Friday, 26 February 2010

Some Thoughts on Computer Defense for Small Business

I have written a paper targeted at small business owners, "Some Thoughts on Computer Defense for Small Business":

"The problem of computer security will continue to increase in intensity in the coming years. Geo-political conflict, an increasing wealth divide between North and South in an increasingly networked world, and increasingly sophisticated threats will challenge the most well prepared specialists to secure your network. The passage of time has only made the following Unix administrator's adage become more true: “There...

Wednesday, 24 February 2010

Advanced Persistent Threat IV

SRI's Malware Threat Center has issued version 1.5 of BotHunter. BotHunter combines a proprietary algorithm with the data collection facilities of a customized Snort to identify botnet communication on Windows hosts and at a Unix bastion at the egress of your network. You can review the data it collects from its honeynet. Here's a picture of it running on Vista:

Update: 02/27/10  And so I had a 1.10 Score. (Below)...

Monday, 22 February 2010

Information Security Jobs in GE-CIRT and Other GE Teams

I'm hiring for my team (GE-CIRT) again. The following summarizes open positions:

Information Security Incident Handler (1145304); serious skills required
Information Security Incident Analyst (1147842); intermediate skills required
Information Security Event Analyst (1147849); extreme willingness to learn required
Security Assurance Team Senior Analyst (1147811); intermediate skills required
Security Assurance Team Analyst (1147853); extreme willingness...

Saturday, 20 February 2010

Reaction to Cyber Shockwave

I just finished watching Cyber Shockwave, in the form of a two-hour CNN rendition of the 16 February 2010 simulation organized by the Bipartisan Policy Center (BPC). The event simulated, in real time, a meeting of the US National Security Council, with former government, military, and security officials role-playing various NSC participants. The simulation was created by former CIA Director General Michael Hayden and the BPC’s National Security...

Review of Intelligence, 4th Ed Posted

Amazon.com just posted my five star review of Intelligence: From Secrets to Policy, 4th Ed by Mark Lowenthal. From the review:

I was an Air Force military intelligence officer in the late 1990s. I've been working in computer security since then. I read Intelligence, 4th Ed (I4E) to determine if I could recommend this book to those who doubt or don't understand the US intelligence community (IC). I am very pleased to say that I4E is an excellent...

Offshoring Incident Response

A blog reader emailed the following question.

We recently had a CISO change, and in the process of doing an initial ops review and looking at organizational structure, one of the questions the new CISO has is about the viability of offshoring incident response... I would be very interested in your views on this matter, and would appreciate any feedback you can offer.

As background, I've been involved in incident response in many different capacities:...

Advice for Academic Researchers

A blog and book reader emailed the following question:

I am an info sec undergrad and have been granted a scholarship to continue my studies towards a PhD with the promise of DoD service at the other end. It is critical for me to research and select the most important area of security from the Defense Department's perspective.

My question to you is this: Drawing upon your knowledge, what specific area(s) of information security do you feel will be...

Tuesday, 16 February 2010

Advanced Persistent Threat Part III

It certainly is possible to examine host or network outbound conversations. But we then have to determine which outbound conversations are legitimate. Current AV software attempts to block access to potentially 'known dangerous' or 'pre-determined dangerous' malware sites, but such judgements are apparently failing to prevent APT from sending stolen data to way stations. On OpenBSD, if we are looking at outbound connections, we might sniff as thus using Snort:

/usr/local/bin/snort -D -vdeXX -l . -L `date "+%d%b%H%S%Z%Y.out"`...

Monday, 15 February 2010

Answers Regarding Military Service

Once in a while I'm asked about my Thoughts on Military Service. An anonymous blog reader sent the following questions. It's been a while since I wore the uniform, but at least some of you readers might care to offer your own thoughts. I'll try to answer what I can.

I got into IT after graduating from college with non-technical majors and decided that I was actually interested in areas of practical science, such as: physical computing, engineering (mechanical,...

Max Ray Butler Sentenced (Again)

In late 2007 I blogged Max Ray Butler in Trouble Again. Please see that post and Kevin Poulsen's June 2009 story for details. According to ComputerWorld, you don't want to be Max Ray Butler:

A former security researcher turned criminal hacker has been sentenced to 13 years in federal prison for hacking into financial institutions and stealing credit card account numbers.

Max Ray Butler, who used the hacker pseudonym Iceman, was sentenced Friday morning...

Friday, 12 February 2010

Get the Divers Out of the Water

I'm wondering if this story resonates with anyone.

Imagine a group of undersea divers. They are swimming in the ocean doing some sort of productive activity, maybe retrieving treasure, or doing research, or something else. The divers receive instructions from managers in a boat.

Suddenly one of the divers is attacked by a shark. It tears right through his diving suit. There's blood in the water. The managers see the blood but tell the divers to...

Advanced Persistent Threat Part II

These thoughts occur to me this week in reading the numerous blog posts on APT and the Mandiant Report. Somehow my research made me think of the bane of Othello the Moor ("Iago"). Very loosely translated from Latin, "Iago" might mean "I am nothing". More commonly it is translated as "supplanter" or "heel grabber".

(1) I don't have a binary, technical threat analysis, disassembled stub, class diagram or detection method for APT.
(2) I don't know any host based security products...

Wednesday, 10 February 2010

A Hacker in Charge of Your Tax Dollars?

I read Hacker 'Mudge' gets DARPA job by Elinor Mills:

Peiter Zatko--a respected hacker known as "Mudge"--has been tapped to be a program manager at DARPA, where he will be in charge of funding research designed to help give the U.S. government tools needed to protect against cyberattacks, CNET has learned.

Zatko will become a program manager in mid-March within the Strategic Technologies Office at DARPA (Defense Advanced Research Projects Agency),...

Thor vs Clown

It started with this post by M.D.Mufambisi to the pen-test list:

I'm designing an SMS banking application but I need to research the security risks involved first... What are the risks around this application? How are such applications normally subverted? Are there any case studies someone can point me to?

After a few responses, Craig Wright chimed in:

The solution needs to be based on risk.

Where a system uses an SMS response with a separate system...

Tuesday, 09 February 2010

Advanced Persistent Threat

The news on "Advanced Persistent Threat" has been broken in a big way by Google and the recent Mandiant report. More comments will follow at a later date. But some occur to me now:

(1) Our current desktop and server Operating Systems are not secure.
(2) Computer networks are insecure for most organizations and at many levels.
(3) Digital data can no longer be protected against a determined foe.
(4) Security researchers and visionaries should receive more funding. Lots.

Order and read the Mandiant Report. Then imagine what a resourced...

Making Progress Matters Most

I found this article by John M. Kamensky to be interesting:

Teresa Amabile and Steven Kramer, in a recent Harvard Business Review article called “What Really Motivates Workers,” tell managers: “The key to motivation turns out to be largely within your control.”

Their advice? “Scrupulously avoid impeding progress.”

Amabile and Kramer surveyed more than 600 managers and then conducted a multiyear study of hundreds of knowledge workers, asking them to...

Monday, 08 February 2010

Defending Against the Small Business Threat

"Do you expect I'm going to solve this? I'm going to take on these Russian thieves? Clearly I'm not going to [be able to] do it." -small business owner defrauded by malware and "money mules"

A great and overdue article in the Wall Street Journal this morning: "Wanted: Defense Against Online Bank Fraud". The article discusses a now-popular cyber-crime, first popularized in 2008, which begins with the online theft/fraud of insecure ATM/payroll data on user/client/small business PCs. Fake payroll members are created...

Sunday, 07 February 2010

So Much for China's "Peaceful Rise"

I was not surprised to read China’s hawks demand cold war on the US in the Times Online.

[A]lmost 55% of those [in China] questioned for Global Times, a state-run newspaper, agree that “a cold war will break out between the US and China”...

An independent survey of Chinese-language media for The Sunday Times has found army and navy officers predicting a military showdown and political leaders calling for China to sell more arms to America’s foes...

“This...

Saturday, 06 February 2010

APT Presentation from July 2008

Some of you may remember me mentioning the 2008 SANS WhatWorks in Incident Response and Forensic Solutions Summit organized by Rob Lee. I provided the keynote and really enjoyed listening to the presentations, which Rob has graciously made available at http://files.sans.org/summit/forensics08/. One of the presentations, by Mandiant consultant Wendi Rafferty and then-Mandiant consultant (now GE-CIRT incident handler) Ken Bradley, was titled Slaying...

Review of The Book of Xen Posted

Amazon.com just posted my five star review of The Book of Xen by Chris Takemura and Luke S. Crawford. From the review:

The Book of Xen (TBOX) is a great book for Linux system administrators who want to deploy Xen. The authors ground their recommendations in over four years of experience running Xen to support Internet-facing virtual private servers. I found their writing style to be very engaging; it reminded me of reading any one of Michael Lucas'...

Thursday, 04 February 2010

Answering APT Misconceptions

There's finally some good reporting on advanced persistent threat appearing in various news sources. A new Christian Science Monitor story, one by Federal Computer Week, and one by Wired are making progress in raising awareness. Unfortunately, there's plenty of Tweeting and blogging by people who refuse to understand what is happening or are not capable of understanding what is happening. From now on, rather than repeat myself trying to answer...

DFRWS, VizSec, and RAID 2010 Calls for Papers

I'm involved to one degree or another with three somewhat academically-oriented conferences this year. I wanted to post notices of the call for papers for each event.

First is DFRWS 2010 on 2-4 Aug in Portland, Oregon. I am on the Technical Program Committee but will not attend due to a family conflict. The CFP ends 28 Feb.

Next is VizSec 2010 on 14 Sep in Ottawa, Ontario. I am on the Program Committee and plan to attend. The CFP for full papers...

Google and NSA Fulfilling 2008 Predictions

In December 2007 I wrote Predictions for 2008. They included 2) Expect greater military involvement in defending private sector networks; 3) Expect increased awareness of external threats and less emphasis on insider threats; and 4) Expect greater attention paid to incident response and network forensics, and less on prevention.

All three of those predictions are being fulfilled by the Google v China incident as demonstrated by this Washington Post...

Wednesday, 03 February 2010

DNI Blair Leads with APT as a "Wake-Up Call"

AFP is one of the few news outlets that correctly focused on the key aspect of testimony by US Director of National Intelligence Dennis Blair at yesterday's US Senate Select Committee on Intelligence hearing. In his testimony, DNI Blair began his Annual Threat Assessment of the US Intelligence Community with the following. I highlight "began" because this section wasn't buried in the middle of the document. He discussed digital threats right from...

Tuesday, 02 February 2010

Traffic Talk 9 Posted

I just noticed that my 9th edition of Traffic Talk, titled Testing Snort with Metasploit, was posted. From the article:

Security and networking service providers are often asked whether their solutions are working as expected. Two years ago, I wrote How to test Snort, which concentrated on reasons for testing and ways to avoid doing poor testing. In this article, prompted by recent discussions among networking professionals, I show how to combine...