
Monday, March 05, 2012

Bejtlich's Take on RSA 2012

Last week I attended RSA 2012 in San Francisco. I believe it was my third RSA conference; I noted on my TaoSecurity News page speaking at RSA in 2011 and 2006.

This year I spoke at the Executive Security Action Forum on a panel moderated by PayPal CISO Michael Barrett alongside iDefense GM Rick Howard and Lockheed Martin CISO Chandra McMahon. I thought our panel offered value to the audience, as did much of the remainder of the event.

Most of the speakers and attendees (about 100 people) appeared to have accepted the message that prevention eventually fails and that modern security is more like a counterintelligence operation than an IT operation.

After ESAF (all day Monday) I divided my time among the following: speaking to visitors to the Mandiant booth, discussing security issues with reporters and industry analysts, and walking the RSA exposition floor. I also attended the Wednesday panel where one of our VPs, Grady Summers, explained how to deal with hacktivists.

Speaking of the RSA floor, I took the photo at left praising the 55 new vendors appearing at the exposition for the first time. I counted 13 I recognized as "established" companies or organizations (Airwatch, CyberMaryland, Diebold, FireHost, Fluke Networks, Global Knowledge, GoDaddy.com, Good Technology, Nexcom, PhishMe, Prolexic Technologies, Qosmos, and West Coast Labs). I didn't recognize the other 42. There were probably dozens more who were not first-time RSA vendors that I wouldn't recognize either.

I suppose there are different ways to think about this situation. A positive way would be to view these new companies as signs of innovation. However, I didn't really see much that struck me as new or innovative. For example, a company specializing in password resets doesn't really get the heart pumping.

Another point of view could be that the presence of so many new companies means venture capital is active again. I saw plenty of that at work for certain companies who I know have just rebranded, relaunched, or been resuscitated in recent months. Several of them sported mammoth booths and plenty else. They must figure that if they have 7 or 8 figures to spend, they're going to put it into marketing!

I was in some ways overwhelmed by the number of attendees. I saw references to over 20,000 people attending RSA 2012. I believe many of them wore $100 (or even free, courtesy of vendors) "expo only" passes. With 20,000 people willing to participate in a security event, that tells me my @taosecurity Twitter follower count (over 11,000 today) has more room to grow. I would not have expected to rise much beyond 10,000 when I started Tweeting.

One of the best aspects of RSA 2012 was the Security Bloggers Meetup, which I was able to attend in person as I blogged previously.

My buzzphrase of the conference was "big data." To me, "big data" sounds like SIEM warmed over. I'll have more to say on this topic in future posts.

I'll probably return to RSA next year on behalf of my company, and again I will focus on the exposition and non-session activities. It's the only place where you can see so many security vendors in one place.

What did you think of RSA this year?

Thursday, February 04, 2010

DFRWS, VizSec, and RAID 2010 Calls for Papers

I'm involved in one degree or another with three somewhat academically-oriented conferences this year. I wanted to post notices of the call for papers for each event.

First is DFRWS 2010 on 2-4 Aug in Portland, Oregon. I am on the Technical Program Committee but will not attend due to a family conflict. The CFP ends 28 Feb.

Next is VizSec 2010 on 14 Sep in Ottawa, Ontario. I am on the Program Committee and plan to attend. The CFP for full papers ends 30 Apr.

Last but not least is RAID 2010 on 15-17 Sep in Ottawa, Ontario. I like the fact this conference is held in conjunction with VizSec, so I will probably attend. The CFP ends 4 Apr.

Tuesday, August 21, 2007

Abe Singer Highlights from USENIX Class

I didn't get to attend Abe Singer's talk Incident Response either, but again I managed to get a copy of his slides. They confirmed what I planned to do with my new company CIRT (fortunately), but I wanted to highlight some elements that I hadn't given much thought until I saw them in Abe's slides.

Abe pointed out that it's important to have incident response policies in place prior to an incident. I had always thought in terms of a plan, tools, and team, but not policies. Let me list a few items to explain.

Using language Abe secured for his university as a template, I plan to try to gain approval for something like this as a blanket incident detection and response policy at my company:

The Director of Incident Response and authorized designees have the authority to take actions necessary to contain, detect, and respond to computer incidents involving company assets.

These actions will be consistent with company policies and applicable laws.

Please note the original language said "prevent" instead of "contain," but my company has a separate security services arm. "Contain," as in "limit the damage," is more appropriate for my team's scope.

Abe also recommends explicit policies for the following:

  • Monitoring

  • Data collection and retention (I would add destruction too)

  • Node blocking and disconnection

  • Account suspension

  • Password changes

  • Reinstallation

  • Data sharing


Abe's point is that pre-coordination is essential to giving the CIRT the ability to rapidly execute its response and containment mission during an incident. Signing these policies also sets expectations for the businesses as CIRT customers.

Marcus Ranum Highlights from USENIX Class

Because I was teaching at USENIX Security this month I didn't get to attend Marcus Ranum's tutorial They Really Are Out to Get You: How to Think About Computer Security. I did manage to read a copy of Marcus' slides.

Because he is one of my Three Wise Men of digital security, I thought I would share some of my favorite excerpts. Some of the material paraphrases his slides to improve readability here.

  • Marcus asked how one can make decisions when the likelihood of attack, attack consequences, target value, and countermeasure cost are not well understood. His answer helps explain why so many digital security people quote Sun Tzu:

    The art of war is a problem domain in which successful practitioners have to make critical decisions in the face of similar intangibles.

    I would add that malicious adversaries are also present in war, but not present in certain other scenarios misapplied to security (like car analogies) where intelligent adversaries aren't present.

  • Marcus continues this thought by contrasting "The Warrior vs The Quant":

    Statistics and demographics (i.e., insurance industry analysis of automobile driver performance by group) [fail in digital security] because there is no enemy perturbing the actuarial data... and "perturbing your likelihoods" is what an enemy does! It's "innovation in attack or defense." (emphasis added)

  • Marcus offers two definitions for security which I may quote in the future:

    A system is secure when it behaves as expected; no less and certainly no more.

    A system is secure when the amount of trust we place in it matches its trustworthiness.

  • Marcus debunks the de-perimeterization movement by explaining that a perimeter isn't just a security tool:

    A perimeter is a complexity management tool.

    In other words, a perimeter is a place where one makes a stand regarding what is and what is not allowed. I've also called that a channel reduction tool.

  • Here's an incredible insight regarding the many "advanced" inspection and filtering devices that are supposed to be adding "security" by "understanding" more about the network and making blocking decisions:

    At a certain point the complexity [of the firewall/filter] makes you just as likely to be insecure as the original application.

    He says you're replacing "known bugs" (in the app) with "unknown bugs" (in the "prevention" device).

  • I love this point:

    Insiders and counter-intelligence: What to do about insider threat?

    • Against professionals: lose

    • Against idiots: IDS (Idiot Detection System) works; detect stupidity in action

    This is so true. I'd extend the "idiot" paradigm further by adding EDS (Eee-diot Detection System). (Cue "Stimpy, you eee-diot!" if you need pronunciation help here.)

  • Finally, Marcus slams the idea that one can use an equation to quantify risk. He calls "Risk = Threat X Vulnerability X Asset Value" one wild guess times another wild guess times another wild guess. I agree with this, but I would say the concept of separating out those variables helps one understand how Risk changes as one variable changes with the others held constant.

    Marcus also offers two approaches to dealing with risk:

    1. Think of all possible disasters, rank by likelihood, prepare for the Top 10. (9/11 showed this doesn't work.)

    2. Build nimble response teams and command/control structures for fast and effective reaction to threats as they materialize.

  • Regarding number one, Marcus obviously thinks that is a waste of time. However, one could argue that if policymakers had paid attention to the intelligence that was available and prepared, the situation could have been different. That's where threat intelligence on capabilities, intentions, and attack patterns can be helpful for modeling attacks.

    Regarding number two, I am so pleased to read this. It's why I'm building a CIRT at my new job. This comment also resonates with something Gadi Evron said during his talk on the "Estonia Cyberwar":

    No one is judged anymore by how they prevent incidents. Everyone gets hacked. Instead, organizations are judged by how they detect, respond, and recover.

Monday, August 06, 2007

Black Hat Final Thoughts

Based on my summaries of the talks I saw on day one and two of Black Hat USA 2007, some of you have called me "depressed" or "negative." I call it realistic and largely historic. Nothing I described was brand new the day I saw it. Most if not all of what I saw was already discussed in public forums or private groups. Sometimes it takes a live explanation by a real expert to synthesize and demonstrate the technique to make it come to life and help attendees connect the dots. This was certainly the case for me, and I expect for other people too.

I've spent almost my whole career watching defenses fail and then trying to contain and remove the mess. The fact that nothing has reduced my workload during the last decade indicates our approach to this problem is not working. I attend Black Hat so I can get semi-clued-in to attack techniques, and I recommend everyone else who cares about how they are already being abused attend or ask someone who attended to summarize what he or she learned.

The fact that you do not know you are being compromised does not mean it is not happening. This is a fundamental problem with digital security. Consider the analog world.

  • If a house is robbed by amateurs while the owner is away, upon return even the most ignorant person will likely notice the breach.

  • If a house is bugged by professionals while the owner is away, upon return even the most vigilant person will likely miss the breach.

Consider the digital equivalent.

  • If a digital asset is compromised by amateurs while the owner is away, upon return the ignorant person will definitely not notice the breach, and a vigilant person might notice the breach.

  • If a digital asset is compromised by professionals while the owner is away, upon return even the most vigilant person will be hard pressed to notice the breach. Everyone else is hopeless.

Observe that a key element of these observations is vigilance. I liked Tate Hansen's post Attackers will win so what can you do? because it alludes to this thought. Here are my three recommendations.

  1. Monitor everything you can, within the bounds of legal, political, and technical means. The absolute first priority for any digital security operation is to know what is happening. Bruce Schneier was so right in 2001 when he wrote Monitoring First. If you think I am hopeless but you believe in Bruce, then read what he wrote. It's as relevant today as ever.

     Monitoring is to the digital world as accounting is to the financial world. How can any company expect to stay in business if it's bleeding money? Similarly, how can any enterprise preserve the confidentiality, integrity, and availability of digital assets if the state of those assets is unknown?

     When I talk of monitoring, keep in mind three data sources; these are the terms I'm using from here forward.

     • First order monitoring observes the attack as it happens. It's difficult if not impossible to accomplish this. Because you can't stop what you can't see, preventing intrusions is increasingly impossible for all or most cases.

     • Second order monitoring observes continuation of the incident. These are signs following compromise, like installation and use of a back door, command-and-control, exfiltration of data, and the like. This is difficult to detect but potentially not as difficult as the first order case.

     • Third order monitoring observes consequences of the incident. This includes discovery of your company's IPs in botnet command-and-control channels or Web sites, finding sensitive company documents on p2p networks, the release by your competitor of a new product based on your design, and related events. These are easier to detect but usually difficult to tie to a specific incident.

     My final comment on monitoring is this: monitoring helps prioritize resources. If you instrument your platforms, OS, applications, and data, you can see how they are being abused. Then you direct resources to mitigate the most pressing problems.

     Consider the 2002 CERT advisory on SNMP vulnerabilities. At the time it looked like the end of the world because everyone was vulnerable. My clients basically didn't care, because I was watching for any SNMP traffic to or from their sites. Guess what -- I hardly saw anything (and SNMP is easy to see, if you're wondering). Because I didn't see recon or exploitation, I advised my clients to concentrate on problems I did see being probed or attacked.

     It's the same situation a battlefield commander faces. Without on-scene situational awareness, how do you know if you need to reinforce your flank or commit your reserves to defending the center? If you have no clue and you guess wrong, you lose. Let's manage by fact instead of belief if we want to win.

  2. Force vendors to ship feature-disabled applications by default. I don't want my Flash viewer to initiate sockets to hosts on my internal network. Alternatively, let my security team, IT department, or PC vendor decide how my machine should be configured, then let me make changes if I decide I do want Flash to initiate connections. Let's face it: the Web browser is the new operating system. Securing the OS is great, but it's all about the features and configuration of your Web browser and its embedded rich media content rendering applications. Reducing our application exposure will limit the risk.

  3. Force our governments to focus on the threat. Techies like technical solutions. This is not working. We have to take the fight to the enemy by removing the threat, not countering their tools.

     We cannot code, block, or patch our way out of this situation. We have to deter, investigate, apprehend, prosecute, and incarcerate threats. It's the only approach that has ever had a chance to work in the real world. As the digital world continues to resemble and in some ways surpass the analog world, why do we think we are smart enough to reject 3,000 years of human history and rely on technical means to solve this problem?

     If you don't believe me, please read my next post.

Sunday, August 05, 2007

Black Hat USA 2007 Round-Up Part 2

I'm waiting in another airport, so it's time to summarize my second day at Black Hat USA 2007. (The first day is Black Hat USA 2007 Round-Up Part 1.)

  • I started the day in Bruce Schneier's keynote. Bruce's talk was interesting but plagued by audio problems (not his fault). Bruce reiterated his ideas of the "security consumer" who asks "is it worth it?" when deciding whether or not to wear a bullet-proof vest when walking out his front door. Bruce seems to have changed his mind about the evils of "security theater," because he said "security is a feeling and a reality," and sometimes security theater is needed to right imbalances between the feeling and the reality. This imbalance can come about when citizens watch television, which impairs their availability heuristic by making rare and catastrophic events seem common and personal.

    Bruce focused on psychology, stating that people, on average, are risk-seeking when facing losses but risk-averse when facing gains. In other words, they are more likely to take a chance to avoid a loss than they are to take a chance to acquire a greater gain. Bruce published a paper describing his views at The Psychology of Security. Pay attention to the five aspects of the security trade-off.

  • Jim Hoagland from Symantec presented my first technical talk of the day. He described the new Windows Vista TCP/IP stack and emphasized the role of tunnels for IPv6. It's probably best just to read the papers behind the talk, namely Windows Vista Network Attack Surface Analysis (.pdf), The Teredo Protocol: Tunneling Past Network Security and Other Security Implications (.pdf), draft-ietf-v6ops-teredo-security-concerns, Microsoft's Objectives for IPv6, and Jim's blog post. Jim said "stacks are complex entities that take years to mature." Jim discussed stack vulnerabilities found in beta versions of Vista. I was very interested in hearing about the new fragmentation reassembly standard used in Vista, which differs from previous versions. (Hello trouble for IDS/IPS/etc., good news for stack fingerprinters.)

    Jim spent a lot of time talking about Teredo, documented in RFC 4380. Teredo is designed as an IPv6 transition mechanism "of last resort." I've documented my tests with Miredo, a Unix implementation. What struck me about Jim's comments was his revelation that Teredo was designed without visibility or control. This directly contradicts my idea of Security Application Instrumentation. Essentially, unless an inspection product analyzes every UDP packet, it is not possible to control Teredo. It is possible to "starve" Teredo traffic by blocking outbound to Teredo servers on UDP port 3544, but that is not a complete solution. Also, Jim claimed that in some cases Teredo "may be preferred even over native IPv4." He recommended that Teredo not be deployed on "managed networks," which is just about anywhere that matters.
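    To make the "analyze every UDP packet" point concrete, here is an added example (my code, not the post's and not from Jim's papers or Miredo): a Python parser that recognizes a Teredo-encapsulated IPv6 packet inside a UDP payload regardless of UDP port, skips the optional Authentication and Origin indications that RFC 4380 places in front of the IPv6 header, and decodes the Teredo address to recover the server and the client's NAT mapping, which is the visibility a monitoring sensor would want. The sample packet, the server 192.0.2.1, the client 198.51.100.7:40000 and the `build_sample` helper are constructed for this example and are not from the page.

```python
import ipaddress
import struct

# Constants from RFC 4380: Teredo service prefix and the server's UDP port.
TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")
TEREDO_SERVER_PORT = 3544


def make_teredo_address(server_ip, client_ip, client_port, cone=False):
    """Build a Teredo IPv6 address (RFC 4380 section 4); used here only to construct test data."""
    flags = 0x8000 if cone else 0x0000
    packed = (
        bytes.fromhex("20010000")                              # 2001:0000::/32 prefix
        + ipaddress.IPv4Address(server_ip).packed              # Teredo server IPv4
        + struct.pack("!H", flags)                             # flags (cone bit)
        + struct.pack("!H", client_port ^ 0xFFFF)              # obfuscated mapped port
        + bytes(b ^ 0xFF for b in ipaddress.IPv4Address(client_ip).packed)  # obfuscated mapped IPv4
    )
    return ipaddress.IPv6Address(packed)


def decode_teredo_address(addr):
    """Recover server, cone flag and the client's NAT mapping from a Teredo address; None if not Teredo."""
    a = ipaddress.IPv6Address(addr)
    if a not in TEREDO_PREFIX:
        return None
    b = a.packed
    return {
        "server": str(ipaddress.IPv4Address(b[4:8])),
        "cone": bool(struct.unpack("!H", b[8:10])[0] & 0x8000),
        "client_port": struct.unpack("!H", b[10:12])[0] ^ 0xFFFF,
        "client_ip": str(ipaddress.IPv4Address(bytes(x ^ 0xFF for x in b[12:16]))),
    }


def _skip_teredo_indications(payload):
    """Return the offset of the IPv6 packet after optional Authentication/Origin indications."""
    off = 0
    # Authentication indication: 0x0001, ID-len, AU-len, client id, auth value, 8-byte nonce, 1 confirmation byte.
    if payload[off:off + 2] == b"\x00\x01" and len(payload) >= off + 4:
        id_len, au_len = payload[off + 2], payload[off + 3]
        off += 4 + id_len + au_len + 8 + 1
    # Origin indication: 0x0000, obfuscated port (2 bytes), obfuscated IPv4 (4 bytes).
    if payload[off:off + 2] == b"\x00\x00":
        off += 8
    return off


def parse_teredo(udp_payload):
    """Detect an IPv6 packet tunnelled in a UDP payload on any port. Returns header fields or None."""
    off = _skip_teredo_indications(udp_payload)
    hdr = udp_payload[off:off + 40]
    if len(hdr) < 40 or hdr[0] >> 4 != 6:
        return None
    payload_len, next_hdr, hop_limit = struct.unpack("!HBB", hdr[4:8])
    # Declared IPv6 payload length must fit inside the datagram, or this is not a well-formed tunnel packet.
    if len(udp_payload) - off - 40 < payload_len:
        return None
    src = str(ipaddress.IPv6Address(hdr[8:24]))
    dst = str(ipaddress.IPv6Address(hdr[24:40]))
    return {
        "src": src,
        "dst": dst,
        "next_header": next_hdr,
        "hop_limit": hop_limit,
        "payload_len": payload_len,
        # A Teredo "bubble" (NAT hole punching / keepalive) is an empty IPv6 packet with next header 59.
        "bubble": payload_len == 0 and next_hdr == 59,
        "src_teredo": decode_teredo_address(src),
        "dst_teredo": decode_teredo_address(dst),
    }


def build_sample(origin_indication=False):
    """Constructed sample: a bubble from a hypothetical client 198.51.100.7:40000 via server 192.0.2.1."""
    src = make_teredo_address("192.0.2.1", "198.51.100.7", 40000)
    dst = ipaddress.IPv6Address("2001:db8::1")
    ipv6 = struct.pack("!IHBB", 0x60000000, 0, 59, 64) + src.packed + dst.packed
    if origin_indication:
        origin = (b"\x00\x00" + struct.pack("!H", 40000 ^ 0xFFFF)
                  + bytes(b ^ 0xFF for b in ipaddress.IPv4Address("198.51.100.7").packed))
        return origin + ipv6
    return ipv6


if __name__ == "__main__":
    for sample in (build_sample(), build_sample(origin_indication=True)):
        print(parse_teredo(sample))
```

    The parser never looks at the UDP port: blocking 3544 only starves the client-to-server qualification exchange, while client-to-client Teredo traffic rides on whatever ports the NATs mapped, so a sensor has to test each UDP payload for the tunnel structure itself. The decoded client address and port are what a monitoring team would log to tie a tunnelled IPv6 flow back to an internal host.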

    • Nick Harbour of MANDIANT discussed basic, intermediate, and advanced ways to hide malware. He talked about hook injection to hide malware in existing processes, library injection (cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 most common attack) via CreateProcessThread() to hide in libraries, and direct injection, where code is inserted directly into processes. He mentioned registry tricks like Image File Execution Options to launch malware as a "debugger" that calls a legitimate process. Nick said he would release Malvm and his Executable Toolkit on nickharbour.com soon.

    • I watched almost all of Gadi Evron's talk about cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Estonia "information war," but I felt like he took over an hour when probably 20 minutes would have sufficed.

    • One of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 best talks on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 second day was delivered by Tom Ptacek and Eric Monti who described vulnerabilities and exposures in extrusion detection and related products. Because cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y could not name cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 products cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y had tested, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y profiled a "fake" product called PlugBoy. Basically, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se products are nearly worthless, except for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 value cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y deliver in demonstrations to executives and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 launch pad cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y provide for intruders. They focused on host-based systems instead of those that sit inline or offline.

      Tom and Eric said "evasion is a given." For example, you can trivially bypass cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir filters using any number of techniques at layers 3, 4, or higher. It could take as simple a technique as changed text in a word document to bold or adding a space between every character of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 document. The problem with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se products is that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y need to do some sort of file format decoding in order to have a prayer of making sense of a document's contents. Unfortunately, by introducing file format dissection decoding, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y are incredibly vulnerable (think of Wireshark's security history with protocol dissectors and recent file format fuzzing exploits.)

      Here's another problem with extrusion products on the host: they tend to communicate what they find in the clear to their management platforms. (Zlib compression doesn't count as "encryption.") So, think of this: you have a product sitting between the user and a remote SSL-enabled site, inspecting and grabbing sensitive content, then retransmitting a subset of that content in the clear to the management server. Who designed this train wreck? Furthermore, these products tend to have application, service, and kernel components. This means you have a piece of code that by design has access to everything you consider sensitive sitting in the kernel.

      Tom and Eric said this code is rife with vulnerabilities. They described how sending a malformed AIM packet would root the agent and therefore the kernel and therefore the box. Returning to agent-to-manager communications, this channel is unauthenticated. This means anyone could spoof traffic or send traffic to the management console. That content tends to be rendered in a Web application viewable by the administrator. Now you can send traffic to the management console (think XSS or other file rendering attacks) and own it.

      In case you didn't put all these steps together, here they are: 1) Web browser with ED agent visits malicious Web site; 2) Web site attacks and owns ED agent; 3) Owned ED agent attacks ED manager; 4) Owned ED manager attacks and owns all ED agents on all hosts; Game Over.

      In brief, the host-based ED products Eric and Tom reviewed are "latent botnets" in addition to all their potential violations of PCI and other regulations protecting data.

      I managed to briefly talk with Tom and Eric prior to their presentation, which was cool. They reminded me I need to try their tools, like Black Bag, which is "Netcat on steroids."
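To make the "evasion is a given" point concrete, here is an added example (my own illustration, not code from Tom and Eric's talk or from their tools) of why a pattern-only filter loses: the same constructed customer record is scanned raw and after a space-per-character or zero-width-joiner transform. The sample document, the patterns and the canonicalization step are all assumptions for illustration; note that the canonical form is itself a small decoder, which is exactly the dissector risk described above, so it has to be kept tiny and fuzzed.

```python
import re
import unicodedata

# Constructed sample document (not from the talk or the original post).
CLEAN = "Customer record: card 4111 1111 1111 1111, SSN 123-45-6789."
# The same content with a space inserted between every character, one of the
# evasions named in the talk. Bolding text in a Word file is the container-level
# analogue: the bytes on the wire change, the information does not.
EVADED_SPACES = " ".join(CLEAN)
# Same idea with an invisible zero-width joiner after every '1': renders
# identically, but no longer matches a byte-oriented pattern.
EVADED_ZW = CLEAN.replace("1", "1\u200d")

# Patterns a naive, pattern-only filter would ship with.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits):
    """Luhn mod-10 check: filters out phone numbers and other 16-digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def naive_scan(text):
    """Match the bytes exactly as transmitted: what the evaded documents defeat."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(("card", digits))
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", m.group()))
    return hits


def canonical(text):
    """Reduce the document to a form the evasions cannot change: drop Unicode
    format characters (category Cf: zero-width joiners, soft hyphens, ...)
    and all whitespace. This is a decoder in miniature and must be fuzzed."""
    text = "".join(ch for ch in text if unicodedata.category(ch) != "Cf")
    return re.sub(r"\s+", "", text)


CARD_CANON_RE = re.compile(r"(?<!\d)(?:\d-?){15}\d(?!\d)")
SSN_CANON_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def robust_scan(text):
    """Same detections, run over the canonical form instead of the raw bytes."""
    canon = canonical(text)
    hits = []
    for m in CARD_CANON_RE.finditer(canon):
        digits = m.group().replace("-", "")
        if luhn_ok(digits):
            hits.append(("card", digits))
    for m in SSN_CANON_RE.finditer(canon):
        hits.append(("ssn", m.group()))
    return hits


if __name__ == "__main__":
    for name, doc in (("clean", CLEAN), ("spaces", EVADED_SPACES), ("zwj", EVADED_ZW)):
        print(f"{name:7s} naive={naive_scan(doc)} robust={robust_scan(doc)}")
```

The naive scanner finds both records in the clean document and nothing in either evaded copy; the canonical scanner finds both in all three. The trade-off is the one the talk describes: every normalization rule you add (Unicode categories, separators, eventually OOXML and PDF containers) is more parsing code running with access to everything sensitive, so keep it minimal and treat it as attack surface.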

    • I finished the day watching my friends Keith Jones and Rohyt Belani present three case studies on insider attacks. Keith talked about the Duronio case. Rohyt described a wireless exploit at a retail company and a law firm document management system abused by an administrator.


    I had the following thoughts after watching these talks.

    • We cannot eliminate the probability of compromise of the general Internet population. This is another way to say "prevention eventually fails." We can reduce the probability of compromise by applying costly countermeasures or drastically limiting exposure. You could think of this situation as the difference in the lives between the President with his Secret Service detail and Joe Sixpack. The President can venture outside if protected by agents, but Joe is a sitting duck. His best bet is to stay home if he feels threatened. This deserves more thought, so I will probably address it later. A digital equivalent is hiring a team to build your own special Web browser or using a text-based Web browser and living a more monastic life.

    • Modern countermeasures applied to reduce vulnerability and/or exposure in many cases increase both vulnerability and exposure. This is certainly the case with so many agents (see Matasano is Right About Agents).

    • Developers continue to ignore history by reintroducing old vulnerabilities and exposures. Tom and Eric talked about how so many products ship old vulnerable versions of Gzip libraries, as one example.

    • As assets are increasingly managed, it becomes easier for intruders to exploit vulnerabilities in them and assume management of those assets. Eric and Tom noted that monolithic agents are being placed on assets of all types for purposes of managing them (as if operating system homogeneity weren't enough of a problem). These agents are not coded to the standards found in the OS (props to Microsoft for getting its act together in recent years). The problem with these agents is that they open a brittle window for takeover by malicious parties.

    • Firewalls are channel restriction products, not compromise prevention products. As the number of channels proliferates, the firewall is increasingly irrelevant. Inspection products (which include detection and filtering devices) are caught in a quandary. Application-unaware inspection and filtering systems (think content matching alone, maybe via regex) are less able to understand content and counter attacks. Application and protocol awareness would seem to be the answer, but those dissectors are directly targeted by intruders and are heavily vulnerable to protocol and file format attacks. (Previously the content inspectors were mainly vulnerable if their content-matching system [think regex library] had a flaw.) No one wins.


    I'm really rushed here so I may revisit this post to fix a few thoughts. I will post my overall defensive recommendations in a future post.

    Friday, August 03, 2007

    Black Hat USA 2007 Round-Up Part 1

    I'm waiting in the airport for my flight home after spending 6 days in Las Vegas at Black Hat USA 2007. I last attended in 2003. Put simply, I was blown away by the quality of the majority of the talks I saw. I'll summarize the talks and my response.

    I spent four days teaching TCP/IP Weapons School in two two-day sessions, to a total of 116 students. I think both classes were well-received. The students were some of the sharper ones I've had in class, which is what I hoped for and expected. The first day of teaching I was lucky enough to share lunch with some of my students and Joanna Rutkowska. We discussed covert channels and related difficult detection problems.

    The following are thoughts on the first day of briefings. I spent the majority of the day in the application security track.

    • I sat in Richard Clarke's keynote. He emphasized how what he called "visualization exercises" help decision makers envisage digital risk. I described this phenomenon last year in Analog Security Is Threat-Centric and Disaster Stories Help Envisage Risks. Mr. Clarke explained how human-machine interfaces are the next security frontier and how DoD's Net-Centric Warfare (see Thoughts from IATF Meeting) depends on the vast number of IP addresses available in IPv6. Unfortunately Mr. Clarke has fallen for the myth that IPv6 will bring greater security and "prioritization," which means we must have it. I debunked these misconceptions held by many executives in Chinese IPv6 in CIO. It struck me that Mr. Clarke mentioned that executives view spending on security as a "cost center" but spending on breach recovery is a "loss center." I wonder where we've heard that before?

    • David Byrne delivered an exceptional talk on the security consequences of anti-DNS pinning. The purpose of his attack is to use Web clients as a conduit for attacking intranet hosts. He demo'd conducting a remote Nessus scan and Metasploit attack of intranet hosts via a "tunnel" of HTTP POSTs and replies passed through a Web browser. David's talk showed that DNS resolutions in which an Internet hostname resolves first to an Internet host and next to an intranet host can be used as a detection mechanism. A Web server vulnerable to XSS is required, and the presence of Java or other rich content vehicles on the host only exacerbates the problem by providing additional attack vectors.
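As an added example (my illustration, not David's code), the detection idea above can be implemented as a pass over DNS answer logs: a name that first resolves to an outside address and then, for the same client, to an intranet address is the rebinding signature. The log format, the internal prefixes and the sample lines are constructed assumptions; feed it your resolver's query log in the same shape and it will work on real data.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Address space the defender considers "inside". Assumption: RFC 1918 only;
# add your own public prefixes here if they host intranet applications.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed DNS answer log, one answer per line (the format is an assumption):
# <timestamp> <client> <qname> <rrtype> <answer> ttl=<seconds>
LOG = """\
2007-08-01T10:00:00Z 10.1.1.50 www.attacker.example A 203.0.113.10 ttl=1
2007-08-01T10:00:01Z 10.1.1.50 www.attacker.example A 10.1.1.20 ttl=1
2007-08-01T10:00:05Z 10.1.1.51 intranet.corp.example A 10.1.1.20 ttl=3600
2007-08-01T10:00:09Z 10.1.1.52 www.vendor.example A 203.0.113.55 ttl=300
2007-08-01T10:00:12Z 10.1.1.52 www.vendor.example A 203.0.113.56 ttl=300
"""


@dataclass
class RebindAlert:
    client: str
    qname: str
    external: str   # the outside address the name resolved to first
    internal: str   # the intranet address it was rebound to
    ttl: int


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str) -> dict:
    ts, client, qname, rrtype, answer, ttl = line.split()
    return {"ts": ts, "client": client, "qname": qname.lower(),
            "rrtype": rrtype, "answer": answer,
            "ttl": int(ttl.split("=", 1)[1])}


def detect_rebinding(lines):
    """Flag a (client, name) pair whose answer flips from outside to inside.
    Names that only ever resolve internally, or only externally, never
    trigger; the outside-then-inside flip for one client is the attack."""
    seen_external = defaultdict(set)
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["rrtype"] not in ("A", "AAAA"):
            continue
        key = (rec["client"], rec["qname"])
        if is_internal(rec["answer"]):
            if seen_external[key]:
                alerts.append(RebindAlert(rec["client"], rec["qname"],
                                          sorted(seen_external[key])[0],
                                          rec["answer"], rec["ttl"]))
        else:
            seen_external[key].add(rec["answer"])
    return alerts


if __name__ == "__main__":
    for a in detect_rebinding(LOG.splitlines()):
        print(f"{a.client} resolved {a.qname} to {a.external} "
              f"then {a.internal} (ttl={a.ttl})")
```

The very short TTL on the flagged name is a supporting signal, not the trigger: plenty of CDN names use low TTLs, but none of them should ever hand a client an address inside your own space. Run this at the resolver, not the endpoint, so the attacker's JavaScript cannot see or influence it.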

    • Jeremiah Grossman and Robert Hansen continued to pile on Web application attacks. They showed a variety of ways to exploit Web clients and Internet hosts without JavaScript. Robert (aka RSnake of ha.ckers.org) said that everyone who links to his site from their intranet Web pages and uses his files for penetration tests leaks data on their company to him.

    • I only saw the last half of Brad Hill's talk because I had lunch with several ex-Foundstoners, but the part I saw was impressive. Brad explained how to exploit XML digital signatures, such as running arbitrary executables (like cmd.exe) from within a signature!

    • Bryan Sullivan and Billy Hoffman rocked, showing how their demo site www.hackervacations.com exemplified the many vulnerabilities in Ajax Web sites. They really made me understand the problem with Ajax: much, and in some cases all, of an Ajax application executes on the client. Previously, attacking Web applications centered on providing malicious input to influence the execution of the Web app. Now, attacking Ajax Web applications means malicious clients manipulate every aspect of the program, including variables, order of execution, and control of the server. They showed how to "DoS a plane" by reserving all seats on a flight booking system, and keeping all seats filled by sending an HTTP message every 30 seconds. They showed how to buy a plane seat for $1, or buy all seats for nothing. They accessed hidden administrative functions by directly talking to the remote Web service and dumped the entire database (with zero knowledge of the remote database) with two commands. This emphasized that testing inputs through the Web application is completely insufficient; all the Web services behind it must now be similarly assessed.
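The seat-reservation and $1-ticket findings come down to server code that believes what the client-side half of the application tells it. As an added illustration (my own toy, not the hackervacations.com code), here is a booking back end with the trusting and the hardened versions of the two operations side by side; the seat names, prices, hold lifetime and per-user cap are assumptions.

```python
# Server-side state (constructed): one flight's seats and their real prices.
SEAT_PRICES = {"BH101:12A": 450.00, "BH101:12B": 450.00, "BH101:12C": 450.00}
HOLD_TTL = 600            # seconds a seat hold lives; a refresh does not extend it
MAX_HOLDS_PER_USER = 2    # one traveller cannot park a whole cabin


def _purge_expired(holds, now):
    for seat in [s for s, (_, expires) in holds.items() if expires <= now]:
        del holds[seat]


def hold_seat_vulnerable(holds, seat, user, now):
    """Every keep-alive re-issues the hold. A client that sends one request
    per seat every 30 seconds keeps the whole flight off the market forever."""
    holds[seat] = (user, now + HOLD_TTL)
    return True


def hold_seat_hardened(holds, seat, user, now):
    """Holds expire on the server's clock, cannot be renewed by polling, and
    are capped per authenticated user."""
    _purge_expired(holds, now)
    if seat not in SEAT_PRICES:
        return False
    current = holds.get(seat)
    if current is not None:
        # The same user may keep polling, but the original deadline stands.
        return current[0] == user
    if sum(1 for holder, _ in holds.values() if holder == user) >= MAX_HOLDS_PER_USER:
        return False
    holds[seat] = (user, now + HOLD_TTL)
    return True


def checkout_vulnerable(order):
    """Trusts the price, quantity and even the role flag the client computed."""
    total = sum(item["price"] * item["qty"] for item in order["items"])
    return {"charged": round(total, 2), "admin": order.get("role") == "admin"}


def checkout_hardened(holds, order, session, now):
    """Price and entitlement come from server state; the client only names seats."""
    _purge_expired(holds, now)
    total = 0.0
    for item in order["items"]:
        seat = item["seat"]
        holder = holds.get(seat)
        if holder is None or holder[0] != session["user"]:
            raise PermissionError(f"{seat} is not held by {session['user']}")
        total += SEAT_PRICES[seat]
    return {"charged": round(total, 2), "admin": session["role"] == "admin"}


if __name__ == "__main__":
    holds = {}
    hold_seat_hardened(holds, "BH101:12A", "alice", now=0)
    order = {"items": [{"seat": "BH101:12A", "price": 1.00, "qty": 1}], "role": "admin"}
    print("vulnerable:", checkout_vulnerable(order))
    print("hardened:  ", checkout_hardened(holds, order, {"user": "alice", "role": "user"}, now=1))
```

The point for testers is the last sentence of the paragraph above: every function here is reachable as a Web service call, so each one has to be exercised with forged JSON, not just through the forms the UI happens to render.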

    • Ben Feinstein and Daniel Peck showed a way to crawl and de-obfuscate malicious JavaScript. They mentioned an integrity attack whereby malicious eBay sellers used XSS to provide fake positive seller ratings to unsuspecting buyers. They showed how their Caffeine Monkey tool profiles JavaScript, providing a fingerprint of current malicious JavaScript compared to nonmalicious JavaScript. For example, string and object instantiations are very common in malicious JavaScript but rare in nonmalicious JavaScript. This is essentially the same detection problem we've been wrestling with for years, and it shows that intruders could begin to write their JavaScript to resemble normal versions.

    • I ended the day in Hacker Court, where the "Crimson Knight" was tried for cheating at the "Masters of Mayhem" online game. As usual Hacker Court was great, especially because Jennifer Granick moved from her traditional role as defense counsel to the new role of prosecutor. She lost her case, but I spoke with her briefly and learned the experience gave her a chance to think like the other side in front of an audience in a simulated trial.


    My overall impression from the first day of briefings can be summarized in this manner.

    • Existing defenses are absolutely ineffective against current attacks. I am struggling to describe the importance of this insight. It does not matter if you are fully patched, "properly configured," not running JavaScript, or adopting any number of other current defensive strategies if you use a Web browser that renders modern rich content. Almost none of the techniques described in the Black Hat talks relies upon exploiting vulnerable software. Almost all of them abuse inherent functionality for malicious reasons.

    • Detecting current attacks in "real time" is increasingly difficult, if not impossible. Even if you assume attacks are not obscured by encryption, recognizing and understanding the variety of Web-based attacks shown at Black Hat is almost a lost cause. There is basically no way for defenders to address the expanse of the attack surface exposed by "rich Internet applications" and frameworks. I realized that the "rich" in "RIA" refers to the money intruders will make by exploiting Web clients.

    • The average Web developer and security professional will never be able to counter these attacks. Intruders are so far ahead of the defenders with respect to tools and techniques that it is simply not possible to prevent the attacks I saw at Black Hat. This statement will probably offend many people but it's time to face the truth. There is no way to get "ahead of the threat" here.


    I realize I've painted a very bleak picture. In my next post (time to board the plane) I will summarize day 2 of the Black Hat Briefings. In the post after that I will provide some defensive strategies and concluding thoughts.

    Sunday, May 13, 2007

    CONFidence Wrap-Up

    This morning I delivered a talk at CONFidence 2007 in Krakow, Poland. I'd like to thank Andrzej Targosz and Jacek Artymiak for being the best hosts I've met at any conference. They got me at the airport, took me to dinner (along with dozens of others), and will take me to the airport (at 0430 no less!) tomorrow. I spent a good amount of time with Anton Chuvakin, Daniel Cid, and Stefano Zanero, which was very cool.

    I'd like to mention two talks. First, I watched Paweł Pokrywka talk about a neat way to discover layer two LAN topology with crafted ARP packets. Unfortunately, his talk was in Polish and I didn't exactly learn how he does it! I spoke to Paweł briefly before my own talk, and he said he plans to release a paper (in English) and his code (called Etherbat), so I look forward to seeing both.

    Second, I attended Dinis Cruz's talk on buffer overflows in .NET and ASP.NET. I'm afraid I can't say anything intelligent about his talk. Dinis is a coding ninja and I really only left his talk with one idea: all general-computing platforms can be broken. What's funny is I'm not even sure Dinis would agree with me. His point seemed to be that .NET and ASP.NET (as well as other managed code environments) are breakable, but if implemented "properly," could be made not breakable.

    Let's think about that for a moment. I'm sure the people who dreamed up .NET and ASP.NET are really smart. However, there are problems that render them vulnerable to people like Dinis. "Fine," you say. "Let Dinis help Microsoft fix the problems." Ok, Dinis helps implement a new version of this framework. A year or so later someone with a different insight or skill comes along and breaks the new version. And so on. This is the history of general purpose computing. I don't see a way to break the cycle if we continue to want developers to be able to write general purpose software. I am not speaking as a developer, but as an historian. We have been walking this path for over 20 years and I don't see any improvements.

    Update: I forgot to mention that I liked Anton Chuvakin's definition of forensics:

    Computer forensics is the application of the scientific method to digital media to establish factual information for judicial review.

    Sunday, March 25, 2007

    ShmooCon 2007 Wrap-Up

    ShmooCon 2007 ended today. Only four talks occurred today (Sunday), and only two of them (Mike Rash, Rob King/Rohit Dhamankar) really interested me. Therefore, I went to church with my family this morning and took lead on watching the kids afterwards. I plan to watch those two interesting talks once they are released as video downloads. (It takes me 1 1/2 - 2 hours each way into and out of DC via driving and Metro, so I would have spent more time on the road than listening to speakers.)

    I also left right after Bruce Potter's introductory comments on Friday afternoon. If it hadn't been for the NoVA Sec meeting I scheduled Friday at 1230, I probably would have only attended Saturday's sessions. I heard Avi Rubin's 7 pm keynote was good, and I would have liked to watch Johnny Long's talk. Otherwise I thought spending time with my family was more important.

    That leaves Saturday. I spent the whole day at ShmooCon, from the first talk to the end of Hack or Halo. I began the day with Ofir Arkin from Insightix. (I actually spent about half an hour chatting with Ofir Friday afternoon, which was cool. I also spent time Friday speaking with several people I recognized.) Ofir demonstrated that just about all Network Admission Control concepts and implementations are broken. He only covered about half his material, but I left wondering who would bother spending thousands or millions on NAC when it doesn't seem to work and is fighting the last war anyway.

    Ofir emphasized that knowledge of the enterprise is the key to network defense. He pointed out that NAC products which provide a shared medium quarantine area are exactly where an intruder wants his machine to be delivered. Once in that area he can attack the weakest, non-compliant systems on the same subnet or VLAN used by the quarantine. Using PVLANs can avoid this problem, but only if they are not subject to VLAN hopping attacks. Ofir questioned whether per-port security is ever feasible, especially in an age of increasing use of VMs.

    One basic take-away for me was this: if I find myself on a network requiring NAC, do the following.

    1. Find the nearest printer.

    2. Unplug the network cable.

    3. Connect the network cable from the printer to a hub, and connect the hub to the network port.

    4. Connect my laptop to the hub.

    5. Sniff the printer's MAC address and IP address.

    6. Disconnect the printer.

    7. Assign the printer's MAC and IP address to my laptop, and access the network.


    While this will not work everywhere, it's probably going to work in enough places to make NAC a questionable prospect for physical defense. Hosts connecting via VPN are another issue.

    After Ofir spoke I saw Joel Wilbanks, Matt Fisher, and Mike Murphy talk about incident response when Web applications are attacked. They made the point that Web app incidents don't usually leave artifacts (think files on the hard drive) on the victim. Web app forensics becomes a log analysis exercise. If no logs exist (Web, database, OS, etc.), you're hosed. They recommended populating database tables with honeytokens and writing custom IDS signatures to alert on the presence of those tokens in network traffic.
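An added example of the honeytoken recommendation (my illustration, not the speakers' material): derive fake customer rows from a secret the SOC holds, emit one Snort rule per token, and run the same match over captured payloads. The secret, the label scheme, the rule template and the traffic samples are constructed assumptions.

```python
import hashlib
import hmac

# Assumption: a per-deployment secret kept by the SOC, never stored in the database.
SECRET = b"rotate-this-honeytoken-secret"


def make_honeytoken(secret: bytes, label: str) -> dict:
    """Derive a fake customer record from a label such as 'customers:row9001'.
    Derivation is deterministic so the SOC can regenerate the token set without
    keeping a copy next to the data it is meant to guard."""
    digest = hmac.new(secret, label.encode(), hashlib.sha256).hexdigest()
    n = int(digest[:16], 16)
    table = label.split(":", 1)[0]
    digits = f"{n % 10**8:08d}"
    return {
        "label": label,
        "email": f"{table}.{digest[:8]}@example.com",
        # SSN area numbers 900-999 are never issued, so this cannot collide with a real one.
        "ssn": f"9{digits[:2]}-{digits[2:4]}-{digits[4:8]}",
    }


def snort_rule(token: dict, sid: int) -> str:
    """One rule per token, matching the token email in any outbound TCP payload."""
    return ('alert tcp $HOME_NET any -> $EXTERNAL_NET any '
            f'(msg:"Honeytoken leaving network: {token["label"]}"; '
            f'content:"{token["email"]}"; nocase; sid:{sid}; rev:1;)')


def find_tokens(tokens, payloads):
    """The same check in Python for log- or pcap-derived payloads: returns
    (label, payload_index, field) for every token value that appears."""
    hits = []
    for idx, payload in enumerate(payloads):
        text = payload.decode("latin-1")
        for tok in tokens:
            for field in ("email", "ssn"):
                if tok[field] in text:
                    hits.append((tok["label"], idx, field))
    return hits


TOKENS = [make_honeytoken(SECRET, f"customers:row{n}") for n in (9001, 9002)]

# Constructed traffic samples: an exfiltration POST carrying one token row,
# and an ordinary request that should not trip anything.
PAYLOADS = [
    (b"POST /upload HTTP/1.1\r\nHost: drop.example\r\n\r\n"
     b"id,email,ssn\r\n9001," + TOKENS[0]["email"].encode()
     + b"," + TOKENS[0]["ssn"].encode() + b"\r\n"),
    b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n",
]


if __name__ == "__main__":
    for i, tok in enumerate(TOKENS):
        print(snort_rule(tok, 1000001 + i))
    print(find_tokens(TOKENS, PAYLOADS))
```

Two operational points. The rows must be inserted where only an attacker dumping the table would read them, never where a legitimate report or mailing job would select them, or the rule fires on your own batch jobs. And the IDS only sees the token if it sees cleartext, which is the SSL-termination argument that follows.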

    During their presentation several attendees questioned the role of SSL for inbound connections. The speakers recommended terminating SSL at an accelerator, and passing clear text by an IDS before sending it to the Web server or re-encrypting it. At least one of the attendees was shocked -- shocked -- to consider passing "sensitive" data in the clear like that. I have never understood this argument. The question is simple: do you care to know what is being carried in SSL, or do you not care? If you do care (and you should), architect your enterprise so you have visibility into what's happening. If you don't care, tell me so I can avoid doing business with you.

    As far as SSL is concerned, I consider inbound SSL a solved problem. Outbound SSL, as might be used for a command and control channel, is not solved -- unless you want to break SSL and teach users to accept a man-in-the-middle attack scenario. I worry about outbound SSL, not inbound.

    I had lunch with Joe Stewart, so in some sense I didn't really miss his talk. He was nice enough to share his thoughts with me on his next Sandnet and other projects.

    My talk happened at 1300. This means I missed Billy Hoffman release Jikto, so I plan to download his talk (and Joe's) when available. I was really pleased by the outcome. The room was totally filled and people were standing outside the room listening. Thanks to everyone who attended. I wish we had more time for questions, so feel free to leave a comment here or email if you have unanswered issues.

    After my talk I listened to Raven talk about backbone security. She is fuzzing key routing protocols (RIP, OSPF, EIGRP, BGP, etc.) by mainly attacking open source implementations. She just got a Cisco 2600 series router so IOS is her next target. If she is getting results doing this work in her spare time sitting in airports, you can only imagine what funded, dedicated teams are doing with budgets for equipment and manpower.

    I spent the next hour chatting with familiar faces in the area near the talks. Marty McKeay was there, along with Mike Rash, Jamie Butler, and Bret Padres and Ovie Carroll from the CyberSpeak Podcast. (Sorry I couldn't get back to you guys in time!)

    At 1600 I squeezed into Dan Kaminsky's talk. Before he started I had a chance to chat briefly with Mike Poor and Ed Skoudis from Intelguardians. Mike and Marc Sachs (who I saw independently) were not happy with my TCP options analysis. Oh well!

    I felt bad for Dan. The poor guy showed remarkable resolve trying to speak, despite an attendee who felt compelled to interrupt every fifth sentence. Dan had to dodge plenty of Shmoo balls while explaining slides with way too many words on them. I think Dan's research is way outside the realm of what most security people do, but probably perfect for a paper at USENIX.

    I stayed in the same room to listen to Josh Wright and Mike Kershaw talk about LORCON. As their Web page states: LORCON is "a generic library for injecting 802.11 frames, capable of injection via multiple driver frameworks, without forcing modification of the application code." Basically, if you write a wireless packet injector, you should use LORCON. Don't write something for a specific wireless driver -- let LORCON handle that for you. I was really impressed, especially since I had never seen Mike (author of Kismet) and Josh (lots of tools, cool research) in person. In addition to LORCON they mentioned this WiFi frame injection patch for Wireshark.

    When cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir talk was done I headed over to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Hack or Halo room. I set up my Hacom Lex Twister on a SPAN port (argh, yes, I forgot a tap) and captured cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 traffic from cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Hack contest. I monitored it live with Sguil, which was fun.

    Overall, I was again impressed by cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 organization and manpower demonstrated by ShmooCon. I was less impressed by cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 overall slate of talks, but I think cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 quality of attendees compensated for that. The first ShmooCon in 2005 attracted about 350 people. The second had about 800. This year nearly 1200 people attended. I was very thankful to attend and speak and I look forward to at least attending next year.

    Update: I forgot to ask -- if you liked my talk, please send feedback to feedback [at] shmoocon [dot] org. Thank you!

    Monday, March 19, 2007

    Bejtlich Teaching in Krakow, Poland at CONFidence 2007

I'm happy to announce I will be speaking on the Self-Defeating Network on Sunday 13 May 2007 in Krakow, Poland at CONFidence 2007. I am looking forward to speaking at a conference where no one else thinks my name is especially odd or difficult to pronounce! (Bejtlich is an Eastern European name with roots in present-day Poland, Germany, and probably the Czech Republic.) Please register while the lower rates are still in effect. Thank you.

    Wednesday, October 04, 2006

    Bejtlich in Australia in May 2007

I mentioned earlier that I was invited to speak at the AusCERT Asia Pacific Information Technology Security Conference in Gold Coast, Australia. The conference takes place Sunday 20 May - Friday 25 May 2007.

I accepted the invitation, and I will probably deliver a short presentation and a longer (half-day or day-long) tutorial. After AusCERT, I plan to teach one or two-day classes in Brisbane and/or Sydney. I will probably teach condensed versions of my training classes Network Security Operations and TCP/IP Weapons School.

As I develop the plans for all of these classes I will post details here and at TaoSecurity.com. If you would like me to keep you informed via email please write me: training [at] taosecurity [dot] com. Thank you.

    Tuesday, September 19, 2006

    Teaching Possibilities in Australia

I've been invited to speak at the AusCERT Asia Pacific Information Technology Security Conference in Gold Coast, Australia. The conference takes place Sunday 20 May - Friday 25 May 2007.

I haven't decided if I will accept yet. I'd like to know if any TaoSecurity Blog readers in Australia, New Zealand, or nearby areas would be interested in attending a two (or maybe more) day class either directly before or after my presentation date (which is unknown right now).

I would need a location to host the training, in exchange for which I would provide two free seats for the hosting organization.

Is anyone interested in attending and/or hosting such a class? Please email training [at] taosecurity.com. I have to accept or decline the AusCERT invitation next week.

I am open to suggestions regarding the location of the class (if the Gold Coast is too remote) and the content of the class (Network Security Operations, TCP/IP Weapons School, etc.). Sydney is a possibility since I will fly through SYD on my way to and from BNE. Thank you.

    Friday, September 08, 2006

    Bejtlich Returns for SANS CDI East 2006

It's been three years since I spoke at a SANS conference; I last presented at SANS NIAL in 2003. After some friendly discussions with SANS staff at the recent SANS Log Management Summit, we've arranged for me to present a special event for SANS Cyber Defense Initiative East -- a two evening course called Enterprise Network Instrumentation (ENI).

I developed ENI for a private client, but no public class has ever seen the material. I will be presenting ENI for two evenings, 14 and 15 December, 2006, from 6 to 9 pm at the Hilton Washington & Towers in Washington, DC.

ENI is all about solving the difficult problems associated with gaining access to network traffic. It seems every book (with a few exceptions) assumes it's easy to deploy sensors to observe packets. In reality, achieving visibility in modern networks can be extremely difficult. ENI will share recommendations and concrete solutions for the most taxing enterprise network instrumentation issues seen today.

    You can register for ENI immediately. The fees look reasonable -- especially if you're already attending a day track. Please let me know if you have any questions.

    Monday, August 21, 2006

    USENIX Conference Summaries

I've never been happy with any network security visualization tools, but I was pleased to learn of recent work in this area through the latest USENIX publications.

The Security Incident Fusion Tools (SIFT) Research Project at the National Center for Advanced Secure Systems Research (NCASSR) at the University of Illinois at Urbana Champaign (UIUC) looks interesting. USENIX also mentioned Netpy and Netviewer. (Note: updated after helpful blog comment -- thanks Chris.)

It sounds like Tom Limoncelli and I agree about security professionalization and engineers of record:

Tom then asked, "Are best practices the solution?" He made an analogy between electricians versus electrical engineers: a construction project stops rather than do something "not up to code." He claimed that what's missing from this analogy in IT is an inspector who signs off on a project.

    I liked seeing more references to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 outside world in Brent Chapman's talk about Incident Command for IT.

    I also heard of alternatives to Cfengine, namely Bcfg2 and Puppet.

    Finally, I enjoyed learning from descriptions of a talk by Akamai's personnel:

    The focus of this paper is not on CDN but on Akamai's experience in its seven-year experiment: in particular, keeping its distributed system running using Recovery Oriented Computing [ROC].

In a single day, it is not unusual to lose servers, racks of servers, and even several data centers. The base assumption is that there will be a significant and constantly changing number of component or other failures occurring at all times in the network.

The development philosophy is that their software must continue to work seamlessly despite numerous failures.


    ROC sounds like acceptance that failure is inevitable, so plan for it.

    Saturday, July 22, 2006

    SANS Log Management Summit

Last week I paid for and attended the SANS Log Management Summit. I'd like to share a few thoughts about what I saw. First, I think Alan Paller did a great job as host. He kept the presentations moving and unflinchingly kept to his schedule. Talks started at 8 am, period. I thought his "yellow card" system for questions worked very well. (If you wanted to ask a question, you wrote it on a yellow card. SANS staff collected the cards then handed them to the speaker or Alan, who answered the question.) The system prevented the "speeches" one usually sees in large crowds with open microphones.

Alan started the conference by presenting his "faces of cybercrime" presentation, based on his testimony (.pdf) in late 2005. He reminded the audience of the advice to learn hacking given by soon-to-be-executed Bali bomber Imam Samudra. Alan claimed at least one organized crime group has moved two hackers to Africa and forced them to compromise targets "20 hours per day, 7 days per week," "for food." He reminded us of China's military doctrine of asymmetric warfare and repeated his earlier statements about Titan Rain.

    With regard to new information, Alan named three ways to help fight back against cybercriminals.

    1. Respond faster.

    2. Change metrics.

    3. Shift some responsibility to suppliers and integrators.


I like this approach. For a few years Alan was beating the drum for #3, and for the last year he's been working #2. I like #1 a lot, since I am an incident responder.

With regard to metrics, Alan likes the term "attack-based metrics," and uses phrases like "measuring what we need to do," "how are we being compromised," and "how can we defend ourselves." He noted the Air Force is "lead" for this approach. Alan said measuring report writing (e.g., FISMA) is a waste of time. Some example metrics he noted were:

    • Can an incident of successful spear phishing be detected in 30 minutes or less?

    • What percentage of employees fall victim to a spear phishing test?


Alan mentioned using privileged user monitoring as a means to counter insiders, although he also said "The insider threat is baloney," until an outsider becomes an insider. Alan concluded his talk by sounding optimistic about SCADA procurement standards. I have no dog in that fight, but I recommend reading Dale Peterson's SCADA Blog for all things SCADA.

Lawyer Ben Wright spoke next about log management and legal issues. I really wanted to see this talk. Ben said logs can indicate control, thereby preventing claims of negligence and offering evidence to resolve disputes. His most interesting point was that records of log review are more important than the logs themselves. In other words, in the legal eye, it's better to make a note every time you review your logs than it is to retain those logs. Email is far more important to retain, since firms are fined millions for failing to keep email.

Ben noted that HIPAA Security Rule 45 CFR 164.308(a)(1)(ii)(D) mentions logs, as does NIST SP 800-66 and the PCI Standard of January 2005, part 10.6. However, review of logs, not retention of logs, is critical. Ben explained negligence law, where the standard is "reasonableness." He said that if a company writes a policy stating "We will do X," and they fail to perform X, it's easy for a jury to find the company negligent. That means lawyers will recommend companies write policies saying "We may do X." The audience had a hard time handling that idea, since it's a lawyer's point of view and not that of an auditor or security person.

    Ben provided three suggestions regarding log management.

    1. Policy should stress preferences, not statements saying "We will do X."

2. Keep records of the fact you reviewed logs.

3. Only a company's full audit committee should know about all monitoring methods -- neither employees nor the CEO should know what is watched or stored.


Ben liked promoting "mystery" in the workplace to keep people on the straight and narrow. It sounds like a great deterrence tool, but a little draconian for me.

Next followed the first of several presentations by users of vendor log management solutions. Here I should mention that companies formally represented at the Summit were Arcsight, Network Intelligence, LogLogic, Prism Microsystems, and SenSage. Yes, that's it -- no Tenable or other big players. More importantly, the vendors chose all of the customers who presented their product experiences. Not surprisingly, all gave glowing opinions. This was really disappointing. The only opposing point of view came from Stephen Northcutt at the Summit's end, who reported a majority of log management users are dissatisfied with their solutions! Although TriGeo did not speak on any panels, some customers reported using their product.

I won't mention individual user reports by name, since most weren't that helpful. Here's a clue that they lacked the detail I (and other attendees) expected: when Alan has to ask, at the end of a presentation, "So what product do you use?", you know the briefer didn't share the details that attendees wanted to hear.

Here are a few data points though, collected from all of the customer reports and hence out-of-order chronologically. Chad Mead from JPMorgan Chase said his shop, with 210,000 desktops, 40,000 servers, 400 NIDS, 900 firewalls, 81 mainframe LPARs, and over 1 million network ports, produces over 150,000 events per second. He operates two security management centers with five people operating the log management solution and 65 analyzing logs. Wow, that's what I like to hear! His security team owns the logging infrastructure, and the device owners own the log feeds. This was a common refrain.

Mark Olsen from CareGroup Healthcare System said all emergency room records are transmitted electronically "to Atlanta," by which I guess he meant to the CDC. This is a measure to identify Bird Flu outbreaks. That sounds like something from the X-Files. He also said that while HIPAA enforcement actions thus far have been few and far between ("19,000 violations in 2005, 7 selected for prosecution"), expect that to change in 2007.

Chris Calabrese said a word about the Security Issues in Network Event Logging (syslog) IETF working group. Mike Poor said his company deploys LaBrea Tar Pits on Soekris boxes inside companies to watch for unexpected traffic. Jay Leak from Nokia justified his log management project by realizing the waste caused by his company making over 1,000 requests for log data each year, with each request taking over 4 hours and half of those never being resolved. Keith Fricke said "IPS is completely misnamed." He uses his IPS to block outbound malicious traffic from compromised internal systems! What's misnamed about that -- he's trying to "prevent" someone else from being compromised.

Chris Brenton and Mike Poor next unveiled the SANS Top 5 Essential Log Reports (.pdf). This appears to have gotten zero news coverage, which I don't understand. Here they are, meaning what you should look for while reviewing logs:

    1. Attempts to Gain Access through Existing Accounts

    2. Failed File or Resource Access Attempts

    3. Unauthorized Changes to Users, Groups and Services

    4. Systems Most Vulnerable to Attack

    5. Suspicious or Unauthorized Network Traffic Patterns


I found it funny that I wrote a whole book (Extrusion Detection) about #5, but the term "extrusion detection" isn't mentioned in the SANS .pdf. They did mention the LogAnalysis.org mailing list, which I should probably start reading.

The end of day one concluded with a "vendor shoot-out," where the five vendors I named earlier made pitches and argued with each other. It seemed more hostile than the Real World Intrusion Detection Workshop I attended four years ago with Bamm Visscher, right before I left Ball Aerospace to join Foundstone (sorry Bamm!).

I liked that LogLogic's Anton Chuvakin (I know you're reading) prefers to collect everything from a log source and let the centralized solution handle presenting useful information. He said "you never know what might be important," which is the foundation for my NSM approach. During a nice "lunch and learn" Anton also said the biggest obstacle to building one's own log management solution is keeping pace with changing log formats. I had never imagined that problem.

One really astute question-asker wondered why three vendors showed Lehman Brothers as a client on each of their presentations. Each vendor stated their case, with Network Intelligence saying their product did the real log collecting, after which it forwarded a feed to ArcSight.

Day two started with Mike Poor discussing network early warning systems (NEWS). He said the famous Dutch botnet wasn't 1.5 million victims strong -- it was more like 5.1+ million systems. Wow. Mike reminded us of the Dabber worm which attacked Sasser victims. He said Dshield collects logs from 40,000 sensors watching 500,000 IPs. Mike spent some time discussing DNS cache poisoning and SANS' role.

By now you might be wondering, "where is the news on NEWS?" (Oh, too funny.) To be honest, I didn't hear much of anything new. In fact, there wasn't much "early warning" to speak of. If you deploy the systems Mike mentioned in his talk, you aren't learning of an attack before it happens -- you're learning afterwards. I suppose if you are at the front of the victim list and you share what you know, you're the NEWS for others! Mike did name the Chinese Honeynet Project as the source of some interesting tools. I might try those.

I've already noted the parts of the second day worth repeating, so that ends day 2.

Day 3 consisted of classes by Randy Franklin Smith on Windows Event Logs and Chris Brenton on building your own solution. In short, Randy is a Windows EVL guru and Chris is a great instructor. These two classes probably saved the entire three days for me, since they at least had some of the detail I expected from the previous two days. Randy's class really emphasized that understanding Windows EVL is an art in itself. It takes a lot of work to make sense of them. Randy said the appointment of Eric Fitzgerald as a sort of Windows EVL czar will help unify the system, at the expense of changing everything once Vista appears. Chris reminded me to try programs like Simple Event Correlator, Privateye, and Syslog NG.

Overall, I think I got my money's worth from the Summit. I do not do log management as a primary task, so I was exposed to a whole new world of challenges. I met some interesting people and I got to attend the CDX briefing and Vendor Expo. Both yielded contacts that might result in future blog posts.

I predict that three years from now people will still be disgusted with their log management and security incident management "solutions," and will be looking for "the next big thing." It's already happened with firewalls, IDS, IPS, and now LM/SIM.

What did you think of the Summit?
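Two of those five reports are easy to turn into concrete review logic, which is the part the SANS list leaves to the reader. The following is an added example, not code from the original post or from SANS: it runs Report 1 (access attempts against existing accounts: a burst of failures followed by a success from the same source) and Report 3 (user and group changes outside an approved change window) over a handful of constructed syslog lines whose format is modeled on OpenSSH and shadow-utils output. The failure threshold, the five-minute window, the 09:00-17:00 change window, and the sample hosts and addresses are all assumptions made for the example.

```python
"""Detection logic for SANS Top 5 Log Reports #1 and #3 over constructed syslog lines.
Added example; thresholds and sample data are assumptions, not SANS guidance."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not real logs), modeled on OpenSSH and shadow-utils syslog output.
SAMPLE_LOG = """\
Jul 20 03:14:01 web1 sshd[2211]: Failed password for alice from 203.0.113.9 port 51022 ssh2
Jul 20 03:14:03 web1 sshd[2211]: Failed password for alice from 203.0.113.9 port 51023 ssh2
Jul 20 03:14:05 web1 sshd[2211]: Failed password for alice from 203.0.113.9 port 51024 ssh2
Jul 20 03:14:07 web1 sshd[2211]: Failed password for alice from 203.0.113.9 port 51025 ssh2
Jul 20 03:14:09 web1 sshd[2211]: Accepted password for alice from 203.0.113.9 port 51026 ssh2
Jul 20 03:15:01 web1 usermod[2300]: add 'alice' to group 'sudo'
Jul 20 03:20:00 web1 sshd[2400]: Failed password for invalid user admin from 192.0.2.5 port 33001 ssh2
Jul 20 09:02:11 web1 sshd[2500]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Jul 20 09:02:40 web1 sshd[2501]: Accepted publickey for bob from 198.51.100.7 port 40002 ssh2
Jul 20 14:30:00 web1 groupadd[2700]: new group: name=backup, GID=1005
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
AUTH_RE = re.compile(
    r"^(?P<result>Failed|Accepted) (?P<method>\w+) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)
GROUP_ADD_RE = re.compile(r"^add '(?P<user>[^']+)' to group '(?P<group>[^']+)'")
NEW_GROUP_RE = re.compile(r"^new group: name=(?P<group>[^,]+), GID=(?P<gid>\d+)")

YEAR = 2006  # classic syslog timestamps carry no year; assumed for the sample


def parse(line):
    """Split one syslog line into timestamp, host, program, pid and message."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{YEAR} {rec['ts']}", "%Y %b %d %H:%M:%S")
    return rec


def report1_existing_account_attacks(records, threshold=3, window_s=300):
    """Report 1: >= threshold failures for an existing account from one source,
    followed by a success from that same source within window_s seconds.
    Failures for non-existent accounts are ignored: they are noise here, not
    attempts against existing accounts."""
    failures = defaultdict(list)  # (user, src) -> failure timestamps
    hits = []
    for rec in records:
        if rec["prog"] != "sshd":
            continue
        m = AUTH_RE.match(rec["msg"])
        if not m or m["invalid"]:
            continue
        key = (m["user"], m["src"])
        if m["result"] == "Failed":
            failures[key].append(rec["ts"])
            continue
        recent = [t for t in failures[key] if (rec["ts"] - t).total_seconds() <= window_s]
        if len(recent) >= threshold:
            hits.append({"user": m["user"], "src": m["src"],
                         "failures": len(recent), "success_at": rec["ts"]})
        failures[key].clear()  # a success resets the counter for that pair
    return hits


def report3_account_changes(records, approved_hours=(9, 17)):
    """Report 3: user/group changes made outside the approved change window."""
    hits = []
    for rec in records:
        change = None
        if rec["prog"] == "usermod" and (m := GROUP_ADD_RE.match(rec["msg"])):
            change = f"user {m['user']} added to group {m['group']}"
        elif rec["prog"] == "groupadd" and (m := NEW_GROUP_RE.match(rec["msg"])):
            change = f"group {m['group']} created (gid {m['gid']})"
        if change and not (approved_hours[0] <= rec["ts"].hour < approved_hours[1]):
            hits.append({"at": rec["ts"], "change": change})
    return hits


def run(log_text=SAMPLE_LOG):
    """Parse the log text and return the findings for both reports."""
    records = [r for r in (parse(line) for line in log_text.splitlines()) if r]
    return {"report1": report1_existing_account_attacks(records),
            "report3": report3_account_changes(records)}


if __name__ == "__main__":
    for name, hits in run().items():
        print(name)
        for hit in hits:
            print("  ", hit)
```

On the sample, Report 1 flags alice (four failures, then a success, from one address) and stays quiet about bob, whose single failure is below the threshold, and about the "invalid user admin" noise. Report 3 flags the 03:15 addition of alice to the sudo group and ignores the 14:30 group creation inside the change window. Pairing the two findings, a brute-forced account followed minutes later by a privilege change, is exactly the kind of correlation a log review should surface and a SIM should do for you.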

    Saturday, July 15, 2006

    More Notes from TechnoSecurity 2006

    I found anocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r page of notes I took at Techno Security 2006. These were from Marcus Ranum's talk, and I listen to Marcus. He observed that small vendors tend to sell products designed for sophisticated users, because large companies tend to sell products for unsophisticated users. Which market is bigger? The unsophisticates vastly outnumber cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 sophisticates. Therefore, start-ups usually chase a very small market and tend to be weak.

    Marcus said "security ROI is dead" and "legislation has made security a cost." He predicted "we will be competing with legal for money (or working for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m) in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 next five to ten years." To hammer cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 point Marcus cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365n said "cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re never was a security ROI." Amen.

    For a way forward, Marcus offered two paths. Path A sees multi-level security rising from cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 ashes. Marcus claimed this is not likely, although papers like The Path to Multi-Level Security in Red Hat Enterprise Linux (.pdf) might beg to differ.

    Path B involves cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 death of general purpose computing. Everyone will own appliances, perhaps even disposable ones like cell phones. All data will be on a backend somewhere. It's a return to mainframe computing that reverses what Marcus called cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 "Satanic bargain" of general purpose computing. What's cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 bargain that was made in order to rid cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 world of mainframes? "Everyone becomes a system administrator." Clearly that has not worked. Marcus said "distributed data equals distributed vulnerability," and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 recent public laptop cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365fts make that clear.

    Marcus told his audience to watch for a day when cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y can no longer buy software. Instead, people will rent and lease "capabilities," not applications. We're already doing this with anti-virus, intrusion detection and layer 7 firewalls, etc. What's next?

    Comments on SANS CDX Briefing

    One of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 benefits of paying for this week's SANS Log Management Summit was attending a briefing last week on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 latest Cyber Defense Exercise conducted by cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 NSA. SANS organized a panel with a USAFA cadet, a USNA midshipman, a USMA-grad Army 2LT, and several NSA or ex-NSA representatives, along with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir boss, Tony Sager. Although I've known of CDX for several years, this was my first real insight to how cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se exercises are conducted.

    The NSA organizer, or "white cell leader," is Bruce Rogers. He explained that competitions can be conducted eicá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r as capture-cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365-flag style events or purely defensive affairs. CDX is purely defensive. When I asked Mr. Rogers if he had spoken to any organizers of ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r cyber competitions, like those of Def Con or ShmooCon, he said no. Mr. Rogers has 20 white controllers overseeing cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 exercise, which includes 6 targets (cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 six defending teams -- USAFA, USNA, USMA, USMMA, AFIT, and NPS).

    The attackers are split into two groups. The first group consists of "tainters". These are 13 NSA personnel, which included one high school-age intern and one college-age intern. The tainters spent about 80 man-hours building and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365n misconfiguring, rootkitting, and ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365rwise tampering with virtual machines delivered to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 CDX participants. The participants had two weeks to analyze cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se VMs for vulnerabilities and exploitation, after which cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y had to activate and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365n defend cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m. These compromised servers are supposed to be similar to "host nation machines" that military personnel might find cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365mselves operating.

    I was initially shocked by this news. Who in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir right mind would trust host nation equipment for sensitive operations? Wouldn't it be best to rip everything out and start fresh with clean, trusted media? After some thought, I decided that this tainting phase was more realistic than I initially believed. Unless one joins a very small company, no new security or IT employee is ever allowed to begin work at a new job by rebuilding all infrastructure. When you join a new company, you're stuck with all of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 garbage cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y give you.

    The second group of attackers is the traditional red team. This group consists of real red teams from across the services, such as the USAF 92nd Information Warfare Aggressor Squadron. The red team hammered the 6 target networks for 4 straight days. The target networks were hosted on live network links at the respective schools and were connected back to NSA via VPN. No simulated non-malicious traffic was carried to or from the target networks. Everything on the wire was considered malicious since the red team was creating it. This is highly unrealistic, but partially driven by the bandwidth available to some of the teams. At least one hosted their target network on an ISDN line.

    Each of the military participants said a few words about their teams and experiences. Three themes stood out. First, the team size varied widely. USAFA's team had 9 people. USMA's team had 35-40. (USAFA won.) Second, most of the teams admitted having little or no security training. I was amazed. Who signs up for a hack-fest without having security experience? Third, the networks designed by each of the teams varied widely. USAFA emphasized simplicity. USNA concentrated upon prevention, and never regained control once their servers were compromised. ("Prevention eventually fails." -- Tao) USMA's network was exceedingly complex, but they tried to watch outbound traffic for signs of compromise (e.g., extrusion detection). No team was allowed to block traffic from malicious IPs.

    All of the target networks ended up being 0wn3d. USAFA didn't notice a rogue Apache module that resulted in a Web site defacement. USMA missed a default password on their router and lost control of it. The red team said that the best team only found 15% of the vulnerabilities created by the "tainters." Wow. By the way, the tainters did not tell the red team what they did to the VMs. The tainters dropped some clues as the exercise progressed, but the red team mostly used standard penetration techniques.

    These were the lessons learned from the 2006 CDX.

    Top 9 Exploited Vulnerabilities

    1. Microsoft Windows LSASS Buffer Overflow Vulnerability

    2. Microsoft DCOM

    3. LM Hash versus NTLM Authentication Protocol

    4. Use of Weak Passwords

    5. Use of the same password on Multiple Systems

    6. Microsoft Windows Default Administrative Shares

    7. Rich Text Format / HTML Email

    8. Access to System Executables

    9. Use of Unnecessary Services / Accounts
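    Items 3, 4 and 5 above can be checked together from a password hash dump. What follows is an added example, not code from the original post or from CDX: a Python triage of pwdump-format lines (user:rid:lmhash:nthash:::) that flags accounts with an LM hash stored at all, passwords of seven characters or fewer (the second LM half is then the well-known empty-block constant), an empty NT hash, and NT hashes shared across accounts. The dump lines are constructed, and every hash except the two well-known constants is a placeholder.

```python
"""Triage a pwdump-style hash dump for the LM, weak-password and
password-reuse findings in the list above.

This is an added example, not code from the original post or from CDX.
The dump lines are constructed and the NT hash values are placeholders;
only the two constants below are real values.
"""
from collections import defaultdict

# LM pads the uppercased password with nulls to 14 bytes and DES-encrypts a
# fixed constant under each 7-byte half. An all-null half always yields this
# value, so it appears as the second half of any password of 7 characters or
# fewer; two copies mean "no LM hash stored", which a hardened system shows.
LM_EMPTY_HALF = "aad3b435b51404ee"
LM_DISABLED = LM_EMPTY_HALF * 2
# NT hash (MD4 over the UTF-16LE password) of the empty password.
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"


def parse_pwdump(line):
    """Split 'user:rid:lmhash:nthash:::' into (user, rid, lm, nt)."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError("not a pwdump record: %r" % line)
    user, rid, lm, nt = parts[:4]
    return user, int(rid), lm.lower(), nt.lower()


def lm_findings(lm):
    """Findings that follow from the LM hash alone."""
    findings = []
    if lm == LM_DISABLED:
        return findings            # LM storage disabled: nothing to report
    # The two halves crack independently, so any stored LM hash is a finding.
    findings.append("lm-hash-stored")
    if lm.endswith(LM_EMPTY_HALF):
        findings.append("password-7-chars-or-less")
    return findings


def triage(lines):
    """Map each account to its findings; a shared NT hash means a shared password."""
    records = [parse_pwdump(l) for l in lines
               if l.strip() and not l.startswith("#")]
    users_by_nt = defaultdict(set)
    for user, _rid, _lm, nt in records:
        users_by_nt[nt].add(user)
    report = {}
    for user, _rid, lm, nt in records:
        findings = lm_findings(lm)
        if nt == NT_EMPTY:
            findings.append("empty-password")
        others = sorted(users_by_nt[nt] - {user})
        if others:
            findings.append("password-shared-with:" + ",".join(others))
        report[user] = findings
    return report


# Constructed dump. Hash strings other than the two constants are made up.
SAMPLE_DUMP = [
    "# user:rid:lmhash:nthash:::",
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:"
    "0123456789abcdef0123456789abcdef:::",
    "svc_backup:1001:1122334455667788aad3b435b51404ee:"
    "0123456789abcdef0123456789abcdef:::",
    "web_admin:1002:1122334455667788aabbccddeeff0011:"
    "fedcba9876543210fedcba9876543210:::",
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:"
    "31d6cfe0d16ae931b73c59d7e0c089c0:::",
]

if __name__ == "__main__":
    for user, findings in triage(SAMPLE_DUMP).items():
        print("%-14s %s" % (user, ", ".join(findings) or "ok"))
```

    Concatenating dumps from several hosts (prefixing each account with its hostname first) turns the shared-hash check into the cross-system reuse check of item 5. The fix for item 3 is the security policy setting "Network security: Do not store LAN Manager hash value on next password change", which produces the doubled aad3b435b51404ee value the script treats as clean once passwords are rotated.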



    Student Best Practices

    1. Know the Network and Keep it Simple: Each additional device is another avenue of attack. The entire team must understand the network. Troubleshooting is easier with a simple design.

    2. Deny by Default Policy: Only allow what is absolutely necessary. It's easier than blocking known bads.

    3. Remove Unnecessary Services, Software, and User Accounts: What is the role of the computer? Remove unnecessary software completely.

    4. Plan for Contingencies: All networks will eventually have a problem.
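    The "deny by default" practice above and USMA's habit of watching outbound traffic for signs of compromise fit together naturally: an egress allowlist says what each server is permitted to talk to, and any outbound flow the allowlist cannot explain is worth a look. The following is an added example, not part of the original post or of CDX, showing that check in Python over constructed flow records. The network, hosts and policy entries are hypothetical.

```python
"""Deny-by-default egress policy checked against constructed flow records.

Added example, not from the original post or from CDX. It joins two of the
points above: allow only what a host needs, then treat any outbound flow the
allowlist cannot explain as a possible sign of compromise (extrusion
detection) rather than trying to enumerate bad destinations.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical defended network.
INTERNAL = ipaddress.ip_network("10.10.0.0/16")

# Hypothetical policy: (source host, destination network, protocol, port).
# Anything not matched here is a violation; that is the deny-by-default part.
EGRESS_ALLOW = [
    ("10.10.1.10", "10.10.0.53/32", "udp", 53),    # web server -> internal DNS
    ("10.10.1.10", "10.10.0.123/32", "udp", 123),  # web server -> internal NTP
    ("10.10.1.20", "10.10.0.53/32", "udp", 53),    # mail relay -> internal DNS
    ("10.10.1.20", "0.0.0.0/0", "tcp", 25),        # mail relay delivers SMTP anywhere
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    bytes_out: int


def parse_flow(line):
    """Parse a constructed 'src dst proto dport bytes' record."""
    src, dst, proto, dport, nbytes = line.split()
    return Flow(src, dst, proto.lower(), int(dport), int(nbytes))


def is_allowed(flow, policy=EGRESS_ALLOW):
    """True if some allowlist entry explains this outbound flow."""
    dst = ipaddress.ip_address(flow.dst)
    return any(
        flow.src == src and flow.proto == proto and flow.dport == port
        and dst in ipaddress.ip_network(net)
        for src, net, proto, port in policy
    )


def find_violations(lines, policy=EGRESS_ALLOW):
    """Return flows sourced inside INTERNAL that the policy does not allow."""
    violations = []
    for line in lines:
        flow = parse_flow(line)
        if ipaddress.ip_address(flow.src) not in INTERNAL:
            continue  # inbound or transit traffic; egress policy does not apply
        if not is_allowed(flow, policy):
            violations.append(flow)
    return violations


# Constructed flow records: src dst proto dport bytes.
SAMPLE_FLOWS = [
    "10.10.1.10 10.10.0.53 udp 53 120",        # allowed: DNS
    "10.10.1.10 10.10.0.123 udp 123 76",       # allowed: NTP
    "10.10.1.20 198.51.100.7 tcp 25 4096",     # allowed: outbound SMTP
    "10.10.1.10 203.0.113.45 tcp 6667 1500",   # web server talking to an IRC port
    "10.10.1.10 203.0.113.45 tcp 443 900000",  # web server pushing 900 KB out over HTTPS
    "10.10.1.20 10.10.0.53 tcp 53 300",        # DNS over TCP, not in policy
    "203.0.113.9 10.10.1.10 tcp 80 500",       # inbound request; ignored here
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print("egress violation: %s -> %s %s/%d (%d bytes)"
              % (v.src, v.dst, v.proto, v.dport, v.bytes_out))
```

    Because the exercise forbade blocking, the policy here is used to detect rather than to filter, which is also how an allowlist can be introduced on a production network before it is enforced: run it in report-only mode until the false positives are understood.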


    Finally, two of the panel members (I remember USAFA cadet Michael Tanner told this story) participated in CDX and the National Collegiate Cyber Defense Competition. Rob Lemos wrote about it for SecurityFocus. Cadet Tanner said the national CDX was completely different from the military CDX. The military CDX allowed participants to protect and host their VMs using a variety of technologies. USAFA used mainly OpenBSD. AFIT used all Windows. Other groups used other technologies. At the national CDX, participants were given a ton of commercial equipment (all from sponsors, no doubt) and then found themselves hacked to pieces five minutes into the exercise. Apparently they were given no opportunity to do anything with the equipment prior to the exercise starting?

    Overall, I found the session to be extremely informative. I'd like to thank Alan Paller from SANS for organizing this event and I appreciate the participants sharing their experiences. If you want more details, I found some papers on both exercises posted at The Colloquium for Information Systems Security Education.

    Tuesday, June 06, 2006

    Notes from Techno Security 2006

    Today I spoke at three Techno Security 2006 events. I started the day discussing enterprise network instrumentation basic and advanced topics. I ended the day on a panel discussion with Russ Rogers, Marcus Ranum, and Johnny Long, moderated by Ron Gula. My wife and daughter and I also shared lunch with Kevin Mandia and Julie Darmstadt, both of whom I worked with at Foundstone.

    This was my second Techno Security conference. I want to record a few thoughts from this conference, especially after hearing Marcus speak yesterday and after joining today's panel discussion.

    Yesterday Marcus noted that the security industry is just like the diet industry. People who want to lose weight know they should eat less, eat good food, and exercise regularly. Instead, they constantly seek the latest dieting fad, pill, plan, or program -- and wonder why they don't get the results they want!

    Marcus spent some time discussing money spent on security. He says we are "spending rocket science dollars but getting faith healer results." He quoted a March 2005 document by Peter Kuper (.pdf) analyzing the security vendor scene. Kuper claims that the 700 companies estimated to exist in 2005 will compete for $16 billion in revenues in 2008. That's an average of $22,857,143 per company -- not enough to sustain most players. When the three "big boys" -- Symantec, Cisco, and McAfee -- are removed, that leaves only $11.5 billion for the remaining 697 companies, or only $16,499,283 per company; that's even worse. Kuper and Marcus believe all security companies are going to end up being owned by Symantec, Cisco, McAfee, or Microsoft, or will go out of business.

    Finally, I've been following the SecurityMetrics.org mailing list thread caused by Donn Parker's article and my blog posts. I've discussed the risk equation both in this blog and in my books, so you may wonder why I even mention it if I feel that measuring risk is basically worthless? The answer is simple. The risk equation is like the OSI model. In practical applications, both are worthless. No one runs OSI protocols, but everyone talks about "layer 3," "layer 4," and so on. So, the terms are helpful, but the implementation fails.

    (By implementation, I mean no one runs OSI protocols like CLNP. IS-IS might be an exception, although exceptionally rare.) [Note to self: prepare for deluge of posts saying "We run IS-IS!", even though I've never seen it.]

    Monday, February 20, 2006

    This is part 4 of my RSA Conference 2006 wrap-up. I started with part 1. I'm writing this in Brussels, Belgium, where I'm teaching my Network Security Operations class to a private group.

    I started my final day of RSA presentations last Thursday by wasting over an hour with Peiter "Mudge" Zatko. I should have walked out during the first fifteen minutes, but my respect for his previous work kept me in my chair. That was a huge mistake. In a haze Mudge rambled (for a quarter of his allotted time) about "The Aristocrat's Joke" while pleading with the audio guy to disable the recording of his talk. Eventually he half-turned his attention to his slides, and struggled to make the point that internal intruders don't launch exploits when they can simply browse sensitive information using native file sharing options. He was also really excited by a paper Vern Paxson published in 2000 about detecting stepping stones, and we heard other historical tidbits of no real significance.

    I saw Mudge present to the AFIWC eight years ago, when he had something intelligent to add to the security discourse. Those of us who suffered through his "presentation" last Thursday should get a refund for that talk. It was unprofessional, uninformative, and in many ways plain sad, in vast contrast to the great presentation by fellow ex-L0pht member Chris Wysopal. Am I bitter? Sure, I had high expectations, and I missed listening to other speakers in the same time slot.

    The RSA conference redeemed itself when I attended a presentation by Peter Woods from Microsoft. He described the new User Account Control architecture in Windows Vista. (UAC has its own blog too!) In a nutshell, UAC means everyone runs as a Standard User -- even administrators. If a user with administrator powers logs on, he or she operates with a "filtered token." When an action requires administrative powers, it will be displayed with a "shield" icon, as seen in the image above. Peter described a variety of security features in Windows Vista, many of which will be familiar to Unix users of sudo and programs implementing privilege separation. I was a little worried when Peter described Microsoft's Assistive Technology (AT) features. These are designed to help people who cannot use a mouse and keyboard. Microsoft is trying to ensure that the same techniques that help an AT user cannot be used by malware to install itself without the user's consent.

    Peter briefly discussed Internet Explorer 7, which he said runs in a protected mode that is at a lower trust level than the desktop. He mentioned Software Restriction Policies (not new).

    Overall I was very impressed by Peter's presentation. Microsoft seems to be getting its act together. (I personally plan to buy a new laptop late this year once Vista is available. Of course I will dual-boot with FreeBSD!) Call me naive, but I believe (and have heard from exploit developers) that it is getting more difficult to find vulnerabilities in the Windows OS. I will be curious to see the results of the latest iDefense program. Based on work I've seen by eEye and others, intruders are going to spend more time on the low-hanging fruit of poorly coded embedded devices like SOHO routers and related gear. They will also continue to target applications as the OS becomes more resilient.

    I finished Thursday with John Pearce, a consultant with Booz Allen Hamilton. He presented his impressions of IPv6, including an overview of tunneling methods and packet captures. John reinforced that I have a lot of learning to do, like being able to instantly recognize certain prefixes. I also need to see if my preferred session tools will notice IP Protocol 41, used for carrying IPv6 inside IPv4. IP Protocol 47 (GRE) is another option to check. John made the interesting point that even after IPv6 is widely adopted, "there's a fairly good chance that IPv4 will never go away." John recommended we read Sean Convery's paper on IPv6 security.
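    The check described above, written out as an added example (not from the original post or from John Pearce's talk): a Python sketch that takes raw IPv4 packets, flags protocol 41 (IPv6 in IPv4) and IPv6 carried inside GRE (protocol 47), decodes the inner IPv6 header, and labels the inner addresses by well-known prefix, including the 6to4 and Teredo ranges that tunnel traffic tends to use. The packets are constructed in memory with zero checksums, and the prefix table is a small selection rather than the full special-purpose registry.

```python
"""Spot IPv6 carried inside IPv4 (protocol 41) or inside GRE (protocol 47)
and label the inner addresses by well-known prefix. Added example, not from
the original post or John Pearce's talk; packets are constructed in memory
with zero checksums, and the prefix table covers only common ranges."""
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41   # RFC 4213 configured tunnels and 6to4
PROTO_GRE = 47            # RFC 2784
ETHERTYPE_IPV6 = 0x86DD   # GRE protocol type for an IPv6 payload

# Prefixes worth recognising on sight; none of these overlap.
PREFIXES = [
    ("documentation", "2001:db8::/32"), ("teredo", "2001::/32"),
    ("6to4", "2002::/16"), ("ipv4-mapped", "::ffff:0:0/96"),
    ("link-local", "fe80::/10"), ("unique-local", "fc00::/7"),
    ("multicast", "ff00::/8"), ("loopback", "::1/128"),
]

def classify_v6(addr):
    a = ipaddress.IPv6Address(addr)
    for name, net in PREFIXES:
        if a in ipaddress.IPv6Network(net):
            return name
    return "global"

def parse_ipv4(pkt):
    """Return (protocol, src, dst, payload) from a raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return pkt[9], src, dst, pkt[ihl:]

def parse_ipv6_header(data):
    """Decode the fixed 40-byte IPv6 header."""
    if len(data) < 40 or data[0] >> 4 != 6:
        raise ValueError("not IPv6")
    return {"src": str(ipaddress.IPv6Address(data[8:24])),
            "dst": str(ipaddress.IPv6Address(data[24:40])),
            "next_header": data[6]}

def parse_gre(data):
    """Return (protocol type, payload); C, K and S flags each add a 4-byte field."""
    flags, ptype = struct.unpack("!HH", data[:4])
    offset = 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    return ptype, data[offset:]

def inspect(pkt):
    """Summarise one IPv4 packet: plain, 6in4, GRE-carried IPv6, or other GRE."""
    proto, src, dst, payload = parse_ipv4(pkt)
    result = {"outer_src": src, "outer_dst": dst, "proto": proto, "tunnel": None}
    if proto == PROTO_IPV6_IN_IPV4:
        result["tunnel"], inner = "6in4", parse_ipv6_header(payload)
    elif proto == PROTO_GRE:
        ptype, gre_payload = parse_gre(payload)
        result["gre_protocol_type"] = ptype
        if ptype != ETHERTYPE_IPV6:
            result["tunnel"] = "gre-other"
            return result
        result["tunnel"], inner = "gre-ipv6", parse_ipv6_header(gre_payload)
    else:
        return result
    result["inner"] = inner
    result["inner_src_type"] = classify_v6(inner["src"])
    result["inner_dst_type"] = classify_v6(inner["dst"])
    return result

def build_ipv4(proto, src, dst, payload):
    """Constructed IPv4 packet; header checksum left at zero."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def build_ipv6(src, dst, next_header=59):
    """Constructed IPv6 header with no payload; 59 = no next header."""
    return struct.pack("!IHBB16s16s", 0x60000000, 0, next_header, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)

SAMPLES = {
    # 6to4: 192.0.2.10 embeds as 2002:c000:020a::/48, sent to the 6to4 relay anycast
    "6to4": build_ipv4(PROTO_IPV6_IN_IPV4, "192.0.2.10", "192.88.99.1",
                       build_ipv6("2002:c000:020a::1", "2001:db8::1")),
    # GRE with the K flag and key 42, carrying link-local -> all-nodes multicast
    "gre": build_ipv4(PROTO_GRE, "198.51.100.1", "198.51.100.2",
                      struct.pack("!HHI", 0x2000, ETHERTYPE_IPV6, 42)
                      + build_ipv6("fe80::1", "ff02::1")),
    "tcp": build_ipv4(6, "192.0.2.10", "198.51.100.7", b"\x00" * 20),  # for contrast
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, inspect(pkt))
```

    A session tool that keys only on TCP and UDP ports will record the 6to4 packet as "protocol 41, no ports" and the GRE packet as "protocol 47, no ports", so the inner conversation never appears in its session table; decoding one layer further, as above, is what makes the tunnelled endpoints visible.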

    Overall I enjoyed the RSA conference, but I will probably not attend again. I may attend if I am accepted to speak there. As a paying customer, I can't justify the price for the number of presentations available. I do not consider the morning keynotes to be worthwhile, and there are only three presentations in the afternoon each day. It was cool to walk the exposition floor, where identity management and endpoint security were everywhere, but that doesn't justify a flight to California.

    What did you think of RSA?

    Saturday, February 18, 2006

    RSA Conference 2006 Wrap-Up, Part 3

    This is part 3 of my RSA Conference 2006 wrap-up. I started with part 1.

    Before continuing I should mention a few items relating to my previous posts. First, I forgot to say that I enjoyed presenting my talk on Tuesday afternoon. Many attendees stayed to ask questions. I ended up leaving the room about 45 minutes after my briefing ended.

    Second, Nitesh Dhanjani asked me to mention his O'Reilly articles on Firefox anti-phishing and launching attacks through Tor.

    Third, in his talk Nitesh referenced his article Googling for Vulnerabilities, which includes a PHP script. He also reminded the crowd of Foundstone's SiteDigger tool.

    Now, on to new material. I finished Wednesday's briefings by listening to Ira Winkler, a fellow ex-intelligence professional. I highly recommend that those of you who give me grief about "threats" and "vulnerabilities" listen to what Mr. Winkler has to say. First, he distinguishes between those who perform security functions and those who perform counter-intelligence. The two are not the same. Security focuses on vulnerabilities, while counter-intelligence focuses on threats. He said if an asset does not expose a vulnerability, no threat can damage it. If no threat exists, then a vulnerability cannot be exploited. This sort of discussion is the reason we need to understand the difference between these two terms, which Mr. Winkler said are often "confused." Amen.

    Mr. Winkler presented the risk equation as the following: risk = asset value * (threat * vulnerabilities)/countermeasures. I like that since it is essentially asset value * threat * vulnerabilities, with a denominator of countermeasures. Since my version doesn't explicitly address countermeasures, I intend to add that in future references to the risk equation.

    Speaking of real threats, he gave a few examples. I believe they are found in his books, but I am not sure. I am repeating what he said, so I hope no one is offended by these remarks. They simply represent some of what is happening in corporate America today. Mr. Winkler described a Chinese restaurant located across the street from the research and development lab of a Fortune 5 company. That company hires many people of Chinese descent. He said that restaurant featured exceedingly good food, of better quality and cheaper price than might be found in China itself.

    The restaurant is operated by the Chinese government, or associates of the Chinese government. They staff the restaurant with operatives who try to befriend patrons from the R&D lab. Guess why the restaurant is happy to host company luncheons where the R&D lab discusses upcoming projects? Their meeting rooms are bugged. Mr. Winkler said this sort of corporate espionage is nothing new, and that we all need to understand that this is the way the game is played. He also said he knows people who have the job of "drinking people under the table" in order to get them to talk about their companies.

    Mr. Winkler advised that companies conduct security awareness training that emphasizes these points:

    1. A company's information has value.

    2. Competitors will try to steal it.

    3. Employees should report anything suspicious.

    4. Security staff should make employees aware of the countermeasures they deploy to mitigate risk.


    After talking about corporate espionage, Mr. Winkler explained how he and an accomplice were hired to steal plans to nuclear reactors from an American company. He started the operation by visiting a nearby restaurant. He searched through a bowl of business cards left by patrons at the front desk, and kept one from an employee of the company he was hired to penetrate. Using that business card, he and his accomplice were able to acquire corporate badges from the target company. They set themselves up as special assistants to the president of the company.

    They next traveled to the facility that was responsible for designing nuclear power plants. He didn't even need his badge to enter the grounds, because the guard was waving everyone through the gate. Mr. Winkler asked where he could find the graphics and printing department. Why visit the engineering crew when you could get the same diagrams from the people who print them?

    After spending half a day walking around asking the location of the team that printed the nuclear plant proposal, he found the right office. The employees let Mr. Winkler sit at their computers, where he proceeded to acquire the IP address of the server hosting the plans. He left and passed the information to his accomplice, who had set himself up in an empty office with intranet connectivity. After downloading the target plans, the pair noticed unauthorized access to the server from computers in India. As confirmed by this story, Mr. Winkler suspects the users of the Indian computers stole reactor plans and other sensitive data from the target company.

    I found Mr. Winkler's talk highly informative, blunt, and disturbing. It was definitely worthwhile.