Wednesday, January 19, 2011

Wanted: Incident Handler in Michigan

Do you know how to detect and respond to intruders in a multinational organization? Do you want to join a team with that mission? Are you an experienced information security professional who is looking for a challenge? If your answer to these three questions is yes, please consider applying for the last open Incident Handler role in GE-CIRT. In this role you will mentor intermediate and junior CIRT members and work with some of the best detection and response staff in the world.

The role is located at our Advanced Manufacturing & Software Technology Center at Visteon Village, Van Buren Township, Michigan. By the end of the month, 19 of my team (about half of GE-CIRT) will be located there. (I have 2 new hires arriving within the next two weeks.) In addition to normal operations there, our extended team meets at the AMSTC facility regularly for training and planning sessions.

If you would like more information on the role, apply for job 1259804 and I will review your resume. Please read the qualifications carefully -- I'm looking for an experienced person for this role. Thank you.

Monday, January 10, 2011

Seven Cool Open Source Projects for Defenders

Long-time blog readers should know that I don't rely on tools to defend my enterprise. I rely on people first, followed by tools, then processes. However, today I took a moment to consider the myriad of really cool work happening (mainly) in the open source tool community. When I started counting, I found about seven projects that are likely to help you defend your enterprise.

Most of these require some commitment of brainpower and willingness to learn, but I am nevertheless very pleased to see this much innovation on the defensive side. Collectively these projects do not "solve" any problems (nor should they), but I am certain they can help address one or more problems you may encounter -- especially regarding visibility. In other words, these are the sorts of tools (with one or two exceptions) that will help you detect and respond to intruders.

These are numbered for reference and not for priority.

  1. Charles Smutz recently announced his Ruminate IDS, whose goal is to "demonstrate the feasibility and value of flexible and scalable analysis of objects transferred through the network." Charles is also author of the Vortex project, "a near real time IDS and network surveillance engine for TCP stream data."

  2. Doug Burks just released a new version of SecurityOnion, an Ubuntu-based live CD to facilitate network security monitoring. You'll find many of the tools on this list in SO and I expect those missing will be included at some point!

  3. Over at Berkeley, development of the Bro IDS project is kicking into high gear with Seth Hall's new role as a full-time developer. We miss you Seth!

  4. OISF just released a new version of their Suricata IDS. If you're going to RSA next month, see the OISF team at their next Brainstorming Session. I plan to stop by.

  5. Dustin Webber and new team member Jason Meller just released a new version of Snorby, a Web 2.0 interface for Snort alerts. I hope to see Snorby packaged in SO soon.

  6. Edward Bjarte Fjellskål continues to release cool new code, from the packet capture system OpenFPC with Leon Ward to Polman for managing IDS rules.

  7. Sourcefire's Razorback framework seems to be making some progress again, and the relaunch of new Snort, VRT, and ClamAV blogs under new community manager Joel Esler is a welcome move.


Check these out if you have some time!

Saturday, January 08, 2011

More on Chinese Stealth Fighter and APT

Since my 27 December post Courtesy of APT, featuring the new Chinese stealth fighter, Aviation Week writer Bill Sweetman wrote more about the development of this aircraft and the support from APT:

One question that may go unanswered for a long time concerns the degree to which cyberespionage has aided the development of the J-20. U.S. defense industry cybersecurity experts have cited 2006—close to the date when the J-20 program would have started—as the point at which they became aware of what was later named the advanced persistent threat (APT), a campaign of cyberintrusion aimed primarily at military and defense industries and characterized by sophisticated infiltration and exfiltration techniques.

Dale Meyerrose, information security vice president for the Harris Corp. and former chief information officer for the director of national intelligence, told an Aviation Week cybersecurity conference in April 2010 that the APT had been little discussed outside the classified realm, up to that point, because “the vast majority of APT attacks are believed to come from a single country.”

Between 2009 and early 2010, Lockheed Martin found that “six to eight companies” among its subcontractors “had been totally compromised—e-mails, their networks, everything,” according to Chief Information Security Officer Anne Mullins.


Note the 2006 date is consistent with my APT history article for Information Security magazine. However, before being officially named "APT" by the US Air Force in 2006, APT was active against cleared defense contractors in 2003, and probably earlier.

Bill makes an interesting point about the availability of photographs of this aircraft:

The way in which the J-20 was unveiled also reflects China’s use and control of information technology to support national interests. The test airfield is located in the city of Chengdu and is not secure, with many public viewing points. Photography is technically forbidden, but reports suggest that patrols have been permitting the use of cell phone cameras. From Dec. 25‑29, these images were placed on Chinese Internet discussion boards, and after an early intervention by censors—which served to draw attention to the activity—they appeared with steadily increasing quality. Substantial international attention was thereby achieved without any official disclosures.

In other words, consistent with their information warfare doctrine, China is presenting this aircraft as a deterrent to Western, and specifically American, interference in their region, through psychological operations.

Happy 8th Birthday TaoSecurity Blog

Today, 8 January 2011, is the 8th birthday of TaoSecurity Blog. I wrote my first post on 8 January 2003 while working as an incident response consultant for Foundstone. 2739 posts (averaging 342 per year) later, I am still blogging.

I don't have any changes planned here. I plan to continue blogging, especially with respect to network security monitoring, incident detection and response, network forensics, threat-centric security, and FreeBSD when appropriate. I especially enjoy reading your comments and engaging in informed dialogues. Thanks for joining me these 8 years -- I hope to have a ten year post in 2013!

Don't forget -- today is Elvis Presley's birthday. Coincidence? You decide.

The image shows Elvis training with Ed Parker, founder of American Kenpo. As I like to tell my students, Elvis' stance is so wide it would take him a week to react to an attack. Then again, he's Elvis.

I studied Kenpo in San Antonio, TX and would like to return to practicing, along with ice hockey, if my shoulders cooperate!

Wednesday, January 05, 2011

The "IT as a Business" Train Wreck

I just read this year-old article by InfoWorld's Bob Lewis titled Run IT as a business -- why that's a train wreck waiting to happen. It reminded me of comments on a CIO article I posted in 2008 as The Limits of Running IT Like a Business. Here I would like to emphasize a few of Bob's points via excerpts from the 2010 article.

When IT is a business, selling to its internal customers, its principal product is software that "meets requirements." This all but ensures a less-than-optimal solution, lack of business ownership, and poor acceptance of the results...

Tim Hegwood, CIO of MRI Companies, is trying to steer his company's mindset away from a focus on software delivery. "We're still struggling to institute the concept that 'there are no IT projects -- only projects designed to solve business problems,'" he reports...

Larry Sadler, IT service manager at ONFC, experiences similar difficulties. "The 'customer' concept is deeply embedded in the departmental silos here," he says. "This results in an attitude of 'I want this or that aspect done, and without any interruption.'"

According to [Bassam Fawaz, CIO of a large global logistics company], "IT should relinquish its increasing stance as an order taker, and earn and advance its intended role as the qualified engineer of what makes a business hum..."

Another unintended consequence of running IT as a business with internal customers, while less tangible, might be even more important: Defining IT's role this way creates an arm's-length relationship between IT and the rest of the business...

When IT acts as a separate, stand-alone business, the rest of the enterprise will treat it as a vendor. Other than in dysfunctional, highly political environments, business executives don't trust vendors to the extent they trust each other...

Businesses that take running IT as a business seriously have to bill IT's internal customers for services rendered. That means instituting chargebacks, also known by the more impressive-sounding synonym "transfer pricing," but more accurately described as "full employment for accountants..."

When the only incentive managers have to promote efficiency is the impact of chargebacks on their departmental budgets, chargebacks are just a Band-Aid. They won't fix the real problem: that nobody cares about the success of the business, only their own fiefdom.

Anita Cassidy, president of IT Directions and coauthor of "A Practical Guide to Reducing IT Costs..." [says] "I watched one company make several poor strategic decisions for the enterprise as a whole," she adds. "Because of its chargeback system, its managers were more concerned about reducing their individual costs than doing what was best for the enterprise. I watched another significantly increase shadow costs and inefficiencies within the business.

Chargebacks had a chilling effect on using the central IT services."

Chargebacks are an attempt to use market forces to regulate the supply and demand for IT services. If that's the best a business can do, it means the business has no strategy, no plans, and no intentional way to turn ideas into action...

The alternatives begin with a radically different model of the relationship between IT and the rest of the business -- that IT must be integrated into the heart of the enterprise, and everyone in IT must collaborate as a peer with those in the business who need what they do.

Nobody in IT should ever say, "You're my customer and my job is to make sure you're satisfied," or ask, "What do you want me to do?"

Instead, they should say, "My job is to help you and the company succeed," followed by "Show me how you do things now," and "Let's figure out a better way of getting this done."


Cassidy sees proper governance as the superior alternative to using chargebacks to set IT's priorities. The company's leaders have to collaborate to determine how funds are spent, or the company won't be able to set and implement a strategic direction...

When IT is integrated into the heart of the enterprise, its priorities aren't defined by who has the budget to spend (by chargebacks). Rather, they're defined by a company leadership team whose members have a shared purpose, who understand what the company must do to achieve that purpose, and who understand the role new technology will play...

Companies that have integrated IT and no internal customers define success differently.

IT's job is to recommend better ways to operate, using technical capabilities business managers might not even know are possible.

These enlightened companies don't have IT projects -- they have business change projects that aren't done until the planned business change has been accomplished...

Where did the standard model [i.e., "IT as a business"] come from in the first place? The answer is both ironic and deeply suspicious: It came from the IT outsourcing industry, which has a vested interest in encouraging internal IT to eliminate everything that makes it more attractive than outside service providers...

Take it all away and start acting like a separate business, and what do you have? A separate business, but without a marketing department, sales force, or possibility of turning a profit.

My advice? Don't act like a separate business. Do the opposite -- be the most internal of internal departments. Become so integrated into the enterprise that nobody would dream of working with anyone else.


This article makes so many great points. I strongly recommend reading the whole story if you have time. At the very least, consider what I've emphasized here the next time you interact with IT or the rest of your company.

To Those Who Want Tim Thomas Books

I continue to be bombarded by questions from readers looking to buy the books by Timothy L Thomas, mentioned in my posts Review of Dragon Bytes Posted, Review of Decoding the Virtual Dragon Posted, and Review of The Dragon's Quantum Leap Posted. As you can see at Amazon.com, they are not available.

I hope that the spotlight I'm shining on these books helps Mr Thomas either 1) reprint the books or 2) secure a different publisher who will reprint them.

If you want to show your interest in buying these books, I recommend adding a Comment to each of my reviews at Amazon.com saying you want to buy the books, but can't find them. I think that is the most direct and visible way to express interest.

Tuesday, January 04, 2011

TaoSecurity Lab

In a recent blog comment one of you asked about TaoSecurity lab. This is a collection of my own gear -- nothing associated with my corporate employer. I decided to post the diagram at left in case someone found it useful.

To summarize the color scheme: 1) blue (and the blue squiggle) means "wireless access," regardless of the nature of the device (phone, appliance, laptop, etc.); 2) green means Cisco; 3) gray means "appliance"; 4) peach (?) means server; and 5) orange means no IP address (e.g., two dumb taps). The two small purple arrows represent lines running to a sensor for monitoring purposes.

As you can see, there are two main segments. The blue devices all connect via wireless to the main network. You could consider the blue devices (and the supported WAP, iTap, and gateway) to be "production." The other devices are all wired, and they are more for "research." In other words, if the Cisco 2651xm router or anything else connected to it dies, no one but me will likely care!

A few aspects of this lab stand out to me:

  • The number of wired devices is roughly equal to the number of wireless devices. A few years ago I had a couple dozen white box systems that took nearly all the shelf space in my wire racks. Now wireless devices generate most of the interesting traffic.

  • I've replaced most hardware systems with virtual systems. The 2950iii is an ESXi server with 10 NICs. With so many NICs I can simulate systems on multiple VLANs on real hardware switches.

  • I like having three Cisco switches and a router. They aren't really necessary but a real layer 3 switch plus two real layer 2 switches is fun for working with IOS.

  • I need a real computer rack. All the rackmount gear is sitting on wire shelving. I'd rather not show any photos until it looks more professional!


So there it is. I didn't show a few more systems which I consider retired, or at least "shut down unless I really need them." For example, I have a PPC Mac Mini and a HP Visualize PA-RISC, plus two Shuttle SFFs and a portable Hacom device. Right now I can't think of a reason to keep them running since I can always spin up a new VM if I need to test anything.

Monday, January 03, 2011

VizSec 2011 Call for Papers Open

The call for papers for VizSec 2011 is open. VizSec2011 will be held on the campus of Carnegie Mellon University, on 20 July. Full paper submissions are due 1 April and panel abstract submissions are due 15 April. This is the conference to attend if you're interested in graphical depiction and analysis of security data! I was pleased to provide the keynote last year, but I will not be able to attend this year.

Starting the New Year Right

Today's a company holiday (odd, but ok), so I figured what better way to start the New Year than to see if my Commodore 64 still works? I bought it in mid-1986, so it's almost 25 years old, and it's been over seven years since I posted My C-64 Rides Again. Since then the monitor I used with my C-64 died, but my dad shipped me his old RGB monitor.

Would everything work? Could I access the Internet with it? The answer: YES. As you can see above, I have a C-64c, with a 1541c disk drive. I even have a 1351 mouse, but I decided not to use it. I found the Contiki OS 5 1/4 floppy that shipped with the NIC I bought for the C-64 in 2003. I was able to LOAD "*",8,1 and get Contiki OS running.

At right you can see a visit to the Bejtlich.net Web site using the Contiki OS Web browser. Remember this is a 25-year-old computer running a 7-year-old Web browser.

I'd like to try to get a copy of the newest Contiki OS on 5 1/4 floppy to see what improvements have happened in the last 7 years. For example, the Web browser didn't render Google at all. I also couldn't get the Telnet client to run. For all I know that part of the disk could be bad. The Web browser sort of worked, but it was very fragile (unlike the modern Contiki OS version, which is Internet-facing).

This was a fun test of this old gear. I've got my original 1200 baud modem (upgrade from a 300 baud) as well, and it still works. I'm not sure it's going to like the Verizon land line in my lab. I also need terminal software for it. That would be another fun trip down memory lane to get the C-64 working with the old modem.

At left is a screen shot of the Web server in action, but I think even accessing this page killed it.

I consider it ironic that I took these photos with a 2+ year old Blackberry, which has hundreds of times the computing power and capabilities of this setup in probably 1/100th the volume.

Happy New Year!