Thursday, May 31, 2007

I Have Seen the Future, and It Is Monitored

Today I spoke at the ISS World Spring 2007 conference in Alexandria, VA. ISS stands for Intelligence Support Systems. The speakers, attendees, and vendors are part of or support legal and government agencies that perform Lawful Intercept (LI) and associated monitoring activities. Many attendees appeared to be from county, state, and federal law enforcement agencies (LEAs). Others were wired and wireless service providers who are responsible for fulfilling LI requests.

This was a very different crowd. Even when cops attend security conferences (like Fed, I mean Black, Hat) the vibe is different. At security cons it's seen to be cool if one has mad offensive sk1llz. This group was all about acquiring the information needed to go to court to convict bad guys.

One theme immediately grabbed my attention, and it's going to eventually affect every entity that provides technological services:

Today lawful intercept monitors lines. Tomorrow lawful intercept will monitor services.

I cannot emphasize this enough. What does it mean?

Today (and previously), if I wanted to perform surveillance against a target, I would tap his phone line. In the very old days I would physically attach to phone lines, but these days I work with the telephone company to obtain electronic access. The telco is a service provider and as such is subject to CALEA, which mandates providing various snooping capabilities for LEA use.

Also today, and definitely tomorrow, targets are using VoIP. VoIP can be monitored by watching broadband lines, but "tapping a line" is not sufficient. The classic deficiency is call forwarding. As described at the conference today, assume a LEA is watching all broadband traffic to and from a target. If the target enables call forwarding through his VoIP provider, a LEA watching network traffic will not see a call come in if the VoIP provider forwards it elsewhere.

Therefore, gaining access to that critical information requires monitoring the service, not the line.

Extend the services to be monitored beyond VoIP. Suddenly you can probably imagine many scenarios where LEAs would want to essentially be inside the service, or able to tap data directly from the service. The line to the target is secondary. For example, why try to follow a target from Internet cafe to Internet cafe if you can just watch his chat room, Web forum, or other meeting place directly?

This seems less like Big Brother and more like Embedded Brother. Any application which law enforcement might consider a source of data on a target could be compelled by law to provide a means for LEA to perform lawful intercept. Already we are seeing signs of this through various data retention directives. One of the conference panelists mentioned a story from Germany that makes this point. He said Germany (or at least part of it) has a system that tracks cars paying tolls. When the system was deployed it was forbidden to use such data for tracking car owners, even if crimes were committed. However, a person was run down at a toll booth. After the crime happened, an outcry erupted to use the toll logs to identify the culprit. This is the sort of "emergency thinking" that results in powers being granted to LEAs to reach ever deeper into technology services.

One financial note: consider buying stock in log management and storage vendors. All of this data needs to be managed and stored.

My previous thoughts on this subject appear in posts containing the lines The Revolution Will Be Monitored.

In one of my classes I list the reasons why people monitor, in this progression:

  1. Performance: is our service working well?

  2. Fault: why does our service fail?

  3. Security: is our service compromised?

  4. Compliance: is our service meeting legal and regulatory mandates?


Many companies are still at step 2. Step 3 might be leapfrogged and step 4 might be here sooner than you think. Hopefully data collected for step 4 will inform step 3, thereby serving a non-LEA purpose as well.

Incidentally I did not hear the term encryption mentioned as a challenge for law enforcement. I'll let the conspiracy theorists chew on that one. In a service-oriented lawful intercept world, I would imagine LEAs could access data unencrypted at the service provider if end-to-end encryption were not part of the service. In other words, maybe your VoIP call is encrypted from you to the provider, and from the provider to the recipient, but the LEA can intercept at the hub of the communication.

Update: I want people to understand that my predicting this development does not mean I agree with it. I prefer privacy to what's going to happen.

Interview with Designing BSD Rootkits Author

If you like rootkits and/or FreeBSD try reading this interview with Designing BSD Rootkits author Joseph Kong. This amazes me:

Could you introduce yourself?

Joseph Kong: I am a relatively young (24 years old) self-taught computer enthusiast who enjoys working (or playing, depending on how you look at it) in the field of computer security; specifically, at the low-level...

When did you hear about rootkits for the first time?

Joseph Kong: The first time I heard the term "rootkits" was in 2004--straight out of the mouth of Greg Hoglund, who was at the time promoting his new book Exploiting Software: How to Break Code. That's actually how I got into rootkit programming. Thanks Greg. :)


Wow. Zero to book on rootkits in 3 years -- that's cool.

Now for a bit of wisdom:

Do you know any anti-rootkit tool/product for *BSD?

I know a lot of people who refer to rootkits and rootkit-detectors as being in a big game of cat and mouse. However, it's really more like follow the leader--with rootkit authors always being the leader. Kind of grim, but that's really how it is. Until someone reveals how a specific (or certain class of) rootkit works, nobody thinks about protecting that part of the system. And when they do, the rootkit authors just find a way around it...


Contrast that with this bit of marketing:



Guess which one is correct?

Finally, I appreciated seeing this:

Keep in mind that although I am extolling the virtues of prevention, as other computer security professionals (such as Richard Bejtlich) have said, prevention eventually fails (e.g., Loïc Duflot showed that you can bypass secure levels in SMM), and detection is just as important. The problem is rootkit detection, as I said earlier, is difficult.

This ties in to what I wrote concerning Joanna Rutkowska's views earlier this year.

Owning the Platform

At AusCERT last week one of the speakers mentioned the regular autumn spike in malicious traffic from malware-infested student laptops joining the university network. Apparently this university supports the variety of equipment students inevitably bring to school, because they require or at least expect students to possess computing hardware. The university owns the infrastructure, but the students own the platform. This has been the norm at universities for years.

A week earlier I attended a different session where the "consumerization" of information technology was the subject. I got to meet Greg Shipley from Neohapsis, incidentally -- great guy. This question was asked: if companies don't provide cellphones for employees, why do companies provide laptops? Extend this issue a few years into the future and you see that many of our cellphones will be as powerful as our laptops are now. If you consider the possibility of server-centric, thin client computing, most of the horsepower will need to be elsewhere anyway. Several large companies are already considering the "no company laptop" approach, so what does that mean for digital security?

You must now see the connection. University students are the corporate employees of the near future. If we want to learn some tricks for dealing with employee-owned hardware on company-owned infrastructure manipulating mixed-ownership data (business and personal), consider going back to college. I think we're going to have to focus on Enterprise Rights Management, which is a popular topic. That still won't make a difference if the employee smartphone is 0wned by an intruder who is taking screen captures, unless some form of hardware-enforced Digital Rights Management frustrates this attack. Regardless, I think the next corporate laptop you receive might be your last.

Electronic Discovery Resources

The Economist recently published Electronic discovery: Of bytes and briefs. To summarize:

As technology changes the way people communicate, the legal system is stumbling to keep up. The “discovery” process, whereby both parties to a lawsuit share relevant documents with each other, used to involve physically handing over a few boxes of papers. But now that most documents are created and stored electronically, it is mostly about retrieving files from computers. This has two important consequences...

First, e-discovery is more intrusive than the traditional sort...

Second, e-discovery is more burdensome than the old sort.

I think I first mentioned ediscovery last year in Forensics Warnings from CIO Magazine. I am acquainting myself with the intrusiveness and burden of this process in preparation for some new work. The article mentioned the Institute for the Advancement of the American Legal System (IAALS), which published Navigating the Hazards of E-Discovery: A Manual for Judges in State Courts Across the Nation. This is a free .pdf. I am exceptionally interested in their next report:

Later this summer, we will release a publication on the implications of these changes for America’s businesses.

The IAALS article also mentions Suggested Protocol for Discovery of Electronically Stored Information (“ESI”) (.pdf), a Maryland document that elaborates on ediscovery.

MRAPs Lose to Arms Race

Three weeks ago I wrote about Vulnerability-Centric Security regarding the Mine Resistant Ambush Protected (MRAP) vehicle, the US Army's replacement for the Humvee pictured at left. I consider the MRAP an example of the failures of vulnerability-centric security. This morning USA Today's story MRAPs can't stop newest weapon validates my thoughts:

New military vehicles that are supposed to better protect troops from roadside explosions in Iraq aren't strong enough to withstand the latest type of bombs used by insurgents, according to Pentagon documents and military officials.

As a result, the vehicles need more armor added to them, according to a January Marine Corps document provided to USA TODAY...

"Ricocheting hull fragments, equipment debris and the penetrating slugs themselves shred vulnerable vehicle occupants who are in their path," said the document...

EFPs are explosives capped by a metal disk. The blast turns the disk into a high-speed slug that can penetrate armor.

Even with additional armor, the augmented MRAPs will still be vulnerable. This is because attackers possess advantages that defenses cannot overcome. In April I wrote Threat Advantages, which describes the strengths I see digital threats offering.

At least John Pike understands this problem.

It's doubtful new armor can stop all EFPs, said John Pike, director of Globalsecurity, a Washington-based defense think tank.

"Short of victory, they're going to continue to figure out ways to kill Americans," Pike said of the insurgents. "In any war, it is measure and countermeasure."

Investor's Business Daily agrees:

[W]e know the insurgency won't be put down with such defensive technologies. Better armor won't kill jihadists and suicide bombers. Better intelligence and better offensive tactics will.

In the digital realm, offense means actions to deter, investigate, apprehend, prosecute, and incarcerate threats. Sitting behind higher, deeper walls is not the answer. Neither is trusting the victim (the hardware, OS, application, or data) to defend itself.

Tuesday, May 29, 2007

Review of Inside the Machine Posted

Amazon.com just posted my four star review of Inside the Machine. From the review:

Let me say that I wish I could give this book 4 1/2 stars. It's just shy of 5 stars, but I couldn't place this book alongside some of my favorite 5-star books of all time. Still, I really enjoyed reading Inside the Machine -- it's a great book that will answer many questions for the devoted technical reader.

At the end of the review I mention Scott Mueller's Upgrading and Repairing PCs. In a nice show of synchronicity, the chapter from Scott's book on Microprocessor Types and Specifications is available online in .pdf format.

Clueless Consultants

I'm seeing a common "business of security" theme today, following my post The Peril of Speaker-Sponsors. Ira Winkler writes in If You Have to Ask, You Shouldn't Be Asking:

[S]omeone once attended a presentation that I gave on penetration testing, and then contacted me a year later with an e-mail that basically said, “I finally talked a client into letting me perform a pen test. I don’t know what to do, how to do it, what to charge, or any special legal language that should be in the contract.” My response was basically, “You shouldn’t do the work...”

In today’s message, a consultant from a very large integration firm sent out a message saying that one of their clients wants to scope out integration of a NOC/SOC. He gave a very wide variety of requirements for the facility, and then wanted feedback from a wide variety of people not associated with his company. While I am normally all for helping out a colleague, this person should have either sought this info inside his own organization, which has access to such experts, or just told the client he doesn’t have a clue and to go elsewhere.

I see this problem all the time, in two forms. First, I am frequently asked to perform a variety of tasks for which I do not consider myself an expert. Blog visitors, book readers, and students sometimes expect me to be an expert in another area of security after seeing my work in network security monitoring, network forensics, incident response, and related subjects. When asked to work outside those areas, I always refer the work to colleagues whom I consider to be experts in the task in question. In return, my colleagues pass me work they would prefer me to do.

Second, I know many service/consulting companies who will take any job, period. They are managed by people who only care about making "bodies chargeable," preferably over 100% for the week. (That means billing over 40 hours of work to a client, per consultant, per week.) The consultants (1) suffer silently, for fear of losing their jobs; (2) think they can become experts in anything in "10 minutes" (I hear that often); or (3) don't realize that they are clueless, and probably never will. The end result is the service delivered to the client is sub-par at best, or a disaster at worst.

I agree with Ira's last statement:

[T]he mark of a good consultant is one who knows when to turn away work.

In light of that wisdom, consider asking the following question when shopping for a consultant:

What work would you not want to do?

If the answer is "nothing," then walk away.

Bejtlich on Sites Collide Podcast

Tyrel McMahan interviewed me at CONFidence for his Sites Collide podcast. It's in QuickTime format. We talk about what smaller businesses should do with regards to monitoring and I discuss ideas from my conference presentation. Thanks to Tyrel for the interview.

Security Language

Gunnar Peterson's post on the new Common Attack Pattern Enumeration and Classification (CAPEC) project reminded me that MITRE is hosting a ton of these sorts of frameworks. Most of them are listed at measurablesecurity.mitre.org so I intend to refer to that portal from now on. It would be great to see related projects cooperate with MITRE's work. For example, the Web Application Security Consortium "Threat" Classification should be renamed to be an attack classification, consistent with the MITRE CAPEC enumeration. Similarly, it would be nice to see the Open Web Application Security Project Top Ten speak in terms of "attacks" rather than "flaws."

Overall I would like to see some rigorous thought applied to the use of security terms. For example, a recent SANS NewsBites said:

We are planning for the 2007 Top20 Internet Security Threats report. If you have any experience with Top20 reports over the past six years, could you tell us whether you think an annual or semi-annual or quarterly summary report is necessary or valuable?

Is this another identity crisis for the SANS Top 20 (as covered in my post Further Thoughts on SANS Top 20) or is someone saying "threat" when they mean "vulnerability," or...?

We need to have our terminology straight or we will continue to talk past each other.

The Peril of Speaker-Sponsors

One of the interesting aspects of being an independent consultant is having other companies think TaoSecurity exists as a mighty corporate entity with plenty of cash to spend. This has exposed me to some of the seedier aspects of corporate life, namely "speaker-sponsorship." Have you ever attended a keynote address, or other talk at a conference, and wondered how such a person could ever have been accepted to speak? There's a good chance that person paid for the slot.

Two instances of this come to mind. First, several months ago I was contacted by the producer of a television program to appear on their show. The program was hosted by Terry Bradshaw (no kidding) and was looking for speakers to discuss the state of the digital security market. This sounded like it was almost too good to be true, and guess what -- it was. A few minutes into the conversation with the producer I learned that TaoSecurity would be expected to pay a $15,000 sponsorship fee to "defray costs" for Mr. Bradshaw, and other expenses. Essentially I would be buying a spot on the show, but it would be a "fabulous marketing experience." I said forget it.

Second, I just received a call from someone organizing a "security event." This person was looking for "experts" on PCI and other topics for briefings in September. I told him I was not available at the specified time, so he asked to be switched to the TaoSecurity marketing department since what he really wanted was "speaker-sponsors." In other words, people speaking at this event will have paid for their slots. Again, I said forget it.

Keep these thoughts in mind the next time you see a lame talk at a security conference by a marketing person.

Attacker 3.0

Gunnar Peterson mentioned a few terms that, for me, brilliantly describe the problem we face in digital security. To paraphrase Gunnar, the digital world consists of the following:

  • Security 1.0

  • Web 2.0

  • Attacker 3.0


To that might I add the following:

  • Government -1.0

  • User 0.5

  • Application Developer 2.5


What do I mean by all of this?

  • Government -1.0: in general, hopelessly clueless legislation leads to worse security than without such legislation -- often due to unintended consequences

  • User 0.5: users are largely unaware and essentially helpless, but I wouldn't expect them to improve -- I'm not an automobile designer or electrical engineer, yet I can drive my car and watch TV

  • Security 1.0: security tools and techniques are just about good enough to address yesterday's attacks

  • Web 2.0: this is what is here, with more on the way -- essentially indefensible applications all running over port 80 TCP (or at least HTTP) that no developer really understands and for which no one takes responsibility

  • Application Developer 2.5: by this I do not mean developers are ahead of anyone with respect to security; rather, they are introducing new features and capabilities without regard to security, thereby exposing vulnerabilities no one (except intruders and some security researchers) really understands

  • Attacker 3.0: in Tao I said because some intruders are smarter than us and unpredictable, prevention eventually fails -- it's more true now than ever


The only way I know to deal with this problem is to stay aware of it through monitoring and to deter, prosecute, and incarcerate threats. Without Attacker 3.0 free to exploit at will without fear of attribution and retribution, I care less about cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se problems.

Prof Starbird Mathematics Courses

I'm a big fan of courses produced by The Teaching Company, so I bet similarly-minded blog readers might also enjoy such courses. My favorite instructor is Prof Michael Starbird. I noticed that three of his four courses are on sale until 14 June:

When I say "sale" I mean "buy these now or wait another year until they are on sale again," because a course currently selling for $69.95 will be $254.95 most of the year.

I took all sorts of math courses through college and probability and statistics courses through graduate school, but I never developed the sense of understanding that Prof Starbird conveyed.

After watching Prof Starbird's first course, The Joy of Thinking: The Beauty and Power of Classical Mathematical Ideas, my wife and I visited Prof Starbird at his office at the University of Texas. I don't think he ever had a "fan" visit before, because he gave us a prop from the course (triangles used to prove the Pythagorean Theorem, I think).

I saw that Prof Starbird has published a new book titled Coincidences, Chaos, and All That Math Jazz: Making Light of Weighty Ideas. I have to admit I still haven't read the first edition of his book The Heart of Mathematics, so I should try to bring that book on a plane soon.

I also like history courses from The Teaching Company and I've even watched a course on music, but that's not what I expect my fellow technophiles to want to read in this blog.

Monday, May 28, 2007

Brief Thought on FreeBSD X.org Update

Since I do not run X on my FreeBSD servers, and my laptop now runs Ubuntu (heretical but productive, I know), I have not been affected by the update of X.org to 7.2 on FreeBSD. I read Updating Firefox 2 and FreeBSD 6.2 and the response Not everybody will be happy with the X.org upgrade. Basically there's a difference of opinion concerning the appropriateness of radically changing a key addition to the operating system mid-stream, i.e., during the life of 6.2.

If I were running FreeBSD 6.2 with X, I probably would have tried avoiding X.org 7.2 if possible. Losing X is a very disruptive event if the upgrade fails, and with so many ports affected it would be very invasive. I would have waited until the release of FreeBSD 6.3 or 7.0 before using X.org 7.2. Alternatively, I might have reinstalled 6.2 without X.org, and then added it and all other software as packages.

I understand the developers wanting to get X.org 7.2 into users' hands as soon as possible, given the amount of work involved and their desire to have finished months ago. However, changing from a monolithic version of X.org to a modular one seems disruptive enough to have waited for coordination with the release of FreeBSD 6.3 and 7.0. I'm not a developer, but those are my thoughts on the matter. I would be curious to hear how others might be handling this issue.

Another Anti-Virus Problem, Again

In February I blogged about a vulnerability in a Trend Micro product that exposed systems "protected" by this anti-virus software to remote exploitation. Symantec provides another example that running anti-virus is not cost free: Symantec false positive cripples thousands of Chinese PCs.

Now, according to Symantec may compensate Chinese users hit by buggy update, Symantec may pay companies affected by its botched signature update. Trend Micro apparently had a similar problem in 2005, before I was blogging about these dangers; it cost TM $8.2 million.

Please keep these stories in mind when you hear people claim that adding any security software to a system is automatically good and justified because of "defense in depth."

On a related note, this story pointed me towards the English language edition of the Chinese Internet Security Response Team blog.

Sunday, May 27, 2007

Reminder: Time Running Out for Bejtlich at GFIRST

I'll be teaching and speaking at the 2007 GFIRST conference in Orlando, FL in June 2007. This is pro bono, since DHS isn't paying airfare, hotel, meals, or a speaking honorarium. On Monday 25 June 2007 I'll be teaching two half-day tutorials. The first will cover Network Incident Response and the second will cover Network Forensics. On Tuesday 26 June at 1415 I will deliver the talk I gave at Shmoocon -- Traditional IDS Should Be Dead. I spoke at the 2006 and 2005 GFIRST conferences as well.

GFIRST still hasn't updated their training page to reflect my class, but I will be there teaching.

Reminder: Early Registration Ends Soon for Bejtlich at SANSFIRE 2007

I'll be teaching a special one-day course, Enterprise Network Instrumentation, at SANSFIRE 2007 in Washington, DC on 25 July 2007.

ENI is a one-day course designed to teach all methods of network traffic access. If you have a network you need to monitor, ENI will teach you what equipment is available (hubs, switch SPAN ports, taps, bypass switches, matrix switches, and so on) and how to use it effectively. Everyone else assumes network instrumentation is a given. ENI teaches the reality and provides practical solutions.

Please register while there are still seats available. My class is the day before all the six-day tracks begin. If you register before 6 June you will save $250. If you register by 27 June you will save $150. If you take this one-day class with a full SANS track my class only costs $450. Please note SANS set all of these prices and schedules.

This is cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 only time I'll be teaching this class in 2007. Thank you.

Update: I cancelled the class. If you want reasons please email me privately. Thank you.

Bejtlich Teaching Network Security Operations in Chicago

I am happy to announce that I will be teaching a three day edition of my Network Security Operations training class in Chicago, IL on 27-29 August 2007. This is a public class; I will also be speaking at the 30 August meeting of the Chicago Electronic Crimes Task Force. Please register here. The early discount applies to registrations before midnight 27 July. ISSA members get an additional discount on top of the early registration discount.

Network Security Operations addresses the following topics:

  • Network Security Monitoring


    • NSM theory

    • Building and deploying NSM sensors

    • Accessing wired and wireless traffic

    • Full content tools: Tcpdump, Ethereal/Tethereal, Snort as packet logger, Daemonlogger

    • Additional data analysis tools: Tcpreplay, Tcpflow, Ngrep, Netdude

    • Session data tools: Cisco NetFlow, Fprobe, Flow-tools, Argus, SANCP

    • Statistical data tools: Ipcad, Trafshow, Tcpdstat, Cisco accounting records

    • Sguil (sguil.sf.net)

    • Case studies, personal war stories, and attendee participation


  • Network Incident Response


    • Simple steps to take now that make incident response easier later

    • Characteristics of intruders, such as their motivation, skill levels, and
      techniques

    • Common ways intruders are detected, and reasons they are often initially
      missed

    • Improved ways to detect intruders based on network security monitoring
      principles

    • First response actions and related best practices

    • Secure communications among IR team members, and consequences of negligence

    • Approaches to remediation when facing a high-end attacker

    • Short, medium, and long-term verification of the remediation plan to keep the
      intruder out


  • Network Forensics


    • Collecting network traffic as evidence

    • Protecting and preserving traffic from tampering, either by careless
      helpers or the intruder himself

    • Analyzing network evidence using a variety of open source tools, based
      on network security monitoring (NSM) principles

    • Presenting findings to lay persons, such as management, juries, or judges

    • Defending the conclusions reached during an investigation, even in the
      face of adversarial defense attorneys or skeptical business leaders



This is one of only two Network Security Operations courses left for 2007. Please consider attending this class if you want to understand how to detect, inspect, and eject network intruders.

Bejtlich Teaching Network Security Operations in Cincinnati

I am happy to announce that I will be teaching a three day edition of my Network Security Operations training class in Cincinnati, OH on 21-23 August 2007. The Cincinnati ISSA chapter is hosting the class. Please register here. The early discount applies to registrations before 20 July. ISSA members get an additional discount on top of the early registration discount.

Network Security Operations addresses the following topics:

  • Network Security Monitoring


    • NSM theory

    • Building and deploying NSM sensors

    • Accessing wired and wireless traffic

    • Full content tools: Tcpdump, Ethereal/Tethereal, Snort as packet logger, Daemonlogger

    • Additional data analysis tools: Tcpreplay, Tcpflow, Ngrep, Netdude

    • Session data tools: Cisco NetFlow, Fprobe, Flow-tools, Argus, SANCP

    • Statistical data tools: Ipcad, Trafshow, Tcpdstat, Cisco accounting records

    • Sguil (sguil.sf.net)

    • Case studies, personal war stories, and attendee participation


  • Network Incident Response


    • Simple steps to take now that make incident response easier later

    • Characteristics of intruders, such as their motivation, skill levels, and
      techniques

    • Common ways intruders are detected, and reasons they are often initially
      missed

    • Improved ways to detect intruders based on network security monitoring
      principles

    • First response actions and related best practices

    • Secure communications among IR team members, and consequences of negligence

    • Approaches to remediation when facing a high-end attacker

    • Short, medium, and long-term verification of the remediation plan to keep the
      intruder out


  • Network Forensics


    • Collecting network traffic as evidence

    • Protecting and preserving traffic from tampering, either by careless
      helpers or the intruder himself

    • Analyzing network evidence using a variety of open source tools, based
      on network security monitoring (NSM) principles

    • Presenting findings to lay persons, such as management, juries, or judges

    • Defending the conclusions reached during an investigation, even in the
      face of adversarial defense attorneys or skeptical business leaders



This is one of only two Network Security Operations courses left for 2007. Please consider attending this class if you want to understand how to detect, inspect, and eject network intruders.

4000 Helpful Votes at Amazon.com

Last week the "Helpful Votes" count for my Amazon.com reviews reached 4,000. I hit 3,000 in January 2006 and 1,500 in December 2003. Since reaching the 3,000 mark I've read and reviewed 55 additional books. Thank you to everyone who votes my reviews "helpful."

If you want to see what I have on my shelf and plan to read next, please check out my reading list. If you want to see the books I hope to see soon, please visit my Amazon.com Wish List.

If you want general recommendations, read my Amazon.com Listmania Lists. In 2005 Bookpool published my favorite 10 books from the past 10 years.

My reading pace has slowed since becoming an independent consultant and father of two, but I try to read when flying hither and yon.

Bejtlich Teaching at USENIX Security

USENIX just posted details on USENIX Security 2007, 6-10 August in Boston, MA. I will be teaching TCP/IP Weapons School, Layers 4-7 on 6-7 August.

This is a sequel to TCP/IP Weapons School, Layers 2-3 at USENIX Annual 2007 in Santa Clara, CA on 21-22 June and TCP/IP Weapons School, Layers 2-3 at Techno Security 2007 in Myrtle Beach, SC on 6-7 June.

The 2 day class I'm teaching at Black Hat on 28-29 and 30-31 July is a condensed version of the 4 day series (broken into layers 2-3 and 4-7) for USENIX. I also plan to teach this condensed edition at ForenSec in Regina, SK in September.

Snort Report 6 Posted

My sixth Snort Report -- Output options for Snort data -- has been posted. From the introduction:

Output modes are the methods by which Snort reports its findings when run in IDS mode. As discussed in the first Snort Report, Snort can also run in sniffer and packet logger modes. In sniffer mode, Snort writes traffic directly to the console. As a packet logger, Snort writes packets to disk in Libpcap format. This article describes output options for IDS mode, called via the -c [snort.conf] switch. Only IDS mode offers output options.

This is the first of two Snort Reports in which I address output options. Without output options, consultants and VARs can't produce Snort data in a meaningful manner. Because output options vary widely, it's important to understand the capabilities and limitations of different features. In this edition of Snort Report, I describe output options available from the command line and their equivalent options (if available) in the snort.conf file. I don't discuss the Unix socket option (-A unsock or alert_unixsock). I will conclude with a description of logging directly to a MySQL database, which I don't recommend but explain for completeness.


In the next edition I will discuss Barnyard.
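Whatever output option is chosen, someone downstream has to consume it. As an added example (not from the Snort Report, and not Snort project code), the following Python parses the single-line alert_fast format that Snort 2.x writes when run with -A fast, skips anything that is not an alert, and summarizes the results by signature, source address and priority. The alert lines embedded below are constructed for this example; the rule messages, SIDs and addresses in them are invented and do not correspond to real rules.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample alerts in Snort 2.x alert_fast format (not real rule output).
# Line 3 has no Classification field; line 5 is junk that a robust parser must skip.
SAMPLE_ALERTS = """\
05/25-10:12:13.123456  [**] [1:2000345:3] ET SCAN Nmap Scripting Engine User-Agent [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.10:49152 -> 10.0.0.5:80
05/25-10:12:14.000001  [**] [1:2000345:3] ET SCAN Nmap Scripting Engine User-Agent [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.10:49153 -> 10.0.0.5:80
05/25-10:12:20.500000  [**] [1:1000001:1] LOCAL ICMP echo to server [**] [Priority: 3] {ICMP} 192.168.1.77 -> 10.0.0.5
05/25-10:13:02.250000  [**] [1:2008120:5] ET TROJAN Possible Downloader Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 10.0.0.23:53412 -> 203.0.113.9:53
this line is not an alert and should be skipped
"""

# One alert per line: timestamp, [gid:sid:rev], message, optional classification,
# priority, protocol, then "src[:port] -> dst[:port]". Ports are absent for ICMP.
ALERT_RE = re.compile(r'''
    ^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+
    \[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+
    (?P<msg>.*?)\s+\[\*\*\]\s+
    (?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?
    \[Priority:\s+(?P<prio>\d+)\]\s+
    \{(?P<proto>\w+)\}\s+
    (?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?\s*$
''', re.VERBOSE)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one alert_fast line; return None for lines that do not match the format."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Alert(
        timestamp=g["ts"], gid=int(g["gid"]), sid=int(g["sid"]), rev=int(g["rev"]),
        msg=g["msg"], classification=g["cls"], priority=int(g["prio"]),
        proto=g["proto"], src=g["src"],
        sport=int(g["sport"]) if g["sport"] else None,
        dst=g["dst"], dport=int(g["dport"]) if g["dport"] else None,
    )


def parse_alerts(text: str) -> list:
    """Parse a whole alert file, silently dropping non-alert lines."""
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a is not None]


def summarize(alerts) -> dict:
    """Counts by signature and by source, plus the number of priority-1 alerts."""
    return {
        "by_signature": Counter((a.gid, a.sid, a.msg) for a in alerts),
        "by_source": Counter(a.src for a in alerts),
        "priority1": sum(1 for a in alerts if a.priority == 1),
    }


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    summary = summarize(parsed)
    for (gid, sid, msg), n in summary["by_signature"].most_common():
        print("%d x [%d:%d] %s" % (n, gid, sid, msg))
    print("priority 1 alerts:", summary["priority1"])
```

The regex is deliberately strict about the line shape, so a truncated or corrupted line is dropped rather than misattributed to the wrong host; when feeding real sensor output, count the dropped lines as well, since a sudden rise in unparseable lines usually means the sensor's output format or rotation changed.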

Friday, May 25, 2007

Heading Home from Australia

My whirlwind Australia trip is coming to a close. I'll be boarding a flight from Sydney to LAX soon. I'd like to thank Christian Heinrich and John Dale from Secure Agility for hosting me in Sydney and to everyone at AusCERT for helping me with my classes in Gold Coast.

I'd like to briefly record a few thoughts on the AusCERT conference.

  • Andrea Barisani gave a great talk on the rsync1.it.gentoo.org compromise of December 2003. He emphasized that preventing incidents is nice, but security monitoring and awareness are absolutely critical. I need to try his Tenshi log monitoring tool.

  • Greg Castle introduced his Whitetrash whitelisting Web redirector for Squid. I think his approach is very innovative and I plan to try Whitetrash with my lab Squid proxy. Mike showed how Google Mobile could avoid some URL inspectors, with URLs like http://google.com/gwt/n?u=http:%3a%2f%2fslashdot.org.

  • Mike Newton from Stanford explained his Argus infrastructure, which collects 35 GB of data per day, which he reduces with bzip2 to 11 GB per day and then to 3 GB per day with custom filtering. He keeps 30 days online in raw format, then compresses and stores 400 days. He watches 5 class B networks with 45,000 hosts. Based on his analysis Stanford is segmenting itself into 300 zones using virtual firewalls (?). He said that one of the important reasons to monitor with Argus is to avoid having to disclose incident details, because Argus data can show that compromise of sensitive data was unlikely or did not occur.

  • John McHugh (formerly of CERT) gave a great talk on network situational awareness using SiLK, right after my talk. I need to try some of the tools at the Network Situational Awareness group at CERT. I had dinner with John and I hope to do a guest lecture at some point at his school.

  • Cristine Hoepers from the Brazil CERT spoke on spam research using open proxy honeypots. Her talk reminded me that I should consider honeypots as a way to collect threat information in locations where monitoring production traffic is sensitive. If I monitor the honeypot only, I can limit privacy complaints about seeing other people's traffic.
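The Google Mobile URL in the Whitetrash item above makes a concrete point about any whitelisting redirector or URL inspector: a filter that looks only at the outer hostname sees google.com, while the browser ends up at slashdot.org. As an added example, not part of the original post and not Whitetrash code, here is a Python check that resolves the embedded target of known redirectors before applying a hostname whitelist, and compares it with the naive outer-host check. The whitelist, the redirector table and the sample URLs are constructed for this example; the redirector entries are modeled on the /gwt/n?u= shape quoted above.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed whitelist for this example (a real proxy would load its own list).
WHITELIST = {"google.com", "www.google.com", "example.org"}

# Known redirector shapes: (hostname, path prefix, query parameter holding the real target).
# Constructed for this example, modeled on the Google Mobile transcoder URL quoted above.
REDIRECTORS = [
    ("google.com", "/gwt/n", "u"),
    ("www.google.com", "/gwt/n", "u"),
]


def host_allowed(host: str) -> bool:
    """True if host is a whitelisted name or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == w or host.endswith("." + w) for w in WHITELIST)


def embedded_target(url: str):
    """Return the URL a known redirector would send the browser to, or None if url is not one."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for r_host, r_path, r_param in REDIRECTORS:
        if host == r_host and parts.path.startswith(r_path):
            values = parse_qs(parts.query).get(r_param)  # parse_qs percent-decodes the value once
            if values:
                target = values[0].strip()
                # A bare "host/path" target is treated as HTTP, as a browser would.
                if not urlsplit(target).scheme:
                    target = "http://" + target
                return target
    return None


def final_destination(url: str, max_hops: int = 5) -> str:
    """Follow embedded redirector targets until the URL no longer points at a redirector.

    Raises ValueError when the chain is longer than max_hops (nested or looping redirectors).
    """
    current = url
    for _ in range(max_hops):
        nxt = embedded_target(current)
        if nxt is None:
            return current
        current = nxt
    raise ValueError("too many redirector hops: %s" % url)


def naive_decision(url: str) -> bool:
    """Whitelist check on the outer hostname only; a redirector on a whitelisted host passes."""
    return host_allowed(urlsplit(url).hostname or "")


def hardened_decision(url: str) -> bool:
    """Whitelist check on the resolved destination; denies when the chain cannot be resolved."""
    try:
        dest = final_destination(url)
    except ValueError:
        return False
    return host_allowed(urlsplit(dest).hostname or "")


if __name__ == "__main__":
    for u in (
        "http://google.com/gwt/n?u=http%3a%2f%2fslashdot.org",
        "http://www.google.com/search?q=snort",
    ):
        print(u, "naive:", naive_decision(u), "hardened:", hardened_decision(u))
```

The table of redirector shapes is the weak point of this approach: it only catches redirectors someone has already identified, which is why the talk's point about whitelisting the destination rather than the intermediary matters. Bounding the number of hops is deliberate, so a chain of nested transcoder URLs cannot be used to exhaust the filter or to slip through by being "unresolvable".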

Sunday, May 20, 2007

Latest Plane Reading

I'm on the road again, en route to Gold Coast for AusCERT, followed by a public course on Network Security Monitoring in Sydney on Friday 25 May 2007. There are still seats left -- check it out if you want to attend!

Here are a few thoughts on items I read on my flight from IAD to LAX.


  • The latest Cisco IP Journal article on DNS Infrastructure by Steve Gibbard is awesome. Read it if you really want to understand global DNS in a few pages.

  • The Hotbots paper Peer-to-Peer Botnets (.pdf) is awesome. I question the use of PerilEyez for forensic work, but I haven't tried it before. I need to check out Trojan.Peacomm and Kademlia.

  • Baller Herbst has helpful CALEA docs. I also liked the Aqsacom Lawful Interception for IP Networks white paper (.pdf).

  • Kudos to Matt Blaze for more cool research, specifically his co-authored paper The Eavesdropper's Dilemma. If you think you're doing network forensics you need to develop a strategy to address his conclusion:

    Internet eavesdropping systems suffer from the eavesdropper’s dilemma. For electronic wiretapping systems to be reliable, they must exhibit correct behavior with regard to both sensitivity and selectivity. Since capturing traffic is a requisite of any monitoring system, considerable research has focused on preventing evasion attacks and otherwise improving sensitivity. However, little attention has been paid to enhancing selectivity or even recognizing the issue in the Internet context. Traditional wisdom has held that eavesdropping is sufficiently reliable as long as the communicating parties do not participate in a bilateral effort to conceal their messages.

    We have demonstrated that even in the absence of cooperation between the communicating endpoints, reliable Internet eavesdropping is more difficult than simply capturing packets. If an eavesdropper cannot definitively and correctly select the pertinent messages from the captured traffic, the validity of the reconstructed conversation can be called into question. By injecting noise into the communication channel, unilateral or third-party confusion can make the selectivity process much more difficult and therefore further diminishes the reliability of electronic eavesdropping.


    Life just got more complicated.

  • We need to take out Hackistan.

  • CIO Magazine has a good article with percentages of companies not in compliance with various rules and regulations. It contains gems like:

    Compliance with federal, state, and international privacy and security laws and regulations often is more an interpretive art than an empirical science—and it is frequently a matter for negotiation. How to (or, for some CIOs, even whether to) follow regulations is neither a simple question with a simple answer nor a straightforward issue of following instructions. This makes it more an exercise in risk management than governance. Often, doing the right thing means doing what’s right for the bottom line, not necessarily what’s right in terms of the regulation or even what’s right for the customer...

    “We’re trying to remain profitable for our shareholders, and we literally could go broke trying to cover for everything. So, you make risk-based decisions: What’re the most important things that are absolutely required by law?”...

    The CISO told Taylor that she had received an e-mail from one of her programmers informing her that the school may have experienced a breach that may have exposed students’ personal information. The programmer was unsure if the law required the school to report the incident and asked the CISO for guidance.

    Taylor asked her what she did. She said she wrote back to the programmer telling him not to do anything. Taylor told the CISO that the university should have reported the breach. The CISO disagreed, saying, essentially, that because very few people review system log files and because only one or two people at the university understood the systems and the data in them, it was probable that the breach would go unremarked and undiscovered...

    The cost to harden the legacy database against a possible intrusion could come to $10 million, he says. The cost to notify customers in case of a breach might be $1 million. With those figures, says Spaltro, “it’s a valid business decision to accept the risk” of a security breach. “I will not invest $10 million to avoid a possible $1 million loss,” he suggests...


    All of this rings true to me.

  • Who's Had a Taste of Your Intellectual Property? in Information Security magazine is good.

    According to a 2006 report from the office of the United States Trade Representative (USTR), U.S. businesses are losing approximately $250 billion annually from trade secret theft. Federal law enforcement officials say the most targeted industries include biotechnologies and pharmaceutical research, advanced materials, weapons systems not yet classified, communications and encryption technologies, nanotechnology and quantum computing...

    [I]t can take years until a trade secret theft is detected, says Smith: "You wouldn't even know it [your IP] was missing for five years, when a competitor would suddenly introduce a product that sold for one-third to one-fifth of the price of yours."...

    For organizations that depend heavily on commercializing the product of their R&D activities, trade secrets are particularly important. Patents are equally important, but trade secrets differ from patents in a significant way. They are--as their name implies--secret. Whereas patents represent a set of exclusive rights granted by the government in exchange for the public disclosure of an invention, a trade secret is internal information or knowledge that a company claims it alone knows, and which is a valuable intangible asset.

    While patent owners have certain legal protections from anyone using their patents without permission, companies are responsible for proving they have the right to legal protection of their trade secrets. According to the UTSA, your company must demonstrate that the specific information or knowledge is not generally known to the public, therefore it derives independent economic value; and that you have made reasonable efforts to make sure the knowledge remains secret.

    A trade secret's validity can only be proven via litigation; cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re's no automatic protection just because your company believes it possesses one. Ironically, a trade secret must be stolen or compromised before you can attempt to demonstrate it is legally a trade secret. Once in litigation, your company must convince cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 court of three points: secrecy, value and security. Inevitably, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 most difficult element to demonstrate is that your company had reasonable controls in place to protect cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 secrecy of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 IP in question...

    John Landwehr, Adobe's director of security solutions and strategy, believes that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 best protection of sensitive data happens at cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 document level: "Given cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 range of devices that IP can live on--from desktops, to laptops, to PDAs and mobile phones--we think that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 only viable way to persistently protect that information is if cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 protection travels with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 document."

    However, a word of caution about some of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se products designed to protect confidential data: Because cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 vast majority are based on rule-set driven engines, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 number of false positives cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y generate can be significant.


    Oh, that last point sounds too much like IDS. It must be bad?

Friday, May 18, 2007

It's Only a Flesh Wound

The slide above is from Gartner analyst Greg Young's 2006 presentation at the Gartner IT Security Summit 2006, Deconfusicating Network Intrusion Prevention (.pdf). "Deconfusicating" appears to be a fake synonym for simplifying. I bet that was supposed to confuse an IDS, but not an IPS. Funny that stopping an attack requires detecting it, but never mind.

Someone recently recommended I read this presentation, so I took a look. It's basically a push for Gartner's vision of "Next Generation Firewalls" (NGFW), which I agree are do-everything boxes that will eventually collapse into security switches or Steinnon-esque "secure network fabric." The funny thing about all those IPS deployments is that I continue to hear about organizations that utilize only a fraction or none of the IPS blocking capability, and instead use them as -- wait for it -- IDS. Hmm.

That still doesn't account for the major problem with a prevention-only mindset. Let's face the facts: there are events which transpire on the network which worry you, but for which you can't reliably make a policy-based allow or deny decision. When business realities rule (which they always do) you let the traffic through. Where's the IPS now? It's an IDS.

There are also events you have no idea how to identify prior to nontechnical incident detection. If you care at all about security you're going to want to keep track of what's happening on the network so you can scope the incident once you know what to look for. I call that one form of Network Security Monitoring (NSM).
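As an added example (not from the original post), the Python below contrasts the one-shot allow/deny decision an inline device makes with keeping session records for the allowed traffic and querying them later. The flow records, the addresses (RFC 5737 documentation ranges), the "partner reports a C2 address" scenario and the function names are all constructed for this illustration.

```python
"""Added example: why "allowed" traffic still needs to be recorded.

An inline device makes one allow/deny decision per session, at the time the
session happens.  Network Security Monitoring keeps session records for the
allowed traffic too, so an indicator that arrives later (here, a partner
reports that 203.0.113.50 is a command-and-control server) can be turned
into the scope of the incident.  All records below are constructed sample
data (RFC 5737 documentation addresses), not a real capture.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Flow = namedtuple("Flow", "start src dst dport proto bytes_out bytes_in")


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed session data in the style of Argus/SANCP records: one row per
# TCP session, with the byte counts in each direction.
FLOWS = [
    Flow(_t("2007-05-14 08:00:00"), "10.1.1.30", "198.51.100.9", 25, "tcp", 5000, 800),
    Flow(_t("2007-05-14 09:00:10"), "10.1.1.20", "203.0.113.50", 443, "tcp", 1200, 8400),
    Flow(_t("2007-05-14 09:02:00"), "10.1.1.20", "198.51.100.7", 80, "tcp", 900, 45000),
    Flow(_t("2007-05-14 09:05:12"), "10.1.1.20", "203.0.113.50", 443, "tcp", 310, 420),
    Flow(_t("2007-05-14 09:10:11"), "10.1.1.20", "203.0.113.50", 443, "tcp", 305, 415),
    Flow(_t("2007-05-14 09:15:13"), "10.1.1.20", "203.0.113.50", 443, "tcp", 300, 410),
    Flow(_t("2007-05-14 09:20:12"), "10.1.1.20", "203.0.113.50", 443, "tcp", 312, 409),
    Flow(_t("2007-05-14 09:30:00"), "10.1.1.20", "10.1.2.5", 445, "tcp", 2000000, 9000),
    Flow(_t("2007-05-14 09:31:00"), "10.1.1.20", "10.1.2.6", 445, "tcp", 4100, 3000),
    Flow(_t("2007-05-14 10:00:00"), "10.1.1.21", "203.0.113.50", 443, "tcp", 1100, 8300),
    Flow(_t("2007-05-14 10:04:00"), "10.1.2.6", "203.0.113.50", 443, "tcp", 1000, 8200),
]


def ips_decision(flow, blocklist):
    """The inline view: deny what is already known bad, allow the rest.
    Nothing about an allowed session is remembered."""
    return "deny" if flow.dst in blocklist else "allow"


def scope_by_indicator(flows, indicator_ip):
    """First-order scope: every source that talked to the indicator, with
    first and last contact, session count and bytes sent towards it."""
    hosts = {}
    for f in sorted(flows, key=lambda f: f.start):
        if f.dst != indicator_ip:
            continue
        h = hosts.setdefault(f.src, {"first": f.start, "last": f.start,
                                     "sessions": 0, "bytes_out": 0})
        h["last"] = max(h["last"], f.start)
        h["sessions"] += 1
        h["bytes_out"] += f.bytes_out
    return hosts


def beacon_interval(flows, src, dst, tolerance=timedelta(seconds=30)):
    """Seconds between sessions if src->dst contacts are regularly spaced
    (every gap within `tolerance` of the median gap), else None.  Regular
    check-ins are what C2 traffic tends to look like in session data."""
    times = sorted(f.start for f in flows if f.src == src and f.dst == dst)
    if len(times) < 3:
        return None
    gaps = sorted(b - a for a, b in zip(times, times[1:]))
    median = gaps[len(gaps) // 2]
    if all(abs(g - median) <= tolerance for g in gaps):
        return median.total_seconds()
    return None


def pivot_internal(flows, victims, internal_prefix="10."):
    """Second-order scope: internal peers each victim contacted at or after
    its first contact with the indicator, with bytes sent to each, so that a
    large internal transfer (staging, lateral movement) stands out."""
    peers = defaultdict(dict)
    for f in flows:
        if (f.src in victims and f.start >= victims[f.src]["first"]
                and f.dst.startswith(internal_prefix)):
            peers[f.src][f.dst] = peers[f.src].get(f.dst, 0) + f.bytes_out
    return dict(peers)


if __name__ == "__main__":
    # At 09:00 nobody had put 203.0.113.50 on a blocklist, so inline
    # prevention had nothing to say about it.
    print("IPS at the time:", ips_decision(FLOWS[1], blocklist=set()))
    victims = scope_by_indicator(FLOWS, "203.0.113.50")
    for host, info in victims.items():
        print(host, info, "beacon_s:", beacon_interval(FLOWS, host, "203.0.113.50"))
    print("internal pivots:", pivot_internal(FLOWS, victims))
```

The point of the example is the order of events: the inline decision was made with the knowledge available at 09:00, when the destination was not known to be bad, and only the retained session records let you answer "who else talked to it, since when, and what did they do next" once the indicator shows up.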

At about the same time I saw the 2006 Gartner slides I read IDS in Mid-Morph, an interview with Gene Schultz, long time security veteran. The interview states:

Schultz says there are already signs of new life. For one thing, IDS data is being used as part of intelligence-collection for forensics, he says. "People are gathering a wide range of data about behavior in machines, the state of memory, etc. and combining it to find patterns of attacks.

Intrusion detection is one rendition of going more toward the route of intelligence-collection. Instead of focusing on micro-details like packet dumps, [security analysts] are looking at patterns of activity through intensive system and network analysis on a global scale, to determine what the potential threats are."

Schultz attributes this to a new breed of intrusion detection analyst, "more like an intelligence analyst, especially in the government."


I wonder if Gene read any of my books or articles? For the last five years I've defined NSM as the

collection, analysis, and escalation of indications and warnings to detect and respond to intrusions.

Chapter one from Tao is online and must say the word intelligence a dozen times.

Incidentally, if you're near Sydney I'll be teaching my NSM course on 25 May 2007. If you're near Santa Clara I'll be teaching at on 20 June 2007. Thank you.

Thoughts on Latest CISSP Requirements Change

You all know I am a big fan of the CISSP certification. (If you don't recognize that as sarcasm, please read some old posts.) I wasn't going to comment on the press release (ISC)²® to Increase Requirements for CISSP® Credential to Validate Information Security Expertise, but no one else really has.

First, a little history. The last time a requirements change was announced was January 2002, in the press release (ISC)² TO IMPLEMENT NEW CISSP REQUIREMENTS IN 2003. That article stated:

...new requirements for the Certified Information Systems Security Professional (CISSP) certification, effective Jan. 1, 2003.

As of that date, the minimum experience requirement for certification will be four years or three years with a college degree or equivalent life experience. The current requirements for the CISSP call for three years of experience...

The "equivalent life experience" provision is intended for mature professionals who did not obtain a college degree but are in positions where a college degree would normally be required...


You may remember these changes were announced about a month after 16 year old Namit Merchant passed the CISSP exam, according to a December 2001 SecurityFocus report.

I passed the CISSP in late 2001 as well (I was almost 30, not 16) so all I needed was three years of relevant work experience. Since 1 January 2003, you could have three years of experience plus one of the approved credentials. Those include many certs from SANS, for example.

The new requirements for the CISSP, announced this week, are:

Effective 1 October 2007, the minimum experience requirement for certification will be five years of relevant work experience in two or more of the 10 domains of the CISSP CBK®, a taxonomy of information security topics recognized by professionals worldwide, or four years of work experience with an applicable college degree or a credential from the (ISC)²-approved list.

Currently, CISSP candidates are required to have four years of work experience or three years of experience with an applicable college degree or a credential from the (ISC)²-approved list, in one or more of the 10 domains of the CISSP CBK.


I am not sure why (ISC)² is increasing the experience requirement. I don't think five years of "experience" are going to make that much of a difference when compared to four years of experience plus a degree or credential. Honestly, equating a degree with a certification like CompTIA Security+ (on the "approved list") is really a joke, or should be.

Experience is not the only change:

Also effective 1 October, CISSP candidates will be required to obtain an endorsement of their candidature exclusively from an (ISC)²-certified professional in good standing.

Currently, candidates can be endorsed by an officer from the candidate’s organization if no CISSP endorsement can be obtained. The professional endorsing the candidate can hold any (ISC)² base certification – CISSP, Systems Security Certified Practitioner (SSCP®) or Certification and Accreditation Professional (CAPCM).


This is an anti-fraud attempt. I think it is too late. From the rumblings I've heard, cheating on exams like CISSP is not uncommon. One bad apple can "earn" the CISSP and then "endorse" all his buddies.

Maybe (ISC)² is finally starting to behave like employed French workers, protecting those who already have the certification at the expense of those on the outside? In other words, are there too many CISSPs chasing too few jobs? The latest press release states:

“With an estimated 1.5 million people working in information security globally, the nearly 50,000 CISSPs remain an elite group of professionals that are leading this industry,” Zeitler said. “(ISC)² will continue to assess its certification criteria and processes, as well as its examinations and educational programs, to ensure that remains the case.”

50,000! Less than five years ago the press release (ISC)² RECOGNIZES 10,000th CISSP said only 2,000 CISSPs were certified in 1999, and 10,000 was reached in October 2002.

I still think the CISSP exam, and the certification in general, is a waste of time. For the latest example why, read How I Prepared and Passed CISSP:

I chose a self study route, and devoted around 2 months for the preparation. I locked myself in and had very little to no time for the family; I’d told them what I was up to, and both my wife and son were very supportive. Every weekday I would dedicate 3 to 4 hours, and on weekends 5 to 6 hours for preparation. The last week before the exam, I took leave from work and dedicated around 12 hours straight every day for 7 days. To cope with the physical and mental tensions I did 45 minutes of yoga in the morning and 20 minutes of meditation in the afternoon. I took a break or stretched for 5 to 15 minutes after every 1 or 2 hours of studies.

That is ridiculous. I would expect someone who wants to be considered a "security professional" to be well-enough versed in the CISSP material to not require seven straight days of 12 hour studying sessions, beyond the previous seven weeks of study.

I prepared for the test in 2001 by reading the first edition of the Krutz and Vines CISSP guide, followed by the Exam Cram the night before. That was it. No boot camp, no study marathons, no weeks of study groups. I had about four years of experience and I figured that if (ISC)² required three years, I should be ok. I finished the test in 90 minutes and that was it.

If you're wondering how I would replace the CISSP, please read my 2005 post What the CISSP Should Be. I think Peter Stephenson's requirements for certifications are good guidelines as well.

Database Forensics

Database ninja David Litchfield told me he posted the latest in a series of lengthy articles on investigating Oracle database incidents. Specifically, he asked me to review the newest article on Live Response (.pdf) given my background. I recommend checking out the whole set of articles at Database Security.

Speaking of database security, I got a chance to see Alexander Kornbrust of Red-Database-Security GmbH talk about Oracle (in)security at CONFidence 2007. His talk reminded me of comments Thomas Ptacek once made about certain software being indefensible ten years ago, whereas now we have a fighting chance with some software. After hearing Alex's talk I think Oracle belongs in the indefensible category. Oracle appears to be at least five years behind their peer group in terms of producing "secure" code.

(I put "secure" in quotation marks because I don't believe anything is really "secure," but in relative terms Oracle seems far behind those with more robust secure development lifecycles and patch response processes.)

Sunday, May 13, 2007

Third of the Three Wise Men

I just listened to my third of the Three Wise Men, Ross Anderson, courtesy of Gary McGraw's Silver Bullet Podcast. This is another must-heed. During the podcast Prof. Anderson mentioned the following:

  • With respect to secure software development: As tools improve, we continue to "build bigger and better disasters." That echoes a theme in my previous posts.

  • "If someone is going to call themselves a security engineer, then they have to learn how things fail." This means studying history and contemporary security disasters. That's an argument for my National Digital Security Board.

  • Prof. Anderson mentioned potential compulsory registration for security professionals in the UK as a consequence of legislation requiring the registration of bouncers at clubs. Beware such an event here. Talk about unintended consequences.

  • Finally, Prof. Anderson warned of vulnerabilities in Near Field Communication (NFC) technology. For goodness sake, can we slow down the deployment of fundamentally broken technologies?


By the way, not only is the excellent Security Engineering now online, the first 7 chapters can be downloaded in .mp3 format.

Second of the Three Wise Men

I just blogged about a new podcast by the first of my Three Wise Men, namely Marcus Ranum. My second of the Three Wise Men for today is Dan Geer. I just noticed his testimony to the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology last month has been published. This is another must-heed collection of smart ideas. Brian Krebs summarized the hearing in his story Nation's Cyber Plan Outdated, Lawmakers Told. Dr. Geer's testimony included this gem:

I urge the Congress to put explaining the past, particularly for the purpose of assigning blame, behind itself. Demanding report cards, legislating under the influence of adrenaline, imagining that cybersecurity is an end rather than merely a means — all these and more inevitably prolong a world in which we are procedurally correct but factually stupid.

Amen. Also:

Information security is perhaps the hardest technical field on the planet. Nothing is stable, surprise is constant, and all defenders work at a permanent, structural disadvantage compared to the attackers. Because the demands for expertise so outstrip the supply, the fraction of all practitioners who are charlatans is rising. Because the demands of expertise are so difficult, the training deficit is critical. We do not have the time to create, as if from scratch, all the skills required. We must steal them from other fields where parallel challenges exist.


I wonder if the fraction of all practitioners with CISSP certifications is rising too?

The opposition is professional. It is no longer joyriders or braggarts. Because of the sheer complexity of modern, distributed, interdigitated, networked computer systems, the number of hiding places for unwanted software and unwanted visitors is very large.

The complexity, for the most part, comes from competitive pressure to add feature-richness to products; there is no market-leading product where one or a small group of people knows it in its entirety, and components from any pervasive system tend to be used and re-used in ways that even their designers did not anticipate.

Were there no attackers, this would be a miracle of efficiency and goodness. But unlike any other industrial product, information systems are at risk not from accident, not from cosmic radiation, and not from clumsy operation but from sentient opponents. The risk is not, as some would blithely say, “evolving” if by evolving the speaker means to invoke the course of Nature. The risk is due to intelligent design, and there is nothing random about it.


This is why one cannot legislate "security" for computers as one could try to legislate "safety" for automobiles. If people were crushing cars with boulders off bridges, shooting out car windows with AK-47s, or running over cars with tanks, no one would be blaming car manufacturers. They would (rightly!) be blaming the threats, as we should be doing with software and digital intruders.

I could easily cite the entire published testimony. Please read it.

RFC 4890: Recommendations for Filtering ICMPv6 Messages in Firewalls

All you fans of mindlessly blocking ICMP traffic are going to be in trouble if you try that strategy with IPv6. Luckily RFC 4890: Recommendations for Filtering ICMPv6 Messages in Firewalls was published this month. This Informational RFC provides concrete guidance using these categories:

  • Traffic That Must Not Be Dropped

  • Traffic That Normally Should Not Be Dropped

  • Traffic That Will Be Dropped Anyway -- No Special Attention Needed

  • Traffic for Which a Policy Should Be Defined

  • Traffic That Should Be Dropped Unless a Good Case Can Be Made


This is a nice reference for those who wish to implement some degree of control over ICMPv6, which is an integral part of IPv6 and not something one can blindly block.
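As an added example (not part of the original post, and not text taken from the RFC), the Python below organises an ICMPv6 transit policy by the RFC 4890 categories listed above and sets it beside the "drop all ICMP" habit the post warns about. The type and code numbers are those of RFC 4443 (errors, echo), RFC 4861 (Neighbor Discovery), RFC 3810 (MLDv2), RFC 3775 (Mobile IPv6) and the RFC 4890 tables; the `Pkt` record, the function names and the sample packets are constructed for this demonstration.

```python
"""Added example (not part of the original post nor text from RFC 4890):
an ICMPv6 transit policy organised by the RFC 4890 categories, beside the
"drop all ICMP" habit that the post warns about.  Type and code numbers are
those of RFC 4443 (errors, echo), RFC 4861 (Neighbor Discovery), RFC 3810
(MLDv2), RFC 3775 (Mobile IPv6) and RFC 4890's tables; the packet records
used as input are constructed for the demonstration.
"""
from collections import namedtuple

# A minimal view of the fields a filter needs from an ICMPv6 packet.
Pkt = namedtuple("Pkt", "type code hop_limit src_is_link_local")

# RFC 4890 section 4.3 (transit traffic).  None means "all codes".
MUST_NOT_DROP = {
    1: None,            # Destination Unreachable
    2: None,            # Packet Too Big: dropping it breaks Path MTU Discovery
    3: {0},             # Time Exceeded, hop limit exceeded in transit
    4: {1, 2},          # Parameter Problem, unrecognised next header / option
    128: None,          # Echo Request
    129: None,          # Echo Reply
}
NORMALLY_ALLOW = {
    3: {1},             # Time Exceeded, fragment reassembly time exceeded
    4: {0},             # Parameter Problem, erroneous header field
    144: None, 145: None, 146: None, 147: None,   # Mobile IPv6 HA discovery / prefix
}
# Link-local scope only: NDP, MLD, SEND, multicast router discovery.  A
# correct node never forwards these, so a firewall drops them on transit.
LINK_LOCAL_ONLY = {130, 131, 132, 133, 134, 135, 136, 137,
                   141, 142, 143, 148, 149, 151, 152, 153}
NEEDS_POLICY = {139, 140, 150}      # Node Information Query/Response, Seamoby
DROP_UNLESS_JUSTIFIED = {138,               # Router Renumbering
                         100, 101, 200, 201, # experimental
                         127, 255}           # reserved for type-space expansion


def _matches(table, pkt):
    if pkt.type not in table:
        return False
    codes = table[pkt.type]
    return codes is None or pkt.code in codes


def rfc4890_transit(pkt):
    """Decision for an ICMPv6 packet crossing the firewall: 'allow', 'drop'
    or 'policy' (site must decide), plus the category it fell into."""
    if pkt.type in LINK_LOCAL_ONLY:
        return "drop", "link-local scope, never transits"
    if pkt.type in DROP_UNLESS_JUSTIFIED:
        return "drop", "drop unless a good case is made"
    if pkt.type in NEEDS_POLICY:
        return "policy", "traffic for which a policy should be defined"
    if _matches(MUST_NOT_DROP, pkt):
        return "allow", "must not be dropped"
    if _matches(NORMALLY_ALLOW, pkt):
        return "allow", "normally should not be dropped"
    # Everything else is an unallocated type or an unknown code of a known type.
    return "policy", "unallocated, define a policy"


def naive_block_all(pkt):
    """The IPv4 habit: drop every ICMP message.  Under IPv6 this discards
    Packet Too Big, so PMTU discovery fails and large transfers stall."""
    return "drop", "blanket ICMP block"


def ndp_sanity(pkt):
    """For NDP (types 133-137) on the firewall's own interface: RFC 4861
    requires hop limit 255, which proves the packet crossed no router, and
    a link-local source on Router Advertisements."""
    if pkt.type not in range(133, 138):
        return False
    if pkt.hop_limit != 255:
        return False
    if pkt.type == 134 and not pkt.src_is_link_local:
        return False
    return True


def pmtud_survives(policy):
    """True if a policy lets Packet Too Big through; the check that the
    'block all ICMP' approach fails."""
    return policy(Pkt(2, 0, 64, False))[0] == "allow"


if __name__ == "__main__":
    samples = [Pkt(2, 0, 64, False), Pkt(3, 0, 64, False), Pkt(128, 0, 64, False),
               Pkt(135, 0, 255, True), Pkt(137, 0, 255, True), Pkt(138, 0, 64, False),
               Pkt(139, 0, 64, False), Pkt(77, 0, 64, False)]
    for p in samples:
        print(p.type, p.code, "rfc4890:", rfc4890_transit(p), "naive:", naive_block_all(p)[0])
    print("PMTUD survives rfc4890 policy:", pmtud_survives(rfc4890_transit))
    print("PMTUD survives naive policy:", pmtud_survives(naive_block_all))
```

The two things worth taking from the example are the ones that bite in practice: Packet Too Big has to pass, because IPv6 routers never fragment and a host that never sees it keeps retransmitting oversized segments; and Neighbor Discovery never legitimately transits, so a border firewall drops it while the local interface checks the hop limit of 255 instead of trusting the source address.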

CONFidence Wrap-Up

This morning I delivered a talk at CONFidence 2007 in Krakow, Poland. I'd like to thank Andrzej Targosz and Jacek Artymiak for being the best hosts I've met at any conference. They got me at the airport, took me to dinner (along with dozens of others), and will take me to the airport (at 0430 no less!) tomorrow. I spent a good amount of time with Anton Chuvakin, Daniel Cid, and Stefano Zanero, which was very cool.

I'd like to mention two talks. First, I watched Paweł Pokrywka talk about a neat way to discover layer two LAN topology with crafted ARP packets. Unfortunately, his talk was in Polish and I didn't exactly learn how he does it! I spoke to Paweł briefly before my own talk, and he said he plans to release a paper (in English) and his code (called Etherbat), so I look forward to seeing both.

Second, I attended Dinis Cruz's talk on buffer overflows in .NET and ASP.NET. I'm afraid I can't say anything intelligent about his talk. Dinis is a coding ninja and I really only left his talk with one idea: all general-computing platforms can be broken. What's funny is I'm not even sure Dinis would agree with me. His point seemed to be that .NET and ASP.NET (as well as other managed code environments) are breakable, but if implemented "properly," could be made not breakable.

Let's think about that for a moment. I'm sure the people who dreamed up .NET and ASP.NET are really smart. However, there are problems that render them vulnerable to people like Dinis. "Fine," you say. "Let Dinis help Microsoft fix the problems." Ok, Dinis helps implement a new version of this framework. A year or so later someone with a different insight or skill comes along and breaks the new version. And so on. This is the history of general purpose computing. I don't see a way to break the cycle if we continue to want developers to be able to write general purpose software. I am not speaking as a developer, but as an historian. We have been walking this path for over 20 years and I don't see any improvements.

Update: I forgot to mention that I liked Anton Chuvakin's definition of forensics:

Computer forensics is the application of the scientific method to digital media to establish factual information for judicial review.

Thoughts on Rear Guard Security Podcast

I just listened to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 first episode of Marcus Ranum's new podcast Rear Guard Security. A previous commenter got it right; it's like listening to an academic lecture. If that gives you a negative impression, I mean Marcus is a good academic lecturer. These are cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 sorts of lessons you might buy through The Teaching Company, for example.

Marcus isn't talking about cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 latest and greatest m4d sk1llz that 31337 d00ds use to 0wn j00. Instead, he's questioning cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 very fundamentals of digital security and trying to equip cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 listener with deep understandings of difficult problems. Most vendors will hate what he says and ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365rs will think he's far too pessimistic. I think Marcus is largely right because (although he doesn't say this outright) he believes vulnerability-centric security is doomed to failure. (I noticed Matt Franz thinks I may be right, too.) When you realize that nothing you do will ultimately remove all vulnerabilities, you've got to improve our ability to deter, investigate, apprehend, prosecute, and incarcerate threats. (I'll say a little more on this in a future post.)

One area in which I disagree with Marcus is penetration testing. I think he might accept my position if framed properly, since he is a proponent of "science" to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 degree we can aspire to that standard. In my post Follow-Up to Donn Parker Story I wrote:

Racá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r than spending resources measuring risk, I would prefer to see
measurements like cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 following:

  1. Time for a pen testing team of [low/high] skill with [external/internal] access to obtain unauthorized [stealthy/unstealthy] control of a specified asset using [public/custom] tools and [zero/complete] target knowledge. Note this measurement contains variables affecting cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 time to successfully compromise cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 asset.

  2. Time for a target's intrusion detection team to identify said intruder (pen tester), and escalate incident details to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 incident response team.

  3. Time for a target's incident response team to contain and remove said intruder, and reconstitute cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 asset.


These are cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 operational sorts of problems that matter in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 real world.


Yes, I did slightly modify number one to clarify meaning.

In Answering Penetration Testing Questions I added a few more comments, specifically mentioning a source like SensePost Combat Grading as an example of how to rate cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 [low/high] variable. That's not necessarily cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 standard I would use (since I haven't seen it) but it shows professional pen testers do think about such issues. (Maybe I can chat with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m at Black Hat?)

Marcus defines pen testing as attempting to determine the quality of an unknown quantity using another unknown quantity and a constantly varying set of conditions. In my #1 metric I try to reduce the number of variables such that the unknown qualities are fewer. I don't think it's ever possible to eliminate those variables, because the unit to be tested (the enterprise, usually) is never in a fixed state.

That reflects the real world. The enterprise attacked on Tuesday may not be like the enterprise on Wednesday. As much as I advocate knowing your network, I recognize that comprehensive, perfect knowledge cannot be obtained, simply due to complexity but aggravated by many other factors. However, the same factors which complicate our defense can complicate the intruder's offense. Overall I do not see the problem with finding out how long it takes for a pen testing team operating within my chosen parameters to achieve a specified objective.

This is why I think there's room in Marcus' world for my point of view. I believe there is value in the outcome of these tests. In other words, a single test is worth a thousand theories. I cannot say the number of times I've dealt with security people who refuse to believe a given incident has occurred (i.e., their box is rooted, it had no patches, etc.). Once you show them data, there's no room for excuses.

If it takes 30 minutes for a pen testing team of low skill with external access to obtain unauthorized unstealthy control of a specified asset using public tools and zero target knowledge, there's a problem.

If it takes an estimated 6 months for a pen testing team of high skill with internal access to obtain unauthorized stealthy control of a specified asset using custom tools and complete target knowledge, the situation is a lot different! (I say "estimated 6 months" because few if any customers are going to hire a pen team for that long. It is possible for pen teams to survey an architecture and estimate how long it would take for them to research, develop, and execute a custom zero-day.)

There is a reason the DoD and DoE staff robust red teams (i.e., pen testers). The report Defense Science Board Task Force on The Role and Status of DoD Red Teaming Activities is very helpful.

Incidentally, I'd rather not be the guy who debates Marcus on this issue if he wants to argue with a "pen tester." I don't do pen tests for a living. If he just wants an opposing point of view, I can probably provide that.

LBNL/ICSI Enterprise Tracing Project

Thanks to ronaldo in #snort-gui I learned about the LBNL/ICSI Enterprise Tracing Project. According to the site:

A goal of this project is to characterize internal enterprise traffic recorded at a medium-sized site, and to determine ways in which modern enterprise traffic is similar to wide-area Internet traffic, and ways in which it is quite different.

We have collected packet traces that span more than 100 hours of activity from a total of several thousand internal hosts. This wealth of data, which we are publicly releasing in anonymized form, spans a wide range of dimensions.


I decided to take a look at this data through the lens of Structured Traffic Analysis, which I discuss in Extrusion Detection and (IN)SECURE Magazine. I downloaded lbl-internal.20041004-1303.port001.dump.anon and took the following actions.

First I recorded the file's SHA-256 hash, so I could later confirm which trace I analyzed, and then ran capinfos to get a sense of the nature of the trace.

$ sha256 lbl-internal.20041004-1303.port001.dump.anon > lbl-internal.20041004-1303.port001.dump.anon.sha256
$ capinfos lbl-internal.20041004-1303.port001.dump.anon
File name: lbl-internal.20041004-1303.port001.dump.anon
File type: libpcap (tcpdump, Ethereal, etc.)
Number of packets: 84574
File size: 5907016 bytes
Data size: 33872987 bytes
Capture duration: 600.507393 seconds
Start time: Mon Oct 4 16:03:41 2004
End time: Mon Oct 4 16:13:41 2004
Data rate: 56407.28 bytes/s
Data rate: 451258.22 bits/s
Average packet size: 400.51 bytes

We can see this trace occupies 10 minutes in October 2004, at 451 Kbps, with 84574 packets.

Next I run Tcpdstat to learn a little more about the traffic.

$ tcpdstat lbl-internal.20041004-1303.port001.dump.anon

DumpFile: lbl-internal.20041004-1303.port001.dump.anon
FileSize: 5.63MB
Id: 200410041603
StartTime: Mon Oct 4 16:03:41 2004
EndTime: Mon Oct 4 16:13:41 2004
TotalTime: 600.51 seconds
TotalCapSize: 4.34MB CapLen: 74 bytes
# of packets: 84574 (32.30MB)
AvgRate: 451.17Kbps stddev:304.48K

### IP flow (unique src/dst pair) Information ###
# of flows: 260 (avg. 325.28 pkts/flow)
Top 10 big flow size (bytes/total in %):
37.9% 18.0% 15.8% 7.4% 6.8% 5.0% 1.3% 1.1% 0.7% 0.7%

### IP address Information ###
# of IPv4 addresses: 143
Top 10 bandwidth usage (bytes/total in %):
56.1% 55.9% 35.0% 23.0% 12.5% 2.7% 1.7% 1.3% 1.3% 1.0%
### Packet Size Distribution (including MAC headers) ###
<<<<
[ 32- 63]: 12784
[ 64- 127]: 17662
[ 128- 255]: 27008
[ 256- 511]: 7531
[ 512- 1023]: 2416
[ 1024- 2047]: 17173
>>>>


### Protocol Breakdown ###
<<<<
     protocol          packets                 bytes           bytes/pkt
------------------------------------------------------------------------
[0] total            84574 (100.00%)       33872987 (100.00%)    400.51
[1] ip               84514 ( 99.93%)       33859701 ( 99.96%)    400.64
[2]  tcp             82817 ( 97.92%)       33278039 ( 98.24%)    401.83
[3]   http(s)         1727 (  2.04%)        1251300 (  3.69%)    724.55
[3]   http(c)         1579 (  1.87%)         267624 (  0.79%)    169.49
[3]   imap             488 (  0.58%)         122352 (  0.36%)    250.72
[3]   ssh              176 (  0.21%)          26337 (  0.08%)    149.64
[3]   other          78847 ( 93.23%)       31610426 ( 93.32%)    400.91
[2]  udp               399 (  0.47%)          88116 (  0.26%)    220.84
[3]   dns               50 (  0.06%)           8669 (  0.03%)    173.38
[3]   other            349 (  0.41%)          79447 (  0.23%)    227.64
[2]  icmp              375 (  0.44%)          35880 (  0.11%)     95.68
[2]  ipsec             923 (  1.09%)         457666 (  1.35%)    495.85
>>>>

You get some of the same information as noted in Capinfos, but you also get some primitive protocol breakdowns. Unfortunately, Tcpdstat classifies by well-known port only, so 78847 packets (93.23% of the whole trace, and about 95% of the TCP packets) land in the unrecognized TCP "other" bucket.

Let's see if Tethereal does any better:

taosecurity:/home/analyst/lbl$ tethereal -n -r lbl-internal.20041004-1303.port001.dump.anon -q -z io,phs

===================================================================
Protocol Hierarchy Statistics
Filter: frame

frame                                  frames:84574 bytes:33872987
  eth                                  frames:84574 bytes:33872987
    ip                                 frames:84514 bytes:33859701
      tcp                              frames:82817 bytes:33278039
      udp                              frames:399 bytes:88116
        isakmp                         frames:176 bytes:53996
          short                        frames:176 bytes:53996
        short                          frames:207 bytes:32742
      short                            frames:923 bytes:457666
      icmp                             frames:375 bytes:35880
        short                          frames:30 bytes:11340
    arp                                frames:28 bytes:1792
===================================================================

Unfortunately, the Tethereal statistics here don't tell you anything different from Tcpdstat. Usually Tethereal statistics are more informative, but not here: with the 74-byte CapLen that Tcpdstat reported, the dissectors run out of bytes almost immediately, which is why so much shows up as "short" rather than as a recognized application protocol. For the sake of comparison, here is what Wireshark GUI statistics tell you.



Notice the format is different (but more human-friendly), and there is no way to copy or save it to a file. That would be a nice feature. (Tshark shows the same output as Tethereal, incidentally.)

The next step is to let Argus parse the file and then let Argus summarize the protocols it sees.

taosecurity:/home/analyst/lbl$ argus -r lbl-internal.20041004-1303.port001.dump.anon -w lbl.arg

taosecurity:/home/analyst/lbl$ ragator -r lbl.arg -w lbl.arg.ragator

taosecurity:/home/analyst/lbl$ racount -ar lbl.arg.ragator
racount   records  total_pkts  src_pkts  dst_pkts  total_bytes  src_bytes  dst_bytes
tcp           234       82817     39423     43394     33203201   10825712   22377489
udp            84         399       341        58        87969      77032      10937
icmp           36         375       224       151        35682      21416      14266
arp             4          28        28         0         1792       1792          0
non-ip          4          32        32         0        11494      11494          0
sum           363       83651     40048     43603     33340138   10937446   22402692

The next step is to see the IP addresses involved in this trace.

taosecurity:/home/analyst/lbl$ rahosts -nr lbl.arg.ragator
13.59.236.185
33.115.84.19
56.173.106.169
57.161.221.95
57.172.228.116
59.11.88.73
59.79.189.88
59.133.234.45
59.152.11.128
59.214.234.155
59.223.4.38
59.223.8.17
69.152.121.223
92.1.70.86
92.2.245.156
118.123.53.121
118.132.250.187
118.133.86.156
118.133.157.28
118.160.89.230
118.172.218.242
128.3.2.67
128.3.44.26
128.3.44.90
128.3.44.94
128.3.44.98
128.3.44.101
128.3.44.112
128.3.44.167
128.3.44.242
128.3.45.7
128.3.45.10
128.3.45.84
128.3.45.105
128.3.45.128
128.3.45.164
128.3.45.225
128.3.45.232
128.3.46.51
128.3.46.146
128.3.46.165
128.3.46.179
128.3.46.190
128.3.46.202
128.3.46.232
128.3.46.246
128.3.46.252
128.3.47.46
128.3.47.49
128.3.47.58
128.3.47.114
128.3.47.119
128.3.47.161
128.3.47.183
128.3.47.191
128.3.47.207
128.3.47.209
128.3.47.255
128.3.70.147
128.3.71.140
128.3.95.149
128.3.96.157
128.3.96.230
128.3.97.58
128.3.97.204
128.3.99.54
128.3.99.102
128.3.99.118
128.3.100.81
128.3.100.204
128.3.148.125
128.3.161.74
128.3.161.96
128.3.161.98
128.3.161.165
128.3.161.182
128.3.161.223
128.3.161.230
128.3.162.146
128.3.164.191
128.3.164.194
128.3.164.203
128.3.189.187
128.3.189.248
128.3.190.85
128.3.193.169
128.3.193.172
128.3.194.133
128.3.194.169
128.3.194.231
128.3.204.42
128.3.209.152
128.3.212.21
128.3.212.208
131.243.63.245
131.243.89.55
131.243.89.131
131.243.91.153
131.243.91.229
131.243.140.105
131.243.140.156
131.243.141.187
131.243.160.216
131.243.208.56
131.243.208.210
131.243.219.216
137.107.86.84
148.184.171.6
148.184.171.104
148.184.175.97
148.184.191.214
159.29.113.169
163.27.195.211
163.27.232.226
167.130.77.99
169.182.111.161
172.16.34.231
194.80.36.186
198.166.39.133
201.52.39.133
202.46.87.173
203.13.173.243
204.116.246.71
205.103.33.197
207.215.132.184
207.235.114.53
207.235.115.253
207.235.214.252
207.235.255.108
207.245.43.126
208.0.11.26
208.233.189.150
208.235.59.226
216.192.122.101
218.105.16.20
218.131.115.53
218.165.163.184
218.195.4.173
218.201.93.0

That's a lot of addresses for a 10 minute trace. Given the preponderance of 128.3.0.0/16 addresses, I'm guessing that is the HOME_NET.

The next step involves creating what I call session combinations. Essentially I remove the source port as a factor and group on source IP, destination IP, and destination port; the leading number from uniq -c is how many aggregated Argus records share that combination, which for TCP and UDP is roughly how many distinct client flows hit that destination port.

taosecurity:/home/analyst/lbl$ ra -nn -r lbl.arg.ragator -s saddr daddr dport proto | sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 | uniq -c

1 a6:c6:c9:23:cc: a9:71:1d:9f:85: 321
1 3b:d:21:32:30:a 80:b:98:3b:b9:e 2457
1 33.115.84.19 128.3.47.46.5554 tcp
1 33.115.84.19 128.3.47.46.9898 tcp
1 33.115.84.19 128.3.44.101.5554 tcp
1 33.115.84.19 128.3.44.101.9898 tcp
1 33.115.84.19 128.3.45.105.5554 tcp
1 33.115.84.19 128.3.45.105.9898 tcp
1 33.115.84.19 128.3.46.146.5554 tcp
1 33.115.84.19 128.3.46.146.9898 tcp
1 33.115.84.19 128.3.46.202.5554 tcp
1 33.115.84.19 128.3.46.202.9898 tcp
1 33.115.84.19 128.3.46.232.5554 tcp
1 33.115.84.19 128.3.46.232.9898 tcp
1 33.115.84.19 128.3.47.209.5554 tcp
1 33.115.84.19 128.3.47.209.9898 tcp
1 34:c9:c8:fa:af: a9:71:1d:9f:85: 381
1 34:c9:c8:fa:af: a9:71:1d:9f:85: 390
1 69.152.121.223 128.3.46.179 icmp
1 118.132.250.187 128.3.44.112.1518 tcp
1 118.132.250.187 128.3.44.112.1525 tcp
4 128.3.44.26 128.3.190.85.143 tcp
1 128.3.44.26 128.3.47.255.138 udp
1 128.3.44.26 128.3.97.204.53 udp
4 128.3.44.26 128.3.164.194.143 tcp
1 128.3.44.26 128.3.189.187.138 udp
1 128.3.44.26 128.3.189.248 icmp
1 128.3.44.26 128.3.189.248.138 udp
1 128.3.44.26 128.3.189.248.139 tcp
1 128.3.44.26 128.3.189.248.2074 tcp
1 128.3.44.90 128.3.212.208.514 udp
1 128.3.44.98 128.3.97.204.53 udp
2 128.3.44.98 128.3.99.118.993 tcp
1 128.3.44.98 128.3.164.191.5730 tcp
1 128.3.44.101 128.3.97.58.123 udp
1 128.3.44.101 128.3.99.54.123 udp
2 128.3.44.112 59.11.88.73.80 tcp
5 128.3.44.112 59.223.4.38.80 tcp
2 128.3.44.112 59.223.8.17.80 tcp
1 128.3.44.112 128.3.47.255.137 udp
1 128.3.44.112 128.3.47.255.138 udp
3 128.3.44.112 128.3.97.204.53 udp
2 128.3.44.112 218.201.93.0.443 tcp
6 128.3.44.112 59.79.189.88.80 tcp
1 128.3.44.112 128.3.164.194.143 tcp
1 128.3.44.112 148.184.171.6 icmp
1 128.3.44.112 148.184.171.6.135 tcp
2 128.3.44.112 148.184.171.6.139 tcp
1 128.3.44.112 148.184.171.6.389 udp
2 128.3.44.112 148.184.171.6.445 tcp
2 128.3.44.112 218.105.16.20.80 tcp
2 128.3.44.112 218.195.4.173.80 tcp
2 128.3.44.112 118.133.157.28.80 tcp
4 128.3.44.112 118.133.86.156.80 tcp
2 128.3.44.112 148.184.175.97 icmp
1 128.3.44.112 148.184.175.97.135 tcp
1 128.3.44.112 148.184.175.97.139 tcp
2 128.3.44.112 148.184.175.97.389 udp
1 128.3.44.112 148.184.175.97.445 tcp
1 128.3.44.112 163.27.195.211.443 tcp
2 128.3.44.112 163.27.195.211.80 tcp
1 128.3.44.112 163.27.232.226.80 tcp
1 128.3.44.112 205.103.33.197.80 tcp
2 128.3.44.112 208.235.59.226.80 tcp
4 128.3.44.112 118.132.250.187.443 tcp
1 128.3.44.112 148.184.171.104 icmp
1 128.3.44.112 148.184.171.104.139 tcp
1 128.3.44.112 148.184.171.104.445 tcp
2 128.3.44.112 148.184.191.214.389 udp
2 128.3.44.112 207.235.214.252.80 tcp
1 128.3.44.112 207.235.255.108.5002 tcp
1 128.3.44.167 131.243.208.56.123 udp
1 128.3.44.242 128.3.212.208.514 udp
1 128.3.45.7 128.3.96.157.22 tcp
1 128.3.45.7 128.3.99.102.53 udp
1 128.3.45.10 208.0.11.26.80 tcp
1 128.3.45.10 128.3.47.255.137 udp
1 128.3.45.10 128.3.47.255.138 udp
1 128.3.45.10 128.3.97.204 icmp
2 128.3.45.10 128.3.97.204.53 udp
1 128.3.45.10 128.3.148.125.1521 tcp
26 128.3.45.10 137.107.86.84.80 tcp
1 128.3.45.10 203.13.173.243 icmp
1 128.3.45.10 203.13.173.243.53 udp
1 128.3.45.10 56.173.106.169.80 tcp
1 128.3.45.10 59.214.234.155.80 tcp
2 128.3.45.10 169.182.111.161.80 tcp
1 128.3.45.84 128.3.212.208.514 udp
1 128.3.45.105 128.3.96.157.67 udp
1 128.3.45.128 118.123.53.121.80 tcp
5 128.3.45.128 207.245.43.126.80 tcp
55 128.3.45.128 218.131.115.53.80 tcp
1 128.3.45.128 207.215.132.184.80 tcp
14 128.3.45.128 208.233.189.150.80 tcp
1 128.3.45.164 128.3.97.204.53 udp
1 128.3.45.164 128.3.161.182.139 tcp
1 128.3.45.164 128.3.161.223.138 udp
1 128.3.45.164 167.130.77.99.80 tcp
1 128.3.45.225 128.3.47.255.138 udp
1 128.3.45.225 128.3.70.147.161 udp
1 128.3.45.225 128.3.71.140.161 udp
6 128.3.45.225 128.3.97.204.53 udp
1 128.3.45.225 172.16.34.231.161 udp
1 128.3.45.232 202.46.87.173.80 tcp
1 128.3.46.51 128.3.212.208.514 udp
1 128.3.46.146 128.3.212.21 2054
1 128.3.46.146 128.3.96.230 2054
1 128.3.46.146 33.115.84.19 2054
1 128.3.46.146 128.3.162.146 2054
1 128.3.46.165 128.3.161.223.138 udp
1 128.3.46.165 128.3.161.223.139 tcp
1 128.3.46.165 128.3.161.223.2645 tcp
1 128.3.46.165 128.3.164.194.993 tcp
1 128.3.46.165 128.3.209.152 icmp
1 128.3.46.190 128.3.161.74 icmp
1 128.3.46.190 128.3.47.255.138 udp
1 128.3.46.190 128.3.161.165 icmp
1 128.3.46.190 128.3.161.223.139 tcp
1 128.3.46.190 128.3.161.230 icmp
1 128.3.46.190 128.3.164.194.993 tcp
1 128.3.46.190 131.243.141.187 icmp
1 128.3.46.246 128.3.209.152 icmp
4 128.3.46.252 128.3.95.149.111 udp
1 128.3.47.46 128.3.212.208.514 udp
1 128.3.47.49 131.243.219.216.137 udp
1 128.3.47.58 128.3.209.152 icmp
1 128.3.47.114 128.3.212.208.514 udp
1 128.3.47.119 128.3.47.255.138 udp
1 128.3.47.119 128.3.193.169.139 tcp
1 128.3.47.119 128.3.209.152 icmp
2 128.3.47.161 128.3.164.194.993 tcp
1 128.3.47.161 128.3.164.203.389 tcp
1 128.3.47.183 128.3.47.255.138 udp
1 128.3.47.183 128.3.189.248.139 tcp
1 128.3.47.183 204.116.246.71.1863 tcp
6 128.3.47.183 218.165.163.184.80 tcp
1 128.3.47.191 128.3.47.255.138 udp
1 128.3.47.191 131.243.89.131.161 udp
1 128.3.47.191 131.243.91.153.161 udp
1 128.3.47.191 131.243.91.229.161 udp
3 128.3.47.207 128.3.2.67.80 tcp
1 128.3.47.207 128.3.161.96.88 tcp
1 128.3.47.207 128.3.97.204.53 udp
1 128.3.47.207 128.3.164.194.993 tcp
1 128.3.47.207 128.3.193.169.139 tcp
1 128.3.47.207 128.3.193.169.80 tcp
2 128.3.47.207 128.3.193.172.80 tcp
1 128.3.47.207 128.3.194.133.161 udp
1 128.3.47.207 128.3.194.169.161 udp
1 128.3.47.207 128.3.194.231.161 udp
1 128.3.47.207 131.243.140.156 icmp
1 128.3.47.207 131.243.140.156.1026 tcp
1 128.3.47.207 131.243.140.156.135 tcp
1 128.3.47.207 131.243.140.156.445 tcp
1 128.3.96.157 128.3.45.105 icmp
1 128.3.96.230 128.3.47.46 icmp
1 128.3.96.230 128.3.44.101 icmp
1 128.3.96.230 128.3.45.105 icmp
1 128.3.96.230 128.3.46.146 icmp
7 128.3.96.230 128.3.46.146.161 udp
1 128.3.96.230 128.3.46.202 icmp
1 128.3.96.230 128.3.46.232 icmp
1 128.3.96.230 128.3.47.209 icmp
1 128.3.100.81 57.161.221.95.500 udp
1 128.3.100.81 59.133.234.45.500 udp
1 128.3.100.81 57.172.228.116.500 udp
1 128.3.100.81 118.172.218.242.500 udp
1 128.3.100.204 92.1.70.86.500 udp
1 128.3.100.204 92.2.245.156.500 udp
1 128.3.100.204 118.160.89.230.500 udp
1 128.3.100.204 131.243.63.245.500 udp
1 128.3.161.98 128.3.46.190.1050 tcp
1 128.3.161.165 128.3.46.190.1047 tcp
1 128.3.161.165 128.3.46.190.1048 tcp
1 128.3.161.223 128.3.46.165.139 tcp
1 128.3.162.146 128.3.46.146 icmp
1 128.3.164.191 128.3.44.98.4543 tcp
1 128.3.164.194 128.3.44.112.1395 tcp
1 128.3.204.42 128.3.44.26.38293 udp
1 128.3.209.152 128.3.47.58.38293 udp
1 128.3.209.152 128.3.46.165.38293 udp
1 128.3.209.152 128.3.46.246.38293 udp
1 128.3.209.152 128.3.47.119.38293 udp
1 128.3.212.21 128.3.46.146 icmp
1 128.3.212.208 128.3.44.90 icmp
1 128.3.212.208 128.3.44.94.137 udp
1 128.3.212.208 128.3.45.84 icmp
1 128.3.212.208 128.3.45.84.137 udp
1 128.3.212.208 128.3.46.51 icmp
1 128.3.212.208 128.3.46.51.137 udp
1 128.3.212.208 128.3.47.46 icmp
1 128.3.212.208 128.3.44.242 icmp
1 128.3.212.208 128.3.47.114 icmp
1 128.3.212.208 128.3.47.114.137 udp
1 131.243.89.55 128.3.47.58.139 tcp
1 131.243.140.105 128.3.46.190.1057 tcp
1 131.243.160.216 128.3.46.190.1119 tcp
1 131.243.208.210 128.3.44.167 icmp
1 148.184.191.214 128.3.44.112 icmp
1 194.80.36.186 128.3.46.232 icmp
1 207.235.114.53 128.3.47.183.4206 tcp
1 207.235.115.253 128.3.44.112.4973 tcp
1 216.192.122.101 128.3.44.94.49201 tcp
1 229.97.122.203 1 0 man

I like creating these session combinations because they show me connections to hosts and destination ports. I can review these target ports, for example, to look for sessions which might be interesting. This is as far as we can go, because all of the application layer details for these sessions have been eliminated by the Tcpmkpub anonymization tool.
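As an added example (my code, not from the original post, the LBNL/ICSI project or the Argus suite), the following Python re-creates the chain above, a protocol breakdown and then the session combinations with the source port dropped, without Argus, on a tiny pcap it constructs in memory. The frames, ports and addresses in SAMPLE_FRAMES are made up (they only borrow the look of the anonymized listing), every function name is mine, and the fan_out() check at the end is an addition of my own for the review step just described: one source touching the same destination port on many hosts.

```python
"""Protocol breakdown and session combinations straight from a libpcap file, in pure Python.
Added example (not from the original post, the LBNL/ICSI project or Argus): it re-creates the
ra | sort | uniq -c step above on a pcap constructed in memory from made-up frames."""
import socket
import struct
from collections import Counter, defaultdict

ETH_IP, ETH_ARP = 0x0800, 0x0806
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 50: "ipsec"}
# --- builders for the constructed sample (checksums left zero; only headers matter here) ---
def eth_ip(src, dst, proto, l4):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + l4
    return b"\x00" * 12 + struct.pack("!H", ETH_IP) + ip
def tcp_syn(src, sport, dst, dport):
    return eth_ip(src, dst, 6, struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 2, 8192, 0, 0))
def udp(src, sport, dst, dport, data=b""):
    return eth_ip(src, dst, 17, struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data)
def icmp_echo(src, dst):
    return eth_ip(src, dst, 1, struct.pack("!BBHHH", 8, 0, 0, 1, 1))
def arp_frame():
    return b"\xff" * 6 + b"\x00" * 6 + struct.pack("!H", ETH_ARP) + b"\x00" * 28
def build_pcap(frames):
    """Wrap raw Ethernet frames in a libpcap (link type 1, microsecond) file image."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 1096900000 + i, 0, len(f), len(f)) + f
                          for i, f in enumerate(frames))

# --- the analysis: parse -> protocol breakdown -> session combinations -> fan-out check ---
def parse_pcap(data):
    """Yield (proto, saddr, daddr, sport, dport, frame_bytes) for each captured frame."""
    end = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack(end + "IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype != ETH_IP:
            yield ("arp" if ethertype == ETH_ARP else "non-ip", None, None, None, None, len(frame))
            continue
        ip = frame[14:]
        proto, ihl = ip[9], (ip[0] & 0x0F) * 4
        saddr, daddr = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        sport = dport = None                      # ICMP and ESP carry no ports
        if proto in (6, 17) and len(ip) >= ihl + 4:
            sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        yield (PROTO_NAMES.get(proto, "ip-%d" % proto), saddr, daddr, sport, dport, len(frame))

def protocol_breakdown(records):
    """Packets and bytes per protocol, like the tcpdstat and tethereal summaries above."""
    pkts, nbytes = Counter(), Counter()
    for proto, *_, n in records:
        pkts[proto] += 1
        nbytes[proto] += n
    return pkts, nbytes

def session_combinations(records):
    """Drop the source port, group on (saddr, daddr, dport, proto); value = distinct sports."""
    seen = defaultdict(set)
    for proto, saddr, daddr, sport, dport, _ in records:
        if saddr is not None:                     # ARP and other non-IP frames have no addresses
            seen[(saddr, daddr, dport, proto)].add(sport)
    return {k: len(v) for k, v in seen.items()}

def ip_key(addr):
    return tuple(int(o) for o in addr.split("."))  # same order as sort -n -t . -k 1,1 ... -k 4,4

def fan_out(combos, min_targets=3):
    """Sources touching the same dport on >= min_targets hosts: the shape a sweep leaves."""
    targets = defaultdict(set)
    for saddr, daddr, dport, proto in combos:
        if dport is not None:
            targets[(saddr, dport, proto)].add(daddr)
    return {k: sorted(v, key=ip_key) for k, v in targets.items() if len(v) >= min_targets}

def format_combinations(combos):
    """Render like the `uniq -c` listing above: count, saddr, daddr.dport, proto."""
    order = lambda kv: (ip_key(kv[0][0]), ip_key(kv[0][1]), kv[0][2] or 0)
    return "\n".join("%6d %s %s %s" % (n, s, d if p is None else "%s.%d" % (d, p), proto)
                     for (s, d, p, proto), n in sorted(combos.items(), key=order))
# Constructed sample, not real traffic: one host probing tcp/5554 on three hosts,
# one web client opening four connections, one DNS query, one ping, one ARP frame.
SAMPLE_FRAMES = (
    [tcp_syn("33.115.84.19", 1200 + i, d, 5554)
     for i, d in enumerate(("128.3.47.46", "128.3.44.101", "128.3.45.105"))]
    + [tcp_syn("128.3.45.128", 3000 + i, "218.131.115.53", 80) for i in range(4)]
    + [udp("128.3.44.112", 53100, "128.3.97.204", 53, b"\x00" * 12),
       icmp_echo("128.3.96.230", "128.3.46.146"), arp_frame()])
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

def analyze(data=SAMPLE_PCAP):
    records = list(parse_pcap(data))
    pkts, nbytes = protocol_breakdown(records)
    combos = session_combinations(records)
    return pkts, nbytes, combos, fan_out(combos)

if __name__ == "__main__":                        # stand-alone: print the uniq -c style listing
    print(format_combinations(analyze()[2]))
```

Run it stand-alone and it prints the uniq -c style listing for the constructed sample; feed parse_pcap() the bytes of a real trace and you get the same combinations the ra pipeline produced above, minus Argus's flow aggregation, so the counts here are distinct source ports rather than aggregated records. The fan_out() check is the kind of pattern worth reviewing in the real listing: 33.115.84.19 touches tcp/5554 and tcp/9898 on seven 128.3.0.0/16 hosts, which is exactly the shape it flags.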

At some point I plan to update this methodology using Argus 3.0, and automate the process.