Sunday, 02 November 2008

Review of Malware Forensics Posted

Amazon.com just posted my five star review of Malware Forensics. From the review:

Malware Forensics is an awesome book. Last year Syngress published Harlan Carvey's 5-star Windows Forensic Analysis, and now we get to enjoy this new title by James Aquilina, Eoghan Casey, and Cameron Malin, plus technical editing by Curtis Rose. I should disclose that I co-wrote a forensics book with Curtis Rose, and I just delivered a guest lecture in a class taught by Eoghan Casey. However, I still call books as I see them, regardless of the author. (Check out my review of Security Sage's Guide to Hardening the Network Infrastructure for proof.) I can confidently say that anyone interested in learning how to analyze malware, or perform incident response, will benefit from reading Malware Forensics.

DC BSDCon 2009 Call for Papers Open

I was pleased to hear from Jason Dixon, who told me that he is organizing DC BSDCon 2009 on 4 and 5 February 2009 at the Washington Marriott Wardman Park. This is right before ShmooCon 2009 and has been coordinated with that group.

DC BSDCon has a call for papers open until 1 December, with selections announced on 15 December. I will probably submit a presentation.

I will not attend ShmooCon this year. I've decided the logistics are too much of a hassle. There are a few talks on Friday evening, a full day on Saturday, and a few talks on Sunday. The commute to DC takes me about 1 3/4 hours each way, using public transportation, so I spend more time travelling than I do in talks Friday or Sunday. Sunday morning's activities conflict with church. Saturday I try to give my wife a break from our two kids. Spending a weekend on what are essentially "work activities" isn't worth it.

Tuesday, 28 October 2008

Vulnerabilities and Exploits Are Mindless

Jofny's comment on my post Unify Against Threats asked the following:

So, Richard, I'm curious which security people - who are decision makers at a business level - are focusing on vulnerabilities and not threats?

If there are people like that, they really need to be fired.
This comment was on my mind when I read the story FBI: US Business and Government are Targets of Cyber Theft in the latest SANS NewsBites:

Assistant Director in charge of the US FBI's Cyber Division Shawn Henry said that US government and businesses face a "significant threat" of cyber attacks from a number of countries around the world. Henry did not name the countries, but suggested that there are about two dozen that have developed cyber attack capabilities with the intent of using those capabilities against the US. The countries are reportedly interested in stealing data from targets in the US. Henry said businesses and government agencies should focus on shoring up their systems' security instead of on the origins of the attacks.

The editors' comments are the following:

(Pescatore): It really doesn't matter where the attacks come from, businesses have been getting hit by sophisticated, financially motivated, targeted attacks for several years now.
(Ullrich): A very wise remark. It doesn't matter who attacks you. The methods used to attack you and the methods used to defend yourself are the same. We spend too much time worrying about geographic origins. In cyberspace, nation states are a legacy concept.
This is the mindset that worries me, even though the FBI AD agrees. It ignores this fact: Vulnerabilities and exploits are mindless. On the other hand, intelligent adversaries are not. Therefore, if you are doing more than defending yourself against opportunistic, puerile attackers, it pays to know your enemy by learning about security threats (as shown on the book cover to the right).

Once your security program has matured to the point where not any old caveman can compromise you, it pays to put yourself in the adversary's place. Who might want to exploit your organization's data? What data would be targeted? How could you defend it? How could you detect failure? When complaining to the government and/or law enforcement, to whom can you attribute the attack? Knowing the enemy helps prioritize what to defend and how to do it.

About the AD telling businesses not to worry about threat sources: he's just quoting official FBI policy. I wrote about this in More Threat Reduction, Not Just Vulnerability Reduction:

Recently I attended a briefing where a computer crimes agent from the FBI made the following point:

Your job is vulnerability reduction. Our job is threat reduction.

In other words, it is beyond the legal or practical capability of most computer crime victims to investigate, prosecute, and incarcerate threats.
Let's briefly address the "In cyberspace, nation states are a legacy concept" comment. We've been hearing this argument for fifteen years or more. Last time I checked, nation states were alive and well and shaping the way cyberspace works. Just this morning I read the following Economist article, Information technology: Clouds and judgment; Computing is about to face a trade-off between sovereignty and efficiency:

The danger is less that the cloud will be a Wild West than that it will be peopled by too many sheriffs scrapping over the rules. Some enforcers are already stirring up trouble, threatening employees of online companies in one jurisdiction to get their employers based in another to fork over incriminating data for instance. Several governments have passed new laws forcing online firms to retain more data. At some point, cloud providers may find themselves compelled to build data centres in every country where they do business.

Finally, independent actors do not operate intelligence services that target our enterprises; nation states do. I've written about Counterintelligence and the Cyber Threat before. Part of the problem may stem from a distinction Ira Winkler made at RSA 2006, which I noted in my post RSA Conference 2006 Wrap-Up, Part 3:

I highly recommend that those of you who give me grief about "threats" and "vulnerabilities" listen to what Mr. Winkler has to say. First, he distinguishes between those who perform security functions and those who perform counter-intelligence. The two are not the same. Security focuses on vulnerabilities, while counter-intelligence focuses on threats.

Maybe I spend more time on the counterintelligence problem than others, but I can't see how vulnerability-centric security is a good idea -- except for those who sell "countermeasures."

Unify Against Threats

At my keynote at the 2008 SANS Forensics and IR Summit I emphasized the need for a change in thinking among security practitioners. Too often security and IT groups have trouble relating to other stakeholders in an organization because we focus on vulnerabilities. Vulnerabilities are inherently technical, and they mean nothing to others who might also care about security risks, like human resources, physical security, audit staff, legal staff, management, business intelligence, and others. I used the following slide to make my point:

My point is that security people should stop framing our problems in terms of vulnerabilities or exploits when speaking with anyone outside our sphere of influence. Rather, we should talk in terms of threats. This focuses on the who and not the what or how. This requires a different mindset and a different data set.

The business should create a strategy for dealing with threats, not with vulnerabilities or exploits. Notice I said "business" and not "security team." Creation of a business-wide strategy should be done as a collaborative effort involving all stakeholders. By keeping the focus on the threats, each stakeholder can develop detective controls and countermeasures as they see fit -- but with a common adversary in mind. HR can focus on better background checks; physical security on guns and guards; audit staff on compliance; legal staff on policies; BI on suspicious competitor activities, and so on. You know you are making progress when management asks "how are we dealing with state-sponsored competitors" instead of "how are we dealing with the latest Microsoft vulnerability?"

This doesn't mean you should ignore vulnerabilities. Rather, the common strategy across the organization should focus on threats. When it comes to countermeasures in each team, then you can deal with vulnerabilities and the effect of exploits.

Note that focusing on threats requires real all-source security intelligence. You don't necessarily need to contract with a company like iDefense, one of the few that do the sort of research I suggest you need. This isn't a commercial for iDefense and I don't contract with them, but their topical research reporting is an example of helpful (commercial) information. I would not be surprised, however, to find that a lot of the background you need is already held by the stakeholders in your organization. Unifying against the threats is one way to bring these groups together.

Monday, 27 October 2008

Trying Secunia Vulnerability Scanning

One feature which most Unix systems possess, and that most Windows systems lack, is a native means to manage non-base applications. If I install packages through apt-get or a similar mechanism on Ubuntu, the package manager notifies me when an update is needed and it's easy for me to install them. Windows does not natively offer this function, so third-party solutions must be installed.

I had heard about Secunia's vulnerability scanning offerings, but I had never tried them. I decided to try the online version (free for anyone) and then the personal version on a home laptop I hadn't booted recently.

You can see the results for the online scanner below. All that was needed was a JRE install to get these results.

The online scanner noticed I was running an older version of Firefox, and I needed to apply recent Microsoft patches. The fact that it checked Adobe Flash and Acrobat Reader was important, since those are popular exploit vectors.

Next I tried the personal version and got the results below.

This scan added more results, but only after I unchecked "Show only 'Easy-to-Patch' programs" on the Settings tab. I like that Secunia told me that my Intel wireless NIC driver needed patching. If I look for details I see this:

Clicking on the Download Solution icon took me to an Intel Web page, but at that point I needed to know what NIC driver I needed. That's why Secunia says "If you have the technical knowledge to handle more difficult programs, then we strongly recommend that you disable this setting" with respect to the "Show only 'Easy-to-Patch' programs" option.

I noticed Secunia doesn't check to see if WinSCP is patched, so I used the easy "Program missing? Suggest it here!" link to offer that idea to Secunia.

What do you use to keep the various applications installed on Windows up-to-date?

Sunday, 26 October 2008

Review of OSSEC HIDS Guide Posted

Amazon.com just posted my five star review of OSSEC HIDS Guide. From the review:

I'm surprised no one has offered serious commentary on the only book dedicated to OSSEC, an incredible open source host-based intrusion detection system. I first tried OSSEC in early 2007 and wrote in my blog: "OSSEC is really amazing in the sense that you can install it and immediately it starts parsing system logs for interesting activity." Stephen Northcutt of SANS quotes this post in his foreword to the book on p xxv. Once you start using OSSEC, especially with the WebUI, you'll become a log addict. OSSEC HIDS Guide (OHG) is your ticket to taking OSSEC to the next level, even though a basic installation will make you stronger and smarter.

I'm not kidding about the log addict part. I find myself obsessively hitting the refresh button on my browser when viewing the OSSEC WebUI, even though it refreshes itself. Sad.

Saturday, 25 October 2008

Comment on New Amazon Reviewer Ranking System

I just happened to notice a change to my Amazon.com reviews page. If you look at the image on the left, you'll see two numbers: "New Reviewer Rank: 481" and "Classic Reviewer Rank: 434". I found the following explanation:

You may have noticed that we've recently changed the way top reviewers are ranked. As we've grown our selection at Amazon over the years, more and more customers have come to share their experiences with a wide variety of products. We want our top reviewer rankings to reflect the best of our growing body of customer reviewers, so we've changed the way our rankings work. Here's what's different:

  • Review helpfulness plays a larger part in determining rank. Writing thousands of reviews that customers don't find helpful won't move a reviewer up in the standings.

  • The more recently a review is written, the greater its impact on rank. This way, as new customers share their experiences with Amazon's ever-widening selection of products, they'll have a chance to be recognized as top reviewers.

  • We've changed the way we measure review quality to ensure that every customer's vote counts. Stuffing the ballot box won't affect rank. In fact, such votes won't even be counted.
We're proud of all our passionate customer reviewers and grateful for their investment of time and energy helping other Amazon customers.
On my overall profile page I found a second statistic, shown at left, which says that 90% of my votes are considered "helpful." That's cool! I appreciate any helpful votes I get. It's the main feedback for reviews I write so I am glad anytime I see someone logged into Amazon.com who votes for my reviews.

Apparently you shouldn't vote too often for me, because under the new system you're considered a fan voter and ignored!

Fan voters are people who consistently appreciate the author's reviews. These votes are not reflected in the total vote count to provide our customers with the most unbiased and accurate information possible.

Right now I have 131 "fan voters," so that's another reason my ranking dropped from 434 to 481.

The proof for me, however, regarding the new ranking system would be the effect on someone I know who writes a dozen or more "reviews" per day, most of which I consider worthless. 4437 "reviews" (i.e., books read) since October 2002? That's two books per day -- no way! As you can see on the right, this person has fallen from number 11 under the Classic Ranking down to 521. Ha ha.

Looking at the profile statistic, you can see a 75% rating. That's higher than I expected, but it definitely had an effect on the overall ranking. I think what really hurt this guy is his "fan voter" count: 892. I have a feeling Amazon.com believes these fans are fake accounts under the control of the reviewer, so Amazon.com has decided to just ignore them. For someone like Mr. 521 with "892 fans," I could see how that would affect his rank.

There's a hot debate in the Amazon.com forums about this topic now. Some people are really bent out of shape over these changes. Take it easy -- it's just Amazon.com.