Slashdot Mirror


User: Helevius

Helevius's activity in the archive.

Stories: 0 · Comments: 100

Comments · 100

  1. Re:Best Part on World's Worst Hacker? · Score: 1

    Some intruders download Windows service packs to check the bandwidth available.

  2. Re:Won't someone please think of the children on FBI Pushing For 2-Year Retention of Web Traffic Logs · Score: 1

    You said

    "HTTPS only works one IP per host, so that gives a positive track to where they were going."

    That is not correct. If you inspect HTTPS traffic you'll see that clients issue something like the following:

    CONNECT www.myawesomehost.net:443 HTTP/1.1
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
    Proxy-Connection: keep-alive
    Host: www.myawesomehost.net

    The same IP address can host www.myawesomehost.net and plenty of other Web sites. With HTTPS the Feds would just track the CONNECT and Host: fields since those are in the clear.

  3. Re:Thanks! on The Myths of Security · Score: 1

    "I know the book has pissed some people off, especially when I take on their particular sacred cows (e.g., intrusion detection)."

    "Sacred cows" have nothing to do with it. The book just isn't that interesting.

  4. Richard Bejtlich's Observation of CDX 2009 on NSA Wages Cyberwar Against US Armed Forces Teams · Score: 1

    Richard Bejtlich from the TaoSecurity Blog was invited by NSA's Tony Sager to visit the CDX in person:

    http://taosecurity.blogspot.com/2009/05/thoughts-on-2009-cdx.html

    Bejtlich mentions that CDX participants were given a budget for the exercise. This means it cost them "marks" (in exercise language) to replace the Windows images NSA provided with alternative systems like FreeBSD or Linux. That decision left the team with fewer resources for other tasks.

    The Army didn't win just because they used Linux. Bejtlich posts reasons why they won here:

    http://taosecurity.blogspot.com/2009/05/lessons-from-cdx.html

  5. Linked pdf is not the result of the 60 day study on DHS Seeks "Ethical Hackers" To Protect Federal Net Infrastructure · Score: 1

    Watch for a report from Melissa Hathaway, who is leading the effort. The linked .pdf is from GAO and was published 10 March.

  6. Association of Former Information Warriors on How Do Militaries Treat Their Nerds? · Score: 1

    As a result of this discussion, the Association of Former Information Warriors was created.

    LinkedIn Group:

    http://www.linkedin.com/groups?about=&gid=1847393

    Blog:

    http://aofiw.blogspot.com/

  7. Released in 2001 by Sir Dystic at Atlantacon on Microsoft's "Dead Cow" Patch Was 7 Years In the Making · Score: 1

  8. This is old news from September 2007 on Canadian Gov't Victim of Cyberattacks · Score: 1

    Ref Canada v China:

    Just as I posted my last story on New Zealand I noticed the following in "Editorial: The spy business is alive and well":

    SIS head Warren Tucker said government computer systems had been hacked into by foreign states. Information had been stolen and hard-to-detect software installed that could be used to take control of computer systems, he said.

    Mr Tucker would not name the culprits. But he did refer to recent comments by Canada's security service about Chinese spying. Canada's spy-meister, Jim Judd, has said that almost half his security intelligence efforts were focused on that country's spies.

    Canada, eh? Next I found China is top espionage risk to Canada: CSIS:

    Almost half the effort the country's spy-watchers put into monitoring suspicious foreign activity in Canada is devoted to Chinese operatives... Jim Judd, director of the Canadian Security Intelligence Service, said... 15 countries account for most of the concern when it comes to foreign intelligence-gathering or interference in Canadian affairs.

    He wouldn't identify all those countries, but did tell senators that China tops the list...

    Prime Minister Stephen Harper, when he was still Opposition leader, claimed there were up to 1,000 Chinese agents in Canada.

    He quoted a CSIS official as saying that Chinese spies stole $1 billion worth of technological secrets every month...

  9. Re:Fantastic on NSA Takes On West Point In Security Exercise · Score: 1

    You don't know what you're talking about. I am a military academy graduate and I had absolutely zero political ties.

  10. Re:More than hacking on The Secret China-U.S. Hacking War? · Score: 1

    From TFA: ...police are still trying to find others who may have been involved in the attacks, although the investigation is complicated since the attackers are likely outside Estonia...

  11. Re:Kudos to the Ulysses team on Ulysses Spacecraft on its Last Legs · Score: 0, Offtopic

    If you have a router with 2 1/2 years of uptime there's a good chance you're not the only person with administrator access now.

  12. Iran is not disconnected on Third Undersea Cable Cut · Score: 1

    Iran is not disconnected, according to a company that monitors routing tables.

  13. You will love Mr Rice's opinions on open source on Geekonomics · Score: 4, Informative

    This Amazon.com review mentions Mr. Rice's opinions on open source:

    Geekonomics reviewed by Richard Bejtlich:

    As far as open source goes (ch 6), the author makes several statements which show he does not understand the open source world. First, on p 247 the author states "While a binary is easy for a computer to read, it is tremendously difficult for a person -- even the original developer -- to understand." This is absolutely false, and the misunderstandings continue in the same paragraph. Reverse engineering techniques can determine how binaries operate, even to the point that organizations like the Zeroday Emergency Response Team (ZERT) provide patches for Microsoft vulnerabilities without having access to source code!

    Second, on p 248 the author states "The essence of open source software is the exact opposite of proprietary software. Open source software is largely an innovation after-the-fact; that is, open source software builds upon an idea already in the marketplace that can be easily replicated or copied." On what planet?

    Third, on p 263 the author states "[O]pen source projects are almost always threatened by foreclosure," meaning if the developer loses interest the users are doomed. That claim totally misses the power of open source. When a proprietary software vendor stops coding a product, the customers are out of luck. When an open source software developer stops coding a product, the customers are NOT out of luck. They can 1) hope someone else continues the project; 2) try continuing the project themselves; or 3) hire someone else to continue developing the product. Finally, if the author is worried about open source projects not having an organization upon which liability could be enforced, he should consider the many vendors who sell open source software.

    David Rice responds on his blog.

  14. Re:In Soviet Russia... on FBI Wiretaps Canceled for Non-Payment · Score: 2, Insightful

    You have clearly never worked in a government agency.

  15. Not Universal, Paramount and Dreamworks on Indiana Jones Gets Robbed · Score: 1

    RTFA -- Spielberg doesn't work for Universal Studios.

  16. Maybe they'll promote George Kurtz? on Stock Options Scandal Rocks McAfee · Score: 1

    George Kurtz would be a good internal CEO replacement candidate.

  17. Re:Anderson's paper is from 2001, not 1991 on Schneier on Economic Insights to IT Security · Score: 1

    Mod parent up: here is the IEEE citation from 2001.

  18. www.google.com/psearch on Search Engine Privacy Explained · Score: 1

    Check out www.google.com/psearch. This is a beta feature.

  19. IPv6 supports fragmentation on IPv6 Readiness Report · Score: 2, Insightful

    That's hardly a "business case." And as another poster (unfortunately not being modded up) pointed out, IPv6 supports fragmentation. It's just that end hosts have to fragment and reassemble, and not intermediary routers. So, your firewall will see fragments anyway.

  20. Re:"Sandstorm" is a commercial product on State Department Developing Cyber Toolkit · Score: 3, Informative

    Wrong -- RTFA and check out the capabilities listed in the two presentations:

    Free to DHS & federal government
    From Dept. of State [and DHS US-CERT]
    Like EnCase Enterprise edition
    Network forensics "grep"
    Examine system state
    Remotely search multiple systems - files, ports, processes, file headers, hashes, MACs, ADS
    Search all files changed in this time frame
    Search all files with this hash regardless of name
    155KB agent runs, then deletes itself
    Windows only
    Fairly forensically safe - does not change file MACs
    Root kit detection to come later

    The key points are "155KB agent runs, then deletes itself" and "Windows only". SandStorm Enterprises did not create this product.

    Helevius

  21. Re:Details of Cisco security hole on Lynn Settles With Cisco, Investigated By FBI · Score: 1

    "To me, this doesn't seem like the 'massive Internet outage' risk that Michael was talking about..."

    That's because it's not the right vulnerability.

    Helevius

  22. Re:Snort-Inline+IPTables+Scripts = Decent IPS on Network Intrusion Detection and Prevention? · Score: 1

    That's why most people mirror ports to a faster port, e.g., a few 100 Mbps ports onto a single 1 Gbps port. Companies like Net Optics also sell so-called aggregation taps that send multiple tapped links (full-duplex) to a single output, so your sensor only needs one interface. In production I tend to use traditional two-output (two TX) taps anyway, since they are about half the cost of the comparable aggregators.

    Helevius

  23. Ignorant article on Win2000 Still Performs on 8-year-old Hardware · Score: 4, Insightful

    "DON'T install an extra service pack (they can offer performance and reliability improvements on faster computers but on old computers with few tasks they are just bloat). Make sure your Windows installation CD isn't already 'slipstreamed' with a service pack."

    and

    "How to use the computer on a daily basis...Don't apply O/S patches for security stability or other things."

    This is advice from an idiot for other idiots. I'm sure the worms and other malware you invite onto this system will make great use of the "more than 10 MB RAM left for your applications."

  24. Re:Won't somebody please think of the ATM machines on IBM Officially Kills OS/2 · Score: 0, Redundant

    Remember to connect your NIC card.

    Helevius

  25. Life without firewalls according to Abe Singer on Tear Down the Firewall · Score: 1

    Here's Abe Singer's ;login: article on "Life Without Firewalls"... and how he learned he was "Tempting Fate" by advertising the fact. Both are .pdfs, but the second requires a USENIX membership until February '06. Essentially he says he was right to operate an enterprise without firewalls, even though he was compromised.

    Helevius