We have another BaySec meeting scheduled for the coming Monday. 7pm at O’Neills, at 3rd and King Street. Right around the corner from my work 😉

I thought I’d already disabled mDNSResponder when I did some basic hardening of my Laptop. Turns out that when Marty (no, I am not refereing to myself in the third person) asked me whether I disabled it and I checked again, it was really not. Maybe I just killed the process, but here is how to really disable that service:

Launch the following command

sudo launchctl unload /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist

The next step is turning off the mDNSResponder at startup. And where do you do that? As I am not really confident getting online here at BlackHat, I decided to just look around on the hard drive and what I found was that you could probably just change an entry in the /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist file:

<key>OnDemand</key>
<false></false>

Replace false with true. Do you notice something? Someone really knew XML. Darn it. Two elements. One being the key, the other one being the value. Ever heard of attributes in XML? To whoever built this, this is how I would write the entry:

Or even better, re-architect the entire XML file to actually make sense!

I just now found the real way to actually disable the service by using the -w flag on the launchctl command from above. That will turn the process off permanently. A good reference is here.

Bob Blakley from the burton group wrote a blog entry about event interoperability standards. This clearly shows that interoperability is a hot topic. However, it also shows that we (CEE) still have to do a lot of work educating the community ;)I want to correct some of Bob’s statements about CEF and provide some more information and thoughts:

1. “CEF defines only a record format”. Well, that’s absolutely right and very very intended. You do not HAVE to define anything else. The transport for example is something that should not depend on the syntax and vice versa. I keep haing to make that point. The ArcSight CEF standard is not bound to any transport. Use anything. If you don’t have anything better, use syslog. It is very very very easy to implement. You just marshall a packet, send it to port 514 and done. Yes, it’s not reliable and all, but it’s a very simple and quick start. If you want, use something more complicated and with more capabilities. CEE will be doing exactly the same thing. We’ll break the standard up into four subtypes, separating syntax from transport, recomendation, and taxonomy.
2.  “it doesn’t define service interfaces to allow event producers to notify event consumers that an event has been created and is ready to be processed”. Wow, this is interesting. Why would you not just send the event? Why going asynchronous? People, get away from the notion of pulling events!
3. “it does not contain any mechanism for dealing with clock synchronization issues in distributed environments”. Since when should an interoperability standard take care of synchronizing clocks? Use NTP. I am just assuming that! The standard should not have to talk about that!
4. “[…] CEF leaves the definition of event types (which are called “Signature IDs” […] ) up to the individual event producers, thus inviting both ID conflict issues and proliferation of different names for events of the same type in different systems.” Half of this is definitely wrong. The other half is again a separation issue. CEF is a syntax standard. Not a taxonomy! Furthermore, you use a combination of deviceVendor, deviceProduct, deviceVersion, and SignatureID for the unique ID. Hence, no overlapping IDs. I know where this is going. Have a look at CPE. Darn, that thing is complex. However, compeltely unnecessary in this case. Let people define their own IDs. They have them already anyways (except for most syslog entries, but there you just make an ID up). I know what I talk about. I have been doing all of this for the last 4 years! What is really missing in the critique is (and yes, I will admit that there are wholes in CEF) that the granularity of defining the signature IDs is not defined. For example, do you use the same ID for all logins? Failed and successful? The answer here is no. I need different ones, but that’s something CEF does not define. Be assured, CEE will!

I also disagree with Bob that multiple standards should be pursued and supported. I will definitely push CEE harder than CEF. It’s open, it’s a community effort, it’s Mitre led, and it’s going to be a more comprehensive approach. We are keeping NIST and all the other interested parties involved. No need for NIST to go out and create yet another standard. There are so many other standards out there also and just because they exist does not mean they are any good. For example XDAS  is not what I want to see standardized! Why? See my review of XDAS.

Technorati Tags: CEE, CEF, event interoperability, standard, event exchange

This is a pretty random blog entry, but oh well… I am sitting in the London airport. In the lounge here, they have a computer that is connected to the Internet. I sat down, opened a browser, typed in my webmail domain and paused for a second. Then I opened a command shell and checked for open ports, processes running, and all that. Well, I still felt like I couldn’t enter my password. What if a keylogger was running?

Then I had an idea. I opened a notepad and just entered some random characters. Then I started, using the mouse, to rearrange the letters into my username and password. A key logger is not able to capture my password like this. I _think_ I successfully circumvented these beasts.

I know, there are other trojans, such as transaction generators that could get in my way, but …

A group of info sec people is meeting up in San Francisco for an informal get together. We’ll have a drink and probably chat about security.

You work in computer security? Join us:

Wednesday, May 16th, 7pm at Zeitgeist in San Francisco.

No RSVP needed. So far you’ll have to buy your own beer unless we’ll find a sponsor 😉

Everybody blogged about RSA, I guess I am the only one who has not gotten around to do so until now. I did some pretty interesting survey of companies and how they use visualization in their products. I will try to publish some of my findings at a later point. The other thing which is always incredible about RSA is the people and the networking. I don’t know how many parties there were in total, but there were a lot. Just the parties I knew about were in the high teens. I even went to the Gala for a little bit but unfortunately I left too early. Otherwise I would have seen this life:

http://www.youtube.com/results?search_query=geeks+dance+rsa

I wish I could dance like this guy. Dude, he got moves!

Anton Chuvakin just blog-tagged me. What that means is that I have to write five things about myself that not many people know and then list five other people that should do the same thing. Well, here ya go:

1. I used to be heavily involed in crossbow shooting. I was Swiss champion, was shooting in the national team for about 6 years and was the coach of the youth team for about 2 years. A great time which is responsible for a lot of what I am today.

2. I have a passion for bridges. I love taking pictures of them. I should probably start posting them 😉
3. I guess this is well known: I am Swiss. I grew up in Switzerland. In 1999 I came to the Silicon Valley for an internship, left the US again and then moved back to San Francisco in 2003.
4. My interest in security came about during my cryptography lessons in college. I was phascinated by the concepts and how they can be put into practical solutions. That initial phascination led to an internship and then later my master thesis at IBM Research in Zurich.

5. VIM: I am a huge fan of VIM. Some people hate me for using VIM for all my writing; Anton? I write my emails in VIM, I write my books in VIM, and much to the annoyance of my co-workers, I set my shells to VIM mode (set -o vi). And who is responsible for that? I am pretty sure it was Dhawal during my internship at Cylink.

So, who am I tagging?

1. Jian Zhen

2. Jan P. Monsch

3. Michael Rash

4. Deigo Zamboni

5. Axel Eble

I wanted to post this picture for a while. Here we go. Anton (NetForensics) and myself (ArcSight) at some of our competitors booths … Thanks for taking the pictures!

Fresh from the press and fueling the discussion on the acronyms that I started earlier. Not just authors of articles are starting to make up new acronyms, now apparently the NBAD space is being renamed to NBA (Network Bahavioral Analysis). Why do we have to make things more complicated. People have a hard enough time already keeping track of technologies, and now you need to have a special dictionary for security acronyms?

Can you tell that I was travelling again? Gives me a chance to catch up with the security magazines that pile up on my desk. And I keep getting disappointed. Well, there were a couple of good articles I read. One from Ed Skoudis about how to secure yourself against spyware. But most of the articles are horrible.

The first thing I found is in the Information Security Magazine. Somebody had a comment about Ed Skoudis and Mike Poor’s article on “IPS: Reloaded”. This person claims that in the old world, IDSs signatures had to be tuned, but in the new world of IPSs, that’s not necessary anymore. In his words: “IPS should not be judged with old IDS standards”. So what does this guy think IPSs do different than IDSs? Do you really think that for example the CISCO IPS is a completely new product and is not based on the old CISCO IDS code at all? What about all the other IPSs? I can guarantee you that you will have to spend as much time (if not more) to tune IPS signatures as you had to spend tuning your IDS. If IPS really had the magic sauce, why would IDSs not adopt that? Forget it!

In fact, this brings me to another thought that I had while I was walking the floor at the RSA conference in San Jose this week. There are all these new companies that I have never heard of. They are presenting solutions for all kinds of problems, ranging from insider threat detection to identity management. I spent quite some time trying to understand what they are doing. What I have seen is quite disappointing. Take an insider threat management company and check what they are doing. Well, they can detect credit card records on the wire, alert you on transmissions of social security numbers (SSN) or patient health records. Sounds great. But do you know what they are doing? Right. They basically take a NIDS sensor, apply some signatures which look for SSNs or credit card numbers. In fact, one of the companies showed me their signature definition and this is what you had to enter to detect an SSN:

\d\d\d-\d\d-\d\d\d\d

Wow! Have they ever heard of regular expressions? What about:

\d{3}-\d{2}-\d{4}

This was not their worst example! Anyways. My point is that there are all these new companies that claim amazing technology, but if you look under the hood, you realize that we had the technology for YEARS! Refurbish your NIDS and you are in great shape! Why have the NIDS vendors not jumped on the wagon? I don’t know. By the way, it’s not just the insider threat companies, but also other companies. One of them sniffs the wire and decodes all kinds of application protocols to attribute user identities to IP transactions. Again, I can solve the same problem with a Sniffer. I don’t even need a NIDS for that! [Believe me, I have tried it!]

Granted, there are some new and cools things. For example companies that let you register documents and then they detect them on the wire in any variation. For example, I register my word document. Now if someone takes the document and takes a pragraph out of it or pastes it into Excel, they are still capable of detecting that the document is on the wire. That’s pretty cool!