Thursday, December 27, 2007

Building Didier Stevens' SpiderMonkey in Cygwin

Here's one for your malware analysis toolkit. For some time now, I've been using Rhino, Mozilla's Java implementation of JavaScript, to help automate deobfuscation. SpiderMonkey is Mozilla's C implementation of JavaScript, including a shell much like Rhino's.

There are a couple of things that Mozilla's engine doesn't do when it comes to deobfuscating JavaScript. Specifically, you're left to manually convert eval and document.* calls yourself. That's where this really smart guy Didier Stevens comes in. He has a modified SpiderMonkey that solves both of these issues.

So you already know that I like Cygwin for lots of things, including malware analysis. Unfortunately, SpiderMonkey is really only intended to build on Win32 with Visual Studio. However, there are a couple of quick shortcuts you can take to get it to build with gcc in Cygwin. So here we go.

1. Install Cygwin with gcc and standard C libraries.
2. Download and untar Stevens' SpiderMonkey source tarball.
3. In js/src/config/ find the line that begins with MKSHLIB and change the ld linker syntax by replacing '-shared' with '-r':

$ grep -n MKSHLIB config/
50:MKSHLIB = $(LD) -shared $(XMKSHLIBOPTS)

4. Build using make with the following syntax:

$ make -f Makefile.ref OS_ARCH='Linux'

We're essentially lying to make to get it to build as if our Cygwin environment is a Linux box. This is why shared linking breaks. But it should be a non-issue.

5. The make will exit with errors, but if all went well, the JavaScript shell, js.exe, has already been built:

$ cd Linux_All_DBG.OBJ
$ ls -l js.exe
-rwxr-xr-x 1 nobody None 1493267 Dec 27 17:40 js.exe
$ cd
$ cp js/src/Linux_All_DBG.OBJ/js.exe $HOME

$ ./js.exe
js> document.write("oh word!");
js> ^C
$ cat write.log
oh word!

And that's it. Make a copy of the binary for future use and clean up.
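The eval()/document.write() capture that the modified shell gives you natively, reproduced here as an added example for a stock JavaScript engine (Node.js assumed); this is not Didier Stevens' code, and the obfuscated sample and its host name are constructed for the demonstration:

```javascript
// Added example, not Didier Stevens' code: the eval()/document.write()
// capture that his modified js shell does natively, reproduced for a stock
// JavaScript engine (Node.js assumed) so the analyst sees each layer.

// Constructed sample. The inner layer is the script the outer one rebuilds
// from character codes at runtime; the host name is a placeholder.
const INNER = 'document.write("<iframe src=\'http://example.invalid/x\'></iframe>")';
const SAMPLE =
  'var s="";var c=[' +
  Array.from(INNER, (ch) => ch.charCodeAt(0)).join(',') +
  '];for(var i=0;i<c.length;i++){s+=String.fromCharCode(c[i]);}eval(s);';

// Run one layer with `eval` and `document` shadowed by our shims. Function()
// bodies are sloppy-mode unless they opt in, so a parameter named "eval" is
// legal and hides the real one; a layer that starts with "use strict" would
// refuse that parameter name, which is worth knowing when a sample fails here.
function runLayer(code, evalShim, documentShim) {
  return new Function('eval', 'document', code)(evalShim, documentShim);
}

// Returns what the modified shell would have written to eval.log and
// write.log after running the sample.
function analyze(sample) {
  const evalLog = [];
  const writeLog = [];

  const documentShim = {
    // Record the markup instead of rendering it.
    write: (s) => { writeLog.push(String(s)); },
    writeln: (s) => { writeLog.push(String(s) + '\n'); },
  };

  const evalShim = (code) => {
    const text = String(code);
    evalLog.push(text);
    // Keep unwrapping: the decoded layer runs under the same shims, so a
    // sample that nests several eval() calls logs every stage.
    return runLayer(text, evalShim, documentShim);
  };

  runLayer(sample, evalShim, documentShim);
  return { evalLog, writeLog };
}

const result = analyze(SAMPLE);
console.log('eval.log:\n' + result.evalLog.join('\n'));
console.log('write.log:\n' + result.writeLog.join('\n'));
```

Only eval and document are shadowed; anything else the sample touches reaches the real engine, so treat this harness the way you would the js shell itself and run it on a throwaway analysis box.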

Tuesday, December 25, 2007


A nasty storm blew through West Michigan on Sunday and Monday with lots of wind damage. It knocked out power to major chunks of the city, including the airport, which is literally close to home for me. Fortunately, the uptime on my OpenBSD box shows 25 days, so we never lost power (or cable, which is good, because I am trying to Tivo My Name Is Earl reruns that I missed.) So if you're family and you're reading this, we're safe and warm.

And then there are the latest mutations of that ongoing Storm thingy that fortunately doesn't leave people homeless or stranded. It's still annoying, though. You can't help but get the sense that the spammers are all taking advantage of the holidays:

That's 60 new spam messages in my Postini quarantine since Friday. That's not my GMail account, which has closer to 7K, but rather my work-only address which is seldom-published and hardly sees any spam. Additionally, Postini only shows me messages it's not sure about, so that's almost always new variations of spam messages. For me to have 60 in a month is rare, let alone a few days. The dirtbags have been busy.

Friday, December 21, 2007

On a Lighter Note...

Say what you will about Bill Gates, but sometimes he does something that you just have to admire. According to Reuters, he's recently acquired a stake in FEMSA Cerveza, a Mexican beer and soft-drink conglomerate. Mexican beers don't often make it to the top of a beer snob's list, but for my taste, Bohemia is one of the better pilsners out there. Plus, it's usually cheaper than, say, Pilsner Urquell. And cheap beer is good beer when it's also good beer.

On a Personal Note...

If you're one of the people that has my blog in your feeds list, then you've no doubt noticed that I have not been posting much lately. At all. I hope to get back to it in the new year, but Q407 has been insanely crazy for me, and I had to prioritize my time across the board.

But it's not bad news. Quite the contrary, actually. Made official just this week, I am now the head of infosec as well as the corporate infosec officer at the company where I work. My good friend and mentor, Tim, is returning to his technical roots but otherwise staying put. It's pretty much a job swap for the two of us, with Tim becoming the infosec team's technical lead.

I thought long and hard about the offer before accepting, and I came to a realization. I haven't worked on a team this talented in a decade. My mentor and the man I am succeeding will remain on staff as a resource to me and I to him. I will never get a better opportunity to step up to leadership. I will never have more support and more talent behind me than I do now. It's a little much to digest, really, and I think the rambling nature of this post gives you a hint at just how much my head is still swimming at the idea.

Anyhow, I hope to resume blogging in the new year as time permits. I have a couple of ideas that, if I find some time over the next few weeks, I may polish enough to post. Anyway, I hope that wherever you are, that you find peace and prosperity in the New Year.


Thursday, December 13, 2007

Deloitte Data Disclosure Study

So, I can't decide what this study really means. The short version is that Deloitte did a survey of security & privacy staff from the US about data breaches and disclosures, and 85% of respondents had at least one incident, and 63% of respondents had six or more in the past 12 months.

But I don't know if this is the sky falling, or just the entropic nature of data. Clearly 85% of companies are not having TJX-sized breaches. But the 85% is apparently incidents where notification occurred. Unfortunately, the report doesn't expand on what constitutes notification and whether that means specifically that individuals were notified.

Either way, this study raises a good point around incident response. Specifically, due to the ubiquitous nature of mandatory disclosure laws, it's time to revisit your incident response procedures and include language for determining if notification is necessary, and then coordinating and documenting notification efforts so that you can prove that you followed applicable laws.

Friday, December 7, 2007

2008 Security Blog Predictions

Predictions seem to be a less popular topic this year than they were last year when nearly everybody with a blog made a stab at security predictions for 2007. There are still a few who have dusted off their crystal balls and taken a stab at it.

My blog wasn't up and going last year, so there are no poorly made guesses about security trends out there for you to hold me accountable for. This year will be no different. Instead, I present to you, dear readers...

My 2008 Security Blog Predictions

  1. MSRC will continue to only post on the 1st Thursday and 2nd Tuesday of each month.
  2. Matasano will burn up their clients' 2007 budgets and start posting again in January.
  3. Richard Bejtlich will still be the only guy blogging about network taps.
  4. Raffy will still be the only guy talking about AfterGlow, even though it works with Snort and Greg Hoglund used it in his new debugging tool.
  5. Nate Lawson's blog will be surpassed by Chris Eng's as the most difficult to digest. Especially if Nate keeps posting exclusively about vintage computers and BaySec.
  6. The Wired Support Intelligence blog will finally be declared abandoned and taken offline.
  7. People will continue to read Schneier's blog, even though it's just Bruce riffing one-liners on 2-week old articles.
  8. I will finally read WebSense Labs' blog regularly because they will add an RSS feed.
  9. I will finally blog about my experiences upgrading ArcSight 3.5 to 4.0, because my hardware will eventually arrive and I will finally be able to do the upgrade.
  10. ...and last but not least, security blogging will continue to really just be all about Google page rank.

Thank you, and good night.

Tuesday, November 27, 2007

Tis The Season

Sunday morning I followed up on a case involving a new mass-sploiter. It was interesting - PHP remote file inclusion attack with a hosted exploit that was targeting Windows. Of course, it didn't affect any of the systems it touched on my end, and I decided not to try for the binary. Why not? Because it was Sunday morning, I was at my in-laws' house, packing up to go have a late Thanksgiving with my family.

And then it hit me. Get ready. Here it comes. As we head into the holidays, the malware folks are gearing up, hoping to catch us off guard. They've already got the design in place, the new text for socially engineering users and packing & obfuscation tricks to bypass spam filters and AV scanners. They're just waiting. Last winter it was New Year's Eve and then the SuperBowl. The timing of those attacks was no coincidence. This season I expect something similar.

Thursday, November 15, 2007

Attack Surfaces and The Impending Headache

If you rewind 6 years, the big security pain point for most companies was the disruption caused by worms like Code Red, nimdA, Slammer, Sasser, Blaster, etc. The common thread that made these worms so effective, and thus disruptive, was widely-deployed, unpatched Microsoft products.

Today, the threat of a catastrophic worm of this type is almost non-existent in most modern networks. Microsoft fixed code, we deployed client firewalls and automated patching, and got serious about the security of Internet-facing services. This is good news, but it's also a mixed bag. The attacks didn't stop, they just changed.

Other attack surfaces - web applications and web browsers - started to get attention. And today, an unpatched exploit for IE is worth more to the bot/adware crowd than one for IIS 6. But lately there's been an upswing in exploits against third-party apps that integrate with web browsers. QuickTime, RealPlayer, Acrobat Reader, and Shockwave have all had remote code execution vulnerabilities discovered - and exploited by the bad guys - in the past few months. And this is exacerbated by the fact that at least half of your QuickTime or RealPlayer installs are from folks that installed iTunes or Rhapsody so they could sync their MP3 player at work, so you don't even know that they're out there.

But here's the real teeth-kicker. There was also a vulnerability in Viewpoint Media Player announced last week. With an exploit circulating. And I'll bet that until you read about it being vulnerable, you had never heard of Viewpoint Media Player and didn't have (and perhaps still don't have) any idea where it's installed throughout your network.

So now I have to defend mobile workstations against attacks on software I don't even know is out there? We have a pretty tight workstation management regimen where I work, and I was able to poll our software management tool for Viewpoint. And sure enough, there are a half-dozen installs.

So the picture this paints for the near future isn't pretty: even more time spent trolling mailing lists and RSS feeds for new vulnerabilities, expensive software to inventory your workstations and manage the software that's installed on them, a politically charged fight to take away local administrator privileges anywhere you can, and developing new ways to triage and mitigate vulnerabilities while you wait for some tiny software shop to fix the vulnerability.

Or, you could just focus on the insider threat. ;-)

Fixes For ArcSight Console on Linux

If you're like me and you prefer to run a distro other than CentOS or RedHat Enterprise on your laptop or workstation, you may have run into problems trying to install and run ArcSight Console. So here are a couple of quick hack/fix tips that can get you up and running.

1) The problem: The installer won't run. It gives the following error:

error while loading shared libraries: cannot open shared object file: No such file or directory

The fix:

sed -i 's/export LD_ASSUME_KERNEL/#xport LD_ASSUME_KERNEL/g' ArcSight-

2) The problem: When I try to run the installer or a previously installed console, I get the following error:

java: xcb_xlib.c:50: xcb_xlib_unlock: Assertion `c->xlib.lock' failed.

The fix:

sed -i 's/XINERAMA/FAKEEXTN/g' $HOME/arcsight/Console/current/jre/lib/i386/xawt/

3) The problem: Some windows don't draw correctly or at all when running the nvidia X11 video driver. I run 'arcsight console' and it hangs.

The fix: Switch back to the lame, non-AIGLX nv driver.

The hack: For some reason, if you run Java inside of strace, it works. (I suspect this has to do with Java threading.) Edit the script in the current/bin/scripts directory. The very last line begins with "$JAVA_HOME/bin/java". Put 'strace' at the beginning of that line. Now run 'arcsight console' like you normally would. Using 'strace' generates a lot of overhead, and will slow the console down, but it runs, which is more than you had before. And if you just can't give up compiz's wobbly windows, this may work for you.

Friday, November 9, 2007

Snort Turns 9, Marty Talks About 3.0

Snort turns 9 years old this month. It's come a long way and gotten a lot bigger:

paul@arnold ~/snort-0.96$ find . -type f |wc -l
paul@arnold ~/snort-2.8.0$ find . -type f |wc -l

Today Marty blogged about the changes that Sourcefire has in mind for the 3.0 engine. Some of this is old news, some of it's brand new. Here's what I found to be of specific interest:

0) Rewrite the core frameworks for Snort from the ground up to clean out code base cruft and leverage external libraries where possible to [...] effectively reduce the size and complexity of the code base making it easier to extend and ultimately lending the security benefits of a smaller code base.

Amen. The Snort 2.8.0 binary alone is over 8MB, to say nothing of the dynamic preprocessor libraries. It can be more if you compile in support for MySQL or PostgreSQL. That said, 2.8 and stream5 are significant improvements over their predecessors. If you're still on 2.6 or 2.7, don't wait for 3.0.

1) Build a "contextually aware engine", one that has the ability to understand what it's defending built around the concept of network context. Network context is essentially data about the environment that is being defended by Snort, the composition of the hosts in the network as well as the local network composition.

I'm glad to hear Marty say this, though frankly it's part of what we've built with the help of Oinkmaster. Trying to get the right rules turned on and looking at the right traffic is tough and requires deep knowledge of your network and how to configure your IDS. And it takes time. But it's worth it, and it is definitely the hardest part of tuning out false positives (and avoiding overtuning so that you miss real attacks). Anything Sourcefire can do to make this process more intuitive is a good thing in my book.

2) Abstract and compartmentalize Snort's subsystems to make components "separable".

Sure. I think that we started seeing this with 2.6 and the dynamic preprocessors. I would like to add that I think Snort is due for an update or replacement for barnyard. Something more flexible and more easily integrated (and with better documentation) would be nice.

4) Add an interactive shell to the system so that it may be more fully orchestrated at runtime.

He's talking about Lua. I like the idea of an interactive shell interface to the engine. Honestly, though, I'm not sure what I'd do with it.

5) Multithread the engine to take better advantage of multi-core platforms that are standard today.

If you wouldn't hate me for it, I'd embed dancing hamsters or puppies or something equally ridiculous as a symbol of my elation. In other words, it's about effin time. Snort being single-thread only is, in my opinion, the single greatest scalability barrier that it has.

Data Source API - An abstraction API between the facilities provided by the data source and the rest of the Snort 3.0 software framework. This API exists so that the rest of Snort 3.0 can work without caring whether the Data Source is implemented as hardware or software.

And last but not least, what may be a second I-told-you-so for me this week. I don't know, but I suspect the purpose of this API is to eliminate the need for a LibPcap-bound network interface and open up the possible ways Snort can acquire network data like, say, disk?

Thursday, November 8, 2007

Targeted Phishing, You Don't Say?

I hate to say it... Oh, who am I kidding? I LOVE to say, "I told you so!" This is actually pretty neat, so long as you're not

(Via Schneier) admitted today that one of their employees was the victim of targeted phishing. And that once his account was compromised, it was used to get lists of e-mail addresses for... wait for it... more targeted phishing attacks!

So as targeted phishing attacks pass from the realm of pen-testers-who-can't-use-debuggers to actual criminals, the anti-spam/phishing segment is going to have to catch up. And it's not going to be easy, because traditionally collecting spam and phishing e-mails has been remarkably easy. But once the attacks become targeted, it's exponentially harder to get samples before the damage is done.

Enter the custom-tailored anti-phishing service. Gonna call those VC folks back.

Wednesday, November 7, 2007

And They Were All Yellow

Symantec bought Vontu. Never heard of Vontu? They are an established player in the data-leakage security niche. Primarily deployed on networks that fall under the purview of the Gramm-Leach-Bliley Act, Vontu's flagship product works like an IPS, but instead of loading it up with vulnerability signatures, you load it up with keywords and snippets of your confidential data.

For $350M, this is a gamble for Symantec for a couple of reasons. First, the expansion of the data-leakage market is very much a question-mark. Sure Vontu's poised to dominate if it does blow up, especially with Symantec's Panama Canal of a channel. But Symantec is a desktop client company. They've killed every network device they've ever acquired, and some that they built themselves. Sure Vontu has a desktop client as well, but it's not their leader.

What I find most interesting about this acquisition is that Symantec is known for paying pennies for secondary niche players and trying to pump them on their brand recognition against primary niche players. Their whole product strategy can be summed up as "one brand, one vendor." In this case, they bought one of the best-of-breed players in the niche, if not the top dog. And they paid good money for them, too. Recent acquisitions like Altiris and Revivio were more of the old Symantec trying to find a bargain buy into a new market. So the Vontu purchase leaves me confused. I would've expected Symantec to buy somebody like Tizor and stay away from Vontu and PortAuthority.

By the way, there's an excellent Forrester paper on Symantec's ongoing shopping spree. If you work for a Forrester subscriber, or own a lot of Symantec stock, it's worth reading. (I am the former and not the latter, for what that's worth.) If you're keeping track, Symantec has acquired no fewer than 31 companies since 2000.

Also, Vontu co-founder (and recent multimillionaire!) Joseph Ansanelli testified before a House subcommittee about combating identity fraud. (PDF Link) Another interesting read, but when you contrast this with the recent ID theft study that Bruce Schneier blogged about today, you have to wonder if there's a decent sales line for these products beyond GLBA compliance.

Tuesday, November 6, 2007

Am I Not In On The Joke?

So I just found Security Mike's Guide to Internet Security.

You have to understand that I respect the hell out of Mike Rothman. Which is why I am choosing to believe that this is an elaborate tongue-in-cheek joke that I'm just not able to extract the punchline from.

This quote in particular has me convinced that this is some sort of hoax:

"You certainly can pay your local Geek to come over and configure your computer and sell you lots of software you have no idea about. Bring your checkbook – it’s going to run you hundreds of dollars. And you get to pay every year to renew your software as well. Don't forget the Geeks get paid when you buy software as well, so they have an interest in loading you up with stuff you don't need.

It’s not right. So I decided to do something about it."

That something is selling a 6-month website subscription for $37. So either I have just seen the Lone Ranger take a bribe and slap an old lady, or I am still not in on the joke. Mike's selling a book for the mom set on how to secure their own computer? Because paying for McAfee is some sort of injustice?

I teach a course very similar to Mike's book through my employer's corporate training program. If you would like a copy, e-mail me, and I will send you the slide deck. Steal my bullet points. Pass my advice around. I don't want any money. If you feel like giving me credit, that's cool. The people this is really for don't know who I am anyway.

Be free, common sense, be free!

I'll just leave you with this:

"Best of all, there is NO RISK to you. You don’t like Security Mike's Guide? Get your money back. [...] Regardless of the reason, if you are unhappy – I will send your money back. That’s right. If you aren’t happy, you can have your money back. I’ll wish you good luck because Security Mike’s Guide isn’t for everyone. It’s all good."

It conjures images of clowns and ponies and free hot dogs at a used car lot.

Monday, November 5, 2007

For the Paranoid

Been too busy to blog lately. Got a few things half-ready to post. Just need to find the time, motivation, and answers to get them posted. So this is just a proof-of-life post, I guess.

This story from Radar Mag made my day, sort of. It's an excellent story, but if you're paranoid like me, it may take you some place you'd rather not go. Maybe I should move my blog to typepad. :-)

Friday, October 26, 2007

The Heartbreak of Nondisclosure

Look what I've got in the test lab this week:

It's a little more recognizable with the front bezel on it:

That's right, it's ArcSight Logger 2.0 beta! Alas, the non-disclosure agreement prevents me from telling you any more than that. OK, I'll also tell you that, much to my disappointment, the cool logo bezel does not light up.

Sunday, October 21, 2007

Addendum: If I Could Tell Your CISO 3 Things

On the issue of spending on monitoring versus prevention, I stand by what I said about spending on monitoring equal to prevention. But there's another point worth making that I missed the first time around. So, if I may, I'd like to tell your CISO another thing.

1b) Let the results of your 2007 monitoring determine what you spend your 2008 prevention dollars on. Simply put, no consultant, auditor, or magazine is going to know better than you what your security problems are. So, unless you still don't believe me about monitoring, don't let them tell you how to spend your money. (Remember that "deep packet inspection firewall" you bought in 2005? That's what you get for listening to a magazine.)

Set aside time each year to review what your big messes were as well as where your analysts spent the majority of their time. Then look at the market for technologies that can cut the amount of time your talent spends doing the same thing over and over by hand. Also look at technologies that can help you keep the promises you made under your breath to never let _____ happen again.

So while there may be no Security-ROI-Santa-Claus, comprehensive operational security is self-supporting. Leverage it to the maximum extent that you are able.

A Little Wi-Fi Hacking With Your Half-Caf Nonfat Mochachino?

So like, literally right now Vivek and Sohail from AirTight Networks are presenting on a new attack on WEP at Toorcon. This new technique, cheekily dubbed Cafe Latte, attacks clients instead of access points. But according to an interview that the researchers gave prior to Toorcon, the attack can take from a few minutes to a few hours, making it no more efficient than existing techniques.

Cool research guys, but I guess the question I have is this. If I need to attack a mobile client instead of an access point in order to avoid detection by, I dunno, a wireless IDS of some sort - and I have to struggle with position and availability of the target, no less - won't I be shocked to discover that your technique works because this highly secure wireless network uses WEP?!

I'm just saying. Attacks against wireless clients in the field are interesting, and fertile ground for all sorts of cool hacks and lucrative crime. But - and maybe I'm missing the obvious here - I don't get it.

Monday, October 15, 2007

A Little YouTube Nostalgia

Nothing serious, just some computing throwbacks.

Remember when Bill Cosby sold computers? Or when Windows 1.0 came out? (Yeah, that is Steve Ballmer in the godawful jacket.) What about when Commodore 64 got a joystick? Did you even know that Atari made computers?

I had a TI-99/4A back in the day. With the 300bps acoustic coupler and the cassette storage cable to record my BASIC programs for later retrieval. I'm so friggin' old I could cry.

Friday, October 12, 2007

State Penn

I just got this story off of Engadget. It only has a little something to do with security, and my rant even less so.

Penn State has developed a high-security environment for students to take exams in. This is a total waste of technology. The point of this is to ensure that students cannot cheat on tests by using iPods or cell phones to store potential answers to questions. In my day, it was graphing calculators, and in my folks' day it was arms up shirt sleeves.

My point is not that invasive, high-tech monitoring can't work, though it probably can't. My point is that it only allows the continued perception of validity of the worst testing higher education has to offer - memorization. Computers are for data storage. Human minds are for imagination, applying concepts, and learning. None of this can be stored on an iPod. Professors who insist that students learn by regurgitating facts that can be digitized and retrieved with Ctrl-F only serve as a barrier to learning.

Wednesday, October 10, 2007

On George Clooney and HIPAA

Palisades hospital in New Jersey has suspended 27 employees for accessing actor George Clooney's medical record after he was treated there following a motorcycle crash. I don't disagree with the employees' suspension, but the hospital spokesperson told reporters, "What these individuals did was violate a HIPAA regulation. We can not say that they actually released any of this information to the media."

It's clear that someone did leak to the media information from his medical record, but the hospital doesn't know who. Additionally, these employees had access to patient EMR data as employees of a covered entity (the hospital). So I'm picking a nit here, but I do believe the hospital has admitted that it doesn't know which of the 27 employees suspended, if any, actually violated HIPAA. As far as I can tell they were, under the law, authorized to view Clooney's medical record. Of course, what they did was still inappropriate, unprofessional, unethical, and probably a violation of hospital policy.

But perhaps the best-slash-worst part of this whole situation is that a union rep defending some of the suspended employees has been quoted as saying, "There are hospital obligations to have security systems so that a breach can't occur -- obviously that failed."

Tuesday, October 9, 2007

Phishing Secure Email Portals

Here's a new twist on an old scam:

Lots of companies have implemented some form of "secure e-mail" solution. If you haven't seen this before, a user at Megabank or Gotham Hospital sends you a message about your personal information. Instead of arriving directly over SMTP (which is, among other things, as clear a text protocol as any), you receive a notification via SMTP that tells you to click on a link to a web site (encrypted with SSL) where you can log in and retrieve your message. This is extremely common in the health care vertical because the HIPAA Privacy Rule that went into effect in 2003 explicitly forbids sending personal information unencrypted over the Internet.

So it makes perfect sense that these portals are worth phishing - they are almost guaranteed to contain some sort of valuable data. But it got me thinking about something else. I work in the health care vertical, and we have a secure e-mail solution in place. And when we evaluated products a few years ago, we discovered some sort of session handling flaw in better than half of the products we looked at. Not to mention that a number of the vendors out there support what can only be described as a "letter-of-the-law" configuration*.

Anyway, I wonder if phishing is all that necessary for sites like these. I would bet that there are enough vulnerabilities in enough of these portals that hacking them straight up is a better bet for the criminals that want the dumps to sell on IRC. Especially since some of the third-party products out there are appliances that insist on SSL termination at the appliance. What's that mean to a hacker? A blind spot to the IDS plus permission from the firewall. Oh, and we all know how good the logging on an appliance like that is bound to be.

* In this mode, the portal sends a link that contains a hash of some kind. Send that link back with the valid hash, view the message. Well, technically, the private data's not sent unencrypted. Instead, a link to the private data is sent unencrypted. If you have deployed something like this and you feel that you can justify it, I'd love to hear from you. Obviously there was enough demand for it since most of the vendors in this space have something like it.

Monday, October 8, 2007

If I Could Tell Your CISO 3 Things

This is me on my soapbox. Preaching to the choir.

1. Buy more monitoring.
It's necessary to spend security dollars on prevention and protection technologies. But it's very easy (and thus very common) to overspend on these technologies as well. Budget and spend at a prevention-to-monitoring ratio of 1:1. Security monitoring is the cornerstone of security response, and in many ways response is more important than defense.

Think of it this way. As CISO, you are the mayor of Securityville, which is on the border of North Korea, Iran, Chechnya, Darfur, and Canada. When you spend on prevention products, you are buying fences and sprinklers to keep bad guys out and keep fires from spreading. When you don't buy monitoring tools, you lack cameras and smoke alarms to tell you that the fence has a hole in it and everything is on fire. To say nothing of the police and firefighters. Which brings me to...

2. Hire more firefighters.
And by firefighters I mean security analysts that can monitor for and respond to security incidents. In 2007, if you haven't experienced a security breach yet, you probably don't believe me when I tell you it's an inevitability. But when you reread this 2 months from now, you'll know I'm right. Or you'll smugly chuckle at how this post is all FUD while Chinese hackers rifle through your e-mail unhindered. Either way, if your security folks are all busy managing firewalls and doing vulnerability scans and nobody's monitoring your network, then you can't argue my point because you don't even know that you've been pwned.

Also, hire good people. Talented people. Security monitoring is not a help desk job, so you can't pay help desk pay for it. I'm proud of our team's incident turnaround time and ecstatic about the fact that in most cases we detect and respond to incidents before the impacted employees are aware there's a problem. But this is the natural order of things, because...

3. Security is not everybody's job.
So stop saying it is. Cindy's job is processing expense reports. Tom's job is developing new client accounts. Jim's job is, well, I don't know what Jim does, but he runs Fantasy Football each year, so he can stay. Oh, right, back to you and how security is your job.

If you want employees to act securely, then you must do the (very unpopular, unfriendly, unfun) job of writing and by God enforcing data security policies. It's really cool if you can write them, design the oversight and monitoring controls, and then hand enforcement over to the compliance or audit departments. Then you'll still get invited to happy hour every once in a while. But not by Jim. He's not talking to you since he was written up for distributing NCAA brackets printed on the blank side of old payroll reports.

Wednesday, October 3, 2007

Is Your IP Address Personal Info?

According to a German court it is. (via Eric Fitzgerald's blog)

The remedy that this ruling implies - not logging IP addresses to a web site beyond the duration of the user's session - is either unsustainable or crippling to site security.

If it becomes standard practice in Germany to not log IP addresses anywhere for any length of time, they will essentially be declaring open season on themselves. There will be no network evidence trail and therefore no case to prosecute. I can't imagine it'll come to that, but it is interesting to ponder.

Tuesday, October 2, 2007

Paris Got a Raw Deal

OK, so this might be proof that Paris Hilton's prison sentence was too harsh. An MIVD official (read: high ranking Dutch spy) was sentenced at The Hague for losing some part of an NSA intelligence feed he had access to in his role (as a high ranking Dutch spy). The sentence? 120 hours of community service. So, uh, I guess if you live in Utrecht, keep an eye out for a guy in a tuxedo picking up trash along A27.

TJX: A Glimmer of Clue?

This is the first time I've heard anyone say anything about TJX doing something about their network security posture. But read between the lines here. WEP has been thrown under the bus, they've implemented WPA, but all of these credit card numbers lived in a database.

Is it safe to assume that the sa or sysdba password was different than the WEP key? OK, then maybe WEP wasn't the only problem? It's disingenuous to make WEP the scapegoat for what is a larger security failure. But, hey, at least they're using WPA now. Anybody taking bets as to whether or not it's WPA-PSK?

Friday, September 28, 2007

BackTrack ( remix)

I was waiting for my download to finish before I told you that has released a version of the BackTrack live CD that A) is also a VMWare appliance and B) has Metasploit 3 ready to run. (It also has the latest aircrack-ng for those long airport layovers.)

OK, my download is done.

Firewalls, SIM, and Visualization

Saudi asks for help on the loganalysis mailing list:

"Looking for help in identifying meaningful/actionable reports that we can get from Firewall log analysis."

Normally, I would've replied to the list, but attaching a bunch of jpeg files that will be sent to hundreds of people is poor etiquette. So instead, I'll spam the list with a link to this blog post. :-)

Reports are great and all, and you've gotten some excellent suggestions so far. But I'm a believer in mjr's artificial ignorance model for log analysis, so I put a high value on finding things that I don't know that I'm looking for. And when you want to do that with millions of events, visualization is the way to go. So here are some ArcSight data monitors that I have that are specific to firewall data.

This is a pair of moving average graphs. The green one is 'accept' messages and the red one is 'drop' or 'reject' messages. Big spikes or dips in these graphs are interesting. The other thing you can't see in these is that there's a second line along the bottom. That line is the failover firewall. When it fails over, both graphs draw a pretty 'X' with intersecting lines.

This is another moving average graph. I love these things! This one isolates workstation VLANs (so this is user-land only) and pairs srcaddr/dstport. Big spikes and long plateaus are usually interesting. The plateaus have traditionally been malware trying to scan or send spam. We've gotten better at catching this stuff on the front end, though, so I rely on this less today than I did 2 years ago. Also, if multiple lines are doing the same thing, that's interesting, too, since it can mean multiple infections.

This data monitor shows, to-scale, firewall events by hour, by severity. Any place you have visible orange or red or green is probably interesting. An abnormally high or low event count per hour is also interesting. This one above shows the overnight, so the yellow, orange, and red appear more prevalent because there are fewer events in those buckets.

This data monitor is a pie graph that shows last-hour firewall events by target country code. This probably doesn't work for all organizations, but my company is based and does business exclusively in the US. That means that any large amount of traffic destined for RU or CN is probably the start of a bad day for me.

This data monitor is just a chart that displays the Top 10 sources of blocked traffic. I've whited-out the actual IP's, but you can see the zone details. (The top 3 DMZ servers are due to a recent change in the firewall that the servers haven't caught up to.)

One of the cool things about SIM visualization gadgetry like ArcSight's data monitors is that these displays are in near-realtime. So it's like a report that's always running, and that's really easy to operationalize - "Here, stare at this for a few minutes every so often. If it looks weird, click on it and find out why."
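If you don't have ArcSight, the same views are easy enough to build by hand. What follows is an added example (my illustration for this post, not ArcSight code and not something from the list thread) that runs the checks described above over constructed firewall log lines: accept and drop counts per hour with a moving-average spike/dip test, workstation src/dport pairs, the Top 10 blocked sources, accepted traffic by destination country, and an mjr-style "artificial ignorance" pass that throws out the events you already understand so that whatever is left is the pile worth reading. The log line format, the addresses, the 10.20.x.x "workstation VLAN," and the prefix-to-country table are all constructed for the example; a real run would feed it your firewall's syslog and a real geo lookup.

```python
"""Firewall-log triage over constructed sample lines (added example, not the
post's own code and not ArcSight's). The log format, addresses, workstation
VLAN and prefix-to-country table are all constructed for the example."""
import re
from collections import Counter

# Constructed line shape: "<date> <hh:mm:ss> <action> src= dst= dport=".
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d):\d\d:\d\d (accept|drop|reject) "
    r"src=(\S+) dst=(\S+) dport=(\d+)$"
)
DENY = {"drop", "reject"}              # the red line on the post's graph
WORKSTATION_VLANS = ("10.20.",)        # constructed user-land address space
# Constructed stand-in for the SIM's geo lookup: /24 prefix -> country code.
COUNTRY_BY_PREFIX = {"192.0.2.": "US", "203.0.113.": "US", "198.51.100.": "CN"}
# Artificial ignorance: (action, dport) combinations we have already explained.
KNOWN_BORING = {("accept", 80), ("accept", 443), ("drop", 445), ("drop", 139)}

def constructed_log():
    """Ten ordinary events over three hours, then a fourth hour in which one
    workstation opens SMTP to 40 foreign hosts (the spamming 'plateau')."""
    lines = [
        "2007-09-28 00:05:11 accept src=10.20.1.15 dst=192.0.2.10 dport=80",
        "2007-09-28 00:07:42 drop src=198.51.100.7 dst=203.0.113.5 dport=445",
        "2007-09-28 00:31:00 accept src=10.20.1.22 dst=192.0.2.11 dport=443",
        "2007-09-28 01:02:03 accept src=10.20.1.22 dst=192.0.2.11 dport=443",
        "2007-09-28 01:10:09 drop src=198.51.100.7 dst=203.0.113.5 dport=139",
        "2007-09-28 01:40:00 accept src=10.20.1.15 dst=192.0.2.10 dport=80",
        "2007-09-28 02:00:01 accept src=10.20.1.15 dst=192.0.2.10 dport=80",
        "2007-09-28 02:15:33 drop src=198.51.100.9 dst=203.0.113.5 dport=22",
        "2007-09-28 02:20:00 accept src=10.20.1.22 dst=192.0.2.11 dport=443",
        "2007-09-28 02:45:00 drop src=198.51.100.7 dst=203.0.113.5 dport=445",
    ]
    lines += [
        f"2007-09-28 03:{m:02d}:00 accept src=10.20.1.31 dst=198.51.100.{100 + m} dport=25"
        for m in range(40)
    ]
    return "\n".join(lines)

def parse_log(text):
    """Turn raw lines into dicts; lines that do not match the shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hour, action, src, dst, dport = m.groups()
            events.append({"hour": hour, "action": action, "src": src,
                           "dst": dst, "dport": int(dport)})
    return events

def hourly_series(events, denied=False):
    """[(hour, count)] for every hour seen in the log, counting either the
    denied (drop/reject) events or the accepted ones. Zero-filled, so a quiet
    hour shows up as a dip instead of disappearing."""
    hours = sorted({e["hour"] for e in events})
    counts = Counter(e["hour"] for e in events if (e["action"] in DENY) == denied)
    return [(h, counts.get(h, 0)) for h in hours]

def moving_average_alerts(series, window=3, factor=3.0):
    """Flag a point above factor x the trailing mean of the previous `window`
    points (spike) or below mean/factor (dip). Returns [(label, value, mean)]."""
    alerts = []
    for i in range(window, len(series)):
        mean = sum(v for _, v in series[i - window:i]) / window
        label, value = series[i]
        if mean > 0 and (value > factor * mean or value < mean / factor):
            alerts.append((label, value, mean))
    return alerts

def workstation_pairs(events):
    """(src, dport) counts for user-land sources; one pair with a huge count
    is the scanning/spamming plateau."""
    return Counter((e["src"], e["dport"]) for e in events
                   if e["src"].startswith(WORKSTATION_VLANS))

def top_blocked_sources(events, n=10):
    return Counter(e["src"] for e in events if e["action"] in DENY).most_common(n)

def country_of(ip):
    for prefix, cc in COUNTRY_BY_PREFIX.items():
        if ip.startswith(prefix):
            return cc
    return "??"

def accepted_by_country(events):
    return Counter(country_of(e["dst"]) for e in events if e["action"] == "accept")

def artificial_ignorance(events, boring=KNOWN_BORING):
    """Keep only what we have not already explained; this is the pile to read."""
    return [e for e in events if (e["action"], e["dport"]) not in boring]

if __name__ == "__main__":
    ev = parse_log(constructed_log())
    print("accept spikes/dips:", moving_average_alerts(hourly_series(ev)))
    print("drop spikes/dips:  ", moving_average_alerts(hourly_series(ev, denied=True)))
    print("top blocked:", top_blocked_sources(ev))
    print("by country: ", accepted_by_country(ev))
    print("top pair:   ", workstation_pairs(ev).most_common(1))
    print("unexplained:", len(artificial_ignorance(ev)), "events")
```

Run it and hour 03 lights up three different ways: the accept line spikes against its trailing average, the drop line dips to zero, and a single workstation/port-25 pair owns the hour with 40 connections to a CN-mapped range. The artificial ignorance list is the part you tune over time: every time you explain a pattern, it goes into KNOWN_BORING and the leftover pile gets smaller.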

Thursday, September 27, 2007

A Message for Digital Flow

I was following up on some suspicious JavaScript content and found this:

//****** Advanced DHTML Popup Pro Version, Build: 130 ******
// Copyright (c) Digital Flow Software 2005-2006
// The present javascript code is property of Digital Flow Software.
// This code can only be used inside Internet/Intranet web sites located on *web servers*, as the outcome of a licensed Advanced DHTML Popup application only.
// This code *cannot* be used inside distributable implementations (such as demos, applications or CD-based webs), unless this implementation is licensed with an "Advanced DHTML Popup License for Distributed Applications".
// Any unauthorized use, reverse-engineering, alteration, transmission, transformation, facsimile, or copying of any means (electronic or not) is strictly prohibited and will be prosecuted.
// ***Removal of the present copyright notice is strictly prohibited***

And subsequently, this:

Unblockable popups

The popups that are created with Advanced DHTML Popup are not blocked by standard external window blocking software as they are part of the web page and not windows on your visitors desktop.

So, first of all, I would like to say that for as long as your "intellectual" property appears on my network just like a malware dropper, I will continue to reverse engineer its content to verify its intent. Second of all, you guys seem pretty smart. Why couldn't you find real jobs?

Tuesday, September 25, 2007

eBay Hacked?

Sounds like somebody may have hacked an eBay server or two and dumped member dox to one of the forums. Keep a close eye on your credit cards that are associated with eBay and/or PayPal. Also keep an eye out for an announcement from eBay of the personal info disclosure.

Update: Maybe not. May have been a problem with eBay software. Either way, personal info seems to have been disclosed. Here's a post (that has since been pulled) from an eBay employee:

"[View Listings Report, 26-09-07 00:47 EST, 82 of 88] The site wasn't actually hacked... it was a server issue where the system displayed the poster's information rather than the post itself. Being that the credit card information was on a different server, that info came up incorrect. It was not some hacker sitting there entering in someone's information and using a card generator."

More here.

Another Update:

Check out some video of the actual data. Look out for the cheezy Nintendo music. It'll sneak up on you!

Monday, September 24, 2007

TJX Settlement Close?

According to a article, a tentative settlement has been reached in the TJX breach class-action lawsuit. If the judge accepts the settlement, consumers will get:
  1. Up to a $30 voucher per customer who can show time/money spent dealing with the breach (at a rate of $10/hr).
  2. 3 years of credit monitoring and identity theft insurance for about 450K customers who had lots of info (including DL# and SSN) stolen.
  3. Marshalls and TJ Maxx will hold a 3-day "Customer Appreciation 15% Off Sale." (I kid you not!)
Unfortunately, the settlement lets TJX avoid admitting breach of contract and negligence with regard to its data security practices. Also apparently missing from the settlement is any commitment from TJX to improve security. Of course, with the settlement costing an estimated $256M, we can hope that the board and execs at TJX have seen the light on security spending.

Friday, September 21, 2007

Expert Advice

I feel a little strange about being proud of this achievement, but anywhere my name appears along with the word "expert" in the same context as folks like Kevin Kadow and Lenny Zeltser, it makes my head swell.

Thursday, September 20, 2007

It's Official

The Grand Rapids ISSA chapter has secured local evil* genius Matt Carpenter to present at our October meeting. Matt is a SANS instructor and security analyst at Intelguardians. He will be presenting the research he and Tom Liston debuted at SANSFire 2007 on VM escaping.

If you're in Michigan or even Northern Indiana or Northeastern Illinois (or Eastern Wisconsin - the ferry drops you in Muskegon, just 40 minutes away!), and couldn't get to SANSFire, this is your chance to catch part of it for free.

* Matt's not actually evil, in fact he's a genuinely great guy and I'm honored to call him my friend. But if he were evil, we'd all be in big, BIG trouble.

Tuesday, September 18, 2007

September GRSec Announced!

Go here for details.

Mike Rothman on the ArcSight IPO

I'm probably the last person to blog about this. I was at the conference when Robert Shaw announced that ArcSight had filed with the SEC, but I missed the actual announcement thanks to a trip into Adams Morgan the night before. The rest of the day there were conversations about who could or would buy ArcSight once they go public, what the initial share price would be, how the stock would perform, etc. The buy-up probably won't happen, but interesting stuff to hypothesize about.

In all honesty, I was going to skip posting about it until I found Mike Rothman going all sour grapes on ArcSight's IPO filing. And that made me smile, so I thought I'd share. I would like to crown Mike Rothman "The Official SIM Playa Hater." It's like some SIM vendor backed over his puppy with their car when he was a kid. :-)

Sunday, September 16, 2007

Defcon 15 Talks Online

Couldn't get time off work? Customs denied you entry to the US? Banned from the casinos in Vegas? Not to worry. Now you can watch the Defcon talks with the same blurry vision that most attendees had at the time!

Here are my picks:

1) Bruce Potter
2) Major Malfunction
3) Jared DeMott
4) Johnny Long
5) Bruce Schneier

But for a complete list, check out the full list of speakers.

The Future of Vulnerability Disclosure

If you're not already talking about this issue, this is your wake-up call. Going back 15 years or more the debate, if you can call it that, around disclosure has been the issue of when and how much to disclose. The two extremes were CERT who wouldn't disclose until the vendor released a patch, and the early days of the full-disclosure mailing list where people simply posted proof-of-concept exploits without bothering with the vendor.

But this year I've heard more about disclosure than I have in almost a decade. And for those of us in security operations, it's not good news. The monetization of the Internet is having an impact on vulnerability research and consequently the issue of disclosure. This has led to a number of developments all focusing around the issue of whether or not vulnerability researchers should be paid and by whom. In the past, the model was responsible disclosure and if you worked independently of the vendor, you could release your advisory in conjunction with their patch. Researchers got credit and hoped that it would draw in business.

Of course, the pool's a lot more crowded for researchers these days. And where a researcher could've drawn a nice salary at a security consultancy like ISS or @stake and still gotten on-the-clock time to research bugs, they've been consolidated and exist under the profit-driven umbrella of a publicly-traded company. This means a lot of new as well as a good number of "old" (which makes them roughly my age) vulnerability researchers now have to pay their own way. Combine this with positions taken by large vendors like Microsoft and Cisco that they will not pay third-party researchers, and this means lots of smart people - make that smart people that hack stuff - are out there trying to find a way to get paid for their work.

So now, researchers are selling to companies like 3Com/TippingPoint but it's safe to say that at least a few of them are selling to malware kitmakers on the black market. There have also been a couple of attempts at agnostic auction houses that let researchers sell to the highest bidder, whoever that is. This means that at some point in the future, the next big vulnerability could go not just first, but exclusively to organized crime. If that doesn't scare you, it should.

But what should scare you more is that the biggest stakeholders - the infosec ops folks on the front lines, the IT orgs they work for, and software customers everywhere - literally don't have a seat at the table on this one. Black Hat and Defcon both had roundtable discussions on disclosure, and you heard a lot from researchers, lawyers, software vendors, and infosec product vendors. But so far as I can tell, the people that will be impacted most haven't been asked for their opinion. I wish I had a good idea for how to get us heard on this issue. But I don't. So I guess all I have for you is something more to worry about. Sorry.

Friday, September 14, 2007

The Bride of Useless Statistics

It's Friday, so that means it's time to pick on another Dark Reading story. I've decided to dust off an old theme and once again confront bad statistics in the press.

Tim Wilson's story, "Insider Threats Increase, But Damage Is Minimal" and the CSI/FBI Survey that he cites describe the losses from incidents involving insiders as being significantly lower than those caused by outsiders. The problem here isn't really the math so much as the survey itself, which, in my opinion, incorrectly categorized a number of incident types and then averaged all of their costs, skewing the data significantly.

From Tim's article, "Insider abuse of Internet access was the most frequently-cited incident among the CSI survey respondents, at 59 percent. Fifty percent cited the loss or theft of laptop or mobile devices, while 25 percent cited misuse of instant messaging services."

So they counted up all of the losses from people trying to surf porn, lost equipment, and used chat software in violation of company policy. And then they lumped them in with, "Another 25 percent said they had experienced "unauthorized access to information" in the past 12 months, and 17 percent said they have suffered loss or theft of customer/employee data."

So a smaller subset of the incidents described involves malicious intent, not just boorish behavior and bad luck. And as a result, the losses aren't very big on a per-incident basis. But comparing unauthorized chat sessions with electronic embezzlement is apples and felonies.

I also can't help but notice that lots of this stuff is of the easy-to-detect variety. Sure, by now you should be able to catch users trying to access Internet sites that aren't appropriate for a professional setting or know when a laptop goes missing. But of those that responded to the CSI survey, how many even possess the ability to detect when an administrator, accountant, or executive siphons off valuable corporate data and sells it? Data that they are authorized to access?

How will you detect the breach? How will you know unauthorized disclosure occurred? How will you calculate financial losses from it? I would guess that most of the respondents to the CSI/FBI survey can't answer all of those questions in a way that would satisfy their corporate leadership. Hell, I'll bet their vendors can't answer those questions, either.

Tuesday, September 11, 2007

"Headless" ArcSight Installs

This was brought up by a conference attendee yesterday, and I thought I'd throw my two cents out there for general consumption.

ArcSight has a very nice Java GUI interface for most of the things you need it to do. But if you work in an optimized and/or hardened UNIX environment, chances are pretty good your servers don't have an X-Windows display. This can make installing, upgrading, and managing ArcSight a bit of a hassle, but there are options.

All of the ArcSight installers support a text-only install mode. This is triggered by running the installer with the '-i console' flag. This gives you an old-school text interface (not curses, though having vt100/ANSI emulation is helpful for the password entry prompts) that walks you through the install wizard. You can also run $ARCSIGHT_HOME/bin/ (where xxx is manager, agent, etc.) in text mode. It's a good idea to make sure that $DISPLAY is not set in your shell before you do. If it doesn't detect $DISPLAY, it will run in text mode as well.

However, there are a small number of tools that cannot be run in text mode for whatever reason. One example is 'arcsight database pc' which launches the PartitionArchiver configuration tool. In order to run this tool, you need an X11 display. So here's how I do it.

1. Boot Linux workstation with X11 display. This is the default GUI for nearly every Linux distro - using something like Knoppix will work fine. It does not need to accept connections to port 6000 across the network (traditional X11 $DISPLAY does, but you don't allow X11 across security domains, right?).

2. Connect to UNIX server with 'ssh -X' which manually configures X11 tunneling over ssh.

3. If you will be su-ing to another user that is not root, run 'chmod 666 $HOME/.Xauthority'. WARNING: Do not do this on any system with multiple users, untrusted services, etc. It should go without saying, but...

4. Run su to the user you need to become (root, arcsight_user, nobody, oracle, 4DGifts, whatever) and set 'XAUTHORITY=/your/ssh/user/home/dir/.Xauthority && export XAUTHORITY'

5. Run ArcSight GUI tools like 'arcsight database pc'

I have encountered (with Beryl on Fedora 7) some redraw issues. So be prepared that you might get a window with nothing in it. Also, be patient. The display is being redrawn over an old, inefficient protocol that is additionally being encrypted and tunneled. Performance is good on a LAN or fast WAN connection, but slower connections or connections with latency problems will have slower redraws.

Friday, September 7, 2007

CyberWar is, uhh... what is it?

Oh, yeah, it's just like all other hacking, except it's gov-to-gov.

Richard Stiennon wonders in his Wednesday blog post if the PLA hackers that pwned Ministry of Defense e-mail systems wanted to get caught. His theory goes, government-quality hackers should be so good that they are undetectable unless they intend to disrupt systems. Since neither thing happened in this case, Richard suggests that maybe China meant to get caught in order to send a message.

Personally, I think there's a simpler explanation. It goes back to a conversation that I had with Richard Bejtlich about the detectability of breaches. The "Titan Rain" attacks have been going on for the better part of three years (as far as we know). And there were bound to be good hacks that were still detected. Especially since this story made Time Magazine in 2005, we should assume that all of the Allied Forces' three-letter branches have been on the lookout for Chinese hackers.

We often hear (and some of us often say) that, "We have to get it right every time, the bad guys only have to get it right once," when security folks talk about defending against network attacks. But as soon as the attack starts, that equation flips on hackers' avoiding detection, especially if you're going to stay on a system for an extended period of time in order to gather intel. The number of chances that formal security detection mechanisms will catch you increases exponentially with time. Not to mention curious admins, auditors, and plain old dumb luck.

Bottom line is that the best hackers in the world can penetrate nearly any system, and can cover their tracks well. But eventually they'll get caught, whether they mean to or not. And that's what happened to the Chinese hackers in this case. Oops.

Thursday, September 6, 2007

Firing Up The Rumor Mill

So last week we saw the first post from a new MSDN blog - "hackers @ microsoft." It's in my RSS feeds for now. Microsoft hiring hackers is hardly a newsworthy rumor. It's pretty much common knowledge. The big success story of infosec has been Microsoft's product turnaround over the past 5 years. The message there, that you as an infosec professional should take back to your organization, is that throwing money at security works. So tell them to throw more money at you and your projects.

The rumor I want to start has to do with the hiring of new hackers by Microsoft. Specifically, I'm going to loudly whisper that Microsoft may have hired Mark Litchfield. Here's the evidence I have compiled:

1) Mark was supposed to teach at BlackHat with his brother David, but couldn't. According to David, he was denied entry into the US because Customs felt he may have abused the visa waiver program (like Halvar). Apparently, the reason for his frequent trips to the US prior to BlackHat had to do with purchasing a house in WA.

2) But maybe Mark is moving to the US to focus on growing NGS in the states, you say. Except that NGS already has its US headquarters in Dallas.

3) If you dig around in bugtraq archives, you will see that Mark has published vulns in all variety of Microsoft products, from 2003 Server to SQL Server to IIS to IE to Outlook. Of course, Mark has spent a good amount of time publishing vulns in Oracle products as well. But Oracle's not headquartered in Washington. Microsoft is. Plus, Oracle still doesn't "get it." Microsoft does.

Tuesday, September 4, 2007

ArcSight User Conference

The ArcSight 2007 User Conference is upon us! Well, next week anyway.

A lot of the hits I get are from people searching Google for 'arcsight ...' If you're an ArcSight user that stumbled on my blog and will be at the conference next week, drop me a line or just stop me and say, "Hi." Feel free to e-mail me (p melson at g mail dot com), though I'll be pretty easy to find - I'll be the tall pasty guy in the obnoxious hawaiian shirt standing next to the free beer.

It's probably too late for me to tell you this, but last year's conference was excellent. I am not a big fan of the venue since it is pretty isolated (so rent a car!), but the facilities are plenty nice. The presentations last year were excellent, and are reason enough to attend. Add to that the chance to trade stories and ideas with other users in all sorts of industries along with the access you get to ArcSight developers and support staff, and it's 3 days very well spent.

Friday, August 31, 2007

Rogue Wireless Access Points

Doug asks:

" you have a suggestion (besides NAC) for pinpointing a rogue access point on a lan from the wired side?"

Finding rogue AP's from the wired side is tricky. You can try scanning for them using Nessus or NMap, but I've had only limited success with these techniques. This is because the typical wireless router you get from Best Buy today isn't going to give up enough data for Queso TCP fingerprinting or banner grabbing to work if the 'outside' interface is plugged in to your network, which is pretty much required in order for it to work.

If the AP is just an AP (like my Linksys WAP11) and not a NAT router (like my Linksys WRT54G), then NMap or Nessus may work for you. Using your switches is another good way to find it - look for multiple ARP entries with a single MAC on any given switch port. There may be 'switchport port-security' features on your Cisco IDF/userland switches that can prevent regular APs from serving more than the first wireless client as well. Probably depends on the switch's IOS version and the AP's behavior.

You can also do things like dump ARP/CAM tables from your switches and match the first part of the MAC address against the IEEE database looking for manufacturers like Buffalo, Linksys, D-Link, TI, etc.

This works with AP's and routers alike, and is probably a good idea to do on any network without EAP/NAC, especially if you've standardized your workstations so you know all the NIC's are from just one or two OEMs, so anything else is worth tracking down.

However, I think that the best way to find rogue AP's is via wireless signal. Using something like the features built in to the Airespace/Cisco systems, a wireless IDS like AirDefense, or even just regular site checks with a laptop and Kismet (or a PDA and PocketWarrior) will yield the best results.
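Since Doug asked specifically about the wired side, here is an added example (my illustration, not something Doug or I actually ran) of the switch-table checks described above, scripted over a constructed Cisco-style 'show mac address-table' dump: it flags access ports that have learned several hardware addresses (an AP acting as a bridge), and MACs whose OUI prefix matches a consumer wireless vendor or simply isn't one of the OEMs you buy workstations from. The OUI prefixes in CONSUMER_OUIS and CORP_NIC_OUIS are placeholders, not real IEEE assignments; a real run would load the IEEE OUI list and your own desktop standard.

```python
"""Wired-side rogue AP hunt over a constructed switch MAC table (added example,
not from the post). OUI prefixes below are placeholders for IEEE list entries."""
import re
from collections import defaultdict

# One data row of Cisco-style 'show mac address-table' output.
MAC_ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$")

# Placeholder OUIs (first three octets) standing in for the IEEE list.
CONSUMER_OUIS = {"00:13:10": "Linksys", "00:05:5D": "D-Link", "00:0D:0B": "Buffalo"}
CORP_NIC_OUIS = {"00:11:22"}   # placeholder: the one or two OEMs we buy workstations from

# Constructed dump; Gi0/1 is the uplink, everything else is an access port.
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Fa0/1
  10    0011.2233.4456    DYNAMIC     Fa0/2
  10    0013.1012.3456    DYNAMIC     Fa0/7
  10    0011.2233.4499    DYNAMIC     Fa0/7
  10    0011.2233.44aa    DYNAMIC     Fa0/7
  10    0005.5d00.0001    DYNAMIC     Fa0/9
  10    0011.2233.4400    DYNAMIC     Gi0/1
  10    0011.2233.4401    DYNAMIC     Gi0/1
  20    0011.2233.4402    DYNAMIC     Gi0/1
"""

def normalize_mac(cisco_mac):
    """'0013.1012.3456' -> '00:13:10:12:34:56' so OUI lookups are uniform."""
    digits = cisco_mac.replace(".", "").upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_mac_table(text):
    """[(vlan, mac, port)] from the dump; header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            rows.append((int(m.group(1)), normalize_mac(m.group(2)), m.group(3)))
    return rows

def oui(mac):
    """First three octets, 'AA:BB:CC'."""
    return mac[:8]

def rogue_candidates(rows, uplinks=frozenset()):
    """port -> {'mac_count': n, 'foreign': [(mac, vendor)]} for access ports
    that bridge several MACs or carry a MAC outside our workstation OEMs.
    Uplink/trunk ports legitimately carry many MACs, so they are skipped."""
    by_port = defaultdict(list)
    for _vlan, mac, port in rows:
        if port not in uplinks:
            by_port[port].append(mac)
    report = {}
    for port, macs in by_port.items():
        foreign = [(mac, CONSUMER_OUIS.get(oui(mac), "unknown OUI"))
                   for mac in macs if oui(mac) not in CORP_NIC_OUIS]
        if len(macs) > 1 or foreign:
            report[port] = {"mac_count": len(macs), "foreign": foreign}
    return report

if __name__ == "__main__":
    hits = rogue_candidates(parse_mac_table(MAC_TABLE), uplinks={"Gi0/1"})
    for port, info in sorted(hits.items()):
        print(port, info)
```

On the constructed table, Fa0/7 gets flagged twice over (three MACs behind one access port, one of them a Linksys-placeholder OUI) and Fa0/9 once (a D-Link-placeholder OUI on a port that should only ever see a corporate NIC). Feed it the uplink ports explicitly, or every trunk on the switch will show up as a "rogue."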

Storm on Blogger

Don't believe anything I link to, ever. Even before this. :)

Thursday, August 30, 2007

The Great NAC Robbery

From Dark Reading's "News Feed" (aka industry press release feed) comes a purported success story about an intermediate school district in Texas that has implemented Mirage Networks' NAC. Reading stuff like this makes me ill. There are several components of this scenario that are offensive to my sensibilities and common sense in general.

First, K-12 schools have very real, very unique security challenges. (I speak from experience. My early work with firewalls, content management, security monitoring, incident response, forensics, and working with law enforcement all came from working for a school district for the latter half of the 1990's.) But rogue devices (the problem that NAC should be positioned to solve) shouldn't be one of them, at least not a big one. Simple network design and segmentation should cut down on accidental cross-over from student/library/commons networks, and then physical supervision (you know, teachers, librarians, parapros, etc.) can be used to cut down on students intentionally plugging in laptops in classrooms or offices.

Secondly, NAC is the wrong fix for Sasser. Patching a 4-year old vulnerability is the right fix. If your patch cycle is over 4 years, then you have no patch cycle, and with or without NAC, you've lost. Using NAC to 'ban' all of your unpatched workstations from the internal network may save your unpatched servers, but kicking out legitimate users on internal machines is still an overall loser for IT. Functionally and politically, this can't be sustained.

Thirdly, school money is taxpayer money. School administrators - especially facilities and IT folks - hate to be reminded of it, but it's true. This is a nice win for the account manager at Mirage that pulled it off. K-12's can be tricky to sell into, and they typically have tight budgets with limited or no dedicated spending for security. An ISD like Round Rock will actually encompass several local school districts, and RRISD itself consists of over 40 schools, plus admin offices and bus garages. At that size, there's pretty much no way this wasn't at least a 6-figure expenditure. And for what? A temporary fix for a problem that could've been solved with $20K of server hardware and WSUS? If I lived in Round Rock, TX, you can be sure I'd be at the next board meeting asking questions.

Friday, August 24, 2007


Andreas Oestling's pmgraph utility is probably the best visualization tool for output from Snort's perfmonitor preprocessor. Unfortunately, Andreas' home page at went offline a few months back. Fortunately, for those of you trying to find a copy of pmgraph, Sourcefire's Jason Brvenik has made copies available here, and here.

Friday, August 17, 2007

Bruce Potter vs. ecard

At Defcon 15, Bruce Potter gave an awesome talk titled, "Dirty Little Secrets of Information Security" that I certainly hope makes its way to YouTube soon. Especially for those folks that were asked to leave the far-too-tiny room in which Bruce was speaking.

A little background: When Shmoo Group forms like Voltron, Bruce (aka gdead) happens to be the head. The big, loud, talking head. Bruce is also a consultant at Booz Allen, one of the ShmooCon organizers, and one of the most entertaining speakers working the *Con circuit today (he's like Johnny Long with IRC cred). I'm a fan of what Bruce has to say, generally.

So back to his DefCon talk. On slide #6 (going from the PDF on the DefCon CD, which is different than the slide deck he actually used), Bruce announced that "Defense In Depth is Dead." Naturally, I disagree. Defense in depth is hardly dead, in fact it's pretty much the only chance you have. And so I present to you, dear readers...



I'm going to use the case of the ecard worm outbreak to disprove Bruce's assertion that defense in depth is dead.

Bruce says...
  • We start with bad code
  • Then we added firewalls
  • ...but still bad code
  • Then we added AV, IDS, and anti-spam
  • ...still bad code
  • Then we added 2-factor auth and single sign-on
  • ...bad code again
  • Then we added application firewalls
  • ...code is still bad, plus we have LOTS MORE code now
  • We have lots of security controls, environmental complexity, and mad technology, but we still get owned because of bad code. So fix the code, stupid.

The ecard worm...
  • Didn't exploit code vulnerabilities in your OS, browser, or anything that runs code
  • Was delivered by sending e-mail messages with links in them that got users to download and run the dropper, which did all of the mass pwnage.
  • Wasn't blocked by most firewalls because it used inbound SMTP and outbound HTTP
  • Kicked my AV vendor's ass for several weeks by repacking binaries
  • Schooled really stupid spam filters by changing its delivery message and download URL
  • Got past IDS until the vendors wrote signatures for it
  • BUT couldn't install on machines where the user wasn't a local administrator
  • It WAS found by monitoring firewall logs in the SIM
  • AND was stopped when the application firewall was configured to block "http://*/ecard.exe" requests
  • AND when Group Policy disallowed the execution of files named ECARD.EXE
  • PLUS NOW my spam vendor has decent filters that catch it
  • AND my AV vendor is detecting the first 8 of 13 variants... OK, they still suck
  • BUT we don't have ecard problems because we had a variety of defensive measures available to protect local and mobile users until the storm subsided.
So there are two take-aways from this. First is that defense in depth still works today as long as you are monitoring and managing it. Just buying products and plunking them in won't save you. And your super-cool security gadgetry won't always be the most effective tool for addressing a new threat. Second is that despite proving Bruce Potter wrong about defense in depth, ecard proves him right about his second point, "You Can't Train Everybody." So there you go.

Tuesday, August 14, 2007

Playing Catch-Up

Did you know that it's possible to overwhelm a Treo by simply ignoring your e-mail for two weeks? :-) Now you do.

OK, first of all I want to get some thank-you's out. Thank you to Jeff Moss and the Black Hat staff for putting on an amazing conference. Thank you to OWASP, Microsoft, and especially Don Donzal and for buying the bar. Thanks (and congrats!) to the 1@stPlace guys for hanging out Thursday night. It was great to meet you all and nice job on your 2nd consecutive win! Oh, and thank you to Dateline producer Michelle Madigan for sending me home from Vegas with a story I could tell to people that don't grok '%48%45%58'.

And second, here are my pictures. All taken with my Treo, so they pretty much look horrible.

David Litchfield teaching "Breakable: ..."

(L-R) Peter Ferrie, Tom Ptacek, Nate Lawson, Dino Dai Zovi

Free Shirts !
(Note the rare and prized ArcSight Ace & Gary shirt)

Alexander Tereshkin, Joanna Rutkowska


Bruce Schneier

Tim und das Grosse Bier
( @ Hofbrauhaus - thanks again Don Donzal!)

CTF !@#!!
(Kenshoto ninjas surrounded me and demanded the SD card, but I escaped)

Lockpicking races

Priest kicking folks out of Bruce Potter's very popular talk

S'mores rule!
(Vegas to Pentwater was opposite ends of the spectrum, but just what I needed!)

Wednesday, August 1, 2007

VMWare Escape Public (Finally!)

Lots of good and interesting stuff, plus pictures, coming from BlackHat. I'll post them hopefully by the end of the week. In the meantime, check this out:

No, I didn't have any specific knowledge of this beforehand. I only knew that a group of REALLY smart people were working on it and when asked, "Is it possible to break out of VMWare?" they would smirk wryly and say things like, "I don't know, and if I did, I couldn't tell you." Yeah, well, I knew better than to bet against them.

Monday, July 30, 2007

This Just Plain Sucks

Halvar was denied entry to the US on his way to Black Hat. This screws a good number of people including Halvar since his class was sold out. I know, I tried to register for it back in May.

But don't worry about me. David Litchfield has my brain on full and the "really meaty" stuff is coming tomorrow. So I'm calling it a night.


Made it to Black Hat yesterday (well, today, really) despite the delays and cancellations due to the <ahem> "bad weather." Class starts in two hours, so right now I am desperately trying to figure out my coffee situation. Caesar's has me in a gorgeous room with a bathroom you could play racquetball in, but there's no coffee maker. So if you see me in the lobby this morning without a Starbuck's Venti something-or-other in hand, steer clear. I'm a little unstable at the moment.

Thursday, July 26, 2007

Certified Pre-Owned 0-Days

A piece of advice if you're going to try and sell exploits via e-mail. They had better be your own work and most importantly...

They shouldn't get picked up by anti-virus scanners.

Monday, July 23, 2007

Penny Arcade So Closely Resembles My Life It's a Little Freaky

You know, they hire real medical examiners and forensics technicians to consult on movies and TV shows (like CSI) to achieve a hopefully-fascinating level of realism. Which is why I sometimes wonder if Hollywood just has an exceedingly low opinion of infosec, because they clearly don't hire infosec consultants.

Thursday, July 19, 2007

Play-By-Play: I Get Into It w/ Richard Bejtlich Over Metrics

So I commented yesterday about a post Richard made about outcome-based security metrics.

In short, Richard likes outcome-based security metrics because they "mean something." I like them, too, but they can be hard to define and even harder to gather good data for. So I guess I don't like them that much.

He replied in the form of a new blog post. And I just had to comment.

This time, Richard takes issue with my point that it's possible to have bad security and outcome-based metrics that don't realistically represent the poor state of your security. He's probably right that if breaches are really bad, or even moderately bad very frequently, you can't help but detect them. Eventually. But in my opinion, metrics don't help you here. And that was my point.

And then he rags on compliance metrics. And this is where I draw the line. OK, not really. Compliance metrics suck, but we do them because they have value. Actual business value. Contrived, soulless, perhaps even pointless value. But I can tie dollars to them, so they have value. But Richard doesn't believe in ROI for security, either, so... :-)

Anyway, I respect Richard and enjoy his books and his blog. This dialog is healthy for infosectarians to have. If by some freak accident you read my blog but not his, definitely check it out.

Good HIPAA Resource

HIPAA isn't new, but - and maybe because I work in an environment where it's the primary regulatory standard - I regularly have conversations with colleagues and vendors about how we adhere to HIPAA standards and specifically the nuances of how we believe it translates into actual best practices on the ground. Like anything that is both legal and technical, HIPAA is riddled with self-referencing jargon, and defining these terms is useful to any serious conversation about HIPAA compliance. To that end, I stumbled on a really nice encyclopedia of HIPAA terms at U of Miami's med school. Too useful not to share.

Tuesday, July 17, 2007

Malware vs. Anti-Virus

Interesting, but scary story:

"What is most worrying is that this particular sample of malware wasn't recognized by existing antivirus software. It was able to slip through enterprise defenses,"

Like I said, the AV industry is getting its ass kicked.

The Most Valuable ArcSight Filters of The Summer

Without a doubt, 2007 will be remembered by infosec professionals as the year that malware came into its own. Client-side exploits and malware are nothing new. But this year there is a lot more of it, it's a lot better put together, the malware authors are handily kicking the anti-virus industry's ass, but most of all it's being run like a business. If you doubted it before, ecard should be proof positive that very smart, very organized people are behind malware distribution. That's not to say that they can't be beaten, but it's definitely an arms race, and if you aren't doing your part to gather intel, well, what you don't know can definitely send your docs to .ru.

These days, I spend a lot of my time in front of two ArcSight grids ("active channels") because they are the best tools I have for finding malware as it's on its way in to the environment. So here they are.

First, this filter is built to look for McAfee ePolicy Orchestrator (ePO) events that involve an actual virus signature. When a VirusScan alert event is passed back to ePO, it stores the signature name in a device string.

(Device_Product = "ePolicy Orchestrator" And Device_Vendor = "McAfee" And Device_Custom_String1 NOT Is "NULL")

The second filter should work for any proxy or firewall log where URLs are present in the log. In my case the source is Check Point firewalls using WebSense for content filtering. Even if WebSense doesn't block them, the URLs are recorded in the log. Basically, we want to know about all of the standard executable file types and then look for suspicious downloads. Depending on your network's configuration and size, you may need to tune this to make it useful. For instance, if you don't have a WSUS server and your workstations get updates directly over the Internet, this channel will be very busy for 2-3 days every month.

(Request_Url EndsWith [IgnoreCase] ".exe" OR Request_Url EndsWith [IgnoreCase] ".msi" OR Request_Url EndsWith [IgnoreCase] ".pif" OR Request_Url EndsWith [IgnoreCase] ".cmd" OR Request_Url EndsWith [IgnoreCase] ".bat")

Update: Someone told me that he didn't think it made sense to monitor anti-virus alerts when trying to combat malware, after all this is the stuff that your anti-virus did detect and stop. Aren't we interested in the stuff that got through?

Yes, absolutely. It has been my experience (and perhaps yours, too) that it is common for a dropper to attempt to install multiple pieces of malware. The malware authors are regularly repacking to defeat AV detection, but they can't win every time. It is common, in at least 50% of the cases I've handled since March, for the anti-virus to detect and remove some, but not all, of the malware being dropped. It's my advice that AV detects should be investigated to see if there were other downloads, suspicious network traffic, etc. from machines that did generate alerts, as they may still be compromised.
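To make the two filters and the follow-up advice concrete, here is an added example (not code from this post or from ArcSight) that applies both filters to constructed sample events and then, per the update, lists the executable downloads made by each host that raised an AV detect. The event field names, the hosts, the URLs and the time window are all assumptions for the sake of illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real ArcSight data). Field names follow the
# ArcSight fields quoted in the post; "time" is ISO-8601 for simplicity.
EVENTS = [
    {"time": "2007-07-17T09:00:20", "deviceProduct": "Firewall-1", "deviceVendor": "Check Point",
     "sourceAddress": "10.1.2.3", "requestUrl": "http://example.invalid/ecard.exe"},
    {"time": "2007-07-17T09:01:00", "deviceProduct": "ePolicy Orchestrator", "deviceVendor": "McAfee",
     "sourceAddress": "10.1.2.3", "deviceCustomString1": "W32/Example.dropper"},
    {"time": "2007-07-17T09:03:40", "deviceProduct": "Firewall-1", "deviceVendor": "Check Point",
     "sourceAddress": "10.1.2.3", "requestUrl": "http://example.invalid/update.EXE"},
    {"time": "2007-07-17T09:05:00", "deviceProduct": "ePolicy Orchestrator", "deviceVendor": "McAfee",
     "sourceAddress": "10.1.2.4", "deviceCustomString1": "NULL"},  # agent event, no signature
    {"time": "2007-07-17T09:06:00", "deviceProduct": "Firewall-1", "deviceVendor": "Check Point",
     "sourceAddress": "10.1.2.5", "requestUrl": "http://example.invalid/tools.msi"},
    {"time": "2007-07-17T15:00:00", "deviceProduct": "Firewall-1", "deviceVendor": "Check Point",
     "sourceAddress": "10.1.2.3", "requestUrl": "http://example.invalid/late.bat"},
]

EXEC_SUFFIXES = (".exe", ".msi", ".pif", ".cmd", ".bat")

def is_av_signature_event(ev):
    """Filter 1: ePO events whose custom string carries a real signature name."""
    return (ev.get("deviceProduct") == "ePolicy Orchestrator"
            and ev.get("deviceVendor") == "McAfee"
            and ev.get("deviceCustomString1") not in (None, "NULL"))

def is_executable_download(ev):
    """Filter 2: request URL ends with one of the executable extensions, ignoring case."""
    url = ev.get("requestUrl")
    return url is not None and url.lower().endswith(EXEC_SUFFIXES)

def hosts_needing_followup(events, window_minutes=60):
    """The update's advice: for each host that raised an AV detect, collect the
    executable downloads it made within +/- window_minutes of the alert. Such
    hosts may still be compromised even though AV caught one component."""
    downloads = [e for e in events if is_executable_download(e)]
    followup = {}
    for det in (e for e in events if is_av_signature_event(e)):
        when = datetime.fromisoformat(det["time"])
        window = timedelta(minutes=window_minutes)
        for dl in downloads:
            if dl["sourceAddress"] != det["sourceAddress"]:
                continue
            if abs(datetime.fromisoformat(dl["time"]) - when) <= window:
                urls = followup.setdefault(det["sourceAddress"], [])
                if dl["requestUrl"] not in urls:
                    urls.append(dl["requestUrl"])
    return followup
```

Note that, like the original EndsWith filter, this misses URLs that carry a query string after the extension; widen the match if your proxy logs those.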

Friday, July 13, 2007

Guest Spot on Security Skeptic

Security Skeptic Dave Piscitello has reposted to his blog (with my blessing) one of my posts to the fw-wiz mailing list. It's a couple of lessons-learned from my days of implementing Entercept and CSA for clients. I recommend that you read Dave's blog. He's like Mike Rothman without the book deal. To say he's a veteran is to understate his expertise and experience. He was doing network programming for Unisys back in '82, when I was still watching the Electric Company and wearing my Members Only jacket. :-)

Members Only: VM Security

If you're not going to Black Hat this year, but you'd still like to hear what Matasano has to say about VM security, attacks, security architecture, and the continuing saga of the $400K rootkit, then look no further. Tom Ptacek and Dave Goldsmith, in conjunction with the Institute for Applied Network Security, gave a webinar on Tuesday that is now online. Members only, I'm afraid, but it's still gotta be cheaper than airfare, hotel, and registration.

I vattended (not a typo, I'm trying to coin a new word for remote spectatorship of things like webinars) their talk on Tuesday and it was quite good. We invited our infrastructure teams even though I was worried they wouldn't get much out of it. But they did. Unlike what I presume Tom and Nate's Black Hat talk will be like, Tom and Dave talked about high-to-medium-level stuff like network blind spots and the risks of access to the host/hypervisor CPU.

Along those same lines, Jeff Mayrand gave a nice preso on VI3 security to Grand Rapids ISSA back in February. Those of you interested in the specifics of network blind spots and VM networking best practices should read Jeff's slide deck. Members only again, but joining the GR-ISSA mailing list is free.