Monday, 31 May 2010

National Security Strategy is Empty on "Cyberspace"

The new National Security Strategy (.pdf) says the following about "cyberspace":

Secure Cyberspace

Cybersecurity threats represent one of the most serious national security, public safety, and economic challenges we face as a nation. The very technologies that empower us to lead and create also empower those who would disrupt and destroy. They enable our military superiority, but our unclassified government networks are constantly probed by intruders....

Sunday, 30 May 2010

Digital Security Is Not Just an Engineering Problem

Recently I participated in a small meeting involving a cross-section of people interested in digital security and public policy. During the meeting one of the participants voiced the often-repeated but, in my opinion, misguided notion that the primary problem with digital security is "design." In other words, "the Internet was not designed to be secure." If the Internet was not designed to be secure, all applications are "built on a foundation...

Saturday, 29 May 2010

"Privacy" vs "Security" or Privacy AND Security

Perhaps I'm alone on this, but I may not think of "privacy" and "security" the same way as some readers of this blog. It's common to hear that there is a tension between these two ideas, but I consider them to be very different, at least at the enterprise level.

Privacy is primarily concerned with protecting customer data, often called Personally Identifiable Information (PII). Lawyers are typically the dominant players. This field is heavily regulated,...

More Evidence Military Will Eventually Defend Civilian Networks

In my Predictions for 2008 I wrote Expect greater military involvement in defending private sector networks. About one year ago I wrote NSA to "Screen" .gov Now, I Predict .com Later. Now thanks to a new article by Noah Shachtman titled Cyber Command: We Don't Wanna Defend the Internet (We Just Might Have To) we read the following:

At a gathering this week of top cybersecurity officials and defense contractors, the Pentagon's number two floated...

Thursday, 27 May 2010

SANS WhatWorks Summit in Forensics and Incident Response

I wanted to remind everyone about the SANS WhatWorks Summit in Forensics and Incident Response in DC, 8-9 July 2010. The Agenda looks great. I will offer the "Expert Briefing: CIRT-level Response to Advanced Persistent Threat" and participate on the "APT Panel Discussion." This IR event is a great precursor to my next SANS WhatWorks Summit in Incident Detection and Log Management in DC, 8-9 December 20...

Tuesday, 25 May 2010

piping tcpdump output to lsof

This simple Bash script will output the lsof end of any foreign network connection:

    # Set -i to the interface of your choice (rl0 here).
    # tcpdump -c 1 grabs one packet destined for this host. The first awk takes
    # the source field and the second strips the trailing port from the
    # dotted-quad address, so add -n if tcpdump would print hostnames instead,
    # and use $3 rather than $2 on tcpdump versions that print "IP" before the
    # source address.
    while [ 1 ]
    do
            for i in `tcpdump -i rl0 -c 1 -l dst $(hostname) | awk '{print $2}' | awk -F"." '{print $1"."$2"."$3"."$4}'`
            do
                    lsof -i@$i
            done
    done

with time/date stamp added and headers removed:

    while...

Monday, 24 May 2010

Forget Pre-Incident Cost, How Much Did Your Last Incident Cost?

I just read this great post by Rich Mogull titled FireStarter: The Only Value/Loss Metric That Matters. His basic argument, or at least the idea that I derived from it, is the following (all in my own words).

So-called "risk managers" spend a lot of time imagining they can determine "annualized loss expectancy" by predicting how much an incident will cost. Forget all that nonsense. Before imagining what a future incident will cost, figure out how...

More on Black Hat Costs

About a year ago I wrote Black Hat Budgeting, explaining how an offensive security team might spend $1 million. I said "I submit that for $1 million per year an adversary could fund a Western-salaried black hat team that could penetrate and persist in roughly any target it chose to attack."

Tonight Jeremiah Grossman asked via Twitter:

jeremiahg: @taosecurity regarding black hat budgeting, does defense-in-depth exacerbate the value cost inequity for...

Saturday, 22 May 2010

Watch Your WHOIS Entries

Thanks to sites like the Sucuri Security blog, domain name administrators should be learning that it is important to watch for updates to WHOIS records. Companies like Sucuri offer such a service free for one domain but charge for additional domains while providing extended services. If you'd just like to monitor your own WHOIS records using a simple script, you can be inspired by last year's article Network-based integrity monitoring keeps website...
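As an added example (not code from the original post, from Sucuri, or from the earlier integrity-monitoring article), here is the core of a do-it-yourself WHOIS monitor in Python: normalize a record, fingerprint it for a stored baseline, and report exactly which fields changed. It assumes the raw WHOIS text is fetched by some external step (for example the `whois` command in a cron job) and saved; the function names and the sample records below are this example's own, and the records are constructed, not real registry output.

```python
"""Added example: baseline-and-diff check for a domain's WHOIS record.

Not code from the original post or from Sucuri. It assumes the raw WHOIS
text has already been fetched (for example with the `whois` command in a
cron job) and saved; this module only normalizes and compares two copies.
Every record below is constructed for illustration.
"""
import hashlib

# Lines that legitimately change on every query; they must not raise alerts.
VOLATILE_PREFIXES = (
    ">>> last update of whois database",
    "last update of whois database",
    "whois lookup made at",
)


def normalize(record: str) -> dict:
    """Parse 'Key: value' lines into {key: sorted values}, dropping comment
    lines (%, #), blank lines and the volatile timestamp lines above."""
    fields = {}
    for raw in record.splitlines():
        line = raw.strip()
        if not line or line.startswith(("%", "#")) or ":" not in line:
            continue
        if line.lower().startswith(VOLATILE_PREFIXES):
            continue
        key, _, value = line.partition(":")
        fields.setdefault(key.strip().lower(), set()).add(value.strip().lower())
    return {k: sorted(v) for k, v in fields.items()}


def fingerprint(record: str) -> str:
    """SHA-256 over the canonical form, suitable for storing as the baseline."""
    canon = "\n".join(f"{k}={';'.join(v)}" for k, v in sorted(normalize(record).items()))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def diff_records(baseline: str, current: str) -> dict:
    """Return {field: (old_values, new_values)} for every field that changed."""
    old, new = normalize(baseline), normalize(current)
    return {
        key: (old.get(key, []), new.get(key, []))
        for key in sorted(set(old) | set(new))
        if old.get(key, []) != new.get(key, [])
    }


# Constructed sample records (not real WHOIS output).
BASELINE_RECORD = """\
% Constructed sample, not a real registry response
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Updated Date: 2010-05-01
Name Server: NS1.EXAMPLE.NET
Name Server: NS2.EXAMPLE.NET
Status: clientTransferProhibited
>>> Last update of WHOIS database: 2010-05-22T10:00:00Z <<<
"""

# Same data, only the registry timestamp moved: must NOT alert.
UNCHANGED_RECORD = BASELINE_RECORD.replace("2010-05-22T10:00:00Z", "2010-05-23T10:00:00Z")

# Name servers repointed and transfer lock dropped: the pattern of a hijack.
CURRENT_RECORD = """\
% Constructed sample, not a real registry response
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Updated Date: 2010-05-22
Name Server: NS1.DNS-HIJACK.TEST
Name Server: NS2.DNS-HIJACK.TEST
Status: ok
>>> Last update of WHOIS database: 2010-05-23T10:00:00Z <<<
"""

if __name__ == "__main__":
    for field, (before, after) in diff_records(BASELINE_RECORD, CURRENT_RECORD).items():
        print(f"ALERT {field}: {before} -> {after}")
```

The point of the normalization step is to keep the monitor quiet: registries rewrite the "last update of database" line on every lookup, so a naive hash of the raw text alerts constantly and gets ignored. Comparing field by field also tells you what moved, and a change to Name Server or the removal of a transfer lock is the signal worth paging on.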

Wednesday, 19 May 2010

A prototype test harness...but needs lots of work

I have spent too much time here in the last few days working on a test harness for live network files in Vista. As a prototype, what I have written may be useful. However, numerous problems were uncovered. The idea was this: at any moment there is a discoverable set of files that are being accessed by the network. In theory, you should be able to list those files and then query them for their integrity. The heart of this is something like:

    icacls %dir_file%

...

Monday, 17 May 2010

Car hacking....

"Indeed, we have demonstrated the ability to systematically control a wide array of components including engine, brakes, heating and cooling, lights, instrument panel, radio, locks, and so on. Combining these we have been able to mount attacks that represent potentially significant threats to personal safety. For example, we are able to forcibly and completely disengage the brakes while driving, making it difficult for the driver to stop. Conversely, we are able to forcibly activate the brakes, lurching the driver forward and causing the car to...

Sunday, 16 May 2010

Review of Masters of Deception Posted

Amazon.com just posted my three star review of Masters of Deception by Michelle Slatalla and Joshua Quittner. From the review:

Masters of Deception (MOD) by Michelle Slatalla and Joshua Quittner tells the tale of the self-proclaimed Masters of Deception, a phone phreaking and proto-computer hacker crew from the early 1990s. This was one of several books on the 1980s-1990s hacker scene that I recently read, but thus far I consider it the weakest....

Review of Cyberpunk Posted

Amazon.com just posted my four star review of Cyberpunk by Katie Hafner and John Markoff. From the review:

Cyberpunk is a unique exploration of three distinct digital security stories. Authors Katie Hafner and John Markoff describe the histories of Kevin Mitnick and friends, Hans Heinrich Hübner and the Hannover hackers, and Robert T Morris and family. This approach is interesting because all three tales are told independently, yet key events occur...

Review of The Hacker Crackdown Posted

Amazon.com just posted my five star review of The Hacker Crackdown by Bruce Sterling. From the review:

Bruce Sterling's book The Hacker Crackdown (THC) captures the spirit and history of the "hacker scene" in the late 1980s and early 1990s. Having lived through that period with my C-64 and first 386 PC, I thought the author accurately describes what it was like for computer users during that era. THC is one of my favorite books on hacker activity...

Saturday, 08 May 2010

Everything I Need to Know About Leadership I Learned as a Patrol Leader

This post is outside the digital security realm, but I know a lot of my readers are team members and team leaders in their technical shops. I thought it might be useful to share a few thoughts on leadership. I don't claim to be the world's best leader but I've been thinking about the topic recently.

I've participated in a lot of "leadership training" over the years, in and out of classrooms. A few examples: I've attended classes at GE's Crotonville,...

Papers Not PowerPoint, Plus Tips for Improvement

Recently I railed against PowerPoint. In this post I'd like to congratulate Black Hat and some of their Briefings speakers for submitting white papers, not just PowerPoint presentations. This evening while cleaning out a tmp directory I noticed a copy of a white paper by IBM's Tom Cross from Black Hat DC 2010 titled Exploiting Lawful Intercept to Wiretap the Internet. The paper describes Tom's analysis of Cisco's implementation of CALEA for law...

Friday, 07 May 2010

Bejtlich to Speak at SANS Forensics and Incident Response 2010

I am pleased to announce that I will return for the third SANS WhatWorks Summit in Forensics and Incident Response in DC, 8-9 July 2010. Rob Lee sent an email stating I would be on the Advanced Persistent Threat Panel with Chris Glyer and Mike Cloppert, so I'm looking forward to participating. I might also have a solo presentation, but I haven't seen the agenda yet. This IR event is a great precursor to my next SANS WhatWorks Summit in Incident...

The Face of Information Warfare

When information warfare happens, it's possible the victims will not recognize it as "warfare." I was reminded of this yesterday during the market selloff, which may have been caused by an error in trading. I'm not saying that the market selloff was an information attack. Rather, what we saw yesterday (an example appears in the screen shot -- Procter & Gamble down 32% in the blink of an eye) reminded me of what an information attack might look...

lsof for Windows substitute

5/10/2010 update to this post (see below)

I've created a couple of Vista cmd files that pump netstat output to tasklist to help substitute for the missing `lsof -Ts` in Linux (see below). The TCP/TCPv6 output logs the time, IP address (foreign endpoint), and application information. The (stateless) UDP/UDPv6 output just logs time and application information (see output below). The value of logging network endpoints and their process information is incalculable in security. Mark Russinovich's procmon (when run with the network filter) does this...
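The netstat-to-tasklist join described above, written out as an added Python example so the parsing is explicit (this is not the post's cmd files): every socket with a real foreign endpoint is tagged with a timestamp and the owning image name, and a PID that has vanished between the two commands is reported as `<unknown>` instead of silently dropped. The function names are this example's own, `snapshot()` only works on a Windows host, and the `netstat -ano` and `tasklist /fo csv /nh` text embedded below is constructed, not captured from a real machine.

```python
"""Added example: join `netstat -ano` with `tasklist /fo csv /nh` so each
foreign endpoint is logged with a timestamp and the owning process, the
same idea as the cmd files described above (this is not those files).
Function and variable names are this example's own; the netstat and
tasklist text below is constructed, not captured from a real host.
"""
import csv
import io
import subprocess
from datetime import datetime, timezone

# Foreign hosts that mean "not connected to anything": listeners and wildcards.
UNBOUND_HOSTS = {"0.0.0.0", "::", "*"}


def parse_tasklist_csv(text):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    pids = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            pids[int(row[1])] = row[0]
    return pids


def split_endpoint(endpoint):
    """'203.0.113.7:443' -> ('203.0.113.7', '443'); '[::1]:445' -> ('::1', '445')."""
    host, _, port = endpoint.rpartition(":")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    return host, port


def parse_netstat(text):
    """Yield (proto, local, foreign, state, pid) for each socket line of
    `netstat -ano`. UDP lines have no State column, so they carry four
    fields instead of five."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) >= 5:
            proto, local, foreign, state, pid = parts[:5]
        elif parts[0] == "UDP" and len(parts) >= 4:
            proto, local, foreign, pid = parts[:4]
            state = ""
        else:
            continue
        yield proto, local, foreign, state, int(pid)


def join_endpoints(netstat_text, tasklist_text, stamp=None):
    """Return one record per socket with a real foreign endpoint, tagged with
    the capture time and the owning image. A PID missing from the tasklist
    snapshot (process exited between the two commands) is reported as
    '<unknown>' rather than dropped, because that gap is itself interesting."""
    stamp = stamp or datetime.now(timezone.utc).isoformat()
    images = parse_tasklist_csv(tasklist_text)
    records = []
    for proto, local, foreign, state, pid in parse_netstat(netstat_text):
        host, port = split_endpoint(foreign)
        if host in UNBOUND_HOSTS:
            continue
        records.append({
            "time": stamp, "proto": proto, "remote": (host, port),
            "state": state, "pid": pid, "image": images.get(pid, "<unknown>"),
        })
    return records


def format_line(rec):
    """One log line per record: time, proto, remote endpoint, state, pid, image."""
    host, port = rec["remote"]
    return f"{rec['time']} {rec['proto']} {host}:{port} {rec['state']} pid={rec['pid']} {rec['image']}"


def snapshot():
    """Live version for a Windows host: run both commands and join them."""
    ns = subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=True).stdout
    tl = subprocess.run(["tasklist", "/fo", "csv", "/nh"], capture_output=True, text=True, check=True).stdout
    return join_endpoints(ns, tl)


# Constructed sample output (not from a real machine).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    192.168.1.10:49152     203.0.113.7:443        ESTABLISHED     2412
  TCP    192.168.1.10:49160     198.51.100.9:80        CLOSE_WAIT      9999
  TCP    [::1]:49200            [::1]:445              ESTABLISHED     4
  UDP    0.0.0.0:123            *:*                                    1044
"""

TASKLIST_SAMPLE = """\
"svchost.exe","876","Services","0","8,104 K"
"iexplore.exe","2412","Console","1","65,000 K"
"System","4","Services","0","300 K"
"svchost.exe","1044","Services","0","5,000 K"
"""

if __name__ == "__main__":
    for rec in join_endpoints(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(format_line(rec))
```

Two details matter when you run this for real. First, netstat and tasklist are two separate snapshots, so a short-lived process can appear in one and not the other; logging the PID as `<unknown>` keeps the evidence instead of hiding it. Second, the same PID can be reused after a process exits, so a timestamped log of PID plus image name is only as trustworthy as the interval between the two commands.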