Archive

Archive for July, 2009

Book Review: The X and Y of Buy

July 29th, 2009 Clear2Go

This is my first book review, so please bear with me as I learn and improve.  For anyone who reads this blog, note that this review has nothing to do with networks or security and is not technical.  In reviewing the book, I agreed to post a review on my blog.  I have also posted it on Amazon.

The X and Y of Buy attempts to explain how males and females differ in the way they think and feel, and how this affects a company's ability to sell if it is not aware of these differences and does not adjust its marketing and selling strategies to them.  The book is divided into two main parts.  The first part explains these differences and offers reasons for them.  Then, using the information from Part I on how males and females make decisions, Part II takes you through how to sell to males and females.  It outlines a 6-step process, as well as some typical sales scenarios. In each phase it gives pointers and steps to use for each gender.

While I liked the first part of the book, I found it to be too black and white.  For example, one concept was that men prioritize and women synthesize.  While it offers reasoning for its statements using Paul MacLean’s triune brain theory, this is but one explanation.  While I found some of the concepts in the book to be very useful, I do not believe that males and females are as black and white as this book professes.

If you are looking for a quick book to give you some theories and logic as to how the genders make decisions and how to apply them, and are not interested in the many variations that may occur among males and females, this book is for you.  If, however, you want to dive deeper into how to market and sell to the genders, this book is merely a very quick introduction.

Categories: Book Review

Blackhat 2009 – Day 2

July 27th, 2009 Clear2Go

Day 2 of the course (day one is here) on developing effective intrusion prevention and detection signatures was much more interesting for me.  We discussed ways to block SSL-enabled sessions to specific sites.  By creating a signature that checks the OU (organizational unit) field in the certificate that the server passes to the client, and blocking it if it matches a site you do not want people to visit, you can effectively block the certificate exchange, which disallows the key exchange, which in turn stops the SSL session from being established.  Not rocket science.  What was interesting was that their capture file of a Gmail login had the OU in the certificate set to ‘mail.google.com’.  I pulled the current Gmail certificate and its OU is ‘www.google.com’.  Smart move by Google to consolidate all SSL for its applications under one SSL certificate.  Given the number of businesses wanting to block external email sites such as Gmail, this technique would force a company to block all SSL communication to Google, which is probably not realistic.  However, a lot of malware uses SSL and valid certificates for transmission nowadays, so this technique could still yield some benefit in those conditions.

We took a long look at proxy services such as Hidemyass.com, discussing different ways to block proxy services, which are better to use and why.  We then had to create a signature to block proxy requests from hidemyass.com.

Fuzzing was discussed, specifically in relation to VoIP and SIP.  Some attacks that used fuzzing were shown, and we were required to create signatures to block these attacks.  One interesting attack was a SIP attack that used both fuzzing and fragmentation.

Rob spoke in great detail about regular expression (regex) optimization.  He spoke about C.A.R. Hoare and his rules of optimization, and applied them to his examples and discussion.  If you need to know about regex, Rob is definitely an expert in this area.  Other optimization techniques were discussed, such as blocking at the firewall first if possible.  The firewall has to look at the 5-tuple (source and destination addresses, ports, and protocol) for every packet anyway, so if you know that information is enough to create a successful block, then do it there.  It makes no sense to have a regex or other rule re-process the 5-tuple and block if it isn’t necessary.  Other concepts such as where to use string matches, not analyzing traffic you don’t need to, and other helpful ideas based on common sense and his experience and knowledge were discussed.

We did an entire section on complex signatures.  This was the most interesting part of the course for me.  For the example, SMTP was used as the protocol and the goal was to block any attachment that had a reference to ‘.com’ in it.  The main problem here, as most network types will know, is that SMTP uses base64 encoding for data transfers.  This means that a ‘.com’ won’t appear as a ‘.com’ on the wire.  We dove into the weeds of base64, how it would transmit on the wire, and the result was to build a signature that had no known false positives.  Base64 encodes each group of 3 bytes as four 6-bit characters, so a 4-byte string such as ‘.com’ can appear in 3 different encoded forms depending on where it starts within a 3-byte group.  All of these had to be accounted for, along with upper and lower case.
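As an added example (not the course's signature and not code from this post), the following Python derives the three base64 alignments of ‘.com’ with every upper/lower-case variant folded in, then checks a line-wrapped MIME body against them; the mod-4 alignment check and the helper names are my own choices.

```python
import base64
import itertools
import re

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def sextet_pattern(target: bytes, offset: int) -> str:
    """Regex fragment matching the base64 of `target` when it starts `offset`
    bytes (0, 1 or 2) into a 3-byte group.  A 6-bit group (sextet) fully inside
    the target becomes a fixed character, one shared with an unknown
    neighbouring byte becomes a character class, and one wholly outside the
    target is dropped."""
    tbits = "".join(f"{b:08b}" for b in target)
    start, end = 8 * offset, 8 * offset + len(tbits)
    pieces = []
    for i in range((end + 5) // 6):
        lo, hi = 6 * i, 6 * i + 6
        if hi <= start or lo >= end:
            continue
        known = {k - lo: tbits[k - start] for k in range(max(lo, start), min(hi, end))}
        unknown = [k for k in range(6) if k not in known]
        chars = set()
        for fill in itertools.product("01", repeat=len(unknown)):
            bits = dict(known)
            bits.update(zip(unknown, fill))
            chars.add(B64[int("".join(bits[k] for k in range(6)), 2)])
        pieces.append(re.escape(chars.pop()) if len(chars) == 1
                      else "[" + "".join(map(re.escape, sorted(chars))) + "]")
    return "".join(pieces)


def build_signatures(token: bytes = b".com") -> dict:
    """One compiled pattern per alignment, with every upper/lower-case variant
    of the token's letters folded into the alternation."""
    choices = [(b, b ^ 0x20) if bytes([b]).isalpha() else (b,) for b in token]
    variants = {bytes(v) for v in itertools.product(*choices)}
    return {off: re.compile("(?=(?:" + "|".join(sorted({sextet_pattern(v, off) for v in variants})) + "))")
            for off in range(3)}


def body_has_token(b64_body: str, sigs: dict) -> bool:
    """True if the (possibly line-wrapped) base64 body decodes to data that
    contains the token at any alignment.  A hit counts only when its index in
    the base64 text is congruent to the alignment mod 4: the text index is the
    sextet index, so an unaligned hit would be a bit-shifted look-alike rather
    than the literal bytes (this alignment check is my addition)."""
    text = "".join(b64_body.split())            # undo RFC 2045 76-column wrapping
    return any(m.start() % 4 == off
               for off, sig in sigs.items() for m in sig.finditer(text))


def mime_wrap(data: bytes) -> str:
    """Base64-encode and wrap at 76 columns the way a MIME body is sent."""
    text = base64.b64encode(data).decode("ascii")
    return "\r\n".join(text[i:i + 76] for i in range(0, len(text), 76))


if __name__ == "__main__":
    sigs = build_signatures()
    for off in range(3):
        print(off, sigs[off].pattern)
    # constructed sample body: the token straddles the 76-column wrap
    print(body_has_token(mime_wrap(b"A" * 55 + b"see INVOICE.CoM"), sigs))
```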

Evasion techniques were discussed, such as encryption and fragmentation.  When writing detections, one common mistake is that designers write to the RFC, assuming that applications all follow the RFC.  Apache, the most popular web server, would obviously follow the HTTP RFC, right?  Nothing could be further from the truth.  The HTTP specification dictates that you should always use \x20 for a space, but Apache will accept a tab (\x09) as well.  If you just follow the specification you create false positives and false negatives, potentially blocking valid sites or missing legitimate attacks.

Finally, we worked with Snort to create a signature that would block an SSL connection to Gmail (the problem discussed at the beginning of the day).

Rohit and Rob put on an excellent course.  Anyone interested in signature design and detection techniques for security, protocols, or behaviour would benefit from it.  Although they cover concepts and techniques that people who have worked in these areas will already know, they bring their experiences into the course and the labs, which makes it well worth attending.  As an example, they didn’t teach any regex concepts I didn’t already know, but they applied their experience to them and the tricks they had learned along the way.

Categories: Conferences

Blackhat 2009 – Day 1

July 26th, 2009 Clear2Go

I signed up for a course on developing effective intrusion prevention and detection signatures.  This is a two-day course and today was day 1.  I had two reasons for selecting this course.  The first was the individuals running the course.  Both had presented some excellent research in the past and I was interested in learning more about what they had to say and in meeting them.  The second reason was that these individuals have spent a great number of years creating signatures as part of their job.  The experiences they share about that would be valuable.  The two individuals are Rohit Dhamankar and Rob King.

In the first part of the course I didn’t learn very much.  We reviewed the IP packet, its associated fields and their meaning.  We discussed fragmentation, how it works, why it happens, and how it is used to launch effective attacks.  We reviewed how to use mathematical operations such as bitwise AND to isolate the parts of a packet field that are of interest.  We were shown a simple ‘SYN-FLOOD’ attack capture file.  All of these concepts had exercises the class did and reviewed.

The afternoon section brought with it mostly regular expressions.  We started with the syntax and how it works.  There were several exercises the class did which got increasingly complicated.  Rohit and Rob discussed good signature writing.  This is where the class started to get interesting for me.  I was keen for them to discuss their experiences with signature writing.  They discussed writing signatures to detect the vulnerability rather than the exploit, how to avoid false positive signature matches, and the complexities around this such as the regex ‘sliding match’.  All of these had multiple examples and exercises the class went through.  These exercises and the discussion around them were extremely useful for me.

It was very obvious Rob and Rohit really enjoy their work.  Rob stated several times how he ‘loved his job’ and you can tell just by watching and listening to him.  There is an obvious excitement in his body language and voice when he discusses good signature creation.  Rohit, although not as animated, knows his topic and explains concepts and experiences very well.  He is a Director of Security Research and can still discuss in very technical detail how fragmentation works.  In my books that deserves and gets respect, and I am impressed he is able to keep his technical skill up while being in a management position.  That speaks well for his company.

Categories: Conferences

Caesars Palace for Blackhat 2009

July 25th, 2009 Clear2Go

I arrived yesterday at Caesars Palace for the Blackhat and Defcon conferences, which are getting ready to commence.  Blackhat has been at Caesars Palace for at least the last 3 years I have been attending, and I suspect before then as well.  This is the first year where there were difficulties checking in and getting my room.  Previously it has always been flawless.

When I arrived they were not accepting check-ins yet.  There was a rather long line of people checking out that had yet to be processed and, according to Caesar’s staff, the rooms were not ready.  In previous years I arrived at the same time as this year (typically late morning), and they were processing both people checking in and people leaving.  I took the opportunity to wander around the Strip and enjoy the hot weather.  It was nice, especially since this summer in Ontario, Canada has been less than stellar so far with respect to the weather.  When I came back to check in there was a large line of people waiting to check in, and it was longer than the check-out line had been.  The Caesar’s staff recognized I was one of the people that arrived early and let me go into the premium line, which was thoughtful and appreciated. I am not much of a hotel room person and I typically don’t care what type of room I have when I am traveling alone (although I’m learning this is changing as I get older); as long as it is clean, comfortable, and has decent Internet I am usually okay.  The room was awful.  The layout of the room was not well thought out.  The decor reminded me of early 80’s hotel rooms.  It was badly in need of an update.  These rooms always give me the feeling of being dirty.  I know they are not; it is just that they are ‘well used’.  Finally, the Internet connection was terrible.  I called to complain nicely.  The staff was excellent and the lady switched my room and sent a staff person to move my luggage even when I insisted I could move it myself.  Very thoughtful and concerned.  I was moved from the Roman tower to the Forum tower.  The room is much more modern, the layout makes sense and the Internet connection is sufficient.  I like Caesars and this is the first year I have ever had any difficulties with them, but they took care of all my concerns.  I was very impressed with the staff.  As for the difficulties, it was probably just a bad day for Caesars.  It happens to everyone in every industry at some time or another.

I registered my arrival at the Blackhat conference and today I start my first session.  The session is being conducted by a researcher who has done some impressive research on security in the past.  He presents well too.  I am looking forward to it.

Categories: Conferences

Psychology of groups

July 23rd, 2009 Clear2Go

http://www.flickr.com/photos/ceekay/2115530628/

Most who know me know that I have as much interest in people as I do in networks and systems.  I am almost always watching and asking myself questions. Why did he suddenly choose this option when it is not his normal choice? Why in the meeting did she have a moment of anger on her face as soon as he spoke, yet appear and act perfectly happy? And many other questions, but you get the idea.  I took a psychology course at university out of interest.  I made it through the course, but it was tough.  I am not good with memorization and that course required almost 100% memorization and regurgitation.

Here are two interesting posts on groups and group mentality. I feel they are very applicable to work environments where there are departments and teams. The first is called “10 Rules That Govern Groups”.  It discusses how much of our time is spent in groups of people and some of the dynamics around groups.  The second one is entitled “Why Group Norms Kill Creativity”.  It asserts that creativity is lower when people are in groups and contains links to studies that support this assertion.

A thank you to Rob Tyrie for pointing me to the first article.

Categories: Human Behaviour

DNS versus HTTP_GET for a forensic investigation

July 14th, 2009 Clear2Go

Back in May I was asked to give a presentation to law enforcement.  The presentation is here.  Since then, I have been asked to clarify the advantage of using DNS as opposed to HTTP when conducting an investigation.  It is not that one would use DNS instead of HTTP, but that one should use DNS first to assess whether further investigation into HTTP and other protocols is warranted. I will use the same example I used in the presentation to explain.

When a browser or application (herein I will just use ‘browser’) goes to a website, it almost always does a DNS request first for the site the user is looking for.  The DNS request is basically asking “What server houses the site I am looking for?”  In the simplest case, the browser makes a DNS request for an address based on the bookmark, link, or address entered.  A DNS response to the request comes back with the IP address.  The browser then connects to the IP address and asks for the particular URL.

The capture below shows the DNS request and response in green and the request for the URL in blue.  In this particular example, the user requested to go to http://www.facebook.com.  Frame 1 shows the DNS request for www.facebook.com and frame 2 shows the response from the DNS server indicating the browser should connect to 69.63.180.15.  Then in frames 3, 4 and 5 you see the connection to 69.63.180.15 and finally, in frame 6, the request for the root web page.

DNS lookup and HTTP get of www.facebook.com

Frames 7 and on are the data being transferred, along with the other HTTP GETs made.  In fact, that one request for a web page generated many HTTP GET requests.  You can see all the HTTP GET requests for http://www.facebook.com in the capture below.

Facebook homepage all HTTP GET requests

During an investigation, if you initially capture the HTTP requests, it is a lot harder to walk through each one and determine what the request is asking, what the response is, and whether each request has relevance to the investigation.  It can be done, but it is more work and more time. While this effort may be necessary, often at the beginning of an investigation you want to determine first whether further investigation is required.  Suppose you are investigating an individual suspected of selling stolen items on eBay.  If you never see a DNS request for eBay or another auction site from that user, it may not make any sense, and would be a waste of time, to investigate further – maybe you have the wrong individual.

When I have been asked to determine what a particular user, employee, or service is doing, I almost always start with DNS.  By extracting what the subject was trying to look up in DNS, you can quickly compile a timeline of the sites and applications they were using.  From this data, you can determine whether you need to investigate further and, if so, which applications, sites, and protocols you should focus on.  I find this lets me focus my investigation more easily and not waste time looking at data that is not relevant to the investigation.

DNS has a few other advantages too.  It is not encrypted, so it is easy to analyze.  It is the standard directory of the Internet and is used by most if not all applications and services.  While I acknowledge that a serious ‘anti-forensic’ individual or group might set up and deploy infrastructure to avoid detection via DNS, such as a VPN tunnel or their own DNS services for the sites and applications where they do not wish to be easily tracked, this is not typical behaviour and would be the exception, not the rule.
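As an added example that is not from the post or the presentation, the following Python takes DNS payloads (UDP and lower headers already stripped, as a capture tool would hand them over), pairs each query with its response by transaction id, and builds the kind of DNS timeline described above, then flags names on a watchlist; the sample frames, timestamps and the 192.0.2.10 answer are constructed, and only 69.63.180.15 comes from the post.

```python
import struct

def read_name(msg: bytes, pos: int):
    """Decode a DNS name at `pos`, following RFC 1035 compression pointers.
    Returns (dotted name, offset just past the name as it appears at `pos`)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:                         # 2-byte pointer
            if not jumped:
                end = pos + 2
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            jumped = True
            continue
        pos += 1
        if length == 0:
            return ".".join(labels), (end if jumped else pos)
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length

def parse_dns(msg: bytes) -> dict:
    """Transaction id, QR flag, first question name and any A-record answers
    from one DNS message (the UDP payload; lower headers already stripped)."""
    ident, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    pos, qname, answers = 12, None, []
    for _ in range(qd):
        qname, pos = read_name(msg, pos)
        pos += 4                                          # QTYPE + QCLASS
    for _ in range(an):
        _owner, pos = read_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:                     # A record
            answers.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return {"id": ident, "response": bool(flags & 0x8000), "qname": qname, "a": answers}

def dns_timeline(frames):
    """frames: (timestamp, dns_payload) pairs in capture order.  Returns one
    (timestamp, qname, [answer ips]) row per query, answers filled in from the
    response carrying the same transaction id."""
    rows, open_queries = [], {}
    for ts, payload in frames:
        rec = parse_dns(payload)
        if rec["response"]:
            if rec["id"] in open_queries:
                open_queries.pop(rec["id"])[2].extend(rec["a"])
        else:
            row = [ts, rec["qname"], []]
            rows.append(row)
            open_queries[rec["id"]] = row
    return [tuple(r) for r in rows]

def watchlist_hits(timeline, domains):
    """Rows whose query name is one of `domains` or a subdomain of one."""
    return [r for r in timeline
            if any(r[1] == d or r[1].endswith("." + d) for d in domains)]

# Constructed sample traffic; only 69.63.180.15 is the address from the post.
def build_query(ident, name):
    q = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0) + q + struct.pack("!HH", 1, 1)

def build_response(ident, name, ip):
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return struct.pack("!6H", ident, 0x8180, 1, 1, 0, 0) + build_query(ident, name)[12:] + rr

SAMPLE_FRAMES = [
    ("09:12:01", build_query(0x1A2B, "www.facebook.com")),
    ("09:12:01", build_response(0x1A2B, "www.facebook.com", "69.63.180.15")),
    ("09:15:44", build_query(0x1A2C, "www.ebay.com")),
    ("09:15:44", build_response(0x1A2C, "www.ebay.com", "192.0.2.10")),  # RFC 5737 test address
    ("09:16:02", build_query(0x1A2D, "static.example.net")),              # never answered
]
if __name__ == "__main__":
    tl = dns_timeline(SAMPLE_FRAMES)
    for ts, name, ips in tl:
        print(ts, name, ",".join(ips) or "-")
    print("worth a closer look:", [r[1] for r in watchlist_hits(tl, ["ebay.com"])])
```

Clients that resolve over DNS over TLS or HTTPS (which post-date this post) will not show up in such a capture; the resolver's own query logs are then the equivalent starting point.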

Categories: Forensics

Outsourcing I.T. to Google – legal comment

July 13th, 2009 Clear2Go

I wrote a post in June on companies that choose to outsource their email, specifically using Gmail.  A London, Ontario based lawyer named David Canton recently published an opinion here.

Categories: Cloud Computing

Tour guide presentation at Point Clark Lighthouse

July 10th, 2009 Clear2Go

http://www.flickr.com/photos/jbusch/2945015981/

We rented a friend’s cottage this week.  Ironically, it is located at the same beach where I spent vacations for years as a child and teenager.  Amberley Beach is where my parents rented a cottage for two weeks every summer for years.

About 3 km north is Point Clark.  My daughter, her friend and I biked up to the Point Clark lighthouse and went on the tour.  The tour was run by a girl named Meaghan.  She was in grade 10 and it was her summer job.  What was interesting was that she was obviously nervous.  Once the group arrived, you could see her clearly ‘shift’ into a rehearsed speech about the lighthouse.  Fair enough; I am not a presentation expert and I’d be very nervous too.

Meaghan explained the history of the lighthouse and how it was built, and we then all climbed the 114 stairs to the top of the lighthouse.  At the top, Meaghan again explained the lighthouse, its historic features, views and other interesting things.  At certain points, when she would break from speaking to let everyone look around, I started asking her questions.  I was trying to get her to relax a bit.  She responded very well and articulately.  She would answer me easily.  It was obvious she had done her homework and knew the information.

After we came down from the lighthouse, we went to the museum, which was actually the light keeper’s house where he and his family lived.  She came to a set of pictures, pointed to them and said “This is my great aunt and uncle, one of the light keepers here back in …”.  I was shocked, and if you looked at the rest of the tour group, you could see the changes on their faces.  From this point on, the group completely changed how they viewed Meaghan and the information she was conveying.  They asked more questions, and showed much more interest in what she had to say.  Even Meaghan seemed to relax a bit.

After the tour, I spoke briefly to Meaghan, thanked her for the tour, said she did a good job and suggested she mention at the start of the tour that her great aunt, uncle and grandparents were lighthouse keepers at the lighthouse.  She seemed genuinely thankful that I commented on her tour and for the suggestion.  I really hope she does.  I am not a presentation expert; it is something that I have always struggled with, although I do enjoy presenting when I have something to say in an area I am experienced in.  Having personal experiences like Meaghan has, where her family directly worked at the lighthouse, gives so much credibility to what she is saying during the tour.  She is conveying the same information, but adding that personal family history makes it all the more real to the tour guests.  They pay more attention to what she has to say, ask more questions and listen more attentively to her responses.  Being able to add examples or experience to any presentation helps make the presentation even better.  I was told that by an excellent presenter a while back, and I always try to do that when I present.  This was a perfect example of why that works.

Categories: Presentation

ATM vulnerability research pulled from Blackhat

July 10th, 2009 Clear2Go

http://www.flickr.com/photos/martineian/485029758/

A presentation of research on an ATM vulnerability has been pulled from the Blackhat conference.  This is too bad, as I will be attending and love listening to security research of this calibre.  What is more disappointing is what it says about software and systems design and development.  Companies are going to have to get their heads around the fact that security design and testing have to be built into the product from the beginning.  Most vendors will say they do this, but the fact of the matter is that many do not.  Those that do often have good intentions, but then costs, timelines, delivery to market and other conditions cause them to drop the level of testing.  Security just isn’t a priority.  Personally, I feel the answer is simple: make the vendors legally and financially responsible for the software they design and create.  As soon as money is on the line, it will force the right thing.  This idea is not mine either; a great write-up on this concept can be found here.  I think this is important.

This research was stopped because the ATM vendors do not have things fixed even after being told about the problem 8 months ago.  But what about the bad guy, the one who discovers a vulnerability such as this and, rather than presenting it at a conference, just sells it to organized crime?  Some would call this spreading FUD (fear, uncertainty and doubt); maybe, but I think it is easy to see it happening more and more if nothing is fixed.

No covert pictures please – removing sound from your PDA when you take a picture

July 3rd, 2009 Clear2Go

http://www.flickr.com/photos/lwr/3318166499/

At work we have a white board which has an up-to-date task list for a particular project my team is working on.  It is nice in that you can just look up at it while in the office, or anyone can walk over and get current information.  One of the guys on the team likes to see the list get shorter.  For these reasons we keep it on the white board.  The problem is, when you are working remotely as I often do, how do you get the current status?  My solution is to take a picture of it with my PDA before I leave at the end of each day.  Besides keeping a time chronology of the project with the pictures, it allows me to pull it up on my laptop when I am not in the office and work.

This morning, I am sitting in Starbucks working away and I get my PDA out to download the latest task list picture to my laptop.  In the process of getting to the application, I accidentally took a picture of my table.  The cursor was on the ‘take a picture’ selection by default and I must have pressed the enter key.  Two people heard the ‘click’ noise and immediately looked over.  No big deal, but I found their reactions interesting and amusing.  The next thought was to ask myself how one disables the sound.  Turns out you cannot.

A quick look around the web and I discovered a few things on the topic of PDAs and the sound of the picture taking.  RIM, the makers of the BlackBerry, do not provide the option to disable the noise.  Some speculate this is because RIM doesn’t want you covertly taking pictures, but maybe they just forgot or dropped it from the design due to time pressures.  Regardless, it seemed kind of silly.

It is well accepted nowadays that there is no expectation of privacy in public.  Stores, businesses, and places of employment have cameras, both overt and covert, that constantly record and store people and activities.  Street cameras downtown constantly record and store traffic and the movements of people.  If this is acceptable, why is it not acceptable for an individual to take a picture?  I find the assumption that there is more risk from individuals taking pictures or video than from a registered business or government entity very naive.  Turns out there is even an attempt somewhere in the world to put a law in place that would ‘require’ the noise on all digital devices.

No matter; like all things, there are ways around it.  A quick search led me to this application. I downloaded it to my BlackBerry and the problem was solved.  No technical wizardry required.  I can now take silent pictures of my table and I won’t disturb the people sitting over on the couch.  These laws are just silly.  If someone really wants to take covert pictures they will always be able to do it, and regulating the technology will not help.

The question is not about technology; it is about the expectation of privacy.  If there is an expectation of privacy in public, then change the laws to support that and enforce it.  However, based on the court decisions I have read over the years, there is never an expectation of privacy in public.  I am not a lawyer, but I believe that precedent has been set.  If you query most people on this topic, they will assume they are being photographed and recorded on video regularly, and they would be silly not to.

Categories: Privacy / Anonymity