Thursday, 29 April 2010

Blame the Bullets, not PowerPoint

Blog readers probably know I am not a big fan of PowerPoint presentations. I sympathize with many points in the recent article We Have Met the Enemy and He Is PowerPoint, which resurrects the December 2009 story by Richard Engel titled So what is the actual surge strategy? I think it is important to focus, however, on the core problem with PowerPoint presentations: bullets. Bullets are related to the main PowerPoint problem, which is having the...

Sunday, 25 April 2010

Day 2 at LinuxFest

Another great day at Linux Fest! I attended excellent presentations on Digital Forensics by Hal Pomeranz and Brian Pate (2 hours), both of which were very useful and felt very "hands on". I can't say enough good things about LinuxFest. The organizers are doing Whatcom County business development a tremendous favor. In reality, I think the Chamber of Commerce and the City of Bellingham should be helping to fund this volunteer supported event every quarter. Talent comes from all over the Northwest: Seattle, Portland, Tri-Cities,...

Saturday, 24 April 2010

Brilliant Day 1 at LinuxFest NorthWest

I had a brilliant first day at LinuxFest NorthWest. I sat through five presentations on privacy and computer security in Haskell 115 at Bellingham Technical College. Brian Alseth of ACLU of Washington delivered the usual terrifying description of how data mining is destroying privacy. John Lock talked about Web Commerce Security. Gary Smith of PNL gave an excellent talk on Linux Server Hardening. Hal Pomeranz finished up the day with two hours on SE Linux. Wow! What a beast SE Linux is...LinuxFest...a great thi...

Review of The Rootkit Arsenal Posted

Amazon.com just posted my five star review of The Rootkit Arsenal by Bill Blunden. I received this book last year but didn't get a chance to finish it until this week, thanks to several long plane flights. From the review: Disclaimer: Bill mentions me and my book "Real Digital Forensics" on pages xxvi and 493. He sent me a free review copy of his book. "Wow." That summarizes my review of "The Rootkit Arsenal" (TRA) by Bill Blunden. If you're a security...

Snort Near Real Time Detection Project

I don't think many people noticed this story, but on Thursday Sourcefire Labs published A New Detection Framework on the VRT blog and a NRT page on their labs site. I had a small part in this development due to the Incident Detection Summit I organized late last year. Sourcefire sent an army of developers (I think they had the biggest contingent) to the conference and clearly enjoyed participating. During the event they spoke to participants from...

Thoughts on New OMB FISMA Memo

I read the new OMB memorandum M-10-15, "FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management." This InformationWeek article pretty well summarizes the memo, but I'd like to share a few thoughts. Long-time blog readers should know I've been writing about FISMA for five years, calling it a "joke," "a jobs program for so-called security companies without the technical skills to operationally...

Wednesday, 21 April 2010

Joanna Rutkowska and ITL and "Security by Isolation"

A day spent reading the research of Joanna Rutkowska and her Invisible Things Lab is a day spent improving your IQ. Ms. Rutkowska is famous for describing vulnerabilities in SMM, BIOS, and VM hypervisors. In short, rather than attack the Operating System (although she has done some of that as well), she and her team attack the layer between the Operating System and the hardware; specifically rings -1, -2, -3 to use her terminology. Her work has led her to some drastic conclusions about hardware and digital security. In...

Tuesday, 20 April 2010

Still Looking for Infrastructure Administrator for GE-CIRT

Two months ago I posted Information Security Jobs in GE-CIRT and Other GE Teams. I've almost filled all of the roles, or have candidates for all roles in play, with the exception of one -- Information Security Infrastructure Engineer (1147859). We're looking for someone to design, build, and run infrastructure to support GE-CIRT functions. As you might expect, we don't need someone with Windows experience. Beyond Unix-like operating systems,...

Sunday, 18 April 2010

tcpslice II

More uses for tcpslice, ipsumdump, BASH 4.1:

This gives you today's top source IP and source IP port combination:

/usr/sbin/tcpslice `date +%Y"y"%m"m"%d"d"` $BASH_ARGV | ipsumdump --no-headers -sD -

./todays_dump.sh MarApr.snort.in.tcpd | sort -nr | uniq -c | sort -nr
     13 85.144.201.237 7959
      3 95.179.99.147 5900
      3 64.206.157.2 23
      3 222.45.112.59 8085
      3 109.187.8.70 5900
     ...

Review of Handbook of Digital Forensics and Investigation Posted

Amazon.com just posted my four star review of Handbook of Digital Forensics and Investigation by Eoghan Casey and colleagues. From the review: I've probably read and reviewed a dozen or so good digital forensics books over the last decade, and I've written a few books on that topic or related ones. The Handbook of Digital Forensics and Investigation (HODFAI) is a solid technical overview of multiple digital forensics disciplines. This book will introduce...

Review of The Victorian Internet Posted

Amazon.com just posted my five star review of The Victorian Internet by Tom Standage. From the review: Tom Standage mentions chronocentricity on p 213 as "the egotism that one's own generation is poised on the very cusp of history." Comparing modern times to the past, he says "if any generation has the right to claim that it bore the full bewildering, world-shrinking brunt of such a revolution, it is not us -- it is our nineteenth-century forbears."...

Measurement Over Models

Most blog readers know I strongly prefer measurement over models. In digital security, I think too many practitioners prefer to substitute their own opinions for data, i.e., "defense by belief" instead of "defense by fact." I found an example of a conflict between the two mindsets in Test flights raise hope for European air traffic: Dutch airline KLM said inspection of an airliner after a test flight showed no damage to engines or evidence of dangerous...

Friday, 16 April 2010

Vulnerable Sites Database: More Intrusion as a Service

Last year I blogged about Shodan, and today thanks to Team Cymru I learned of the latest evolution of Intrusion as a Service. It's called the Vulnerable Sites Database. According to the site, to be listed as a vulnerable site a submitter must provide "1. site name 2. vulnerability or JPG proof." This reminds me of a Web defacement archive where the submitter demonstrates having defaced a Web site, but with www.vs-db.info we get details like "local...

"Cyber insecurity is the paramount national security risk."

Thanks to @borroff I read a fascinating article titled Cybersecurity and National Policy by Dan Geer. The title of my blog post is an excerpt from this article, posted in the Harvard National Security Journal on 7 April. This could be my favorite article of the year, and it proves to me that Dan Geer's writing has the highest signal-to-noise ratio of any security author, period. (Personal note: I remember seeing Dan speak at a conference, and...

Thursday, 15 April 2010

Response to Dan Geer Article on APT

A few people sent me a link to Dan Geer's article Advanced Persistent Threat. Dan is one of my Three Wise Men, along with Ross Anderson and Gene Spafford. I'll reproduce a few excerpts and respond. Let us define the term for the purpose of this article as follows: A targeted effort to obtain or change information by means that are difficult to discover, difficult to remove, and difficult to attribute. That describes APT's methodology, but APT is...

Last Chance for TCP/IP Weapons School 2.0 in Las Vegas

Yesterday I returned home from teaching TCP/IP Weapons School 2.0 in Barcelona for Black Hat. I'd like to thank Black Hat and my students for a great class. I believe the current format, which is a mix of methodology, labs, and answering whatever questions the students have, in about 15-20 minute spontaneous presentations, is working really well. I plan to retire the current cases this year, and develop TWS3 with new cases for teaching in 2011. My...

Bejtlich on Visible Risk Podcast

My friend Rocky DeStefano from Visible Risk posted the video (streaming) and audio (.mp3, 124 MB) of a discussion he hosted on advanced persistent threat. Mike Cloppert, Rob Lee, Shawn Carpenter, and I discussed APT for about an hour on video and about an hour and a half on audio. Let Rocky know what you think as a comment here or via Twitter to @visiblerisk. One comment -- slightly before the 24:00 mark, Rob made a remark about "what you and...

Wednesday, 14 April 2010

tcpslice

Tcpslice is a useful tool from the LBL network group that lets you carve a large pcap file into time slices. To look at the start and finish timestamps of the entire pcap file in various time formats:

tcpslice -r Marchrferrisx.snort.in
Marchrferrisx.snort.in Mon Mar 8 11:08:09 2010 Mon Apr 5 09:09:37 2010

tcpslice -t Marchrferrisx.snort.in
Marchrferrisx.snort.in 2010y03m08d11h08m09s660222u 2010y04m05d09h09m37s390876u

tcpslice -R Marchrferrisx.snort.in
Marchrferrisx.snort.in 1268075289.660222 1270483777.390876

To...

Saturday, 10 April 2010

One year anniversary

Today is the one year anniversary of this blog. This is my 48th post in that time period. According to Google Analytics, 1,250 "absolute unique visitors" have accounted for 1,566 visits from 781 unique cities in 78 unique countries. 72 page titles were viewed a total of 2,241 times. Here are some of the most popular pages:

/2009/07/parsing-vista-firewall-logs-part-iii.html
/2009/05/i-receive-lots-of-6000-port-scans-on-my.html
/2009/09/network-monitor-api-part-ii.html
/2009/05/host-protection-working-with-microsofts.html
/2009/09/ive-spent-last-three-weeks-building.html
/2009/05/bash-40awkgeoiplookup-and-pcregrep-are.html
/2009/05/brief-anatomy-of-malware-detection-and.html
/2009/05/homegrown-tcpdumpsnort-analysis.html
/2009/06/viisualizing-sips-over-timeportip-range.html
...

Tuesday, 06 April 2010

Defense Security Service Publishes 2009 Report on "Targeting U.S. Technologies"

Thanks to Team Cymru I learned of a new Defense Security Service report titled Targeting U.S. Technologies: A Trend Analysis of Reporting from Defense Industry. The report seems to be the 2009 edition, which covers reporting from 2008. I'll have to watch for a 2010 version. From the report: The Defense Security Service (DSS) works with defense industry to protect critical technologies and information. Defense contractors with access to classified...

BeyondTrust Report on Removing Administrator: Correct?

Last week BeyondTrust published a report titled BeyondTrust 2009 Microsoft Vulnerability Analysis. The report offers several interesting conclusions: [R]emoving administrator rights will better protect companies against the exploitation of:

90% of critical Windows 7 vulnerabilities reported to date
100% of Microsoft Office vulnerabilities reported in 2009
94% of Internet Explorer and 100% of Internet Explorer 8 vulnerabilities reported in 2009
64% of...

Monday, 05 April 2010

More fun with ipsumdump

More fun with ipsumdump. Below, sorting March ingress by COUNT(SIP), COUNT(SPort), sorted GeoIP location. All very fast.

ipsumdump -s --no-headers Marchrferrisx.snort.in | sort -nr | uniq -c | sort -nr | less
    626 75.125.252.73
    384 74.125.19.191
    358 125.45.109.196
    286 66.165.46.165
    242 74.125.127.191
    234 74.125.53.191
    138 67.214.120.156
    138 204.236.155.168
    127 67.228.177.148
   ...

Friday, 02 April 2010

"One Page Checklist for Securing and Cleaning a Malware Infected Windows PC"

A "One Page Checklist for Securing and Cleaning a Malware Infected Windows PC" is available. From the paper: In this process, you are looking for outbound and inbound communication and connection attempts that seem suspicious: data transfers that you cannot account for, processes that seem inexplicable, or unsigned files. You may or may not see logon attempts, registry changes, file creation, file access, file permission changes. You may need to correlate Network Monitor logs with network ingress and egress firewall logs. Additional...