Security Ripcord

While at Defcon 16 I had the chance to sit down with Monty McDougal.  It started out more as a quick lunch to catch up with Monty as I had not seen him in quite a while.  But after catching up with him he told me that he had made some significant modifications to his WINDOWS FORENSIC TOOLCHEST™ (WFT).  The last time I had worked with WFT it was at version 1.01 and Monty did not have time to devote to updating the tool with some of the new features that were rolling around in his head.  I knew that this disappointed him at the time because the tool had received such a good response from the SANS community.  Well, after speaking with Monty and looking at some of the updates that he has implemented I can see that he has been able to devote more than a little time to this excellent tool.

If you are not familiar with WFT, here is a brief overview from Monty’s website FoolMoon.net.

The Windows Forensic Toolchest™ (WFT) is designed to provide a structured and repeatable automated Live Forensic Response, Incident Response, or Audit on a Windows system while collecting security-relevant information from the system. WFT is essentially a forensically enhanced batch processing shell capable of running other security tools and producing HTML based reports in a forensically sound manner.

Actually, WFT is a lot more developed than this description.  WFT provides the user with a repeatable method to deploy many security and administrative tools designed to gather information about a Windows Operating System (OS).  These tools include tools present on specific OSes, tools provided through Windows Resource Kits, third-party tools, and even some tools (or soon to be) that Monty has written to include within WFT.  Monty goes to great lengths to respect all user agreements and licensing associated with each tool employed by WFT.  In version 3.0 the ability to automatically download tools and validate integrity is built directly into the toolchest’s functionality.  Updates to locations and code modifications are handled by an automated toolchest update process.  Although these methods of acquiring tools work when Internet access is available it is not always the case that connectivity will be available.  Monty has taken this into considetion and provided the WFT update capabilities to utilize the Helix Incident Response & Computer Forensics CD-ROM as a source for the tools.

I was very surprised when Monty mentioned that he is now charging for the use of WFT.  In the FAQ on his site, Monty explains why he has moved to the commercial model.

What happened to the free version of Windows Forensic Toolchest™ (WFT)?

After providing WFT for free to the security community for nearly 4 years, I have decided to make version 3.x a commercial product. WFT is still available for download, but the downloaded version is restricted to specific uses identified within its license. WFT has consumed several hundred hours of development and support over the last few years, and while $100 is a modest amount, it will help motivate me to continue to develop and support WFT (since the donation model did not work out at all). There is also a new WFT Pro version in development which will include several additional features useful in an enterprise environment along with a new GUI. Pricing for this version will be slightly higher, but will also include WFT. Paid WFT users will of course receive 100% upgrade credit towards the upcoming Pro version. I have no plans of supporting the 1.x or 2.x code bases in the immediate future and will instead be focusing on bringing new features to version 3.x.

At the time I am writing this post the restricted version is no longer available for download and I can only assume that WFT has gone completely commercial at this time.  This means it is very likely that it will no longer be available via the Helix CD-ROM which was one of the original ways to obtain this tool.  Persons who have versions of WFT on their current Helix CD-ROMs will also find out that their version is broken due to a WFT update script.  When I questioned Monty about this he told me that the Helix update script was necessary to force Helix users to up-to-date versions of WFT because he could not support the questions he was getting about out-of-date versions.  He did assure me, however, that although the script on the current version of Helix is broken, he will be releasing a patch soon, which should be available on his website.  If you do not find it there (I did not at the time of writing this post) you can attempt to contact Monty and I am sure he will get back to you as soon as his busy travel schedule permits.  Unfortunately, it may be the case that he has dropped support for Helix altogether, but this has not been confirmed.

One of the things that Monty did show me while we were talking about WFT was the new Graphical User Interface (GUI).  This GUI will be provided as a part of a PRO version of WFT.  Currently the toolchest is controlled via a detailed configuration file.  The GUI will give the user complete control over which tools are run and how/when the tools are updated.  He was very excited that he was nearing the conclusion of this milestone as it was going to permit him to pursue some other key features that he has been considering.  These features include reporting tool outputs to a remote system, rewrites of certain tools so they do not have to be downloaded, and new tools that provide unique features.

It is unfortunate that I did not get a chance to test drive the new version of WFT before writing this article.  I am hoping that I can convince my new colleagues to consider putting WFT into our toolkit for Live Response.  Having this tool would simplify so many aspects of scripting, tool maintenance, and tool and output hashing for verification and validation.  Yes, most of what WFT can do can be done by hand, but as I have mentioned before, having a repeatable process that is the same everytime is critical to providing a consistent and professional incident response.

I would like to wish Monty and WFT the best of luck in the future.  I am looking forward to their continued success.

Go forth and do good things,

Don C. Weber

Although I have never met atlas personally, I was originally made aware of him at RSA 2007 while speaking with Ed Skoudis. I was talking to Ed about my interest in the DefCon CTF and he mentioned that his company InGuardians was working with altas on several projects because, among other reasons, of his outstanding performances at DefCon. The next time I heard about atlas was during last year’s DefCon CTF 2007 when invisigoth mention how impressed he was with altas’ leadership qualities during the intense competition as he lead his team, l@stplace, to a second, consecutive, victory. All of this peeked my interested and I was very keen on getting an interview to augment my post on last years DefCon CTF, DefCon 15 CTF – WarGamez, but time quickly passed and I went ahead with the post without the interview as I was not aware at the time of altas‘ blog, atlas wandering. After the post I mentioned my disappointment to my good friend Lara and she said, “Oh, he’s a great guy. I’ll drop him a note tomorrow.” For those of you who know Lara, she always comes through.

Sure enough altas emailed me several days later. We quickly agreed to an interview but because of constant battles with SPAM filtering, multiple projects on both sides, and several conference presentations by atlas, we just did not get it completed until a few days ago. During one of the emails I asked atlas to mention some of the things that he was working on to help me write some pointed questions directed towards his interests. He mentioned a few:

I have been doing some fun stuff with 16-bit real mode, kernel module play in
Linux, BIOS hacking, and of course disassembly and programmatic debugging.

My first thought was “Uh, oh.” Sure, I have heard of all of this but if you followed my failings with writing exploits for a simple buffer overflow you know that I am not going to be able to dig very deeply into these topics. I did some quick research on the topics. Then I reviewed his latest posts on his toolkit, atlasutils and reviewed his presentation on Vulncatcher. I started to get a little frustrated. After all, I did not want to waste the excellent opportunity just because I do not have a grasp of the integrate details of complex software and hardware relationships. Ahhh, bingo. I hit the nail on the head. Looking over everything that I can find on altas I realized that he has one of those special eyes for detail. He can see the integrate relationships within complex systems and understand how to research them. Or, at least, he understands it enough to try and manipulate the relationship. Hacking at its finest, its very core. Excellent. I might not be able to delve deeply into his research, but I can at least find out his opinions on this complexity.

First, a little Bio on altas stolen from his ShmooCon 2008 introduction.

atlas is an average joe who spends his time learning new ways to make computer systems dance. When he’s not slicing and dicing windows and unix binaries, he’s writing tools to make vulnerability research simpler and more enjoyable. His hobbies include deadlisting (opcode disassembly), vulnerability research, and lately he’s been working on processor emulation and kernel-mode internals. atlas leads the capture-the-flag team, 1@stplace, who recently won back-to-back victories at defcon, which he blames on his teammates. “I surround myself with brilliant people,” he quips.

So, without further ado, atlas.

---

DefCon CTF

1. You have lead your team to two straight victories in the DefCon CTF.
Has this part of your life run its course or is it still challenging enough
to give it another run?

Wow… it’s still challenging! Each year we have been extremely challenged by
amazing talent. There is still immense question of how well we will place
this year, with the outstanding talent the Naval Postgrad School puts forth
each year, Vigna’s team has provided some serious domination in the past, we
have several international teams which are doing very well, and other talent
not yet “displayed” at defcon. We have to go in each year focused on doing
our best, regardless of who and what challenges we face. How many more years
I have left to give is another question. It’s a very consuming weekend, and
quals weekend, even though we don’t currently have to qualify, is challenging
as well.

2. Your team is obviously very skilled but the types of personalities I
imagine that are involved are use to individual performance and behavior.
Was it a challenge to lead them and keep them focused on goals that
benefitted the group as a whole? I.E. tracking down a problem that might
be too difficult for the competition or not worth the effort.

If I’ve done anything really well in CTF it is selecting amazing people. They
have always been an honor to lead, and have actually helped me lead them in
more ways than I can count.

3. Have you or your team members seen benefits develop from the amount of
time and effort you have placed in getting ready for DefCon CTF?

Oh totally. A few of my guys, myself included, have changed career paths
based largely on how well they’ve proven themselves at ctf. I can’t speak
for the others, but I’m quite happy with the results. I think we’ve all seen
improvements in our daily tasks and our abilities to achieve our goals.
We’ve built strong friendships within the team which has been very good.
Management also responds well to our wins, as they are more likely to think
we know what the heck we’re talking about.

4. Are you personally going to give it another run? Will l@stplace return
as the same team or will you select different members to keep the blood
fresh and challenge high?

We’ll return the same team we left. I’ve been fortunate to find such amazing
guys, hand-selected them based on their talent, skill and personality, and
formed lasting friendships that transcend defcon. I’m confident from our
talks offline that we will all be returning this year, Lord willing.

5. Do you believe that there are real world teams, criminal or govenment,
performing detailed and near real-time application analysis to penetrate
businesses and government systems, much in the same manner that the teams
in the last DefCon CTF were doing?

Certainly. Absolutely. No Comment.

Program Research and Exploit Writing

6. What was your background before you started really moving into program
and architecture research?

I had been a coder since I was young, but got a career in sys-admin work, then
moved into data-telecom where I was responsible for many security-related
services, then got drafted into security.

7. To me some of the concepts are difficult to grasp and implement when
there are resources. What did you do to help you get over the hump and
begin to fully understand the intricacies of low level programming and
analysis?

Gave up. Then I redoubled back. I was freaked out at the possibility I’d
fail. So I decided that I couldn’t do it. Once I had finished freaking out
I decided to work it and grow. Some people could and were doing this stuff,
what’s the cost of throwing myself into the learning curve and seeing where
it lead?

8. Your toolset, atlasutils, is a combination of python programs and
script that include a disassembler and other tools that help located and
provide information to exploit vulnerabilities. I have noticed that Dave
Aitel likes to talk about writing his own debuggers as well. Is this
because the tools that are out there are not useful, you have different
ideas that did not go into the usual debugger, or that you just need
something to help fit a specific niche? Or, it is just fun to write your
down debugger?

To quote a very good friend of mine, I write code because I’m lazy. Truth
is, using others’ tools is tiring, since I have to learn to think like
them… Writing my own forces to me to learn how to think about the things
I’m trying to do, then write tools that help me next time I have to do them.
I hope people find my tools useful, but they’re really for my benefit. I
often write my own tools because I’m forced to learn the details better…
and then I can add my own whizbang fun new stuff on from there. For
instance, I’m rewriting disass, because there was an upper-limit in binary
size, above which it simply took forever to process because of inefficient
use of memory. It was also very “dogmatic”, and not agile. Some code I want
to disassemble is packed/encrypted and wrapped with an unpacker/decryptor.
That means the data/code actually changes post-loading. Disassemblers have
to account for that, which means they have to be “agile”, or able to adjust
how they view the memory setup of a binary. I’m also working parts of the
remake of disass into an emulator (no, not complete emulation) which will
allow me to better address certain laborious tasks.

9. When you are developing these tools, how do you pick a program to
analyze? Do you generate your own vulnerable code or find something with
known vulnerabilities to analyze?

When developing tools I try to use them on anything I want to analyze, just to
see them break (and wow they break). Sometimes it’s code I’ve snagged from
ctf, sometimes it’s my own code, sometimes it’s POSIX code or Win32 code, or
<insert-your-fav-commercial-app> code.

10. As I look at the types of research you are performing I start to
wonder if computers are just too complex. Or if the higher level
programming languages that we have just cannot securely support all of the
low level functionality. Then I start thinking about the interactions and
complexity added by software and hardware interaction, BIOS, and firmware
and my head really starts to spin. What are your thoughts on this
complexity and how it is affecting the security of technology as a whole?

Well, you’ve really nailed it. Computers have become very complex indeed…
and continue to do so. In many layers of “synthesis” the computer industry
has striven to group low-level functions into simple-to-use functionality;
for the developers and ultimately the end users.
Each iteration of simplification masks many details from the users/developers,
and with the disappearance of those details comes many assumptions.
Assumptions are inevitable in our industry because you can’t teach *every*
administrator and developer *every* detail about the computer. Some in the
security field have attained a great deal of understanding those details…
and we tend to hail them as deities.
False assumptions and the state of mind induced by details-overload work
together to provide vulnerabilities for attackers to leverage. Sometimes
those vulnerabilities highlight a loss of communication, laziness, lack of
understanding, or simply mistakes.

This dilemma is not going away. We continue to see layered-development and a
push for ease-of-use at every level. Ease-of-use tends to be directly
counter to security, in that we enable users and developers to do mighty
things without realizing the truth of what they are doing. For example,
without proper education and focus on security, thousands of SQL-Servers were
put on the Internet with a blank SA password (the default).

Security must become a baked-in part of the development culture. Developers
need to be screened for how seriously they take security, and continually
trained and updated on new security problems, such as format-string bugs and
buffer overflows in the 90s. When the next new common programming flaw is
identified, those mistakes must be put in front of developers to warn them
and instruct what the computer is actually doing, or how attackers are
leveraging the flaws to do evil things. Each development team needs to have
someone who understands how to think like an evil d00d. I venture to say
that every developer should become that person.

This complexity provides plenty of playground for attackers, but hackers are
rising to the occasion, finding enjoyment in understanding systems better
sometimes than their creators. We insert stop-gap protections like ASLR and
anti-corruption techniques and hackers find ways around them. Worse than the
time lost in the creation and adoption of those protections is the
complacency they allow developers, who wrongfully think they are protected.
With all the complexity of just learning someone else’s API and interacting
with third-party products, as well as designing corporate-wide API’s that
hundreds of developers may use, they are happy to think on the good sides to
such protections, without being able to understand the details or
limitations. Even if they have the base-knowledge to understand, they simply
are seldom given the time.

11. With this complexity, how can developers fix it? I mean, programmers
just do not have the time and resources to think of every little piece of
the puzzle. We cannot expect them to. So, how do developers protect their
projects? Do we just need to realize that we are in a constant state of
possible exploitation and accept that very expensive systems will get
exploited and we better have a good incident response team?

See above… Good incident handling teams are invaluable for an organization.
Teams who understand proactive security and the patching process are equally
important. Consider them “stoppers” and “sweepers” if you like futbol.

In the end, the ball is the developer’s court. Each person who writes code
needs to learn the details of what they are doing, and accept responsibility
for the security of their work. If format-string bugs seem impossible to
exploit, that developer needs training (SANS SEC504 is generally very good
for that). If XSS doesn’t seem to be a big deal, training is necessary.
Aside from great training, that SANS course will likely provide networking
opportunities with people who think evil all day every day. BlackHat and
defcon are also good venues, but likely less substantive. We need to stop
training our developers only about how to enable things… because that only
enables exploits.

12. Along the lines of complexity, most of the technologies that are put
out there, operating systems and applications, automatically have these
complexities built into them as features. The Center of Internet Security
has long benchmarks to help guide administrators through steps that help
them limit their exposure to some of these complexities, but with each new
release of a product the administrator has to be worried about what is new
or what was modified that exposes the environment to additional risk. What
recommendations can you make to these administrators as they are taking
these complexities into consideration?

Good luck? The truth is that CIS spits out some outstanding documents to help
us get a certain level of security with the least outlay of effort. It’s a
bang-for-your-buck arrangement. Unfortunately no benchmark or security guide
is going to take the place of a solid understanding of the technologies one
is using. Best case, CIS guides serve as a litmus test and a guide to
someone who already has a great understanding and the curiosity to know their
playground well. Someone who knows enough to know how much they don’t know
so they welcome the help, but someone who plays with their tech and groks
it… because they want to. This is the part where I get to piss a lot of
people off… if you don’t love security or IT or IS… get out. There are
many professions where you may be happier and more successful. Computers
have become the next “Doctor” or “Lawyer” profession, where people flood
Computer college programs in hopes of a mighty paycheck. Those people
everyone views as gods in this industry are people who would tinker anyway,
even if they were janitors during the day. And if you *do* tinker and wind
up in the industry… get yourself some security understanding. Learn to
think as your opponent… think about how someone who hates your guts and
your programs would mess with them. Get the training, from an organization
or a friend if you cannot afford formalized training.
And remember, patching is a vital, ongoing process organization-wide.

@

---

Of course you have to love any question that ends in “No Comment.” The Mission Impossible music always seems to kick in at those moments.
I hope all of you enjoyed this as much I as did. Thank you to altas for being so patient and generous with his time.
Of course, thank you to Lara who always pulls through for me and my family.

Go forth and do good things,
Don C. Weber

atlas, exploits, vulnerabilities, defcon, ctf, atlasutils, vulncatcher, InGuardians, skoudis, Security Ripcord, atlas wandering, l@astplace

Speaking, presentations, guided group discussions, brown bags, technical talks, impromptu meetings, moderated conference forums: security professionals at some point find themselves talking out loud in front of a wide variety of groups with a wide variety of skills and interests. Indeed, I personally believe that speaking in front of a group of people is one of the key skills necessary for all security professional. Although some people are born with this skill, the rest of us have to work at it. It takes guts, time, knowledge, and practice, practice, practice.

Luckily for all of us we have security professionals like Ron Woerner. Ron is a professional speaker who strives to provide guidance and leadership about speaking to anybody who will take the time to listen. More than once I have found myself turning to Ron and he has always made time for me.

Because of his expertise in speaking and security I decided that it would be a good idea to have Ron do an email interview about security professionals and speaking. First, let’s start with a little background on Ron.

Ron Woerner has over 17 years of experience in the security industry. He has been quoted in CSO, SC, and Information Security magazines and has been a noted speaker at security conferences throughout the U.S. including the RSA, CSI and NebraskaCERT Security Conferences. He has been employed as an Air Force Intelligence Officer, the Information Security Officer for the Nebraska Department of Roads, a UNIX administrator for the Mutual of Omaha Companies, and the Lead Security Engineer for CSG Systems, ConAgra Foods and now TD Ameritrade. Ron earned a Bachelors degree from Michigan State University and a Masters degree from Syracuse University in Information Systems. He was awarded the CISSP security certification in August of 2001, the NSA IAM certification in August of 2003, the Certified Ethical Hacker (CEH) designation in December 2005 and is a Certified Forensics Investigator.

Before we get into the interview, I would like to thank Ron for his very detailed responses. He really went above and beyond my expectations. It does not surprise me, but I am truly thankful.

Now onto the interview. The following, unedited, text is my questions and Ron’s responses.

1. In Episode 84 of the Network Security Podcast (http://netsecpodcast.com/?p=5), Rich Mogul talked about the importance of
presenting skills. How important is presenting to a security professional and do you think it is any different from that of any other professional?

I agree fully with Rich Mogul that Security Professionals need to be able communicate in both speaking and writing.

Communication skills distinguish security professionals from security technicians. This includes both spoken and written skills. We are constantly selling our ideas. If you can’t communicate, you can’t sell. As a security professional, we need to be able to communicate well in order to influence others behaviors to be more secure.

We speak for three primary reasons: to influence, to inform, and to entertain. In security, we are primarily trying to influence others to be more secure. Occasionally we are informing others about the state of security. Even in technical presentations, don’t discount the need to entertain. Think about the best speakers you’ve ever heard. They were entertaining while informing or influencing.

Consider the Wall St. Journal’s list of the traits that recruiters look for in business school candidates:

• Communication and interpersonal skills
• Original and visionary thinking
• Leadership potential
• Ability to work well within a team
• Analytical and problem-solving skills

I ask, “Shouldn’t this be a similar list for security professionals?”

2. Do you think that the students coming out of college today are lacking the basic skills necessary for presenting information to a group?

I don’t think they’re only missing the skills; they’re missing an understanding of its importance. They will blow-off a basic communications class without realizing that it’s core to their success later on.

Additionally, many college classes require presentations, but often the students are told to do it without being shown how. A history professor does not feel it is their place to show students the basics of presenting. Plus the students aren’t given the right feedback to improve.

There are two primary types of speaking: prepared and impromptu. Most college classes focus only on the former. This is unfortunate because the ability to speak without preparation or notes can easily separate high achievers.

Security professionals need to be able to speak without a lot of preparation, because you never know when you’ll be called into the CIO’s office.

3. The latest Security Ripcord Poll asks is there is a difference between presenting and being able to lead a group discussion. Are these different skill sets or do you think they fall into the same category?

I agree that, “All security professionals should be able to present well and lead conversations.”
However, these are two different, yet related skill sets. In presenting, you are front and center. You need to be able to address all questions and be seen as the SME. In leading group discussions, the focus is on the topic and participants. You don’t need to know the answers, but you do need to what questions to ask. Plus the group is the SME.

As Tony Jeary says, “Life is a series of presentations.” Even in a group discussion, you will be presenting. Both traits demonstrate the need for security professionals to be leaders. As a security leader, you may be called to give a presentation or you may need to lead a discussion group. You better be prepared. One way is to learn and practice both skills.

4. What are some common mistakes that people who are new to presenting will find themselves doing? What are ways to overcome these mistakes?

Mistake #1: Not preparing for everything. This includes the basics, but also the unexpected. Murphy lives at presentations. If the technology can break, it will. Be ready for it.

Mistake #2: Depending too much on PowerPoint. See #1. Be ready to speak without a PowerPoint. Don’t bulletize everything you’re going to say. People came to hear you speak, not to read a book. Also, don’t…read…from…your…slides. (See the Smallest Presentation Hack Ever.) I’ve seen too many good presentations spoiled because of that.

Mistake #3: Too many grunts. Grunts are ums, ahs, and ya knows that fill a presentation. Here’s a great LifeHack has a great article on it: http://www.lifehack.org/articles/lifehack/how-to-cut-crutch-words-when-giving-a-speech.html. Most people don’t realize how much they grunt until they start listening to themselves.

5. What are some common mistakes that professional speakers can find themselves doing if they are not careful. Can you recommend ways they can determine they are doing these things?

See point 4 above. Those mistakes can happen to anyone.

The most common mistake for experienced speakers is not fighting for feedback. You need an unbiased evaluation in order to see your mistakes and grow. Our good friend, Michael Santarcangelo (http://www.securitycatalyst.com/) pointed out that most professional sportsmen have coaches. Speakers so have one as well.

6. If you had to pick one method to help a person improve their speaking skills, what would it be?

Darren LaCroix, the 2001 World Champion of Speaking, has a mantra for building talent as a speaker: “Stage time, stage time, stage time.” Take every opportunity you can get to present; whether it’s with a couple of people or a whole roomful.

One great place to develop both your speaking and leadership skills is Toastmasters (http://www.toastmasters.org/). A local Toastmasters club can provide all of the things I’ve talked about here. You get practice with both planned and impromptu speeches. You get evaluations from other experienced speakers. You can also get leadership experience. You can even take part in their many speaking competitions. All for a low cost. (I won’t say how much or else it may sound like a commercial.)

7. Do you think that the use of presenting software like Microsoft Power Point or Apple’s Keynote have adversely affected the present skills of today’s professionals?

I once asked Craig Valentine, another World Champion speaker why he didn’t use PowerPoint. He laughed. We place far too much reliance on presenting software. It’s supposed to supplement our presentation, not be its focus. Presentation Revolution has great comments on how, when, and where to use those programs. See its Change This manifesto: http://www.changethis.com/35.05.Presentation.

8. Could you recommend any books, blogs, or websites that people can use to gather information about presenting skills?

• Toastmasters. Join a club near you.
• Dale Carnegie has a number of books on leadership, speaking, and improving your people skills.
• Peter Urs Bender, Secrets of Power Presentations (plus many other articles)
• Businessballs article on Presentation Skills (http://www.businessballs.com/presentation.htm). We’re always saying that security needs to better connect with business. Businessballs shows how.
• I’ve also mentioned a number of sites through-out my comments above.

9. Is there anything I have missed that you think it is important to talk about when discussing presenting skills?

Don’t be afraid to get up and do it. You really have little to lose and much to gain. Plus, it’s addicting, once you get into it.

10. Is there anything you are working on that you would like people to know about?

We are continuing to build the Security Catalyst Community (http://www.securitycatalyst.org/forums/). This is a great way to connect with other security professionals from around the globe.

Let me know if you’re going to RSA 2008 in San Francisco. I look forward to talking with you.

“By working together, we all become stronger.”

Ron W

Go forth and do good things,
Don C. Weber

speaking, security, Security Ripcord, Ron Woerner

I was going to post a comment to Michael’s Computer World post titled “OK CXO, does this incident convince you of the need for security???” when I decided not to do it. Instead I realized that this is a prefect opportunity to do another Email Interview. So I hammered out a few questions I figured would be easy to answer and then tossed them his way. The following are his responses with the questions included in bold.

Who do you work for and what do you do?

Accuvant. Pre-sales Security Engineer. Basically, I am in customer
relations, with the occasional product evaluation installation thrown
in.

Centralized logging is one of the keys to a good security posture.
Percentage-wise, how many companies do you see doing this?

Unfortunately, the customers I have been dealing with are very late
coming to this game. And I am not talking about SIEM either. Just
centralized logging. Many of them have some kind of syslog server with
a few logs getting thrown to it, but very few have any kind of real
centralized logging solution where they can go do forensics and get a
good idea of what was happening in their network as a whole at any given
time.

When they are designing the networks, do you find that the
administrators are aware of the pitfalls and nuances of setting up a
logging infrastructure?

Generally they think it is just a matter of throwing some logs into a
bucket o’ hard drives and that is it. Not many think about the logs
being used for forensic purposes later in the case of an incident. Many
aren’t aware that normalizing logs pretty much makes it fodder for the
defense attorney. Administrators up until now have had to be concerned
with keeping servers going, and they read the logs when there is a
problem. Most don’t think from a security mindset, so they don’t have a
clue what to do to if those logs aren’t there (because they got deleted
by Mr. Bad Guy). There’s also the matter of retention and drive space,
maintaining the logs in such a manner that they can’t be altered, etc.
I mean, that is the central reason for logs: forensics. And forensics
does not necessarily mean criminal forensics. It means that if there is
any incident, malicious, accidental, mechanical, whatever. And if the
logs get corrupted, then you have problems.

Another problem that people don’t think about is application logs and
“x”-flow data. These are often very critical to determining what
happened in incidents because they give you two ends of the spectrum
that just server and device logs don’t give you. Of course, that will
greatly increase your storage needs, so be careful.

Where are the common weaknesses and how can we educate our
administrators better? Certifications associated with log management
and review?

See above for common weaknesses. As far as another specialized cert, I
don’t think that is the way to go. I know SANS is big on this, and I
have nothing but respect for those guys, but I really think that
security cannot be stovepiped anymore. Security has to be a part of a
sys admin’s job and training. This is one facet of that training, and
it realistically not all of security can be thrown into a couple of
Windows courses. But the mindset has to be taught more. A single cert
can’t do that.

Is it common practice to have critical systems administered through a
management network that does not touch the production network?
Basically, a network that is separated from the intranet and Internet?

Do you mean having something like separate NICs in critical servers
plugged into a different VLAN for management, and plugging management
NICS on devices into that same VLAN? To my knowledge, that is not very
common. It makes sense, but I could see it being something of a
headache to get setup. As far a segmenting critical systems altogether,
that is happening in a big way. PCI is driving that everywhere.

Can Small and Medium-Size Businesses really afford taking on a project
like centralized log management? What would be the first steps?

Yes, SMB’s can do this. I does not have to be expensive. I did it when
I was at an SMB. I used the PRO version of KIWI syslog server
(http://www.kiwisyslog.com/) and pointed all my devices and servers at
it. I used SNARE (http://www.intersectalliance.com/projects/Snare/) to
push server logs to the KIWI syslog. KIWI even has the ability to read
application logs if they are put into a flat file. It really is not
hard to setup if you are willing to take the time to organize it. But
be sure to take note of the problems mentioned above.

Do you have any recommendations for the Small/Home Office businesses
when it comes to log management?

See above. Should also work for them.

Companies are generally aware that they need to backup their common and
critical data. How much are they aware that they need to do the same
with logs? What is common practice in log retention?

I think they are becoming MORE aware, but the awareness is not where it
should be. Again, this is a failing in training. Security is not
taught as a “baked-in” component of knowledge.

Common practice depends. It seems like 7 years tends to be a good
retention length of time, but that can change depending on compliance
and other laws.

What types of sensitive information could be found in logs and what does
this mean about the protections associated with collecting and retaining
this information? When do you think encryption would be necessary?

It is feasible for access logs on servers containing data to hold
sensitive information such as credit card numbers, SSN’s, etc. It is
also feasible for logs from network devices such as routers and
firewalls to have sensitive data in them because the data passes through
them. That is why PCI specifically addresses this issue.

Encryption of sensitive fields in a database should always be in place.
Encryption when transmitting data should be the norm. And obfuscation
of sensitive data (“x”ing out most of the SSN number or the CC number)
should be done when records are viewed by parties that do not need the
information to perform their duties.

How does log management tie into forensic investigations?

As I mentioned above, log management is crucial to forensic
investigations. Most log management systems normalize logs because they
have to store the data in a manageable format. However, there has to be
some way to recover the raw log in order for the log to be used in
investigations. It is not as crucial if all you are trying to do is
determine what happened in an event. But if plans are to use the logs
in prosecution of criminal activity, then you have to be able to prove
that the logs are the raw, original logs that came from the servers and
devices.

If an investigation team walks in the crime scene and fouls evidence,
the judge is very likely not to admit it. Or if the cops don’t retain a
good chain of custody of the evidence, then the defense lawyer can make
the claim that there is no way to know that the police did not alter the
evidence in some fashion. Logs are evidence, so the same rules apply.

Do any of the forensic programs out there integrate with the logging
solutions you are familiar with?

Good question. I don’t know of any that do off the top of my head.
However, if standards are used to code each one, there is likely a way
to integrate them and transfer logs between them. But again, this can
only be done successfully if the evidence is not altered in doing so.

How can your company help with the issues related to this topic?

Accuvant has four practice areas (Security Assessment, Compliance,
Security Technologies, and Wireless). Our compliance team would be
specifically helpful with this kind of issue because they know the
different compliance controls that would require a company to adhere to
log management standards, and they could perform a gap analysis to let a
company know where they are lacking. They can also provide remediation
assistance to fill the gaps.

The assessment team can perform policy review and architecture review to
tell a company where they are lacking in this area and their security
posture as a whole. They can also perform penetration and vulnerability
tests to see what is getting logged and at what level. And they can
perform application code review to determine if an app’s logging is
sufficient. They can also provide remediation assistance.

The security technologies team can help in recommending an appropriate
log management solution, and they can provide professional services for
installation, configuration, and management of the solution.

The wireless team does not seem to be specific to this issue, but
wireless is actually an area that many administrators and managers tend
to kind of forget is in their network. Thus, logging rarely happens
from these devices. Our wireless team has expertise with many different
manufacturers of wireless technology, and they would be able to provide
best practices for gathering logs from these devices.

You are a blogger and Internet author. Tell us a bit about that.

Internet author?? Really just a blogger since I have rarely written
anything more than a page at one time. But oh well. It sounds good!

I started blogging a little over a year ago when I was in the trenches
as an Information Security Manager at a small / medium-sized psychiatric
clinic in Houston. I really enjoyed being able to write about the
things I ran into during the course of my job. It gave me a chance to
grow as a security professional, and it really helped me hone my writing
style.

As I went forward with it, I realized that it was also a way to get my
name known out in the world of security, which I think will help my
career in the long run.

I maintain two security-related blogs. My personal blog is at
http://infosecplace.com/blog. That one is known as An Information
Security Place. I also blog about security at ComputerWorld at
http://computerworld.com/blogs/farnum.

I also have a personal blog at http://infosecplace.com/tangential. I
don’t update that on a lot. It is mainly a place to keep anything
personal I want to write about, and it helps me maintain a more pure
security blog.

Nothing really ground breaking here. Just a few questions that I thought might help others that are thinking about centralized logging. Hopefully Michael’s answers will help you when you are considering initiating or increasing logging and log management within your environment.

I would like to thank Michael again for taking time out of his very busy schedule to answer these questions. Check out his sites when you have a few extra minutes. It is definitely worth bookmarking or placing into your feeds.

Go forth and do good things,
Cutaway

logging, Accuvant, An Information Security Place, Computer World, Michael Farnum, Security Ripcord

I was interviewed by Martin McKeay of the Network Security Blog for PodTech at RSA 2007. I had the pleasure of running around with Martin a lot during the conference. He worked really hard and we should be seeing more than a few interviews coming from the footage taken at the Verizon Business and F5 booths.

In this interview we talk about how big the Vendor Exposition floor was and how it was almost overwhelming for a first time, large conference, attendee. The product I mention in the video is the Norman Malware Analyzer. I still think that this type of product would be a good step for an incident response team who has found themselves responding to many malware incidents and outsourcing the analysis of that code to determine the actual intent of the malware. I do have to say, though, that this is the first product I have seen to perform this task so although there may be others out there this is the first to which I have been exposed. Something I just found, but haven’t watched yet is a SANS webcast covering this product: Ask The Expert Webcast: Malware Analysis Shortcuts. Check it out and let me know what you think in the comments.

Here is the interview. I hope you enjoy.

I just realized that there are two videos. This second one is a mixture of several interviews that Martin did throughout the conference. Nothing new from me but the other interviews are worth checking out.

Thank you, Martin, for this and all rest of your support throughout the year.

UPDATE: I corrected the glaring mistake I made in the name of the Norman Malware Sandbox Analyzer. Thank you to Kurt Wismer for pointing that out to me and my apologies to Norman for the mistake

Go forth and do good things,
Cutaway

RSA, Norman, McKeay, PodTech, SANS, F5, Security Ripcord

My initial interview with B10m sparked my interest in the security professional field in Europe. As I had recently contacted the trio from RaDaJo about helping me notify a Spanish University one of their servers had been compromised, I decided to contact them with similar questions. The RaDaJo name is a combination of the team member’s names: RAul Siles, DAvid Perez, and JOrge Ortiz.

I had originally met these security professionals during a GSEC Advisory Board meeting in Washington D.C. At the time they were working on another certification that would eventually apply towards their GIAC Security Expert certification. As you can see from the website they were the third, fourth, and fifth persons to receive this intensive credential. During this meeting I was impressed with their outgoing nature and interest in promoting and growing the security industry. The following interview demonstrates they have retained these qualities and that they are continuing to promote security advancement on their continent.

I also highly recommend that you visit their blog site. They continue to provide great information and technical expertise that can be utilized by any security professional. We all should watch out for their technical challenges as they have proven not only to be interesting but useful in real world situations.

---

Why did you all start blogging? I believe that you are all living in Spain but you blog in English. Is there any particular reason? Do you maintain a sister site in Spanish?

[Raul]
The main reason we started blogging was to provide a security resource for technical people where anyone could see the things we are involved in our daily research and job tasks, and to publish details of specific security areas we are interested in. Additionally, we received several requests from people asking us to create a blog, so unconsciously, I think this also influenced us

We all live in Spain, and although we initially though about the language issue, we finally decided to blog in English to reach a broad population; almost all Spanish security professionals understand English, but obviously, the opposite is not true. At some point we thought about keeping two versions of the RaDaJo blog, in Spanish and English, but being realistic, it would be too much work with a reduced benefit.

When you are teaching your training classes do you use English as a common language or does it just depend on the setting and individuals taking the class?

[David]
SANS regular conferences are always run in English. Otherwise we couldn’t get so many people people in class coming from so many different countries. Nevertheless, in a few occasions in Spain there have been courses run in Spanish (with the materials in English, though) and the feedback has been very positive. I think we may be seeing this more often in the future, but I’m just guessing here.

If a security professional were going to fly to Europe for one security conference, which would you recommend and why?

[Jorge]
As always I would recommend SANS conferences. They really rock in all their tracks! . I have also attended and enjoyed the ISSE Conference (http://www.eema.org/static/isse/ ).

And we also have Black Hat Europe and some others, but I haven’t had the chance to attend yet.

What resources do European security professionals look to during their day to day work to keep abreast of breaking news and events (e.g. Alert/Vulnerability Lists, Websites, Blogs)?

[Raul]
Based on our international experience, the same resources are used by almost all professionals, no matter were you are located. The most popular ones are SANS ISC, Security Focus bugtraq and mailing-lists, the FullDisclosure list… but, as you know, there are dozens of them.

From the alert/vulnerability lists perspective, people use the generic ones, such as SANS Newsbites and SF Newsletters, plus the manufacturers resources (Cisco, Microsoft, Linux-vendor…).

We suggest that every serious security professional should have its own preferred list of resources, created throughout the years, and at least including Websites, Blogs, Mailing-lists, Forums, Security Conferences and Podcasts.

Unfortunately, there are no well known European-centric security resources. People tend to access global resources published in English (some of them located in Europe), and additionally, some localized country-based resources (published in your own language). However, due to the language barriers, it is not common to have lot of people from one EU country accessing resources from another EU country (if they are not in English).

Obviously many people in Europe are multilingual but not everybody. How do these language barriers affect the security situation in Europe and how information flows and is interpreted?

[David]
I think security personnel in most, if not all, big companies can at least read English well enough to understand all technical documentation, articles and news, so getting information is not a problem. Writing and speaking is a little less universal but still most people can, so information also flows (less) in the opposite direction. However, the smaller the company the most common is that people only speak their own language, which is a serious limitation because not everything gets translated and even what it does get translated is never the latest.

The basic security considerations and best practices are the same the world over, but society and business practices do change according to specific regions. I would think that this make it a challenge to generate and enforce information security regulations that span the European countries. Is this true?

[Jorge]
Although the European Union tries to create a common framework for all its countries, it is true that some specific laws are different from country to country. Besides, law enforcement has important barriers due to the different languages in each country and they need to establish good relationships (in their initial incident response phases) with every potential country an attack could come from. Certainly, all this makes it more complex than in the US.

Although security is still a young profession here in the United States the government and businesses are starting to understand and accept the need for security professionals or administrators with security training. How does this compare to European governments and businesses?

[Raul]
We think it is very similar in the US and Europe. The information security field is still maturing and government and businesses are realizing of the huge needs of security professionals. Everything is being computerized, so this fact increases the protection demands and the need of security knowledge and personnel.

Fortunately, the market has changed a lot in the last 7 years; when we started as full-time infosec pros in Spain around 2000 we needed to explain from scratch certain things and terms to customers. Nowadays almost anyone has heard about rootkits, penetration tests and forensics (just to cite some examples).

Are there any security tools and products that are specific to Europe?

[David]
Not that I’m aware of. I think we use the same commercial and public domain tools as the rest of the world. This is a global village and market.

[Raul]
The only exception are government and defense organizations, where each country wants to manage their own security infrastructure. They typically use commercial and proprietary (home-made and secret) solutions.

When Americans think of computer security and Europe many of them start thinking about organized crime and hacker groups from some of the former “Eastern Block” countries. Is this being blown out of proportion? From your experiences are businesses and end-users in Europe in more danger from organized crime and hackers from around the world than businesses and end-users in the United States?

[Jorge]
Well, there are several hackers from the Eastern Europe, but also from other European countries as well, like Germany that has a long lasting hacker tradition. However, I believe that organized crime has increased its activity in Europe during the last couple of years (or at least we have started to notice that it was happening), and started to hit some real businesses and getting some real money.

Due to the nature of the Internet, everybody is equally exposed to the attacks. The only advantage in targeting the United States is that, even with the same percentage of vulnerable systems, the same attack can be used against a higher number of users ( i.e., that will speak the same language, go to the same web page and use the same bank, for example). Other than that we should all watch out!

---

I would like to, once again, express my gratitude to RaDaJo for the time the took out of their busy schedule to answer these questions. From this information I can see that the security profession is following much the same track as we are here in the Untied States. This is not very surprising as the technologies and risks are generally the same. Hopefully this interview will help people understand that the concepts, standards, and philosophies are generally similar throughout the industry despite international borders.

Go forth and do good things,
Cutaway

RaDaJo, GSE, GIAC, SANS, Interview, Security Ripcord

As I stated in a previous post, I have been paying a little more attention to the information provided in URI and Refer sections provided by one of my Wordpress plugins. This information has, at times, contained information about some systems on the Internet that are searching for other systems with vulnerable PHP installations and applications. As I mentioned in the original post I found a blog where another blogger had already analyzed the scripts that I found on a hacked server, which was scanning my web server. The blog is B10[m|g] and the blogger goes by the pseudonym B10m.

After reading another post where B10m confronted a script-kiddie botnet runner with the cracker name “fazanul,” I decided that I would ask B10m to be my first blog interview. He agreed. The following contains my questions and his answers. As you will see, B10m is not a security professional. Rather, he is a software programmer. Because of his interest and investigation into the IRC bot that queried his system, I assumed that he was a security professional or had close ties to them. The majority of my questions take that misconception and run with it. However, B10m was a good sport and answered each question he was able.

I think it is a good sign that a software programmer decided to take action when he was presented with malicious activity. I would not suggest everybody try to connect to the command and control channels of botnets they locate unless they have experience in the field of malware analysis. Fortunately, B10m did know how to protect himself and his systems to a certain extent but, as he mentions during the interview, he has accepted a certain amount of risk associated with his actions. My recommendations is that people wanting to make a difference against crackers a simple abuse report to the system owner, the system’s hosting company, and the system’s ISP is probably sufficient.

I would like to thank B10m for agreeing to the interview. I hope you all enjoy.

---

What made you start blogging? From your site you appear to be living in The Netherlands but you blog in English. Is there any particular reason?

I’ve started blogging quite some time ago on my own hacked up Perl
blogging system. When I found out other people build better systems,
I used that. I was forced to create my own blog by a friend who -at a
certain point- refused to publish my items any longer…

English just seemed to fit better with my topics (mainly technical
issues). I usually get disappointed when I find a blog post in a
language I don’t master, containing the exact error message, and
most likely a solution, I was searching for

Are you a security professional? What industry do you work in (e.g. government, education, financial, consulting, etc)? What are your primary duties?

Not at all. I’m a software developer (somewhat) and don’t really
have any real security background other than trying to get my apps
to be as secure as possible.

I am going to assume that you do malware analysis either for work or as a hobby. How did you start and what training have you received?

I’m a selftaught geek. Never really had any official training. Just
a lot of reading code will do the trick (besides chatting with
professionals over a few beers). Reading code is fun, and when it’s
supposed to do evil things on my machine, it’s even more fun.

Going after these kiddies isn’t even a hobby though. I just got
obsessed with this fazanul guy. I took a botnet down and rather
quickly, he returned with a new server. So I had to take that down,
and now we’re here. I’m scanning my logfiles for him on a daily base
now. Others do get by, but I pay less attention to them.

If a security professional were going to fly to Europe for one security conference, which would you recommend and why?

I would have no clue. I’m not into those big conferences too much.
So my answer would probably be Prague. Not because of any
conference, but just because it’s an awesome city

What resources do European security professionals look to during their day to day work to keep abreast of breaking news and events (e.g. Alert/Vulnerability Lists, Websites, Blogs)?

I’m not a security professional, so I can only speak for myself. I
of course follow slashdot, subscribed to the CERT Advisory mailing
list (so I can taunt MS Windows-using friends often and look at
digg occasionally.

What training (personal, certification, degrees) would you recommend for persons just starting to look into malware analysis?

No clue, it’s not my job

Obviously many people in Europe are multilingual but not everybody. How do these language barriers affect the security situation in Europe and how information flows and is interpreted?

Language barriers are not really a problem in Europe. Most kids
learn at least 1 foreign language in school. In the Netherlands it
used to be mandatory (still is?) to study English, German and French
for at least one year in highschool. After that, German and French
become optional. English is even being taught by the age of 10 or
so.

I have never ran into an abuse desk that couldn’t communicate in
English though. It’s part of the job. Abuse reports may come from
all over the world… I do notice that people get working faster for
you when you do address them in their native language though.

You have started a conversation with a hacker who refers to him/herself as “fazanul,” why did you start that conversation?
The code he used for his attacks were full of “scriptkiddie” signs.
A real coder has a certain programming style as to indentation, etc.
This was clearly a cut’n'paste job, done by someone with little
knowledge.

I wanted to see how many hosts actually were infected by this guy’s
script, so I logged in, pretending to be a bot myself. He launched
commands at me, which I replied with bogus replies, but looked like
real system replies. That was fun for a while and he bought my
answers up until I really made it ridiculous, like giving answers to
questions he never asked… and of course the “I refuse” answer was
something he didn’t expect from a machine.

I was just messing with this kid and found it quite funny, so I
continued talking to him (he doesn’t want to talk much to me
though…).

You used fazanul’s IRC bot to connect to his command and control channel, what did you do to protect yourself before making that connection?

Not really. I read his code and connected to the IRC channel by
BitchX, a regular IRC client.

What tools would a young security professional want to become familiar with to begin to analyze malware like fazanul’s IRC bot?

It just boils down to being bored and having some time left to waste
on these things. I noticed the script being written in Perl. I’m a
Perl hacker so it caught my attention. After that, it’s basic
networking knowledge. It’s quite important to find out who to contact
about network abuse etc. Just scan your logfiles every now and
then for “weird” activity.

It’d probably help to read a little PHP too though. There’s a lot of
horribly insecure PHP code available online. By being able to read
PHP, you can spot errors in the code and patch it. Afterall, close
to all of these attacks are PHP-script exploits.

Have you noticed any type of DDoS towards your systems and what did you do to protect yourself from fazanul’s repercussions?

Nothing. Since his botnets crumble rather fast I doubt he has the
power to launch a real DDoS attack. If he does, oh well, my poor
little server will suffer and my blog will be inaccessable for a
while. Not that big of a deal. Then again, since this is really a
scriptkiddie without a clue about what he’s doing, I don’t fear this
guy. I fear my buggy harddrive more

You have been contacting system owners and Internet Service Providers to report the systems being used to spread these IRC bots. Please explain how you do this so that others can do the same?

As I stated before, the most important thing is to find out who is
responsible for a box. First you go after the host of these files.
They are usually not aware of this abuse so they are usually helpful
and friendly. After that, I usually look up who’s currently logged
in the IRC channel, find out their IP addresses and lookup the ISPs
belonging to that. I use gwhois[1] for that. These admins are
usually less helpful and friendly (calling my warnings “bogus
claims” and “without logfiles, we won’t do anything” stuff).
Nevertheless, most zombies in the botnet do disappear after my
warnings though.

1. http://freshmeat.net/projects/gwhois/

---

Go forth and do good things,
Cutaway

B10m, B10m|g, botnet, fanazul, abuse, Security Ripcord