Time Issues in Libpcap Traces

Time is an important aspect of Network Security Monitoring. If you don't pay close attention to the time shown in your evidence, and recognize what it means, it's possible you could misinterpret the values you see.My students and I encountered this issue in TCP/IP Weapons School at Black Hat this week. Let's look at the first ICMP packet in one of our labs. I'm going to show the output using the Hd tool and then identify and decode the field that...

Read More

Review of Digital Forensics for Network, Internet, and Cloud Computing Posted

Amazon.com just published by two star review of Digital Forensics for Network, Internet, and Cloud Computing by Terrence V. Lillard and company. From the review:Digital Forensics for Network, Internet, and Cloud Computing (DFFNIACC) is one of the worst books I've read in the last few years. You may wonder why I bothered reading a two star book. Blame a flight from the east coast to Las Vegas and not much else to read during those five hours! DFFNIACC...

Read More

Review of Virtualization and Forensics Posted

Amazon.com just published my three star review of Virtualization and Forensics by Dianne Barrett and Gregory Kipper. From the review:"Virtualization and Forensics" (VAF) offers "a digital forensic investigator's guide to virtual environments" as its subtitle. Eric Cole's introduction says "How do we analyze the [virtual] systems forensically since standard methods no longer work? Let me introduce a key piece of research and literature, VAF." I disagree...

Read More

Review of Digital Triage Forensics Posted

Amazon.com just published my two star review of Digital Triage Forensics: Processing the Digital Crime Scene by Stephen Pearson and Richard Watson. From the review:I have to preface this review by saying my criticism of this book should not be taken as criticism of the brave men and women who put their lives on the line fighting for our freedom in Southwest Asia (SWA). I'm reviewing the book "Digital Triage Forensics" (DTF), not the people who wrote...

Read More

Dell Needs a PSIRT

It's clear to me that Dell needs a Product Security Incident Response Team, or PSIRT. Their response to the malware shipping with R410 replacement motherboards is not what I would like to see from a company of their size and stature.Take a look at this Dell Community thread to see what I mean. It's almost comical.These are a few problems I see:They are informing the public of this malware problem using phone calls, not a posting on a Web site....

Read More

Review of The Watchman Posted

Amazon.com just posted my three star review of The Watchman by Jonathan Littman. From the review:The Watchman by Jonathan Littman is a tough book to review. The author states that he started writing a book about Kevin Poulsen (The Watchman), then delayed that project to write a book about Kevin Mitnick (The Fugitive Game, or TFG). After finishing TFG, the author returned to the Poulsen book. Unfortunately, it seems that the approach that the author...

Read More

Review of The Fugitive Game Posted

Amazon.com just posted my four star review of The Fugitive Game by Jonathan Littman. From the review:"The Fugitive Game" (TFG) recounts author Jonathan Littman's discussions with Kevin Mitnick, largely while the latter evaded authorities in the mid-1990s. This book is unlike others about Kevin, because the author describes multiple lengthy telephone conversations. As much as one can trust the author to reproduce them faithfully, these exchanges...

Read More

Review of At Large Posted

Amazon.com just posted my four star review of At Large by David H. Freedman and Charles C. Mann. From the review:"At Large" is a "hacking" book published during the mid-1990s, but it doesn't address the characters usually considered to be the "stars" of that era. Rather, At Large tells the tale of a single-minded and possibly mentally-challenged intruder who infiltrated a large number of sensitive US networks. While I didn't find the characters...

Read More

Review of The Cuckoo's Egg Posted

Amazon.com just posted my five star review of The Cuckoo's Egg by Cliff Stoll. From the review:Cliff Stoll's "The Cuckoo's Egg" (TCE) is the best real-life digital incident detection and response book ever written. I know something about this topic; I've written books on the subject and have taught thousands of students since 2000. I've done detection and IR since 1998, starting in the military, then as a consultant and defense contractor, and now...

Read More

Review of Code Version 2.0 Posted

Amazon.com just posted my four star review of Code Version 2.0 by Lawrence Lessig. From the review:Code Version 2.0 (CV2) is a compelling and insightful book. Author Lawrence Lessig is a very deep thinker who presents arguments in a complete and methodical manner. I accept his thesis that "cyberspace" has abandoned its tradition as an ungovernable, anonymous playground and risks becoming the most regulated and "regulable" "place" in which one could...

Read More

Review of Crypto Posted

Amazon.com just posted my four star review of Crypto by Steven Levy. From the review:Steven Levy's "Crypto" is a fascinating look at part of the story of modern cryptography, at least from the point of view of key non-government cryptographers. The author clearly conducted plenty of research into the lives of certain individuals, such as Whit Diffie and Marty Hellmen, the RSA trio, and other entrepreneurs. Unlike some other reviewers, I thought...

Read More

Review of The Illusion of Due Diligence Posted

Amazon.com just posted my two star review of The Illusion of Due Diligence by Jeffrey Bardin. From the review:I have mixed feelings about Jeffrey Bardin's "The Illusion of Due Diligence" (TIODD). I did read the whole book. However, I am not sure I would advise others to read it. TIODD struck me as a collection of stories describing how bad choices can lead to difficult situations. Some of the bad choices are the author's, so I have trouble sympathizing...

Read More

Human Language as the New Programming Language

If you've read the blog for a while you know I promote threat-centric security in addition to vulnerability-centric security. I think both approaches are needed, but I find a lot of security shops ignore threat-centric approaches. But in this brief post I'd like to talk about one skill you're likely to need in a threat-centric team.Clearly knowledge of programming languages is helpful for vulnerability-centric security. Those who can program in...

Read More

Brief Thoughts on WEIS 2010

Last month I attended my first Workshop on the Economics of Information Security (WEIS 2010) at Harvard. It was cool to visit and it reminded me that I probably spent too much time playing ice hockey and learning martial arts during graduate school, and not enough time taking advantage of the "Hah-vahd experience." Oh well, as Mr Shaw said, "Youth is wasted on the young."So what about WEIS? I attended because of the "big brains" in the audience....

Read More

Brief Thoughts on SANS WhatWorks Summit in Forensics and Incident Response 2010

Last week I spoke at the third SANS WhatWorks Summit in Forensics and Incident Response in DC, organized and led by Rob Lee. As usual, Rob did a wonderful job bringing together interesting speakers and timely topics. I thought my presentation on "CIRT-level Response to Advanced Persistent Threat" went well and I enjoyed participating on the "APT Panel Discussion." I wanted to share a few thoughts from the event. This is just the sort of event...

Read More

Network Forensics Vendors: Get in the Cloud!

I know some of us worry that the advent of the "cloud" will spell the end of Network Security Monitoring and related network-centric visibility and instrumentation measures. I have a proposal for any network forensics vendors reading this blog: get in the cloud! For example, imagine you are a proxy-in-the-cloud (PITC) provider, like ScanSafe, now owned by Cisco. You provide a Web portal to your customers so they can see what bad sites employees...

Read More

Gartner on CSIRTs

I know some of you pay attention to what Gartner says, or more probably, your management does. I found this new report How to Build a Computer Security Incident Response Team by Jeffrey Wheatman, Rob McMillan, and Andrew Walls helpful if you need external validation from a source your management is likely to recognize. You need a Gartner account to breach the paywall.I wanted to provide a few reasons why you might want to buy it and share it:It...

Read More

My Article on Advanced Persistent Threat Posted

My article Understanding the Advanced Persistent Threat provides an overview of APT. It's the cover story in the July 2010 Information Security Magazine. From the article:The term advanced persistent threat, or APT, joined the common vocabulary of the information security profession in mid-January, when Google announced its intellectual property had been the victim of a targeted attack originating from China. Google wasn't alone; more than 30 other...

Read More

A Little More on Cyberwar, from Joint Pub 1

Everyone's been talking about cyberwar this week, thanks in part to the Economist coverage. Many of the comments on my posts and elsewhere discuss the need for definitions. I thought it might be useful to refer to an authoritative source on war for the United States: DoD Joint Publication 1: Doctrine for the Armed Forces of the United States (.pdf), known as JP 1. Incidentally, back in 1997 as an Air Force 1Lt straight from intelligence school,...

Read More

Thoughts on "Application SOC" and New MSSPs

I'd like to briefly comment on a few ideas that appeared on lists I read.First, in this Daily Dave post from June, Dave Aitel writes:So when I gave the FIRST talk, one of the questions was "What is the solution?" ...Immunity sees lots of success (and has for many years) with organizations that have done high level instrumentations [sic] against their applications, and then used powerful data mining tools to look at that data...So what you see is...

Read More

Ponemon Institute Misses the Mark

Today the Ponemon Institute announced results of a survey they conducted titled Growing Risk of Advanced Threats: Study of IT Practitioners in the United States. Unfortunately, this survey looks like it is mainly the blind asking the blind to describe a threat neither really understands. For example, the survey states:While the definition of what constitutes an advanced threat still varies within the industry, for purposes of this research we have...

Read More

Joint Strike Fighter -- Face of Cyberwar?

Does anyone remember this story from April 2009?Computer Spies Breach Fighter-Jet Project Computer spies have broken into the Pentagon's $300 billion Joint Strike Fighter project -- the Defense Department's costliest weapons program ever -- according to current and former government officials familiar with the attacks...In the case of the fighter-jet program, the intruders were able to copy and siphon off several terabytes of data related to design...

Read More

Cyberwar Is Real

A number of people, inside and outside the security world, think that any discussion of real threats is a manufactured justification for intrusive government action. Their argument is simple. The government wants to control the people, or obtain a resource, or pursue some objective that could not be reasonably achieved if transparently presented to the citizenry.The government "propaganda machine," sometimes in coordination with "the media" and...

Read More

Security Is Never Free -- Ask DNSSEC

Volume 13 Number 1 of the Cisco IP Journal features a fascinating DNS troubleshooting article titled "Rolling Over DNSSEC Keys" by George Michaelson, APNIC, Patrick Wallstrõm, .SE, Roy Arends, Nominet, and Geoff Huston, APNIC. It's one of the best articles I've ever read in IPJ. You should subscribe (it's free) if you like this blog.In the article, the authors investigate a surge of DNS traffic suffered by a secondary DNS server that is authoritative...

Read More

Lessons from NETOPS vs CND

Volume 13 Issue 2 of IATAC's IA Newsletter features an article titled Apples and Oranges: Operating and Defending the Global Information Grid by Dr Robert F Mills, Maj Michael Birdwell, and Maj Kevin Beeker. The article nicely argues for refocusing DoD's "NETOPS" and "CND" missions, where the former is defined currently asactivities conducted to operate and defend the Global Information Gridand the latter is defined currently asactions taken to...

Read More

Secunia Survey of DEP and ASLR

At the FIRST conference last month, Dave Aitel said something to the effect that DEP and ASLR are the only two noteworthy technologies produced by Microsoft since starting their security initiative. Forgive me Dave if I messed that up, and feel free to respond! I thought that was interesting after reading the post DEP / ASLR Neglected in Popular Programs by Secunia. The figure at left summarizes their findings over time. The report concludes...

Read More