Security News

Its bad enough when Google can’t keep their G-Mail servers up. Its worse when they screw up causing all search results to have a security warning. Its worse again when they force you to fill out a captcha to perform a search because some algorithm has decided that you’ve searched to much, or searched for a suspicious term.

Now for the second time in two months I’ve been banned from G-Mail for up to 24 hours.

This account has been locked down due to unusual account activity. It may take up to 24 hours for you to regain access.

Unusual account activity includes, but is not limited to:

Receiving, deleting, or downloading large amounts of mail via POP in a short period of time.
Sending a large number of undeliverable messages (messages that bounce back).
Using file-sharing or file-storage software, browser extensions, or third party software that automatically logs in to your account.
Leaving multiple instances of your Gmail account open.
Browser-related issues. Please note that if you find your browser continually reloading while attempting to access your Inbox, it’s probably a browser issue, and it may be necessary to clear your browser’s cache and cookies.
If you feel that you have been using your Gmail account according to the Gmail Terms of Use, you can troubleshoot your problem by clicking here.

As near as I can tell, the only activity I have performed is leaving Gmail open on two or three computers. This 24 hour lockout is bull.

Several of you have asked me to explain the difference between TCP/IP Weapons School (TWS), which I first taught at USENIX Security 2006, and TCP/IP Weapons School 2.0 (TWS2), which I first taught at Black Hat DC 2009 Training last week. This post will explain the differences, with an added bonus.

1. I have retired TWS, the class I taught from 2006-2008. I am only teaching TWS2 for the foreseeable future.
2. TWS2 is a completely brand-new class. I did not reuse any material from TWS, my older Network Security Operations class, or anything else.
3. TWS2 offers zero slides. Students receive three handouts and a DVD. The handouts include an 84 page investigation guide, a 25 page student workbook, and a 120 page teacher’s guide. The DVD contains a virtual machine with all the tools and evidence needed to complete the labs, along with the network and memory evidence as stand-alone files.
4. TWS2 is heavily lab-focused. I’ve been teaching professionally since 2002, and I’ve recognized that students prefer doing to staring and maybe listening! Everyone who leaves TWS2 has had hands-on experience investigating computer incidents in an educational environment.
5. TWS2 is designed for beginner-to-intermediate attendees. Some advanced people will like the material too, although I can’t promise to please everyone. I built the class so that the newest people could learn by trying the labs, but follow the teacher’s guide (which they receive) if they need extra assistance. More advanced students are free to complete the labs any way they see fit, preferably never looking at the teacher’s guide until the labs are done. This system worked really well in DC last week.
6. TWS2 uses multiple forms of evidence. Solving the labs relies heavily on the network traffic provided with each case, but some questions can only be answered by reviewing Snort alerts, or session data, or system logs provided via Splunk, or even memory captures analyzed with tools like Volatility or whatever else the student brings to the case.
7. TWS2 comes home with the student and teaches an investigative mindset. Unlike classes that dump a pile of slides on you, TWS2 essentially delivers a book in courseware form. I use (*gasp*) whole sentences, even paragraphs, to describe how to solve labs. By working the labs the student learns how to be an investigator, rather than just watching or listening to investigative theories. I am using the same material to teach analysts on my team how to detect and respond to intrusions.

To provide a better sense of the class, I’ve posted materials from one of the labs at http://www.taosecurity.com/tws2_blog_sample_28feb09a.zip. The .zip contains the student workbook for the case, the teacher’s guide for the case, and the individual network trace file for the case. There is no way for me to include the 4 GB compressed VM that students receive, but by reviewing this material you’ll get some idea of the nature of this class.

My next session of TCP/IP Weapons School 2.0 will take place in Amsterdam on 14-15 April 2009 at Black Hat Europe 2009. Seats are already filling.

The last sessions of the year will take place in Las Vegas on 25-26 and 27-28 July 2009 at Black Hat USA 2009. Registration for training at that location will open this week, I believe.

I am not teaching the class publicly anywhere else in 2009. I do not offer private classes to anyone, except internally within GE (and those are closed to the public).

If you have any questions on these classes, please post them here. Thank you.

Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)

I have a feeling my post Consensus Audit Guidelines Are Still Controls is not going to be popular in certain circles. While tidying the house this evening I came across my 2007 edition of the Economist’s Pocket World in Figures. Flipping through the pages I found many examples of inputs (think “control-compliant”) vs outputs (think “field-assessed”).

I’d like to share some of them with you in an attempt to better communicate the ideas my last post.

• Business creativity and research
• Input(s): Total expenditures on research and development, % of GDP
• Output(s): Number of patents granted (per X people)

• Education
• Input(s): Education spending, % of GDP; school enrolment
• Output(s): Literacy rate

• Life expectancy, health, and related categories
• Input(s): Health spending, % of GDP; population per doctor; number of hospital beds per citizen; (also add in air quality, drinking and smoking rates, etc.)
• Output(s): Death rates; infant mortality; and so on…

• Crime and punishment
• Input(s): Total police per X population
• Output(s): Crime rate

Is this making sense?

Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)

Blog readers know that I think FISMA Is a Joke, FISMA Is a Jobs Program, and if you fought FISMA Dogfights you would always die in a burning pile of aerial debris.

Now we have the Consensus Audit Guidelines (CAG) published by SANS. You can ask two questions: 1) is this what we need? and 2) is it at least a step in the right direction?

Answering the first question is easy. You can look at the graphic I posted to see that CAG is largely another set of controls. In other words, this is more control-compliant “security,” not field-assessed security. Wait, you might ask, doesn’t the CAG say this?

What makes this document effective is that it reflects knowledge of actual attacks and defines controls that would have stopped those attacks from being successful. To construct the document, we have called upon the people who have first-hand knowledge about how the attacks are being carried out.

That excerpt means that CAG defines defensive activities that are believed to be effective by various security practitioners. I am not doubting that these practitioners are smart. I am not doubting their skills. What I am trying to say is that implementing the controls in CAG does not tell you the score of the game. CAG is all about inputs. After implementing CAG you still do not know any outputs. In other words, you apply controls (an “X”), but what is the outcome (the “Y”). The controls may or may not be wonderful, but if you are control-compliant you do not have the information produced by field-assessed security.

Does anyone real think we do not have controls already? The CAG itself shows how it maps against NIST SP 800-53 Rev 3 Controls. Five are shown below as an example.

For example, looking at CAG, how many of these strike you as something you didn’t already know about?

Critical Controls Subject to Automated Measurement and Validation:

1. Inventory of Authorized and Unauthorized Hardware.
2. Inventory of Authorized and Unauthorized Software.
3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers.
4. Secure Configurations of Network Devices Such as Firewalls and Routers.
5. Boundary Defense
6. Maintenance and Analysis of Complete Security Audit Logs
7. Application Software Security
8. Controlled Use of Administrative Privileges
9. Controlled Access Based On Need to Know
10. Continuous Vulnerability Testing and Remediation
11. Dormant Account Monitoring and Control
12. Anti-Malware Defenses
13. Limitation and Control of Ports, Protocols and Services
14. Wireless Device Control
15. Data Leakage Protection

Don’t get me wrong. If you are not implementing these controls already, you should do so. That will still not tell you the score of the game. If you want to see exactly what I proposed, I differentiated between control-compliance “security” and field-assessed security in my post Controls Are Not the Solution to Our Problem.

So, to answer my second question, CAG is a step in the right direction away from FISMA. It doesn’t change the game, especially if you are already implementing NIST guidance.

Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)

On-Demand Webinar > Watch it now!SPONSORED BY: Qwest Business Solutions®Get a tactical approach to optimize your communications, without straining your budget. Enhance how your company communic…

In my post Black Hat DC 2009 Wrap-Up, Day 2 I mentioned enjoying Dan Kaminsky’s talk. His thoughts on the scalability of DNS made an impression on me. I thought about the way the Team Cymru Malware Hash Registry returns custom DNS responses for malware researchers, for example. In this post I am interested in knowing if any blog readers have encountered problems similar to the ones I will describe next, and if yes, did you / could you use DNS to help mitigate it?

When conducting security operations to detect and respond to incidents, my team follows the CAER approach. Escalation is always an issue, because it requires identifying a responsible party. If you operate a defensible network it will be inventoried and claimed, but getting to that point is difficult.

The problem is this: you have an IP address, but how do you determine the owner? Ideally you have access to a massive internal asset database, but the problems of maintaining such a system can be daunting. The more sites, departments, businesses, etc. in play, the more difficult it is to keep necessary information in a single database. Even a federated system runs into problems, since there must be a way to share information, submit queries, keep data current, and so on.

Dan made a key point during his talk: one of the reasons DNS scales so well is that edge organizations maintain their own records, without having to constantly notify the core. Also, anyone can query the system, and get results from the (presumably) right source.

With this in mind, would it make sense to internally deploy custom DNS records that identify asset owners?

In other words:

1. Mandate by policy that all company assets must be registered in the internal company DNS.
2. Add extensions of some type that provide information like the following, at a minimum:
• Asset owner name and/or employee number
• Owning business unit
• Date record last updated

3. Periodically, statistically survey IP addresses observed via network monitoring to determine if their custom DNS records exist and validate that they are accurate

These points assume that there is already a way to associate an employee name or number with a contact method such as email address and/or phone number, as would be the case with a Global Address List.

Is anyone doing this? If not, do you have ideas for identifying asset owners when the scale of the problem is measured in the hundreds of thousands?

Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)

HD Moore posted a great defense of full disclosure in his article The Best Defense is Information on the latest Adobe vulnerability.

The strongest case for information disclosure is when the benefit of releasing the information outweighs the possible risks. In this case, like many others, the bad guys already won. Exploits are already being used in the wild and the fact that the rest of the world is just now taking notice doesn’t mean that these are new vulnerabilities. At this point, the best strategy is to raise awareness, distribute the relevant information, and apply pressure on the vendor to release a patch.

Adobe has scheduled the patch for March 11th. If you believe that Symantec notified them on February 12th, this is almost a full month from news of a live exploit to a vendor response. If the vendor involved was Microsoft, the press would be tearing them apart right now. What part of “your customers are being exploited” do they not understand?

Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)

Now that that the stimulus package has passed, health care information security moves from an objection to a requirement. There is growing acceptance that, like it or not, electronic medical records will play a more important role in health-care service delivery.

Secunia has verified disabling javascript does not provide full protection against the zero day in all supported versions of Adobe Acrobat and Adobe Reader.

The current exploit seen in the wild uses javascript to perform a heap spray for code execution. The vulnerability is in in a non-javascript function call. The original alert put out by Shadowserver states:

There may be a method for populating the heap with the necessary shellcode without JavaScript, however if such a technique exists I am not aware of it.

Secunia reports that they have “managed to create a reliable, fully working exploit (available for Secunia Binary Analysis customers), which does not use JavaScript and can therefore successfully compromise users, who may think they are safe because JavaScript support has been disabled.”

Even without this method of exploiting without javascript, a SANS commenter has pointed out the potential problem of disabling javascript. When a user opens a PDF containing javascript, they are prompted to re-enable javascript by clicking yes. How many users are really going to stop and consider the source of the file before re-enabling javascript.

The latest issue of the Information Assurance Technology Analysis Center’s IANewsletter features “Army, Navy, Air Force, and Cyber — Is It Time for a Cyberwarfare Branch of [the] Military?” by COL John “Buck” Surdu and LTC Gregory Conti. I found these excerpts enlightening.

The Army, Navy, and Air Force all maintain cyberwarfare components, but these organizations exist as ill-fitting appendages that attempt to operate in inhospitable cultures where technical expertise is not recognized, cultivated, or completely understood. The services have developed effective systems to build traditional leadership and management skills. They are quite good at creating the best infantrymen, pilots, ship captains, tank commanders, and artillerymen, but they do little to recognize and develop technical expertise. As a result, the Army, Navy, and Air Force hemorrhage technical talent, leaving the Nation’s military forces and our country under-prepared for both the ongoing cyber cold war and the likelihood of major cyberwarfare in the future…

[W]e are arguing that these cultures inhibit (and in some cases punish) the development of the technical expertise needed for this new warfare domain…. Only by understanding the culture of the technical workforce can a cyberwarfare organization hope to succeed… High-and-tight haircuts, morning physical training runs, rigorously enforced recycling programs, unit bake sales, and second-class citizen status are unlikely to attract and retain the best and brightest people.

I agree with almost all of this article. When I left the Air Force in early 2001, I was the 31st of the last 32 eligible company grade officers in the Air Force Information Warfare Center to separate from the Air Force rather than take a new nontechnical assignment. The only exception was a peer who managed to grab a job at NSA. The other 31 all left to take technical jobs in industry because we didn’t want to become protocol officers in Guam or logitisics officers in a headquarters unit.

Please read the whole article before commenting, if you choose to do so. I selected only a few points but there are others.

Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)

Another payment processor has fallen victim to hackers, Visa confirmed on Monday.

Another payment processor has fallen victim to hackers, Visa confirmed on Monday.

I saw this linked from Lenny Zeltser’s Twitter. Securology’s So you think you want a job in computer security.

The security operations all too true. Here’s part:

The worst part about SecOps is that you’ll either realize you’ve hit your Peter Principle with that job, in which case it’s time to spend all of your free time on backyard barbecues and retirement planning (nothing necessarily wrong with that — ignorance is bliss), OR, you’ll want out immediately because everyone around you has hit their Peter Principle highest job and you want more.

The post should be read in its entirety.

A new worm targeting mobile devices running Nokia’s Symbian OS is spreading in China in a unique way: through malicious links contained in text messages.

A new worm targeting mobile devices running Nokia’s Symbian OS is spreading in China in a unique way: through malicious links contained in text messages.

Attackers are actively exploiting a gaping zero-day hole in versions 9 and earlier of Adobe Acrobat and Reader, the company has warned.

Attackers are actively exploiting a gaping zero-day hole in versions 9 and earlier of Adobe Acrobat and Reader, the company has warned.

What will the Information Technology world look like in a hundred years? Here are five predictions for the state of data transport, storage, e-commerce, and security in the year 2109. Each prediction is soundly based on our current scientific theories and understandings plus a healthy dose of imagination. I’ll be posting this as a two part series. The first part includes: Unhackable Payment and Identification Solution and Secure Spontaneous Data Transport.

Read more

The RSA FraudAction Research Lab has recently traced a new tool designed by criminals that validates compromised payment cards (e.g. credit cards) that are illegally obtained through the underground fraud supply chain. Fraudsters usually test the viability of illegally obtained payment cards before they are used, and to this end, they use a variety of "card checkers" – which are fraudster services or tools that enable them to check the accuracy of compromised payment card data.

Click to Download/Listen (7:29)

RSA Conference ‘09 is fast approaching. This week’s Speaking of Security podcast provides an update on what to expect at this year’s event.