Halvar was denied entry to the US on his way to Black Hat. This screws a good number of people including Halvar since his class was sold out. I know, I tried to register for it back in May.
But don't worry about me. David Litchfield has my brain on full and the "really meaty" stuff is coming tomorrow. So I'm calling it a night.
Monday, July 30, 2007
BH2K7
Made it to Black Hat yesterday (well, today, really) despite the delays and cancellations due to the <ahem> "bad weather." Class starts in two hours, so right now I am desperately trying to figure out my coffee situation. Caesar's has me in a gorgeous room with a bathroom you could play racquetball in, but there's no coffee maker. So if you see me in the lobby this morning without a Starbuck's Venti something-or-other in hand, steer clear. I'm a little unstable at the moment.
Thursday, July 26, 2007
Certified Pre-Owned 0-Days
Monday, July 23, 2007
Penny Arcade So Closely Resembles My Life It's a Little Freaky
You know, they hire real medical examiners and forensics technicians to consult on movies and TV shows (like CSI) to achieve a hopefully-fascinating level of realism. Which is why I sometimes wonder if Hollywood just has an exceedingly low opinion of infosec, because they clearly don't hire infosec consultants.
Thursday, July 19, 2007
Play-By-Play: I Get Into It w/ Richard Bejtlich Over Metrics
So I commented yesterday about a post Richard made about outcome-based security metrics.
In short, Richard likes outcome-based security metrics because they "mean something." I like them, too, but they can be hard to define and even harder to gather good data for. So I guess I don't like them that much.
He replied in the form of a new blog post. And I just had to comment.
This time, Richard takes issue with my point that it's possible to have bad security and outcome-based metrics that don't realistically represent the poor state of your security. He's probably right that if breaches are really bad or even moderately bad very frequently, that you can't help but detect them. Eventually. But in my opinion, metrics don't help you here. And that was my point.
And then he rags on compliance metrics. And this is where I draw the line. OK, not really. Compliance metrics suck, but we do them because they have value. Actual business value. Contrived, soulless, perhaps even pointless value. But I can tie dollars to them, so they have value. But Richard doesn't believe in ROI for security, either, so... :-)
Anyway, I respect Richard and enjoy his books and his blog. This dialog is healthy for infosectarians to have. If by some freak accident you read my blog but not his, definitely check it out.
In short, Richard likes outcome-based security metrics because they "mean something." I like them, too, but they can be hard to define and even harder to gather good data for. So I guess I don't like them that much.
He replied in the form of a new blog post. And I just had to comment.
This time, Richard takes issue with my point that it's possible to have bad security and outcome-based metrics that don't realistically represent the poor state of your security. He's probably right that if breaches are really bad or even moderately bad very frequently, that you can't help but detect them. Eventually. But in my opinion, metrics don't help you here. And that was my point.
And then he rags on compliance metrics. And this is where I draw the line. OK, not really. Compliance metrics suck, but we do them because they have value. Actual business value. Contrived, soulless, perhaps even pointless value. But I can tie dollars to them, so they have value. But Richard doesn't believe in ROI for security, either, so... :-)
Anyway, I respect Richard and enjoy his books and his blog. This dialog is healthy for infosectarians to have. If by some freak accident you read my blog but not his, definitely check it out.
Good HIPAA Resource
HIPAA isn't new, but - and maybe because I work in an environment where it's the primary regulatory standard - I regularly have conversations with colleagues and vendors about how we adhere to HIPAA standards and specifically the nuances of how we believe it translates into actual best practices on the ground. Like anything that is both legal and technical, HIPAA is riddled with self-referencing jargon, and defining these terms is useful to any serious conversation about HIPAA compliance. To that end, I stumbled on a really nice encyclopedia of HIPAA terms at U of Miami's med school. Too useful not to share.
Tuesday, July 17, 2007
Malware vs. Anti-Virus
Interesting, but scary story:
http://www.reuters.com/article/domesticNews/idUSN1638118020070717
"What is most worrying is that this particular sample of malware wasn't recognized by existing antivirus software. It was able to slip through enterprise defenses,"
Like I said, the AV industry is getting its ass kicked.
http://www.reuters.com/article/domesticNews/idUSN1638118020070717
"What is most worrying is that this particular sample of malware wasn't recognized by existing antivirus software. It was able to slip through enterprise defenses,"
Like I said, the AV industry is getting its ass kicked.
The Most Valuable ArcSight Filters of The Summer
Without a doubt, 2007 will be remembered by infosec professionals as the year that malware came into its own. Client-side exploits and malware are nothing new. But this year there is a lot more of it, it's a lot better put together, the malware authors are handily kicking the anti-virus industry's ass, but most of all its being run like a business. If you doubted it before, ecard should be proof positive that very smart, very organized people are behind malware distribution. That's not to say that they can't be beaten, but it's definitely an arms race, and if you aren't doing your part to gather intel, well, what you don't know can definitely send your docs to .ru.
These days, I spend a lot of my time in front of two ArcSight grids ("active channels") because they are the best tools I have for finding malware as it's on its way in to the environment. So here they are.
First, this filter is built to look for McAfee ePolicy Orchestrator (ePO) events that involve an actual virus signature. When a VirusScan alert event is passed back to ePO, it stores the signature name in a device string.
(Device_Product = "ePolicy Orchestrator" And Device_Vendor = "McAfee" And Device_Custom_String1 NOT Is "NULL")
The second filter should work for any proxy or firewall log where URLs are present in the log. In my case the source is Check Point firewalls using WebSense for content filtering. Even if WebSense doesn't block them, the URLs are recorded in the log. Basically, we want to know about all of the standard executable file types and then look for suspicious downloads. Depending on your network's configuration and size, you may need to tune this to make it useful. For instance, if you don't have a WSUS server and your workstations get updates directly over the Internet, this channel will be very busy for 2-3 days every month.
(Request_Url EndsWith [IgnoreCase] ".exe" OR Request_Url EndsWith [IgnoreCase] ".msi" OR Request_Url EndsWith [IgnoreCase] ".pif" OR Request_Url EndsWith [IgnoreCase] ".cmd" OR Request_Url EndsWith [IgnoreCase] ".bat")
Update: Someone told me that he didn't think it made sense to monitor anti-virus alerts when trying to combat malware, after all this is the stuff that your anti-virus did detect and stop. Aren't we interested in the stuff that got through?
Yes, absolutely. It has been my experience (and perhaps yours, too) that it is common for a dropper to attempt to install multiple pieces of malware. The malware authors are regularly repacking to defeat AV detection, but they can't win every time. It is common, at least 50% of cases I've handled since March, for the anti-virus to detect and remove some, but not all of the malware being dropped. It's my advice that AV detects should be investigated to see if there were other downloads, suspicious network traffic, etc. from machines that did generate alerts, as they may still be compromised.
These days, I spend a lot of my time in front of two ArcSight grids ("active channels") because they are the best tools I have for finding malware as it's on its way in to the environment. So here they are.
First, this filter is built to look for McAfee ePolicy Orchestrator (ePO) events that involve an actual virus signature. When a VirusScan alert event is passed back to ePO, it stores the signature name in a device string.
(Device_Product = "ePolicy Orchestrator" And Device_Vendor = "McAfee" And Device_Custom_String1 NOT Is "NULL")
The second filter should work for any proxy or firewall log where URLs are present in the log. In my case the source is Check Point firewalls using WebSense for content filtering. Even if WebSense doesn't block them, the URLs are recorded in the log. Basically, we want to know about all of the standard executable file types and then look for suspicious downloads. Depending on your network's configuration and size, you may need to tune this to make it useful. For instance, if you don't have a WSUS server and your workstations get updates directly over the Internet, this channel will be very busy for 2-3 days every month.
(Request_Url EndsWith [IgnoreCase] ".exe" OR Request_Url EndsWith [IgnoreCase] ".msi" OR Request_Url EndsWith [IgnoreCase] ".pif" OR Request_Url EndsWith [IgnoreCase] ".cmd" OR Request_Url EndsWith [IgnoreCase] ".bat")
Update: Someone told me that he didn't think it made sense to monitor anti-virus alerts when trying to combat malware, after all this is the stuff that your anti-virus did detect and stop. Aren't we interested in the stuff that got through?
Yes, absolutely. It has been my experience (and perhaps yours, too) that it is common for a dropper to attempt to install multiple pieces of malware. The malware authors are regularly repacking to defeat AV detection, but they can't win every time. It is common, at least 50% of cases I've handled since March, for the anti-virus to detect and remove some, but not all of the malware being dropped. It's my advice that AV detects should be investigated to see if there were other downloads, suspicious network traffic, etc. from machines that did generate alerts, as they may still be compromised.
Friday, July 13, 2007
Guest Spot on Security Skeptic
Security Skeptic Dave Piscitello has reposted to his blog (with my blessing) one of my posts to the fw-wiz mailing list. It's a couple of lessons-learned from my days of implementing Entercept and CSA for clients. I recommend that you read Dave's blog. He's like Mike Rothman without the book deal. To say he's a veteran is to understate his expertise and experience. He was doing network programming for Unisys back in '82, when I was still watching the Electric Company and wearing my Members Only jacket. :-)
Members Only: VM Security
If you're not going to Black Hat this year, but you'd still like to hear what Matasano has to say about VM security, attacks, security architecture, and the continuing saga of the $400K rootkit, then look no further. Tom Ptacek and Dave Goldsmith, in conjunction with the Institute for Applied Network Security, gave a webinar on Tuesday that is now online. Members only, I'm afraid, but it's still gotta be cheaper than airfare, hotel, and registration.
I vattended (not a typo, I'm trying to coin a new word for remote spectatorship of things like webinars) their talk on Tuesday and it was quite good. We invited our infrastructure teams even though I was worried they wouldn't get much out of it. But they did. Unlike what I presume Tom and Nate's Black Hat talk will be like, Tom and Dave talked about high-to-medium- level stuff like network blind spots, the risks of access to the host/hypervisor CPU.
Along those same lines, Jeff Mayrand gave a nice preso on VI3 security to Grand Rapids ISSA back in February. Those of you interested in the specifics of network blind spots and VM networking best practices should read Jeff's slide deck. Members only again, but joining the GR-ISSA mailing list is free.
I vattended (not a typo, I'm trying to coin a new word for remote spectatorship of things like webinars) their talk on Tuesday and it was quite good. We invited our infrastructure teams even though I was worried they wouldn't get much out of it. But they did. Unlike what I presume Tom and Nate's Black Hat talk will be like, Tom and Dave talked about high-to-medium- level stuff like network blind spots, the risks of access to the host/hypervisor CPU.
Along those same lines, Jeff Mayrand gave a nice preso on VI3 security to Grand Rapids ISSA back in February. Those of you interested in the specifics of network blind spots and VM networking best practices should read Jeff's slide deck. Members only again, but joining the GR-ISSA mailing list is free.
On Wireless Hackers and The Law (Again)
This week, an appeals court upheld the sentence of one of the Lowe's hackers. He got 9 years, the longest sentence given to a hacker in the U.S. ever!
In case you don't already know, two hackers broke into a Detroit Lowe's store via open WiFi access point and were attempting to steal credit card numbers from Lowe's transactions. By all accounts, this attack would have worked but for the fact that the 2 men were arrested before they could return to collect the card numbers.
As I read this, it put into perspective for me just how completely dumb the arrest of Sam Peterson (also in Michigan) was.
In case you don't already know, two hackers broke into a Detroit Lowe's store via open WiFi access point and were attempting to steal credit card numbers from Lowe's transactions. By all accounts, this attack would have worked but for the fact that the 2 men were arrested before they could return to collect the card numbers.
As I read this, it put into perspective for me just how completely dumb the arrest of Sam Peterson (also in Michigan) was.
Thursday, July 12, 2007
My Feeds
Hi, my name is Paul, and I'm an addict.
So, I've been using Sage for Firefox for a couple of years now, and it's become a problem. It's a problem because if a web site that I find interesting has an RSS feed, I add it to my Sage feeds instead of bookmarking it. As part of the first step toward recovery, I know I must admit that I have a problem. And here is the scope of said problem:
And of course, if you have Sage, or if your RSS reader supports feed discovery, you can automagically add all of my feeds to your feeds. Share the love. Spread the disease.
So, I've been using Sage for Firefox for a couple of years now, and it's become a problem. It's a problem because if a web site that I find interesting has an RSS feed, I add it to my Sage feeds instead of bookmarking it. As part of the first step toward recovery, I know I must admit that I have a problem. And here is the scope of said problem:
- InfoSec
- Alerts & Vulns
- Newsy Stuff
- Logs/Analysis
- Tastes Good
- Good For You
- Aviv Raff On .NET - Security
- CastleCops Web Malware Links
- Checkmate
- honeyblog
- Jeremiah Grossman
- Mark's Blog
- Matasano Chargen
- Michael Sutton's Blog
- Offensive Computing blogs
- Open Source Information Security
- OSX, and other stuff
- rdist: setuid just for you
- SecuriTeam Blogs
- Security Sauce
- Support Intelligence
- TaoSecurity
- The Ethical Hacker Network RSS News Feed
- Uninformed Journal
- Websense Security Labs Blog
- Zero in a bit
And of course, if you have Sage, or if your RSS reader supports feed discovery, you can automagically add all of my feeds to your feeds. Share the love. Spread the disease.
Tuesday, July 10, 2007
Arrests in TJX, Polo Breaches
Evan Schumann at The Hack Report reports today that some Cuban nationals were arrested in Florida with card dumps from the Polo and TJX breaches. The interesting thing to note is that the Secret Service says these guys in FL received the data from Eastern Europe. But from what we already know about TJX, the original hackers weren't from Europe, they were in and likely from Minnesota.
It'd be pretty cool to see a path analysis of these card numbers if one could be put together. How many times are the cards sold before they're actually used?
It'd be pretty cool to see a path analysis of these card numbers if one could be put together. How many times are the cards sold before they're actually used?
Vegas, Baby!
I'm starting to get excited about Black Hat and DefCon.
I'm confirmed, reserved, committed, and all that, so see you there!
I'm confirmed, reserved, committed, and all that, so see you there!
Thursday, July 5, 2007
Welcome Back!
Welcome back from the holiday! Pffft. I enjoyed the day off, but I'm starting to dread coming back to work after holidays. New Years. Superbowl Sunday. Lately, any random weekend. And now Independence Day.
So for those keeping score, we're now on variant 4 of ecard.exe, all new for July 4th! And look, with the new version, no two binaries are exactly the same:
So for those keeping score, we're now on variant 4 of ecard.exe, all new for July 4th! And look, with the new version, no two binaries are exactly the same:
Monday, July 2, 2007
Little Stuff
So in between playing whack-a-mole with ecard.exe urls and trying to figure out which BlackHat talk you're going to now that The Brothers Kumar have backed out of their talk on bypassing TPM (BTW, these guys are kinda tipping the shady-meter, no?), you're looking for something interesting to read.
Try http://www.securls.com/
And since I mentioned ecard, here's a write-up on some other oft-repacked malware that won't go away. Lyberty Miller does a nice job of pointing out practical countermeasures, something researchers don't always do.
Also, more ecard. Guess what I'm neck-deep in today. It's all new since the weekend!
Try http://www.securls.com/
And since I mentioned ecard, here's a write-up on some other oft-repacked malware that won't go away. Lyberty Miller does a nice job of pointing out practical countermeasures, something researchers don't always do.
Also, more ecard. Guess what I'm neck-deep in today. It's all new since the weekend!