Showing posts with label afcert. Show all posts

Tuesday, September 11, 2018

Twenty Years of Network Security Monitoring: From the AFCERT to Corelight

I am really fired up to join Corelight. I’ve had to keep my involvement with the team a secret since officially starting on July 20th. Why was I so excited about this company? Let me step backwards to help explain my present situation, and forecast the future.

Twenty years ago this month I joined the Air Force Computer Emergency Response Team (AFCERT) at then-Kelly Air Force Base, located in hot but lovely San Antonio, Texas. I was a brand new captain who thought he knew about computers and hacking based on experiences from my teenage years and more recent information operations and traditional intelligence work within the Air Intelligence Agency. I was desperate to join any part of the then-five-year-old Information Warfare Center (AFIWC) because I sensed it was the most exciting unit on “Security Hill.”

I had misjudged my presumed level of “hacking” knowledge, but I was not mistaken about the exciting life of an AFCERT intrusion detector! I quickly learned the tenets of network security monitoring, enabled by the custom software watching and logging network traffic at every Air Force base. I soon heard there were three organizations that intruders knew to be wary of in the late 1990s: the Fort, i.e. the National Security Agency; the Air Force, thanks to our Automated Security Incident Measurement (ASIM) operation; and the University of California, Berkeley, because of a professor named Vern Paxson and his Bro network security monitoring software.

When I wrote my first book in 2003-2004, The Tao of Network Security Monitoring, I enlisted the help of Christopher Jay Manders to write about Bro 0.8. Bro had the reputation of being very powerful but difficult to stand up. In 2007 I decided to try installing Bro myself, thanks to the introduction of the “brolite” scripts shipped with Bro 1.2.1. That made Bro easier to use, but I didn’t do much analysis with it until I attended the 2009 Bro hands-on workshop. There I met Vern, Robin Sommer, Seth Hall, Christian Kreibich, and other Bro users and developers. I was lost most of the class, saved only by my knowledge of standard Unix command line tools like sed, awk, and grep! I was able to integrate Bro traffic analysis and logs into my TCP/IP Weapons School 2.0 class, and subsequent versions, which I taught mainly to Black Hat students. By the time I wrote my last book, The Practice of Network Security Monitoring, in 2013, I was heavily relying on Bro logs to demonstrate many sorts of network activity, thanks to the high-fidelity nature of Bro data.

In July of this year, Seth Hall emailed to ask if I might be interested in keynoting the upcoming Bro users conference in Washington, D.C., on October 10-12. I was in a bad mood due to being unhappy with the job I had at that time, and I told him I was useless as a keynote speaker. I followed up with another message shortly after, explained my depressed mindset, and asked how he liked working at Corelight. That led to interviews with the Corelight team and a job offer. The opportunity to work with people who really understood the need for network security monitoring, and were writing the world’s most powerful software to generate NSM data, was so appealing! Now that I’m on the team, I can share how I view Corelight’s contribution to the security challenges we face.

For me, Corelight solves the problems I encountered all those years ago when I first looked at Bro. The Corelight embodiment of Bro is ready to go when you deploy it. It’s developed and maintained by the people who write the code. Furthermore, Bro is front and center, not buried behind someone else’s logo. Why buy this amazing capability from another company when you can work with those who actually conceptualize, develop, and publish the code?

It’s also not just Bro, but it’s Bro at ridiculous speeds, ingesting and making sense of complex network traffic. We regularly encounter open source Bro users who spend weeks or months struggling to get their open source deployments to run at the speeds they need, typically in the tens or hundreds of Gbps. Corelight’s offering is optimized at the hardware level to deliver the highest performance, and our team works with customers who want to push Bro to even greater levels.

Finally, working at Corelight gives me the chance to take NSM in many exciting new directions. For years we NSM practitioners have worried about challenges to network-centric approaches, such as encryption, cloud environments, and alert fatigue. At Corelight we are working on answers for all of these, beyond the usual approaches — SSL termination, cloud gateways, and SIEM/SOAR solutions. We will have more to say about this in the future, I’m happy to say!

What challenges do you hope Corelight can solve? Leave a comment or let me know via Twitter to @corelight_inc or @taosecurity.

Tuesday, September 16, 2014

A Brief History of Network Security Monitoring

Last week I was pleased to deliver the keynote at the first Security Onion Conference in Augusta, GA, organized and hosted by Doug Burks. This was probably my favorite security event of the year, attended by many fans of Security Onion and the network security monitoring (NSM) community.

Doug asked me to present the history of NSM. To convey some of the milestones in the development of this operational methodology, I developed these slides (pdf). They are all images, screen captures, and the like, but I promised to post them. For example, the image at left is the first slide from a Webinar that Bamm Visscher and I delivered on 4 December 2002, where we presented the formal definition of NSM for the first time. We defined network security monitoring as

the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions.

You may recognize similarities with the intelligence cycle and John Boyd's Observe - Orient - Decide - Act (OODA) loop. That is not an accident.

During the presentation I noted a few key years and events:

  • 1986: The Cliff Stoll intrusions scare the government, military, and universities supporting gov and mil research.
  • 1988: Lawrence Livermore National Lab funds three security projects at UC Davis by supporting Prof Karl Levitt's computer science lab. They include AV software, a "security profile inspector," and the "network security monitor."
  • 1988-1990: Todd Heberlein and colleagues code and write about the NSM platform.
  • 1991: While instrumenting a DISA location suffering from excessive bandwidth usage, NSM discovers 80% of the clogged link is caused by intruder activity.
  • 1992: Former FBI Director, then assistant AG, Robert Mueller writes a letter to NIST warning that NSM might not be legal.
  • 1 October 1992: AFCERT founded.
  • 10 September 1993: AFIWC founded.
  • End of 1995: 26 Air Force sites instrumented by NSM.
  • End of 1996: 55 Air Force sites instrumented by NSM.
  • End of 1997: Over 100 Air Force sites instrumented by NSM.
  • 1999: Melissa worm prompts AFCERT to develop dedicated anti-malware team. This signaled a shift from detection of human adversaries interacting with victims to detection of mindless code interacting with victims.
  • 2001: Bamm Visscher deploys SPREG, the predecessor to Sguil, at our MSSP at Ball Aerospace.
  • 13 July 2001: Using SPREG, one of our analysts detects Code Red, 6 days prior to the public outbreak. I send a note to a mailing list on 15 July.
  • February 2003: Bamm Visscher recodes and releases Sguil as an open source NSM console.

As I noted in my presentation, the purpose of the talk was to share the fact that NSM has a long history, some of which happened when many practitioners (including myself) were still in school.

This is not a complete history, either. For more information, please see my 2007 post Network Security Monitoring History and the foreword, written by Todd Heberlein, of my newest book The Practice of Network Security Monitoring.

Finally, I wanted to emphasize that NSM is not just full packet capture or logging full content data. NSM is a process, although my latest book defines seven types of NSM data. One of those data types is full content. You can read about all of them in the first chapter of my book at the publisher Web site.

Saturday, July 03, 2010

Lessons from NETOPS vs CND

Volume 13 Issue 2 of IATAC's IA Newsletter features an article titled Apples and Oranges: Operating and Defending the Global Information Grid by Dr Robert F Mills, Maj Michael Birdwell, and Maj Kevin Beeker. The article nicely argues for refocusing DoD's "NETOPS" and "CND" missions, where the former is defined currently as

activities conducted to operate and defend the Global Information Grid

and the latter is defined currently as

actions taken to protect, monitor, analyze, detect, and respond to unauthorized activity within DoD information systems and computer networks.

After spending years to "converge" the two missions, the authors argue DoD needs to separate them (as I understand the Air Force has done, bringing back the AFCERT for example).

I'd like to present selected excerpts with my own emphasis.

Cyberspace is a contested, warfighting domain, but we’re not really treating it as such, partly because our language and doctrine have not matured to the point that allows us to do so.

One reflection of our immature language is our inability to clearly differentiate the concepts of network operations (NETOPS) and computer network defense (CND). This creates confusion about the roles and responsibilities for provisioning, sustaining, and defending the network — much less actually using it.

Only by separating these activities can we more effectively organize, train, and equip people to perform those tasks...

Effective CND uses a defense-in-depth strategy and employs intelligence, counterintelligence, law enforcement, and other military capabilities as required. However, the CND culture is largely one of information assurance (e.g., confidentiality, integrity, and availability), system interoperability, and operations and maintenance (O&M).

Many of the things that we routinely call ‘cyberspace defense’ in cyberspace are really just O&M activities — such as setting firewall rules, patching servers and workstations, monitoring audit logs, and troubleshooting circuit problems...

[W]e do not treat cyberspace operations like those conducted in other domains... [T]housands of systems administrators routinely count and scan computers to ensure that their software and operating system patches are current. The objective is 100% compliance, but even if we could achieve that, this is a maintenance activity.

(Indeed, do we even really know how many computers we have, let alone how many are compliant?)

This is no more a defensive activity than counting all the rifles in an infantry company and inspecting them to ensure that they are properly cleaned and in working order.

Our current NETOPS/CND mindset is intentionally focused inward... Contrast this with a traditional warfighting mentality in which we study an adversary’s potential courses of action, develop and refine operational plans to meet national and military objectives, parry thrusts, and launch counter attacks.

While we do worry about internal issues such as security, force protection, logistics, and sustainment, our focus remains outward on the adversary.

Does that sound familiar? An "outward focus on the adversary" reminds me of my concept of threat-centric security instead of "inward" or vulnerability-centric security.

Our intent is not to diminish the importance of NETOPS activities... But they are not defensive activities — at least not in the classical understanding of the concept. Turning to Carl von Clausewitz, we see a much different concept of defense than is currently applied to cyberspace:

"Pure defense, however, would be completely contrary to the idea of war, since it would mean that only one side was waging it....

But if we are really waging war, we must return the enemy’s blows; and these offensive acts in a defensive war come under the heading of ‘defense’ – in other words, our offensive takes place within our own positions or theater of operations.

Thus, a defensive campaign can be fought with offensive battles, and in a defensive battle, we can employ our divisions offensively... So the defensive form of war is not a simple shield, but a shield made up of well-directed blows."

I find it interesting to see these authors cite Clausewitz. Anyone notice attrition.org blast Sun Tzu but speak better of Clausewitz recently?

These definitions of defense do not sound like our current approach to NETOPS and CND. Clausewitz might say we have a shield mentality about cyber defense...

An active defense — one that employs limited offensive action and counterattacks to deny the adversary — will be required to have a genuinely defensive capability in cyberspace.

Our recommendations to remedy this situation are as follows:

  1. Redefine NETOPS as “actions taken to provision and maintain the cyberspace domain.” This would capture the current concepts of operations and maintenance while removing the ambiguity caused by including defense within the NETOPS construct.

  2. Leverage concepts such as ‘mission assurance’ and ‘force protection’ to help change the culture and engage all personnel — users, maintainers, and cyber operators. Everyone has a role in security and force protection, but we are not all cyber defenders. Force protection and mission assurance are focused inward on our mission.

  3. Redefine our CND construct to be more consistent with our approach to the concept of ‘defense’ in the other domains of warfare, to include the concept of active defense. This would shift the concept from maintenance to operations, from inward to outward (to our adversaries). CND is about delivering warfighting effects (e.g., denying, degrading, disrupting, and destroying the cyber capabilities of our adversaries).

I like these three recommendations from a corporate point of view:

  1. IT provides "NETOPS".

  2. User and management training and awareness are "force protection" activities.

  3. CIRTs with Red capabilities, authorized to perform "active defense" against adversaries, perform "CND."


What do you think?

Monday, February 15, 2010

Answers Regarding Military Service

Once in a while I'm asked about my Thoughts on Military Service. An anonymous blog reader sent the following questions. It's been a while since I wore the uniform, but at least some of you readers might care to offer your own thoughts. I'll try to answer what I can.

I got into IT after graduating from college with non-technical majors and decided that I was actually interested in areas of practical science, such as: physical computing, engineering (mechanical, electrical, and design), robotics, aerospace, and programming. IT was a great primer for some practical work experience, but after my stint with [a security company] I'm evaluating if I want to acquire more direct technical training with the things I'm passionate about.

So, here's my barrage of questions; please feel free to answer however you want, I'm simply organizing the thoughts rumbling around in my head. If I left anything relevant out, which I'm certain I did, then please mention it.

1) What was your technical experience in the Air Force? Would you recommend it?

I spent a little over two years as a "real" intelligence officer, with my technical skills directed towards selecting targets in the former Yugoslavia and planning information warfare campaigns. In the fall of 1998 I managed to be reassigned to the AFCERT where I did hands-on technical incident detection, until I left the service in February 2001.

I owe my subsequent career in this field to my time in the Air Force, although no one handed me anything on a silver platter. I'll say more about recommendations shortly.

2) Is the ROTC an appropriate program for the technical skills I want to build? Would I be able to get hands on experience but also have support, primarily financial, for requisite schooling?

ROTC does not teach anything technical. The goal is to prepare you to be an officer, not provide any specialist skills. You wouldn't attend ROTC anyway since you have a degree. More on that later.

3) What particulars about Air Force technical training would you focus on?

I'm not sure I follow this question. However, the Air Force and all military services follow a three-step process for training. First you enjoy some sort of entry-level training, involving "basic training" where the goal is to transform you into a lean mean fighting machine. My entry into the USAF was through the Air Force Academy, which was a four year degree program. Next comes training for the specialty you will perform in the service, although this is really just an introduction. My specialty training was military intelligence, which was a nine month program. Finally you will get on-the-job training, where you learn the specifics of your first assignment. That happened at Air Intelligence Agency in my case.

4) What are the glaring weaknesses that you encountered?

If you're talking about training, I guess the biggest problem is the disconnect between what the school house thinks is important vs the real world. That's not unique to the military, but it places a burden on the on-the-job trainers, none of whom are really trainers! If you don't find a good initial mentor, you can be lost. I can thank Jesse Coultrap in my first planning role and Cheryl Knecht at the AFCERT for watching out for me.

5) Is a military program preferable over the alternatives, such as civilian work experience or going back to school? I.e. Is this type of program a good way to save me time and money in these pursuits? I'm 23 years old if that gives you some idea.

At 23, with a degree, military service is still an option. Don't join the military just for training. We are fighting two wars with plenty of other action occurring. Join the military to join the military.

6) Is there flexibility to pick up other skills? Let's say I do some electrical/computer engineering, would the idea that I also want to program or learn about aerospace be encouraged?

Some will disagree, but I bet a lot of readers will agree that, once you join, you become the property of the military. Some people I know tend to live charmed lives where they go from one awesome job to the next. Others can't wait to leave, once their commitment expires. This tends to result in senior leaders saying "isn't the service awesome?" They can't understand why some of their juniors aren't happy, since their careers have been so great!

7) Do you know anything about Naval equivalents regarding technical skills (or any other program out there)?

Navy?!? Are you kidding me?!? Seriously, all of the services are ramping up their "cyber" arms. I'm even going to speak at Annapolis soon. I can put you in touch with some Middies if you want.

8) How's Air Force life, generally?

Wow, big question. I could use some input from active duty folks here. Let me say that I personally found the burden on my family too heavy to stay in uniform. That was before Iraq and Afghanistan, and I was in the Air Force, not the Army or Marine Corps. I don't know how those guys can manage. They sacrifice everything.

9) Would it be better to go through an officer program or enlist straight up?

Since you have a degree, you should apply for Officer Candidate School or Officer Training School, depending on the service. I'm not disrespecting enlisted people, but if you have your degree I think many enlisted people would recommend getting your commission. The pay differential alone is worth it.

I'd appreciate comments from any other readers. Thank you.

Friday, November 27, 2009

Historical Video on AFCERT circa 2000

I just uploaded a video that some readers might find entertaining. This video shows the United States Air Force Computer Emergency Response Team (AFCERT) in 2000. Kelly AFB, Security Hill, and Air Intelligence Agency appear. The colonel who leads the camera crew into room 215 is James Massaro, then commander of the Air Force Information Warfare Center. The old Web-based interface to the Automated Security Incident Measurement (ASIM) sensor is shown, along with a demo of the "TCP reset" capability to terminate TCP-based sessions.

We have a classic quote about a "digital Pearl Harbor" from Winn Schwartau, "the nation's top information security analyst." Hilarious, although Winn nails the attribution and national leadership problems; note also the references to terrorists in this pre-9/11 video. "Stop the technology madness!" Incidentally, if the programs shown were "highly classified," they wouldn't be in this video!

I was traveling for the AFCERT when this video was shot, so luckily I am not seen anywhere...

Wednesday, November 25, 2009

Review of Martin Libicki's Cyberdeterrence and Cyberwar

Amazon.com just posted my three star review of Martin Libicki's Cyberdeterrence and Cyberwar. I've reproduced the review in its entirety here because I believe it is important to spread the word to any policy maker who might read this blog or be directed here. I've emphasized a few points for readability.

As background, I am a former Air Force captain who led the intrusion detection operation in the AFCERT before applying those same skills to private industry, the government, and other sectors. I am currently responsible for detection and response at a Fortune 5 company and I train others with hands-on labs as a Black Hat instructor. I also earned a master's degree in public policy from Harvard after graduating from the Air Force Academy.

Martin Libicki's Cyberdeterrence and Cyberwar (CAC) is a weighty discussion of the policy considerations of digital defense and attack. He is clearly conversant in non-cyber national security history and policy, and that knowledge is likely to benefit readers unfamiliar with Cold War era concepts. Unfortunately, Libicki's lack of operational security experience undermines his argument and conclusions. The danger for Air Force leaders and those interested in policy is that they will not recognize that, in many cases, Libicki does not understand what he is discussing. I will apply lessons from direct experience with digital security to argue that Libicki's framing of the "cyberdeterrence" problem is misguided at best and dangerous at worst.

Libicki's argument suffers five key flaws. First, in the Summary Libicki states "cyberattacks are possible only because systems have flaws" (p xiii). He continues with "there is, in the end, no forced entry in cyberspace... It is only a modest exaggeration to say that organizations are vulnerable to cyberattack only to the extent they want to be. In no other domain of warfare can such a statement be made" (p. xiv). I suppose, then, that there is "no forced entry" when a soldier destroys a door with a rocket, because the owners of the building are vulnerable "to the extent they want to be"? Are aircraft carriers similarly vulnerable to hypersonic cruise missiles because "they want to be"? How about the human body vs bullets?

Second, Libicki's fatal understanding of digital vulnerability is compounded by his ignorance of the role of vendors and service providers in the security equation. Asset owners can do everything in their power to defend their resources, but if an application or implementation has a flaw it's likely only the vendor or service provider who can fix it. Libicki frequently refers to sys admins as if they have mystical powers to completely understand and protect their environments. In reality, sys admins are generally concerned about availability alone, since they are often outsourced to the lowest bidder and contract-focused, or understaffed to do anything more than keep the lights on.

Third, this "blame the victim" mentality is compounded by the completely misguided notions that defense is easy and recovery from intrusion is simple. On p 144 he says "much of what militaries can do to minimize damage from a cyberattack can be done in days or weeks and with few resources." On p 134 he says that, following cyberattack, "systems can be set straight painlessly." Libicki has clearly never worked in a security or IT shop at any level. He also doesn't appreciate how much the military relies on civilian infrastructure for everything from logistics to basic needs like electricity. For example, on p 160 he says "Militaries generally do not have customers; thus, their systems have little need to be connected to the public to accomplish core functions (even if external connections are important in ways not always appreciated)." That is plainly wrong when one realizes that "the public" includes contractors who design, build, and run key military capabilities.

Fourth, he makes a false distinction between "core" and "peripheral" systems, with the former controlled by users and the latter by sys admins. He says "it is hard to compromise the core in the same precise way twice, but the periphery is always at risk" (p 20). Libicki is apparently unaware that one core Internet resource, BGP, is basically at constant risk of complete disruption. Other core resources, DNS and SSL, have been incredibly abused during the last few years. All of these are known problems that are repeatedly exploited, despite knowledge of their weaknesses. Furthermore, Libicki doesn't realize that so-called critical systems are often more fragile than user systems. In the real world, critical systems often lack change management windows, or are heavily regulated, or are simply old and not well maintained. What's easier to reconfigure, patch, or replace, a "core" system that absolutely cannot be disrupted "for business needs," or a "peripheral" system that belongs to a desk worker?

Fifth, in addition to not understanding defense, Libicki doesn't understand offense. He has no idea how intruders think or the skills they bring to the arena. On pp 35-6 he says "If sufficient expenditures are made and pains are taken to secure critical networks (e.g., making it impossible to alter operating parameters of electric distribution networks from the outside), not even the most clever hacker could break into such a system. Such a development is not impossible." Yes, it is impossible. Thirty years of computer security history have shown it to be impossible. One reason why he doesn't understand intruders appears on p 47 where he says "private hackers are more likely to use techniques that have been circulating throughout the hacker community. While it is not impossible that they have managed to generate a novel exploit to take advantage of a hitherto unknown vulnerability, they are unlikely to have more than one." This baffling statement shows Libicki doesn't appreciate the skill set of the underground.

Libicki concludes on pp xiv and xix-xx "Operational cyberwar has an important niche role, but only that... The United States and, by extension, the U.S. Air Force, should not make strategic cyberwar a priority investment area... cyberdefense remains the Air Force's most important activity within cyberspace." He also claims it is not possible to "disarm" cyberwarriors, e.g., on p 119 "one objective that cyberwar cannot have is to disarm, much less destroy, the enemy. In the absence of physical combat, cyberwar cannot lead to the occupation of territory." This focus on defense and avoiding offense is dangerous. It may not be possible to disable a country's potential for cyberwar, but an adversary can certainly target, disrupt, and even destroy cyberwarriors. Elite cyberwarriors could be likened to nuclear scientists in this respect; take out the scientists and the whole program suffers.

Furthermore, by avoiding offense, Libicki makes a critical mistake: if cyberwar has only a "niche role," how is a state supposed to protect itself from cyberwar? In Libicki's world, defense is cheap and easy. In the real world, the best defense is 1) informed by offense, and 2) coordinated with offensive actions to target and disrupt adversary offensive activity. Libicki also focuses far too much on cyberwar in isolation, while real-world cyberwar has historically accompanied kinetic actions.

Of course, like any good consultant, Libicki leaves himself an out on p 177 by stating "cyberweapons come relatively cheap. Because a devastating cyberattack may facilitate or amplify physical operations and because an operational cyberwar capability is relatively inexpensive (especially if the Air Force can leverage investments in CNE), an offensive cyberwar capability is worth developing." The danger of this misguided tract is that policy makers will be swayed by Libicki's misinformed assumptions, arguments, and conclusions, and believe that defense alone is a sufficient focus for 21st century digital security. In reality, a kinetically weaker opponent can leverage a cyber attack to weaken a kinetically superior yet net-centric adversary. History shows, in all theatres, that defense does not win wars, and that the best defense is a good offense.

Monday, May 18, 2009

24th Air Force to be Headquartered at Lackland AFB

Congratulations to Lackland AFB in San Antonio, Texas for being chosen to host the headquarters for 24th Air Force, a "cyber numbered Air Force." Lackland is home to the AF ISR Agency (previously AIA), the AF Information Operations Center (previously AFIWC), and the 33rd Network Warfare Squadron (previously the 33 IOS, and before that the AFCERT).

It's been six years since I visited the place, but I think it's a great choice for the 24th.



Thursday, February 19, 2009

Thoughts on Air Force Blocking Internet Access

Last year I wrote This Network Is Maintained as a Weapon System, in response to a story on Air Force blocks of blogging sites. Yesterday I read Air Force Unplugs Bases' Internet Connections by Noah Shachtman:

Recently, internet access was cut off at Maxwell Air Force Base in Alabama, because personnel at the facility "hadn't demonstrated — in our view at the headquarters — their capacity to manage their network in a way that didn't make everyone else vulnerable," [said] Air Force Chief of Staff Gen. Norton Schwartz.

I absolutely love this. While in the AFCERT I marvelled at the Marine Corps' willingness to take the same actions when one of their sites did not take appropriate defensive actions.

Let's briefly describe what needs to be in place for such an action to take place.

  1. Monitored. Those who wish to make a blocking decision must have some evidence to support their action. The network subject to cutoff must be monitored so that authorities can justify their decision. If the network to be cut off is attacking other networks, the targets of the attacks should also be monitored and use their data to justify action.

  2. Inventoried. The network to be cut off must be inventoried. The network must be understood so that a decision to block gateways A and B doesn't leave unknown gateways C and D free to continue conducting malicious activity.

  3. Controlled. There must be a way to implement the block.

  4. Claimed. The authorities must know the owners of the misbehaving network and be able to contact them.

  5. Command and Control. The authorities must be able to exercise authority over the misbehaving network.

You might notice the first four items are the first four elements of my Defensible Network Architecture 2.0 of a year ago.

Number five is very important. Those deciding to take blocking action must be able to exercise a block despite objections by the site. The site is likely to use terms like "mission critical," "business impact," "X dollars per hour," etc. The damage caused by leaving the malicious network able to attack the rest of the enterprise must exceed the impact of lost network connectivity to the misbehaving network.

It is usually much easier to wrap impact around a network outage than it is to determine the cost of sustaining and suffering network attacks. Loss of availability is usually easier to measure than losses of confidentiality or integrity. The easiest situation is one where downtime confronts downtime, i.e., cutting off a misbehaving site will allow its targets to restore their networks. This would be true of a malicious site conducting a DoS attack against others; terminating the offender denies his network availability but restores the victim's availability. That is why sites are most likely to allow network cutoffs when rogue code in one site is aggressively scanning or DoS'ing a target, resulting in the target losing services.
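As an added example (not code from the original post), here are the five prerequisites and the impact comparison written as a single cutoff decision check; the flow records, gateway names, hourly costs and contact address are constructed placeholders:

```python
"""Subnet cutoff decision check: an added example, not code from the
original post. It encodes the five prerequisites listed above (monitored,
inventoried, controlled, claimed, command and control) and the closing
impact comparison. Flow records, gateway names and hourly costs are all
constructed sample data."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


@dataclass
class Flow:
    """One sensor record: who talked to whom, via which egress gateway."""
    src: str
    dst: str
    egress_gw: str
    kind: str          # "scan", "dos" or "normal" (sensor classification)


@dataclass
class Site:
    """What the authorities know about the site under consideration."""
    subnet: str
    known_gateways: Set[str]         # inventoried egress points
    controllable_gateways: Set[str]  # where a block can actually be pushed
    owner_contact: Optional[str]     # "claimed": someone to notify
    under_authority: bool            # "command and control" over the site


@dataclass
class Decision:
    block: bool
    reasons: List[str] = field(default_factory=list)
    unknown_gateways: Set[str] = field(default_factory=set)


def site_flows(site: Site, flows: List[Flow]) -> List[Flow]:
    net = ip_network(site.subnet)
    return [f for f in flows if ip_address(f.src) in net]


def hostile_evidence(site: Site, flows: List[Flow]) -> List[Flow]:
    """Monitored: evidence must come from sensor data, not hearsay."""
    return [f for f in site_flows(site, flows) if f.kind != "normal"]


def unknown_gateways(site: Site, flows: List[Flow]) -> Set[str]:
    """Inventoried: egress points seen in traffic but absent from inventory."""
    seen = {f.egress_gw for f in site_flows(site, flows)}
    return seen - site.known_gateways


def decide_cutoff(site: Site, flows: List[Flow],
                  outage_cost_per_hour: float,
                  attack_cost_per_hour: float) -> Decision:
    """Return a block decision; every unmet prerequisite becomes a reason."""
    d = Decision(block=False)
    if not hostile_evidence(site, flows):
        d.reasons.append("monitored: no sensor evidence of hostile traffic")
    d.unknown_gateways = unknown_gateways(site, flows)
    if d.unknown_gateways:
        d.reasons.append("inventoried: traffic egresses via uninventoried "
                         f"gateways {sorted(d.unknown_gateways)}")
    uncontrolled = site.known_gateways - site.controllable_gateways
    if uncontrolled:
        d.reasons.append(f"controlled: cannot block at {sorted(uncontrolled)}")
    if not site.owner_contact:
        d.reasons.append("claimed: no owner to notify")
    if not site.under_authority:
        d.reasons.append("command and control: no authority over the site")
    # Impact comparison: the harm of leaving the site connected must exceed
    # the harm of cutting it off, otherwise the site's objections win.
    if attack_cost_per_hour <= outage_cost_per_hour:
        d.reasons.append("impact: outage cost is not exceeded by attack cost")
    d.block = not d.reasons
    return d


# Constructed sample data: a /16 whose hosts scan and DoS other networks.
SAMPLE_SITE = Site(subnet="10.1.0.0/16",
                   known_gateways={"gw-a", "gw-b"},
                   controllable_gateways={"gw-a", "gw-b"},
                   owner_contact="noc@example.invalid",
                   under_authority=True)
SAMPLE_FLOWS = [
    Flow("10.1.5.7", "10.9.0.12", "gw-a", "scan"),
    Flow("10.1.5.7", "10.9.0.13", "gw-a", "scan"),
    Flow("10.1.9.9", "10.8.4.4", "gw-b", "dos"),
    Flow("10.2.0.5", "10.9.0.12", "gw-c", "normal"),  # different site
]

if __name__ == "__main__":
    result = decide_cutoff(SAMPLE_SITE, SAMPLE_FLOWS, 1000.0, 5000.0)
    print("block:", result.block, "reasons:", result.reasons)
```

Adding a hostile flow that leaves via an uninventoried gateway flips the decision to "no block", which is the inventory gap the post warns about.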

Does your enterprise have a policy that allows cutting off misbehaving subnets?



Friday, July 11, 2008

Proposed Air Force Cyber Badge

The Air Force published New cyberspace career fields, training paths, badge proposed earlier this month. I found the proposed cyber badge to be interesting. From the story:

The badge features: lightning bolts to signify the cyberspace domain; center bolts taken from the navigator badge and the Air Force Seal to signify cyberspace's worldwide power and reach and its common lineage and history of electronic warfare officers; and orbits to signify cyberspace's space-related mission elements. And, like other specialty badges, it will identify skill (certification) levels. Final approval and specifics of the wear criteria is under review at the air staff.

For comparison I've posted the intelligence badge I used to wear. Wikipedia's Badges of the US Air Force is a nice reference.

The Air Force also published a proposed Cyberspace Training Path for Operators and Specialists.

Since we're talking military cyber operations, a blog reader asked for my opinion of the new story U.S. Army challenges USAF on network warfare. I saw this first hand at a cyber conference recently. The Air Force colonel who will be vice commander of Cyber Command, Tony Buntyn, spoke, followed by an Army colonel, John Blaine, from NetCom. Col Blaine said the Army had been doing cyber operations for years, seemingly in contrast to the "new" Air Force Cyber Command. Of course, my previous history post noted that the Air Force Information Warfare Center was established in 1993, and the AFCERT was created the year earlier. Air Force cyber history is very extensive, especially if you expand to electronic warfare in Vietnam.

Sunday, March 30, 2008

Wireshark 1.0.0 Released

I'd like to congratulate the Wireshark team for releasing Wireshark 1.0.0. As the news item says, it's been nearly 10 years in the making. I started using Ethereal in 1999 at the AFCERT with data collected from our ASIM sensors.

It's a great time for network security monitoring right now! With Sguil 0.7.0 released there's a lot of attention from high level players. It's cool.

Saturday, March 08, 2008

Network Security Monitoring for Fraud, Waste, and Abuse

Recently a blog reader asked the following:

You frequently mention "fraud, waste, and abuse" in your writing (for example), most often to say that NSM is not intended to address FWA. One thing I've been wondering though--why is fraud in there? I can see waste (employee burning time/resources on ESPN.com or Google Video) or abuse (pornography, etc), but Fraud seems to be in a different class. If someone is using the network to commit a crime, why shouldn't that be in scope? Indeed, preventing loss (monetary, reputational, of intellectual property) is really the bottom line for a strong security program, correct?

My stance on this question dates back to my days in the AFCERT. Let me explain by starting with some definitions from AFI90-301 (.pdf):

Fraud: Any intentional deception designed to unlawfully deprive the Air Force of something of value or to secure from the Air Force for an individual a benefit, privilege, allowance, or consideration to which he or she is not entitled. Such practices include, but are not limited to:

  1. The offer, payment, acceptance of bribes or gratuities, or evading or corrupting inspectors or other officials.

  2. Making false statements, submitting false claims or using false weights or measures.

  3. Deceit, either by suppressing the truth or misrepresenting material facts, or to deprive the Air Force of something of value.

  4. Adulterating or substituting materials, falsifying records and books of accounts.

  5. Conspiring to carry out any of the above actions.

  6. The term also includes conflict of interest cases, criminal irregularities, and the unauthorized disclosure of official information relating to procurement and disposal matters.


For purposes of this instruction, the definition can include any theft or diversion of resources for personal or commercial gain.

Waste: The extravagant, careless, or needless expenditure of Air Force funds or the consumption of Air Force property that results from deficient practices, systems controls, or decisions. The term also includes improper practices not involving prosecutable fraud.

Abuse: Intentional wrongful or improper use of Air Force resources. Examples include misuse of rank, position, or authority that causes the loss or misuse of resources such as tools, vehicles, computers, or copy machines.


Given these definitions, the first reason I do not think counter-FWA is an appropriate NSM mission is the identification of these actions. Security analysts perform NSM. Security analysts are not human resources, legal, privacy, financial audit, or police personnel. Trying to identify FWA (aside from the obvious, like wasting bandwidth or visiting pornography sites) is outside the scope of the security analyst's profession. If any of the aforementioned parties want to use some content inspection method to identify FWA, that's their job. Security analysts are generally tasked with identifying violations of confidentiality, integrity, and availability.

Second, in many organizations the inclusion of FWA would crowd out other security tasks. I have heard of some monitoring shops who do nothing but FWA because the volume of inappropriate activity seems to dwarf traditional security concerns. I think that is a poor allocation of resources.

Third, I think NSM for FWA is shaky on privacy grounds. Employees really have no expectation of privacy in the workplace, but the degree of monitoring required to identify non-obvious FWA is very invasive. Security analysts avoid reading email and reconstructing Web pages, but FWA investigations essentially rely on that very task. FWA is seldom easily detected using alert-based mechanisms, so identifying real FWA can turn into a fishing expedition where all content is analyzed in the "hope" of finding something bad. I think this is a waste of resources as well.

Having said that, in some cases NSM data can be used to support FWA tasks. However, I do not think FWA investigation should be a routine part of NSM operations.

What do you think?

Wednesday, September 12, 2007

Max Ray Butler in Trouble Again

In my first book I wrote the following on p 170:

WHO WROTE PRIVMSG?

The author of Privmsg served one year in prison after pleading guilty in a U.S. District Court to a single count of computer intrusion. In May 1998 he compromised numerous government, military, and academic servers running BIND and installed back doors on those systems. He was caught thanks to skillful use of session data by analysts at the AFCERT and by Vern Paxson from Lawrence Berkeley Labs. See http://www.lbl.gov/Science-Articles/Archive/bro-cyber.html for more information on Paxson’s use of Bro and the “boastful and self-justifying” e-mail the intruder sent to Paxson. For details on the intruder, see Wired’s account at http://www.wired.com/news/culture/0,1284,54838,00.html. Kevin Poulsen’s story at http://www.securityfocus.com/news/203 has more details.

The bottom line is it does not pay to infiltrate government machines -- especially Air Force servers or computers monitored by IDS researchers.


I didn't name Max Ray Butler (aka "Max Vision") as the author of Privmsg, but if you followed the stories you would have figured that out yourself.

I also didn't publicize this August 2002 post by Max to the SecurityFocus Jobs mailing list, subject line bay area security professional, $6.75/hr... Please read below!:

Greetings security employers:

I have an unusual situation that I would like to describe to you, and in doing so I am asking that anyone who can immediately employ me in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 San Fransisco Bay Area, please read this email and consider taking advantage of my availablity and temporarily low cost.

I am...
o a seasoned professional with extensive security skills and experience
o a once convicted hacker (DOD, 1998)
o local to the San Francisco Bay Area, I live in Oakland
o willing to work for minimum wage (for the next two months)
o eager to work 60 hour weeks; I don't mind nights/weekends/holidays...

My Conviction (why I am desperate)

I am not proud of being convicted of a felony, but it is important that a potential employer know of my status. Apparently if you have FDIC insurance there is a clause stating that you cannot hire a convicted hacker on your projects. It is also because of my status that I am desperate for security-related or even internet-related work.

The truth is, I am living in a federal halfway house transitioning out of prison back into society. I have to find local work to meet their requirements, and they haven't approved any telecommute offers I have had so far. The director of the facility told me that if I don't find a job in the next week or so he will send me back to prison (my sentence actually ends October 12th)...

Sincerely,

Max Vision


That's one of the saddest and most pathetic posts I've ever read.

So where are we now, five years later? Check out Max Vision charged with hacking -- again:

In a five-count indictment unsealed on Tuesday, federal prosecutors allege that Butler ran a scheme to hack into computers at financial institutions and credit-card processing centers, stealing account information and selling the data to others. Butler also ran the online carders' forum, CardersMarket, under the name "Iceman" and "Aphex" as a way to coordinate illegal activities and meet people with similar interests, according to an affidavit penned by the U.S. Secret Service, which spearheaded the investigation...

During the 16-month investigation, the Secret Service maintained two confidential informants, one of which was an administrator on the CardersMarket forum. The informants gave the investigators an eye-opening view of the inner workings of the carders' world, the affidavit stated.

Butler purportedly used at least five different handles -- including "Iceman," "Aphex," and "Digits" -- in an attempt to confuse law enforcement and keep his administrative activities on CardersMarket separate from his outright illegal activities, the affidavit maintains...

A federal grand jury indicted Butler on charges of wire fraud and identity theft. If Butler is found guilty of all five charges, he could face up to 70 years in prison and a fine of $1.5 million, according to the U.S. Attorney's Office in Pittsburgh. Butler is currently being held in San Francisco until he appears in court on Monday.


I know Mr Butler is innocent until proven guilty in US courts, but human evidence gathered by informants is going to be tough to beat.

Show this post to your kids if they think "[malicious] hacking is cool." If you think "[malicious] hacking is cool," remember Mr Butler's fate the next time you break the law.

Friday, July 27, 2007

Goodbye AIA

A friend from my AFCERT days left a comment indicating that the 33 IOS split into two different squadrons, the 33 NWS (the old AFCERT) and the 91 NWS. This prompted me to look at the organizational structure of my old Air Force units.

I realized that last month what used to be Air Intelligence Agency is now Air Force Intelligence, Surveillance and Reconnaissance Agency, according to this story. AFISR now works as a field operating agency for AF/A2, the Deputy Chief of Staff for Intelligence, Surveillance and Reconnaissance, Lt. Gen. David A. Deptula. AIA was part of 8th Air Force, but that experiment has been reversed.

It looks like AFISR has lost information operations duties since it's now an "ISR" agency. According to Air Force ISR Agency, the AF/A2 says:

"Air Intelligence Agency was traditionally focused on a particular intelligence discipline, signals intelligence," said General Koziol. "Now we are expanding our capabilities into geo-spatial-intelligence, imagery, human intelligence, and measurement and signature intelligence disciplines. As an integral member of our nation's combat forces, we are focused on integrating the information derived by those capabilities and delivering critical information to combatant commanders and national level decision makers."

That's news to me. I think AIA was doing those missions previously, but Deptula wants a single agency responsible for all of it. He gets that with AFISR. Information operations are now part of Air Force Cyber Command, which apparently will become active this fall.

I have mixed feelings about AIA's fate. Lt. Gen. Deptula is a three-star, which outranks previous top intel generals (who were two-stars). Putting a three-star with ISR responsibilities at HQ AF will probably give ISR greater attention. However, the word "intel" appears three times in Deptula's bio -- all in relation to his existing job. He's a career F-15 driver, so once again we have a pilot as the Air Force's "top intel guy." This is sad. Are there no good Air Force intel generals available? Hopefully the new AFISR commander, Maj. Gen. John C. Koziol, will be able to step up when Deptula moves on.

The only saving grace in this situation is that the king of all intel officers continues to be Gen. Michael Hayden, Director of the Central Intelligence Agency.

Friday, July 13, 2007

Thanks for the Memories Sys Admin Magazine

David Bianco clued me in to the fact that, after 15 years, Sys Admin magazine is shutting down. (I was on the road this week and found the issue in my mail when I returned.) The August 2007 issue, pictured at left, is the last. Appropriately for the digital security community, the issue topic is Information Security. I bought my first issue of Sys Admin in the fall of 1999, at the point where I was finally coming to grips with my work at the AFCERT. I had spent the previous year-plus climbing the steep learning curve associated with becoming a network security analyst and I was ready to learn more about system administration. Looking at the copy in my hands, I see where I underlined (using a straight edge, a practice I continue to this day) content I believed was useful. That issue featured articles like:

  • Maintaining Patch Levels with Open Source BSDs by Michael Lucas

  • Landmining the Cracker's Playing Field by Amy Rich

  • Hardening a Host by Dave D. Zwieback

  • Intrusion Detection Strategies and Design Considerations by Ronald McCarty

  • Practical Packet Sniffing by John Mechalas


No wonder I bought that issue! Michael Lucas, if you're reading this -- I marked the heck out of your article. It's one of the first artifacts I have of my involvement with FreeBSD.

After subscribing to the magazine for several years, I managed to get my first article into the April 2004 issue -- Integrating the Network Security Monitoring Model. This introduced NSM to a wide audience prior to the publication of my first book. That was followed in February 2005 with More Tools for Network Security Monitoring. I covered Dhcpdump, PADS, and SANCP. Funny, I'd forgotten all about Dhcpdump, but I might be able to use it for a certain problem. This demonstrates one of the main reasons I write -- I can't remember everything that might be helpful! In February 2006 I was confident enough to try writing about FreeBSD, so I contributed Keeping FreeBSD Up-to-Date. This detailed a variety of means to keep the FreeBSD OS up-to-date, including all the old methods plus new ones some people haven't heard about or are unwilling to try. It's nice to see many of these new methods integrated into the base OS in later versions of FreeBSD 6.x. My last article appeared in the August 2006 issue, called Tuning Snort. I talked about the essential tasks one should perform for any Snort installation.

I hope Sys Admin publishes a final CD with all of the magazine's issues. Sys Admin, thanks for the memories, for the learning, and for the opportunity to contribute.

Wednesday, July 04, 2007

One Review, One Pre-Review

Amazon.com just published my four-star review of Exploiting Software. From cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 review:

I read Exploiting Software (ES) last year but realized I hadn't reviewed it yet. Having read other books by these authors, like McGraw's Software Security and Hoglund's Rootkits, I realized ES was not as good as those newer books. At the time ES was published (2004) it continued to define the software exploitation genre begun in Building Secure Software. However, I don't think it's necessary to pay close attention to ES when newer books by McGraw and Hoglund are now available.

I'm looking forward to reading Network Warrior by Gary A. Donahue. This book has the second-best subtitle of all of the technical books on my shelves:

Everything you need to know that wasn't on the CCNA exam

I quickly skimmed this book at USENIX and I think it will be valuable. I like books that take a nontraditional look at networking issues.

If you're wondering what my favorite subtitle is, it appears in the nearly ten-year-old book The Next World War by James Adams, original founder of iDefense. The book makes silly mistakes (discussing the "Iraqi printer virus") but it was cool to see it talk about the AFCERT and name one of our lieutenants (who was there before I arrived). It was published in 1998 (not 2001 as indicated at Amazon.com) with the subtitle:

Computers are the Weapons and the Front Line Is Everywhere

That is still true today.

Tuesday, April 17, 2007

Management by Fact: Flight Data Recorder for Windows

Whenever I fly I use the time to read ;login: magazine from USENIX. Chad Verbowski's article The Secret Lives of Computers Exposed: Flight Data Recorder for Windows in the April 2007 issue was fascinating. (Nonmembers can't access it until next year -- sorry.) Chad describes FDR:

Flight Data Recorder (FDR) collects events with virtually no system impact, achieves 350:1 compression (0.7 bytes per event), and analyzes a machine day of events in 3 seconds (10 million events per second) without a database. How is this possible, you ask? It turns out that computers tend to do highly repetitive tasks, which means that our event logs (along with nearly all other logs from Web servers, mail servers, and application traces) consist of highly repetitive activities. This is a comforting fact, because if they were truly doing 28 million distinct things every day it would be impossible for us to manage them.

Ok, that's cool by itself. However, the insights gained from these logs are what I'd like to highlight.

Before investigating my own computer’s sordid life, I wanted to understand the state of what ought to be well-managed and well-maintained systems. To understand this I monitored hundreds of MSN production servers across multiple different properties. My goal was to learn how and when changes were being made to these systems, and to learn what software was running. Surely machines in this highly controlled environment would closely reflect the intentions of their masters? However, as you’ll see in the following, we found some of them sneaking off to the back of the server room for a virtual cigarette.

When I read this I remembered what I said in my recent Network Security Monitoring History post. The Air Force in the early 1990s thought it was pretty squared away. The idea behind deploying ASIM sensors was to "validate" the common belief that the Air Force network was "secure." When ASIM started collecting data, AFIWC and AFCERT analysts realized reality was far different.

In my post Further Thoughts on Engineering Disasters I mentioned management by belief (MBB) vs management by fact (MBF). With MBB you make decisions based on what you assume is happening. With MBF you make decisions based on what you measure to be happening. It's no accident the M in ASIM stands for Measurement.

This is exactly what Chad is doing with FDR -- moving from MBB to MBF:

To avoid problems, administrators form a secret pact they call lockdown, during which they all agree not to make changes to the servers for a specific period of time. The theory is that if no changes are made, no problems will happen and they can all try to enjoy their time outside the hum of the temperature-controlled data center.

Using FDR, I monitored these servers for over a year to check the resolve of administrators by verifying that no changes were actually made during lockdown periods. What I found was quite surprising: Each of the five properties had at least one lockdown violation during one of the eight lockdown periods. Two properties had violations in every lockdown period.

We’re not talking about someone logging in to check the server logs; these are modifications to core Line-Of-Business (LOB) and OS applications. In fact, looking across all the hundreds of machines we monitored, we found that most machines have at least one daily change that impacts LOB or OS applications.
(emphasis added)

That is an ITIL or Visible Ops nightmare. It gets better (or worse):

We would all expect server environments to be highly controlled: The only thing running should be prescribed software that has been rigorously tested and installed through a regulated process.

Using the FDR logs collected from the hundreds of monitored production servers, I learned which processes were actually running. Without FDR it is difficult to determine what is actually running on a system, which is quite different from what is installed. It turns out that only 10% of the files and settings installed on a system are actually used; consequently, very little of what is installed or sitting on the hard drives is needed.


Brief aside -- what a great argument for building a system up from scratch instead of trying to strip out unnecessary components!

Reviewing a summary of the running processes, we found several interesting facts. Fully 29% of servers were running unauthorized processes. These ranged from client applications such as media players and email clients to more serious applications such as auto-updating Java clients. Without FDR, who can tell from where the auto-updating clients are downloading (or uploading?) files and what applications they run? Most troubling were the eight processes that could not be identified by security experts.

Again, facts show the world is not as it was assumed. Now remediation can occur.
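To make the management-by-fact idea concrete, here is an added example that is my own code, not FDR, not Chad's article, and not anything from this blog. It runs the two checks the quoted passages describe over a constructed FDR-style event log: change events that land inside a declared lockdown window, and processes started that are not on an allowlist. It also collapses the raw events into (host, kind, actor, object) templates to show the repetition that FDR-style recorders rely on for compression. The record layout, hostnames, paths, lockdown dates and allowlist are all constructed assumptions.

```python
"""Management-by-fact checks over a constructed FDR-style host event log.

Added example for this post; not code from FDR, Chad Verbowski, or the
blog author. The record layout (timestamp host kind actor object), the
hosts, paths, lockdown window and allowlist are all constructed.
"""
from collections import Counter
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed lockdown window (a change freeze) and process allowlist.
LOCKDOWNS = [("2007-03-02T18:00:00Z", "2007-03-05T06:00:00Z")]
AUTHORIZED_EXE = {"svchost.exe", "services.exe", "w3wp.exe", "msiexec.exe", "explorer.exe"}
CHANGE_KINDS = {"file_write", "file_delete", "registry_set"}


def parse_ts(text):
    return datetime.strptime(text, TS_FMT)


def constructed_log():
    """A day of routine, highly repetitive events plus a handful of unusual ones."""
    lines = []
    t0 = parse_ts("2007-03-01T00:00:00Z")
    for i in range(720):  # every two minutes a worker rereads the same config
        host = "web01" if i % 2 == 0 else "web02"
        ts = (t0 + timedelta(minutes=2 * i)).strftime(TS_FMT)
        lines.append(f"{ts} {host} file_read w3wp.exe C:\\inetpub\\wwwroot\\app\\web.config")
    lines += [
        "2007-03-01T02:00:05Z web01 file_write msiexec.exe C:\\inetpub\\wwwroot\\app\\web.config",
        "2007-03-01T03:15:40Z web01 proc_start services.exe C:\\Windows\\System32\\svchost.exe",
        "2007-03-02T22:10:12Z web01 file_write msiexec.exe C:\\Program Files\\LOB\\billing.dll",
        "2007-03-02T22:11:00Z web02 proc_start explorer.exe C:\\Program Files\\Java\\jre\\bin\\jusched.exe",
        "2007-03-03T09:00:00Z web02 proc_start svchost.exe C:\\Windows\\System32\\inetsrv\\w3wp.exe",
        "2007-03-03T12:30:00Z web02 proc_start explorer.exe C:\\Program Files\\Windows Media Player\\wmplayer.exe",
    ]
    return sorted(lines)  # ISO timestamps sort correctly as strings


def parse_events(lines):
    """Split 'timestamp host kind actor object' records; the object may contain spaces."""
    events = []
    for line in lines:
        ts, host, kind, actor, obj = line.split(maxsplit=4)
        events.append({"ts": parse_ts(ts), "host": host, "kind": kind,
                       "actor": actor, "object": obj})
    return events


def lockdown_violations(events, windows=LOCKDOWNS):
    """Change events that fall inside a declared lockdown window."""
    spans = [(parse_ts(a), parse_ts(b)) for a, b in windows]
    return [e for e in events
            if e["kind"] in CHANGE_KINDS
            and any(start <= e["ts"] < end for start, end in spans)]


def unauthorized_processes(events, allowlist=AUTHORIZED_EXE):
    """Executables started on any host whose file name is not on the allowlist."""
    started = {e["object"].rsplit("\\", 1)[-1].lower()
               for e in events if e["kind"] == "proc_start"}
    return sorted(started - {a.lower() for a in allowlist})


def template_summary(events):
    """Collapse events to (host, kind, actor, object) templates with counts.

    The ratio of raw events to distinct templates is the repetition that lets
    an FDR-style recorder store a day of activity in very little space.
    """
    counts = Counter((e["host"], e["kind"], e["actor"], e["object"]) for e in events)
    return counts, len(events) / len(counts)


if __name__ == "__main__":
    evts = parse_events(constructed_log())
    for v in lockdown_violations(evts):
        print("LOCKDOWN VIOLATION", v["ts"], v["host"], v["actor"], v["object"])
    print("unauthorized processes:", unauthorized_processes(evts))
    templates, ratio = template_summary(evts)
    print(f"{len(evts)} events collapse to {len(templates)} templates ({ratio:.1f}:1)")
```

On the constructed log the only lockdown violation is the billing.dll write on the evening of March 2, the two unauthorized executables are the Java updater and the media player (the same two categories the article calls out), and 726 events collapse to 8 templates. The checks are deliberately dumb: they decide from recorded facts, not from what the change calendar says should have happened.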

Chad's closing thoughts are helpful:

For the past 20 years, systems management has been more of a “dark art” than a science or engineering discipline because we had to assume that we did not know what was really happening on our computer systems. Now, with FDR’s always-on tracing, scalable data collection, and analysis, we believe that systems management in the next 20 years can assume that we do know and can analyze what is happening on every machine. We believe that this is a key step to removing the “dark arts” from systems management.

The next step is to get some documentation posted on how to operationally use FDR, which is apparently in Vista. Comments are appreciated!

Update: MBB and MBF are concepts I learned from Visible Ops.

Wednesday, April 11, 2007

Network Security Monitoring History

Recently a network forensics vendor was kind enough to spend some time on a WebEx-type session describing their product. I try to stay current with technology so I can offer suggestions to clients with budgets for commercial products.

During the talk the presenter was very excited by his company's capability to collect all traffic and examine it later for troubleshooting and security purposes. He implied this was a "new capability in this space," so I asked if he had read any of my books. He said no, but he did read my blog. It occurred to me that it might be helpful to reprint the history of NSM I wrote for Tao of Network Security Monitoring.

I'm doing this for three reasons. First, I want people to know that the ideas I've been publicly evangelizing since 2002 actually date back 10, perhaps 13 years earlier. I take credit for paying attention to smart people with whom I worked when I first started in this field. I don't take credit for inventing the idea that we need high quality network traffic to perform security investigations!

Second, I want to provide a public record of these historical capabilities. As I talk to more vendors I don't want them to think I'm "stealing their ideas," since many of "their ideas" were invented before some of their programmers graduated from elementary school.

Third, one day (perhaps in 2008 or 2009) I would like to blog again and link back to this post. Hopefully I'll have commercial tools providing these capabilities to anyone who wants them, and plenty of companies will be declaring themselves the "world's first blah" and "pioneers of blah" and so forth. I'll be happy that customers will finally have the data they need to understand what is happening in their enterprise, whatever weird, long, and contentious road was followed.

I can testify to the following history of network security monitoring because I participated in these events or have spoken directly with the participants who made the events happen. I base my understanding of the early days of NSM on information learned from Todd Heberlein and on my work with pioneers like Larry Shrader and Roberto Garcia.

NSM began as an informal discipline with Todd Heberlein’s development of the Network Security Monitor. The Network Security Monitor was the first intrusion detection system to use network traffic as its main source of data for generating alerts. Heberlein and others worked at the University of California at Davis from 1988 through 1995 on the Network Security Monitor, although by 1991 initial Network Security Monitor system research and development was complete.

The Air Force Computer Emergency Response Team (AFCERT) was the first organization to informally follow NSM principles. The AFCERT was created on October 1, 1992, partially as a result of the 1988 Morris Worm. The team began work as part of the Air Force Cryptologic Support Center at Kelly Air Force Base in San Antonio, Texas. When the Air Force Information Warfare Center (AFIWC) was activated on September 10, 1993, the AFCERT joined that unit. The AFCERT’s mission during the 1990s was to conduct Computer Network Defense (CND) operations to secure and protect the global Air Force communication and computer (C2) weapon system.

The Air Force had long recognized the need for intrusion detection systems, initially funding the Haystack host-based audit trail intrusion detection system. In 1993 the AFCERT worked with Heberlein to deploy a version of the Network Security Monitor as an Automated Security Incident Measurement (ASIM) system. The Air Force’s intent was to measure the level of malicious activity on its networks as a way to perform threat assessment. By gaining an accurate idea of the capabilities and intentions of its adversaries, the AFCERT could position itself to acquire the funding, personnel, and responsibilities needed to properly monitor Air Force networks.

In the mid-1990s the Air Force’s network consisted of well over 100 Internet points-of-presence, but by the end of 1995 the AFCERT monitored only 26 installations. By the end of 1996 coverage had doubled to 52 Air Force bases and three “Joint” or multi-service locations. By mid-1997 ASIM sensors watched all officially sanctioned Air Force Internet points-of-presence. (Like any large organization, the AFCERT struggled to deal with local base commanders, or “management,” who bypassed authorized Internet connections by installing their own Internet links.) In 1998 the AFCERT added the Wheel Group’s NetRanger sensors to its toolbox, using them at the request of Central Command to monitor its forward locations in the Middle East.

The AFCERT implemented network security monitoring through products, people, and processes. ASIM was the tool used to generate indications and warnings. AFCERT analysts worked in real-time or batch cells, either reviewing near-real-time alerts or daily session records. Both teams had access to full content or transcript data collected by ASIM for certain high-value services, such as Telnet, rlogin, FTP, HTTP, and other protocols. Analysts escalated evidence of suspected intrusions to the Incident Response Team (IRT), which validated and investigated intrusions. After the Melissa virus hit in March 1999, the AFCERT formed a dedicated virus team to specifically handle malware outbreaks.
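To show what the "daily session records" reviewed by the batch cell actually are, and why session data alone was enough to trace the Privmsg intruder mentioned at the top of this page, here is an added example that is my own code, not ASIM, SANCP, Argus, or anything from this blog. It folds constructed packet summaries into one bidirectional record per flow and then answers the two questions an analyst asks of session data when no alert fired: every session involving a given host, and every session opened from outside the monitored network to an internal service port. The addresses, ports, timings and byte counts are constructed, and the monitored prefix 10.1.0.0/16 is an assumption.

```python
"""Session records from packet summaries, the way NSM session data works.

Added example for this post; not code from ASIM, SANCP, Argus or the blog
author. Every packet, address, port and the monitored prefix is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MONITORED = ip_network("10.1.0.0/16")  # assumed address space of the monitored site

# Constructed packet summaries: (time, src, sport, dst, dport, proto, bytes).
# Internal client 10.1.2.20 does a DNS lookup and fetches a web page; an
# external host 198.51.100.7 opens TCP sessions to an internal name server
# on ports 53 and 23. No signature fires on any of this.
PACKETS = [
    (100.00, "10.1.2.20", 51000, "10.1.1.53", 53, "udp", 64),
    (100.01, "10.1.1.53", 53, "10.1.2.20", 51000, "udp", 180),
    (101.00, "10.1.2.20", 40001, "203.0.113.80", 80, "tcp", 60),
    (101.05, "203.0.113.80", 80, "10.1.2.20", 40001, "tcp", 60),
    (101.06, "10.1.2.20", 40001, "203.0.113.80", 80, "tcp", 400),
    (101.30, "203.0.113.80", 80, "10.1.2.20", 40001, "tcp", 1460),
    (101.31, "203.0.113.80", 80, "10.1.2.20", 40001, "tcp", 900),
    (101.50, "10.1.2.20", 40001, "203.0.113.80", 80, "tcp", 52),
    (200.00, "198.51.100.7", 4455, "10.1.1.53", 53, "tcp", 60),
    (200.10, "10.1.1.53", 53, "198.51.100.7", 4455, "tcp", 60),
    (200.20, "198.51.100.7", 4455, "10.1.1.53", 53, "tcp", 900),
    (200.50, "10.1.1.53", 53, "198.51.100.7", 4455, "tcp", 1460),
    (203.00, "10.1.1.53", 53, "198.51.100.7", 4455, "tcp", 1460),
    (205.00, "198.51.100.7", 4455, "10.1.1.53", 53, "tcp", 52),
    (260.00, "198.51.100.7", 4460, "10.1.1.53", 23, "tcp", 60),
    (260.10, "10.1.1.53", 23, "198.51.100.7", 4460, "tcp", 60),
    (260.20, "198.51.100.7", 4460, "10.1.1.53", 23, "tcp", 80),
    (300.00, "198.51.100.7", 4460, "10.1.1.53", 23, "tcp", 52),
]


@dataclass
class Session:
    proto: str
    orig: str
    orig_port: int
    resp: str
    resp_port: int
    start: float
    end: float
    pkts_out: int = 0   # originator -> responder
    pkts_in: int = 0    # responder -> originator
    bytes_out: int = 0
    bytes_in: int = 0


def build_sessions(packets):
    """Fold packets into one record per bidirectional flow.

    The first packet seen names the originator (a real sensor would use the
    SYN); both directions share one key regardless of who sent each packet.
    """
    sessions = {}
    for ts, src, sport, dst, dport, proto, size in sorted(packets):
        key = (proto,) + tuple(sorted([(src, sport), (dst, dport)]))
        s = sessions.get(key)
        if s is None:
            s = sessions[key] = Session(proto, src, sport, dst, dport, ts, ts)
        s.end = max(s.end, ts)
        if (src, sport) == (s.orig, s.orig_port):
            s.pkts_out += 1
            s.bytes_out += size
        else:
            s.pkts_in += 1
            s.bytes_in += size
    return sorted(sessions.values(), key=lambda s: s.start)


def sessions_involving(sessions, host):
    """Every session in which host was originator or responder, alert or no alert."""
    return [s for s in sessions if host in (s.orig, s.resp)]


def inbound_to_service(sessions, port, proto="tcp", inside=MONITORED):
    """Sessions opened from outside the monitored prefix to an internal service port."""
    return [s for s in sessions
            if s.proto == proto and s.resp_port == port
            and ip_address(s.resp) in inside and ip_address(s.orig) not in inside]


def fmt(s):
    return (f"{s.start:8.2f}-{s.end:<8.2f} {s.proto} {s.orig}:{s.orig_port} -> "
            f"{s.resp}:{s.resp_port} out {s.pkts_out}p/{s.bytes_out}B "
            f"in {s.pkts_in}p/{s.bytes_in}B")


if __name__ == "__main__":
    sess = build_sessions(PACKETS)
    print("all sessions involving 198.51.100.7:")
    for s in sessions_involving(sess, "198.51.100.7"):
        print(" ", fmt(s))
    print("inbound TCP/53 from outside the monitored space:")
    for s in inbound_to_service(sess, 53):
        print(" ", fmt(s))
```

The records carry no payload, which is what makes them cheap to keep for every connection: an analyst can still see that an outside host held a multi-kilobyte TCP conversation with a name server and then opened a Telnet session to the same machine, and can pull the full content ASIM kept for Telnet to read the transcript. The packet summaries here stand in for what a sensor would take off a tap.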

In late 2000, Ball Aerospace & Technologies Corporation (BATC) asked Robert “Bamm” Visscher and me to help transition intrusion detection techniques to the commercial sector. Bamm and I had worked with Larry Shrader in the AFCERT, and we set about creating an NSM operation from scratch. Working on a tight budget, and realizing available commercial IDS products didn’t suit our needs, Bamm developed the Snort Personal Real-time Event GUI (SPREG).

SPREG began its life as a Tcl/Tk program to watch attacks on Bamm’s cable modem connection. As I trained analysts to take on 24 by 7 monitoring duties, Bamm refined SPREG to meet our NSM needs. SPREG relied on Snort for its alert and full content data. John Curry, acting as a consultant, wrote code to collect session data. All three elements were integrated, and by the spring of 2001 BATC offered the first true commercial NSM operation to nongovernment customers. Our 12 analysts interpreted alert, session, and full content data to discover intruders.

In June 2001 I “hacked” a copy of Congressman Lamar Smith’s Web page while Bamm demonstrated our monitoring capability. On July 13, 2001, one of our analysts, LeRoy Crooks, detected the Code Red worm -- six days before it struck the general Internet population. I posted his findings to the SecurityFocus Incidents list on July 15, 2001.

In April 2002, I left BATC to become a consultant with Foundstone. While performing incident response duties I employed emergency NSM to investigate intrusions against several Fortune 100 companies. I began using Argus to collect session data because I no longer had access to the proprietary code BATC bought to collect session data. I began teaching NSM principles to students of Foundstone’s “Incident Response” and “Ultimate Hacking” classes. I also taught NSM to two sessions’ worth of SANS intrusion detection track attendees who responded to my request to abandon the formal material in favor of something more relevant.

On December 4, 2002, Bamm and I presented a Webcast for SearchSecurity.com titled “Network Security Monitoring” (www.taosecurity.com/news.html). This presentation offered the first formal definition of NSM as “the collection, analysis, and escalation of indications and warnings (I&W) to detect and respond to intrusions.” At the time I was only theorizing about the use of statistical information and limited NSM to event, session, and full content data. (I began using the term “alert” rather than “event” data when writing this book in fall 2003.)

In late 2002 Bamm began work on an open source NSM product called the Snort GUI for Lamerz (SGUIL). (Sguil’s name was born in an IRC session and was not designed with marketing in mind!) Bamm registered sguil.sourceforge.net and announced Sguil’s initial availability in January 2003. At the time the most popular open source GUI for Snort was ACID. Throughout 2003 Sguil gained momentum, and it appeared in a second NSM Webcast on August 21, 2003. During 2003 the fourth edition of Hacking Exposed was published. It featured a case study I wrote, which included the NSM definition and this nod to the “father of NSM”:

“Inspired in name by Todd Heberlein’s ‘Network Security Monitor,’ NSM is an operational model based on the Air Force’s signals intelligence collection methods. NSM integrates IDS products, which generate alerts; people, who interpret indications and warning; and processes, which guide the escalation of validated events to decision makers.”


I'd like to add a few more points to that original script. First, in 1999-2000, I remember using the AFCERT's Common Intrusion Detection (CID) Java console to right-click and call Ethereal to decode Libpcap data for alerts or sessions of interest. The Libpcap data was collected by our ASIM (Automated Security Incident Measurement) sensors independent of the alerts or sessions. This year you are going to see IDS/IPS vendors tying into network forensic appliance application programming interfaces to do this same trick, only eight years later.

I may try to add to this as I remember more details. Any old Air Force guys out there with memories to add, please feel free to leave comments. Thank you.

Wednesday, March 21, 2007

Ubiquitous Monitoring on the Horizon

In January I wrote The Revolution Will Be Monitored. Today I read Careful, the Boss Is Watching:

Recently, software vendor Ascentive LLC installed its new BeAware employee monitoring application on all the PCs at one of its new corporate clients. The corporation notified its employees that their Web surfing habits -- as well as their email, instant messaging, and application usage -- were now being monitored and recorded.

"Internet usage at the corporation dropped by 90 percent almost overnight," recalls Adam Schran, CEO of Ascentive. "As soon as employees knew they were being monitored, they changed their behavior."


Wow, what a bandwidth saver. Who needs to upgrade the T-3 when you actually take measures to enforce your stated security policy? The story continues:

While tools for tracking employee network usage have been available for years, emerging products such as BeAware take monitoring to a whole new level. The new BeAware 6.7 lets managers track workers' activity not only on the network or in the browser, but also in email, chatrooms, applications, and shared files. And at any unannounced moment, a manager can capture an employee's screen, read it, and even record it for posterity.

Such exhaustive monitoring may seem a bit draconian to the uninitiated, but analysts and vendors all say the use of such "Big Brother" software can make a drastic impact on productivity and security. In a recent study by AOL and Salary.com, 44.7 percent of workers cited personal Internet use as their top distraction at work. A Gallup poll conducted in 2005 indicated that the average employee spends more than 75 minutes a day using office computers for non-business purposes.

Once employees know their activities are being monitored, however, their personal computer use is quickly curtailed, Schran observes.


This reminds me of an event that happened when I was working the night shift at the AFCERT in 1999. We had witnessed a rash of attacks against vulnerable Microsoft FrontPage installations. Around 2 or 3 am I noticed someone altering the Web site of an Air Force base in Florida. Looking at the source IP it looked like it might belong to someone who worked on base. I managed to tie a home telephone number to the IP and I called, asking if so-and-so was currently modifying the af.mil Web site. I remember a surprised lady answering the phone and asking, "So you can see what I'm doing right now?"

I have never been a fan of monitoring network traffic to reduce what .mil and .gov call "fraud, waste, and abuse." You won't read recommendations for using Network Security Monitoring to intercept questionable Web surfing, for example. However, this story is another data point for my prediction that we are moving to a workplace where everything is monitored, all the time.

If you try to implement this sort of activity, you had better be sure to have an ironclad policy and support from your legal staff. I would call this level of invasion of privacy a wiretap.

Thursday, November 02, 2006

Air Force Cyberspace Command

According to Air Force Link, 8th Air Force will become the new Air Force Cyberspace Command. This appears to be the next step following the creation of an Air Force Network Operations Command structure in August. That came on the heels of the Air Force Information Warfare Center being redesignated as the Air Force Information Operations Center. That was a result of the Air Force Tactical Fighter Weapons Center being redesignated as the Air Force Warfare Center. In a related move, the former 67th Information Operations Wing is now the 67th Network Warfare Wing. Follow all that?

It also appears the Air Force is centralizing control of network operations and security centers, according to this article:

All Air Force network operations security centers, which were previously decentralized among the major commands, will consolidate under the 67th with the stand-up of two integrated network operations and security centers, or I-NOSCs, located at Langley AFB, Va., and at Peterson AFB, Colo.

Apparently the former AFCERT, now the Air Force Network Operations and Security Center Network Security Division (AFNOSC NSD) in San Antonio, TX, is adding 191 MacAulay-Brown contractors.

For some higher level insights into these changes, the latest version of AFI 33-115v1: Network Operations (.pdf) might be interesting.

Returning to the creation of the new Cyberspace Command -- remember the Air Force was once part of the United States Army. I see no reason why the United States should maintain independent services that fight on land, sea, air, and space, but have cyber forces scattered throughout the other services. (You might make the counter-argument that each service maintains its own "air forces," but these support their parent service.)

I think within my lifetime we will see an independent Cyber Force to centralize information warfare capabilities alongside the Army, Navy, Air Force, and Marines. If it happens within the next 10 years, I think Col Greg Rattray might be in charge. (Yes, I'm assuming he continues to be promoted!) Before that happens, I'd like to see the new Cyberspace Command sponsor a new Air Force Specialty Code (AFSC) for information warriors. The current Intel or Comm paradigm isn't suitable.

Sunday, January 15, 2006

DoD CyberCrime Conference Wrap-Up

I attended two conferences last week. The first was the 2006 DoD Cybercrime Conference in Palm Harbor, FL. I spoke there in 2000 while still a captain at the AFCERT, and in 2005 as a civilian. This year I delivered presentations on network incident response and network forensics.

I started the conference on Tuesday afternoon by listening to Alan Paller from SANS. His talk included a "hacking demo" showing a firewall compromised by an IMAP vulnerability, followed by a Red Hat 4.2 box allowing a direct root login with no password, thanks to an unspecified exploit. He also displayed screen shots of rootshell.com, warforge.com, and NetBus 1.6. What do all of those items have in common? How about the fact that they all went out of style prior to 2000?

In reality, I'm not sure which of the following worries me more:

  1. Seeing Alan present a demo where an OS from 1997 is 0wn3d.

  2. Seeing law enforcement, military, and government audience members taking notes as if something new was being described.


Apart from his demo, I thought Alan made a few interesting remarks, like the following:

  • "A firewall is a steel door on a cardboard house." That is an interesting twist on the old "crunchy perimeter" cliche.

  • "The national cyber defense strategy of the United States is to blame the user." Alan then asked "Which user -- the grandmother or the eight-year-old?" Good point.

  • "Network owners, ISPs, system and software vendors are the only ones who can make cyberspace significantly safer for all of us." Alan also blames system integrators who deliver "solutions" to agencies.


I had a chance to ask Alan why he praises the Air Force contract with Microsoft, while never mentioning the Navy's move to thin clients. Alan was kind enough to call me "one of the good guys," and to say that thin clients are an option that should be explored.

After hearing Alan speak I wandered around until I met a few friends from my AFCERT days. Next I attended Johnny Long's exposé of hacking as portrayed in the movies. Parts of it were hilarious. He put a ton of work into that presentation. I next saw the screenwriter of the movie "Enemy of the State" talk about how to portray villains on screen. After an uncomfortably long video clip showing Hitler rant about "one People, one Reich, one Fuehrer," I decided to leave the talk early to visit some friends in St. Petersburg.

I started Wednesday by presenting my own material at 0930. I wanted to see Kerry Long from the Army Research Lab discuss a project called Interrogator, but I missed it. Thankfully Kerry tracked me down and even sat through my second presentation. During lunch he described his talk.

Interrogator is a means to filter, collect, compress, and centrally store network traffic. The problem his project addresses is one I hadn't considered before. Let's say you are a network security vendor. If you want the military to test your product, you probably want them to deploy your gear on a production network. That is usually your only deployment model.

The military does not want to put your device on the network. They would rather test it in a lab. However, lab traffic usually doesn't match production traffic very well. Interrogator allows Kerry to pull large quantities of traffic to a central, trusted location (his lab), where it can be replayed on an isolated network. A security device in the lab can then inspect the traffic.

After lunch I gave a second talk, and then I listened to Jennifer Christianson discuss tips and tricks for host-based forensics. She basically reminded me that anybody can talk the talk of doing forensics (or any other technical job), but you have to do it on a daily basis to really know what you are doing. It's been a while since I had to do any host-based forensics, so I was reminded of the importance of regular hands-on problem-solving tasks. The next talk absolutely justified me paying my way to the conference and not leaving immediately after my talks. I listened to Dr. Nasir Memon from Polytechnic University in Brooklyn, NY describe ForNet. This is the coolest project I have heard of in years.

ForNet summarizes network traffic it observes on the wire. Dr. Memon described summarizing 1-2 TB of network traffic down to 20 GB. He uses a system of hashing and statistical probabilities involving Bloom Filters to describe the traffic. This does not mean one can inspect that 20 GB of traffic and see original packets. Rather, one can query ForNet and ask "have you ever seen traffic that looks like this?" "This" could be the payload of a worm, part of an email, a movie, and so on.
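The block-level Bloom filter summary described above, as an added example that is not ForNet's own code: each constructed payload is cut into 64-byte blocks, the blocks are recorded in a Bloom filter whose bit array is all that is retained, and the filter then answers "have you ever seen traffic that looks like this?" for a fragment whose alignment inside the original stream is unknown. The block size, the false-positive target, the salted SHA-256 hashing and the sample payloads are my assumptions; ForNet's hierarchy of block sizes is not reproduced.

```python
import hashlib
import math


class BloomFilter:
    """Plain Bloom filter: m bits, k salted SHA-256 positions per item (assumed design)."""

    def __init__(self, expected_items: int, fp_rate: float):
        n = max(1, expected_items)
        # Standard sizing: m = -n ln p / (ln 2)^2 bits, k = (m / n) ln 2 hashes.
        self.m = max(8, math.ceil(-n * math.log(fp_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / n * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: bytes):
        for salt in range(self.k):
            digest = hashlib.sha256(bytes([salt]) + item).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


BLOCK = 64  # bytes per payload block; an assumed size, not ForNet's hierarchy


def payload_blocks(payload: bytes, size: int = BLOCK) -> list:
    """Cut a payload into fixed-size blocks; the trailing partial block is kept."""
    return [payload[i:i + size] for i in range(0, len(payload), size)]


def summarize(payloads: list, fp_rate: float = 0.001) -> BloomFilter:
    """Insert every block of every payload.  Only the bit array survives;
    the packets themselves cannot be recovered from it."""
    blocks = [b for p in payloads for b in payload_blocks(p)]
    bf = BloomFilter(len(blocks), fp_rate)
    for b in blocks:
        bf.add(b)
    return bf


def seen(bf: BloomFilter, fragment: bytes, size: int = BLOCK) -> bool:
    """'Have you ever seen traffic that looks like this?'

    The fragment's position inside the original payload is unknown, so every
    block alignment is tried; a hit needs all full blocks at that alignment to
    be present.  A fragment shorter than one block cannot be matched at all,
    which is the price of keeping block summaries instead of packets."""
    if len(fragment) < size:
        raise ValueError("fragment shorter than one block cannot be matched")
    for offset in range(size):
        full = [fragment[i:i + size]
                for i in range(offset, len(fragment) - size + 1, size)]
        if full and all(b in bf for b in full):
            return True
    return False


# Constructed sample traffic, not real captures.
WORM_PAYLOAD = b"GET /scripts/probe.dll?" + bytes(range(256)) * 2 + b" HTTP/1.0\r\n\r\n"
EMAIL_PAYLOAD = (b"From: alice@example.com\r\nSubject: quarterly numbers\r\n\r\n"
                 + b"The attached spreadsheet is final. " * 12)
# 512 bytes that were never summarized, built from distinct digests so no two blocks repeat.
UNSEEN_FRAGMENT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))


def demo() -> dict:
    bf = summarize([WORM_PAYLOAD, EMAIL_PAYLOAD])
    return {
        "traffic_bytes": len(WORM_PAYLOAD) + len(EMAIL_PAYLOAD),
        "summary_bytes": len(bf.bits),
        "worm_slice_seen": seen(bf, WORM_PAYLOAD[37:337]),    # unaligned slice of the worm
        "email_slice_seen": seen(bf, EMAIL_PAYLOAD[5:200]),   # unaligned slice of the mail
        "unseen_seen": seen(bf, UNSEEN_FRAGMENT),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The query loop over alignments is what makes an arbitrary slice of a worm payload findable even though only block boundaries of the original stream were hashed; the trade-off is that anything shorter than one block is invisible, and a filter sized for a 0.1 percent per-block false-positive rate will occasionally report a match for a fragment it never saw, so a "yes" is a lead to pull full content for, not proof.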

Beyond summarizing traffic, ForNet tracks a variety of characteristics about what it sees. It collects a form of extended session data called NeoFlow that includes a judgment about the type of data seen. For example, if ForNet samples traffic from a stream it can identify it as being encrypted, or text, or audio, or video, and so on. One could then query for "all audio sessions" and find people trading music. The ForNet team has used this function to query for forms of data that should not be expected from certain systems. If a server should not communicate with encryption, but it does, perhaps it is compromised.
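The "extended session record with a content judgment" idea above, as an added example that is not ForNet's NeoFlow code: each constructed session gets a content class derived from a sample of its payload (printable-byte ratio for text, byte entropy for encrypted or compressed data), and a per-server expectation table flags servers carrying a type they should never produce, such as a plain web server whose sessions suddenly look encrypted. The thresholds, the 4 KB sample, the session tuple layout and the addresses are my assumptions, and audio/video classes are left out.

```python
import hashlib
import math
from collections import Counter

PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}  # ASCII text plus tab/LF/CR


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    return sum(1 for b in data if b in PRINTABLE) / len(data) if data else 0.0


def classify(sample: bytes) -> str:
    """Content judgment from a sample of the stream.  Thresholds are assumed
    for illustration; ForNet's own classifier is not reproduced."""
    if len(sample) < 256:
        return "unknown"                      # too little data to judge
    if printable_ratio(sample) >= 0.95:
        return "text"
    if byte_entropy(sample) >= 7.5:
        return "encrypted-or-compressed"      # near-uniform byte distribution
    return "binary"


def neoflow(sessions: list) -> list:
    """Extended session records: endpoints, volume and a content judgment
    made from the first 4 KB of payload (sampling policy is assumed)."""
    return [{"src": src, "dst": dst, "dport": dport, "bytes": len(payload),
             "kind": classify(payload[:4096])}
            for src, dst, dport, payload in sessions]


def policy_violations(records: list, expected: dict) -> list:
    """Servers carrying a content type they should never produce."""
    return [(r["dst"], r["dport"], r["kind"]) for r in records
            if (r["dst"], r["dport"]) in expected
            and r["kind"] not in expected[(r["dst"], r["dport"])]]


def _pseudo_random(n: int) -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 counter chain)."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return out[:n]


# Constructed sample sessions, not real captures: (client, server, port, payload).
HTML = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        b"<html><body><h1>Status</h1><p>All systems nominal.</p></body></html>\r\n") * 8
CIPHERTEXT = _pseudo_random(4096)
BINARY = bytes(range(64)) * 32

SESSIONS = [
    ("10.1.1.5", "10.1.2.10", 80, HTML),
    ("10.1.1.7", "10.1.2.10", 80, CIPHERTEXT),   # the web server should not do this
    ("10.1.1.9", "10.1.2.20", 22, CIPHERTEXT),   # SSH: encryption is expected
    ("10.1.1.9", "10.1.2.30", 21, BINARY),
]
EXPECTED = {("10.1.2.10", 80): {"text"},
            ("10.1.2.20", 22): {"encrypted-or-compressed"}}


def demo() -> list:
    return policy_violations(neoflow(SESSIONS), EXPECTED)


if __name__ == "__main__":
    for rec in neoflow(SESSIONS):
        print(rec)
    print("violations:", demo())
```

Entropy alone cannot separate encryption from compression, which is why the class is named for both; the value of the record is in the comparison with what the server is supposed to emit, not in the label by itself.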

This is an amazing achievement. I suggest reading the papers on the ForNet Web site. You may also find this .ppt interesting. Keep an eye on this blog as well; Dr. Memon invited me to visit his lab in New York and see ForNet in action. He hopes to release ForNet (written in C, maybe runs on BSD already!) as an open source project.

I found Interrogator and ForNet to be exciting ways to focus network security monitoring on application-level data, in an age where bandwidth is always an issue. Products like Sniffer InfiniStream work by collecting vast amounts of traffic in raw form, but they tend to be expensive. These projects also reminded me to watch the Network Trace Archival and Retrieval (NTAR) project for developments.

I ended Wednesday by participating in a book signing. I sat for an hour, signed one book, and gave copies of my three books away to a few stalwart visitors.

On Thursday I started the day learning of the hoops that legal folk have to jump through to get data from ISPs and online companies like Yahoo!. I then listened to Michael Davis from the Army Developmental Test Command talk about IPv6.

The IPv6 talk reminded me to ask this question: who reading this blog has a native IPv6 connection? In other words, you're not talking IPv6 through a tunnel. If you have such a connection, would anyone be willing to give me a shell account on a box with native IPv6 connectivity? I could figure out how to use a tunnel service to escape my IPv4 Comcast connection and connect to the shell account. I am looking for a place to learn more about IPv6.

After the IPv6 presentation I heard researchers from Lucent describe their "RouterShield," which was unfortunately more boring than I expected. The pair did make a good point when they said too much or too little traffic from a host can be suspicious. I also heard news of a project at the University of Wisconsin called Nemean that received press for creating Snort signatures.

Cynthia Hetherington's talk was very good. She outlined ways to gather information on people using the Internet and pay-for-use databases. She also explained six steps to take to reduce one's public profile. She said we will have to begin using the techniques pioneered by "celebrities and fraud artists" if we wish to protect our identities.

I ended the day seeing Kevin Mandia discuss malware analysis. He said a recent forensics case involved 54 binaries, of which 29 were non-public, 44 were not detected by anti-virus, and 10 were packed by four different methods. He reported another case where the intruder overwrote IIS Web logs. Kevin described cases where dumping memory with dd revealed indicators of many compromised systems. Kevin also said he's used dd to duplicate hard drives of live machines, which he then analyzed using EnCase. He mentioned a tool called PEView and Immunity's libdisassemble.

Before I left for the airport I got a chance to discuss future directions for Kevin's company. I recommend keeping an eye on Red Cliff's Web site, especially in mid-February, for some exciting changes.

Overall I thought DoD Cybercrime was a great conference. I hope to speak next year. Did anyone else attend? If so, what are your thoughts?