichardBejtlich.m...

Read More

Traffic Talk 8 Posted

I just noticed that my 8th edition of Traffic Talk, titled How to use user-agent strings as a network monitoring tool, was posted this week. It's a simple concept that plenty of NSM practitioners implement, and I highly recommend ...

Read More

Extending Security Event Correlation

Last year at this time I wrote a series of posts on security event correlation. I offered the following definition in the final post:Security event correlation is the process of applying criteria to data inputs, generally of a conditional ("if-then") nature, in order to generate actionable data outputs.Since then what I have found is that products and people still claim this as a goal, but for the most part achieving it remains elusive.Please also...

Read More

Embedded Hardware and Software Pen Tester Positions in GE Smart Grid

I was asked to help locate two candidates for positions in the GE Smart Grid initiative. We're looking for an Embedded Hardware Penetration Tester (1080237) and an Embedded Firmware Penetration Tester (1080236). If interested, search for the indicated job numbers at ge.com/careers or go to the job site to get to the search function a little faster.I don't have any other information on these jobs, so please work through the job site. Thank you.Update...

Read More

Reaction to 60 Minutes Story

I found the new 60 Minutes update on information warfare to be interesting. I fear that the debate over whether or not "hackers" disabled Brazil's electrical grid will overshadow the real issue presented in the story: advanced persistent threats are here, have been here, and will continue to be here. Some critics claim APT must be a bogey man invented by agencies arguing over how to gain greater control over the citizenry. Let's accept agencies...

Read More

Notes from Talk by Michael Hayden

I had the distinct privilege to attend a keynote by retired Air Force General Michael Hayden, most recently CIA director and previously NSA director. NetWitness brought Gen Hayden to its user conference this week, so I was really pleased to attend that event. I worked for Gen Hayden when he was commander of Air Intelligence Agency in the 1990s; I served in the information warfare planning division at that time.Gen Hayden offered the audience four...

Read More

Bejtlich on Security Justice Podcast

After I spoke at the Information Security Summit in Ohio last month, the guys at the Security Justice podcast interviewed me and Tyler Hudak.You can listen to the archive here. It was fairly loud in the room but you'd never know it listening to the audio. Great work guys.We discuss open source software, vulnerability research and disclosure, product security incident response teams (PSIRTs), input vs output metrics, insourcing vs outsourcing, and...

Read More

DojoCon Videos Online

Props to Marcus Carey for live streaming talks from DojoCon. I appeared in my keynote, plus panels on incident response and cloud security. I thought the conference was excellent and many people posted their thoughts to #dojocon on Twitt...

Read More

Tentative Speaker List for SANS Incident Detection Summit

Thanks to everyone who attended the Bejtlich and Bradley Webcast for SANS yesterday. We recorded that Webcast (audio is now available) to start a discussion concerning professional incident detection.I'm pleased to publish the following tentative speaker list for the SANS WhatWorks in Incident Detection Summit 2009 on 9-10 Dec in Washington, DC. We'll publish all of this information, plus the biographies for the speakers, on the agenda site,...

Read More