
Michael N. Dundas

A place to record my thoughts and musings.

Category: Conferences

Day 2 of the course (Day one is here) on developing effective intrusion prevention and detection signatures was much more interesting for me. We discussed ways to block SSL enabled sessions to specific sites. By creating a signature that checks for the OU in the certificate that the server passes to the client and blocking it if it matches a site you do not want people to visit, you can effectively block the certificate exchange, which disallows the key exchange, which in turn stops the SSL session from being established. Not rocket science. What was interesting was that their capture file of a Gmail login had the OU in the certificate of ‘mail.google.com’. I pulled the current Gmail certificate and its OU is ‘www.google.com’. Smart move on Google to consolidate all SSL for applications under one SSL certificate. Given the number of businesses wanting to block external email sites such as Gmail, this technique would force a company to block all SSL communication to Google, which is probably not realistic. However, a lot of malware uses SSL and valid certificates for transmission nowadays, so this technique would potentially yield some benefit in those conditions.

We took a long look at proxy services such as Hidemyass.com. We discussed different ways to block proxy services, which ones are better and why. We then had to create a signature to block proxy requests from hidemyass.com.

Fuzzing was talked about, specifically in relationship to VoIP and SIP. Some attacks were shown using fuzzing, and we were required to create signatures to block these attacks. One interesting attack was a SIP attack that used both fuzzing and fragmentation.

Rob spoke in great detail about regular expression (regex) optimization. He spoke about C.A.R. Hoare and his rules of optimization, and applied them to his examples and discussion on optimization. If you need to know about regex, Rob is definitely an expert in this area. Other optimization techniques were discussed, such as blocking at the firewall first if possible. The firewall already has to look at the 5-tuple (source and destination addresses, ports, and protocol) of every packet, so if you know you can use that information to create a successful block, then do it. It makes no sense to have a regex or other rule re-process the 5-tuple and block if it isn’t necessary. Other concepts such as where to use string matches, not analyzing traffic you don’t need to, and other helpful ideas based on common sense, his experience and knowledge were discussed.

We did an entire section on complex signatures. This was the most interesting part of the course for me. For the example, SMTP was used as the protocol and the goal was to block any attachment that had a reference to ‘.com’ in it. The main problem here, as most network types will know, is that mail attachments are sent as MIME parts that are base64 encoded. This means that a ‘.com’ won’t appear as a ‘.com’ on the wire. We dove into the weeds of base64, how it would transmit on the wire, and the result was to build a signature that had no known false positives. Base64 encodes each 3-byte group of input as four 6-bit characters, so the same string encodes three different ways depending on its byte offset within a group. All three alignments had to be accounted for, along with upper and lower case.
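The three-alignment problem described above, as an added worked example (my own derivation, not the signature built in the course): for each of the three possible offsets of the target string within a base64 input group, bits that belong to the target fix the output character completely or partially, and the partially fixed positions become a character class. Case variants are generated the same way, and MIME line wrapping is removed before matching so a hit that straddles a 76-column line break is not missed. The sample "attachments" are constructed strings, not real mail.

```python
import base64
import itertools
import re

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def _bits(data: bytes):
    """Big-endian bit list for a byte string."""
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def base64_pattern(target: bytes, offset: int) -> str:
    """Regex matching base64(text) wherever `target` starts at a plaintext
    position congruent to `offset` (mod 3). Unknown neighbouring bytes are
    modelled as None bits; a sextet that is only partly known becomes a
    character class of every output symbol it can produce."""
    assert 0 <= offset < 3
    stream = [None] * (8 * offset) + _bits(target)
    while len(stream) % 6:              # trailing partial sextet: unknown bits
        stream.append(None)
    parts = []
    for i in range(0, len(stream), 6):
        group = stream[i:i + 6]
        unknown = [j for j, bit in enumerate(group) if bit is None]
        if len(unknown) == 6:
            continue                    # fully unknown sextet constrains nothing
        chars = set()
        for fill in itertools.product((0, 1), repeat=len(unknown)):
            g = list(group)
            for j, v in zip(unknown, fill):
                g[j] = v
            chars.add(B64_ALPHABET[int("".join(map(str, g)), 2)])
        ordered = "".join(sorted(chars, key=B64_ALPHABET.index))
        parts.append(re.escape(ordered) if len(chars) == 1 else "[" + re.escape(ordered) + "]")
    return "".join(parts)


def signature_for(target: str) -> re.Pattern:
    """All alignment and letter-case variants of `target`, OR'ed together."""
    cases = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in target]
    variants = set()
    for cased in itertools.product(*cases):
        word = "".join(cased).encode()
        for off in range(3):
            variants.add(base64_pattern(word, off))
    return re.compile("|".join(sorted(variants)))


def matches_attachment(sig: re.Pattern, encoded: str) -> bool:
    """MIME wraps base64 bodies at 76 columns; join the lines before matching."""
    return sig.search(re.sub(r"\r?\n", "", encoded)) is not None


def demo():
    """Run the '.com' signature over constructed sample attachments."""
    sig = signature_for(".com")
    samples = {                         # constructed inputs, not real mail
        "offset0": b".com files are executables",
        "offset1": b"x.com",
        "offset2": b"xy.com",
        "upper": b"INSTALL.COM",
        "wrapped": b"A" * 55 + b".com" + b"B" * 5,   # hit straddles the 76-column wrap
        "clean": b"nothing to see here",
    }
    return {k: matches_attachment(sig, base64.encodebytes(v).decode()) for k, v in samples.items()}


if __name__ == "__main__":
    for off in range(3):
        print(off, base64_pattern(b".com", off))
    print(demo())
```

Because every bit of the target is constrained and nothing else is, a match implies the plaintext really contains one of the case variants at that alignment; the only practical false-negative source left is a body that is not base64 at all (quoted-printable or 8-bit), which a signature engine has to decode or handle separately.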

Evasion techniques were discussed, such as encryption and fragmentation. When writing detections, one common mistake is that designers write to the RFC, assuming that applications all follow the RFC. Apache, the most popular webserver, would follow the HTTP RFC, obviously, right? Nothing could be further from the truth. The HTTP specification dictates that you should always use \x20 for a space in the request line, but Apache will accept tab \x09 as well. If you just follow the specification you create false positives and false negatives, potentially blocking valid sites or missing legitimate attacks.
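The request-line point above, as an added example (not course material): a strict RFC-style parser rejects a request that Apache will happily serve, so a content signature anchored on "GET /" misses the tab-separated form. Normalizing the line the way the tolerant server reads it, before the signature runs, closes that gap. The signature content (a request for a path under /admin/) and the sample requests are hypothetical and constructed for the demonstration.

```python
import re

# RFC 2616 request-line: exactly one SP between the three tokens.
STRICT = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")
# What a tolerant server such as Apache actually accepts: runs of SP and HTAB.
TOLERANT = re.compile(r"^([A-Z]+)[ \t]+([^ \t]+)[ \t]+HTTP/(\d)\.(\d)[ \t]*$")

# Hypothetical signature content, assumed for the example: any request under /admin/.
SIGNATURE = re.compile(r"^GET /admin/")


def parse_request_line(line: str, tolerant: bool):
    """Return (method, uri, version) or None if the parser rejects the line."""
    m = (TOLERANT if tolerant else STRICT).match(line.rstrip("\r\n"))
    if m is None:
        return None
    return m.group(1), m.group(2), m.group(3) + "." + m.group(4)


def normalize_request_line(line: str):
    """Rewrite the line into canonical single-space form, as the server would see it."""
    parsed = parse_request_line(line, tolerant=True)
    if parsed is None:
        return None
    method, uri, version = parsed
    return f"{method} {uri} HTTP/{version}"


def signature_hits(requests):
    """Compare matching on the raw line with matching on the normalized line."""
    raw = [r for r in requests if SIGNATURE.search(r)]
    normalized = []
    for r in requests:
        canonical = normalize_request_line(r)
        if canonical is not None and SIGNATURE.search(canonical):
            normalized.append(r)
    return raw, normalized


SAMPLE_REQUESTS = [                       # constructed request lines
    "GET /admin/ HTTP/1.0",
    "GET\t/admin/\tHTTP/1.0",             # tab separators: Apache accepts, RFC does not
    "GET  /admin/ HTTP/1.1",              # doubled space
    "GET /index.html HTTP/1.1",
]

if __name__ == "__main__":
    raw, normalized = signature_hits(SAMPLE_REQUESTS)
    print("raw match:", raw)
    print("after normalization:", normalized)
```

The same idea applies to every tolerant decoding a server performs (percent-encoding, path segment collapsing, chunking): the signature should be evaluated on what the server will act on, not on what the RFC says the client should have sent.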

Finally, we worked with Snort to create a signature that would block an SSL connection to Gmail (the problem discussed at the beginning of the day).
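The certificate-matching idea from the start of the day and the Snort exercise just described, as one added example of my own (not the course's rule, and not a Snort signature): walk the TLS record layer, reassemble handshake messages that a server may split across records, pull the DER certificates out of the Certificate message, and look for the host name anchored by its ASN.1 tag and length byte rather than as a bare substring, which is what a content match in a signature engine ends up doing. The "certificate" in the sample stream is a constructed DER fragment carrying a commonName, not a full X.509 certificate, and the names checked are assumed for the demonstration.

```python
import struct

TLS_HANDSHAKE = 0x16
HS_SERVER_HELLO = 0x02
HS_CERTIFICATE = 0x0B
# ASN.1 tags under which a host name is stored in a certificate: PrintableString,
# UTF8String, IA5String and the [2] IMPLICIT dNSName of subjectAltName.
NAME_TAGS = (0x13, 0x0C, 0x16, 0x82)


def tls_records(stream: bytes):
    """Yield (content_type, version, payload) for each complete TLS record."""
    off = 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        payload = stream[off + 5:off + 5 + length]
        if len(payload) < length:
            break                        # truncated record: need more data
        yield ctype, version, payload
        off += 5 + length


def handshake_messages(stream: bytes):
    """Reassemble handshake bytes across record boundaries, then yield (type, body)."""
    buf = b"".join(p for ctype, _, p in tls_records(stream) if ctype == TLS_HANDSHAKE)
    off = 0
    while off + 4 <= len(buf):
        htype = buf[off]
        length = int.from_bytes(buf[off + 1:off + 4], "big")
        body = buf[off + 4:off + 4 + length]
        if len(body) < length:
            break
        yield htype, body
        off += 4 + length


def certificates(body: bytes):
    """Split a Certificate message body into the DER blobs it carries."""
    end = 3 + int.from_bytes(body[:3], "big")
    off, certs = 3, []
    while off + 3 <= end:
        n = int.from_bytes(body[off:off + 3], "big")
        certs.append(body[off + 3:off + 3 + n])
        off += 3 + n
    return certs


def name_needles(name: bytes):
    """DER-anchored byte patterns for `name`: tag, single-byte length, value."""
    assert len(name) < 128, "long-form DER length not handled here"
    return [bytes([tag, len(name)]) + name for tag in NAME_TAGS]


def blocked_names_in_stream(stream: bytes, blocked):
    """Return the blocked names whose DER-anchored form appears in a server certificate."""
    hits = set()
    for htype, body in handshake_messages(stream):
        if htype != HS_CERTIFICATE:
            continue
        for der in certificates(body):
            for name in blocked:
                if any(needle in der for needle in name_needles(name)):
                    hits.add(name)
    return hits


def _record(payload: bytes, ctype=TLS_HANDSHAKE) -> bytes:
    return struct.pack("!BHH", ctype, 0x0301, len(payload)) + payload


def _handshake(htype: int, body: bytes) -> bytes:
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


def build_sample_stream(common_name: bytes, split_at=None) -> bytes:
    """Constructed server flight: a dummy ServerHello then a Certificate message.
    The 'certificate' is a stand-in DER fragment (id-at-commonName OID followed by
    a PrintableString), not a real X.509 certificate."""
    fake_cert = b"\x06\x03\x55\x04\x03" + bytes([0x13, len(common_name)]) + common_name
    entry = len(fake_cert).to_bytes(3, "big") + fake_cert
    cert_msg = _handshake(HS_CERTIFICATE, len(entry).to_bytes(3, "big") + entry)
    hello = _handshake(HS_SERVER_HELLO, b"\x03\x01" + b"\x00" * 32)
    if split_at is None:
        return _record(hello + cert_msg)
    # Split the Certificate message across two records to exercise reassembly.
    return _record(hello) + _record(cert_msg[:split_at]) + _record(cert_msg[split_at:])


if __name__ == "__main__":
    blocked = [b"mail.google.com"]
    for cn in (b"mail.google.com", b"www.google.com"):
        print(cn, blocked_names_in_stream(build_sample_stream(cn, split_at=7), blocked))
```

Two caveats a signature based on this should carry: the name check only sees the handshake, so it must fire before the Finished message if the goal is to prevent the session rather than log it, and a site that consolidates services under one certificate (as the post notes Google did) cannot be separated this way at all, since every service presents the same name.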

Rohit and Rob put on an excellent course. Anyone interested in signature design and detection techniques for security, protocols, or behavior would benefit from the course. Although they cover concepts and techniques that people who have worked in these areas will already know, they bring their experience into the course and the labs, which makes it well worth attending. As an example, they didn’t teach any regex concepts I didn’t already know, but they applied their experience to them and the tricks they had learned along the way.

I signed up for a course on developing effective intrusion prevention and detection signatures. This is a two day course and today was day 1. I had two reasons for selecting this course. The first was the individuals running the course. Both had presented some excellent research in the past and I was interested in learning more about what they had to say and to meet them. The second reason was that these individuals have spent a great number of years creating signatures as part of their job. The experiences they share about that would be valuable. The two individuals are Rohit Dhamankar and Rob King.

In the first part of the course I didn’t learn very much. We reviewed the IP packet, its associated fields and their meaning. We discussed fragmentation, how it works, why it happens, and how it is used to launch effective attacks. We reviewed how to use mathematical operations such as bitwise AND to isolate the parts of a packet field that are of interest. We were shown a simple ‘SYN-FLOOD’ attack capture file. All of these concepts had exercises the class did and reviewed.

The afternoon section brought with it mostly regular expressions. We started with the syntax and how it works. There were several exercises the class did which got increasingly more complicated. Rohit and Rob discussed good signature writing. This is where the class started to get interesting for me. I was keen for them to discuss their experiences with signature writing. They discussed writing signatures to detect the vulnerability, not the exploit, how to avoid false positive signature matches and the complexities around this such as the regex ‘sliding match’. All of these had multiple examples and exercises the class went through. These exercises and the discussion around them were extremely useful for me.

It was very obvious Rob and Rohit really enjoy their work. Rob stated several times how he ‘loved his job’ and you can tell just by watching and listening to him. There is an obvious excitement in his body language and voice when he discusses good signature creation. Rohit, although not as animated, knows his topic and explains concepts and experiences very well. He is a Director of Security Research and can still discuss in very technical detail how fragmentation works. In my book that deserves and gets respect, and I am impressed he is able to keep his technical skill up while being in a management position. That speaks well for his company.

I arrived yesterday at Caesars Palace for the Blackhat and Defcon conferences that are getting ready to commence. Blackhat has been at Caesars Palace for at least the last 3 years I have been attending and I suspect before then as well. This is the first year where there were difficulties checking in and getting my room. Previously it has always been flawless.

When I arrived they were not accepting check-ins yet. There was a rather long line of people checking out that had yet to be processed and, according to Caesars staff, the rooms were not ready. In previous years I arrived at the same time as this year (typically late morning), and they were processing both people checking in and people leaving. I took the opportunity to wander around the strip and enjoy the hot weather. It was nice, especially since this summer in Ontario, Canada has been less than stellar so far with respect to the weather. When I came back to check in there was a large line of people waiting to check in, longer than the check-out line had been earlier. The Caesars staff recognized I was one of the people that arrived early and let me go into the premium line, which was thoughtful and appreciated.

I am not much of a hotel room person and I typically don’t care what type of room I have when I am traveling alone (although I’m learning this is changing as I get older); as long as it is clean, comfortable, and has decent Internet I am usually okay. The room was awful. The layout of the room was not well thought out. The decor reminded me of early 80s hotel rooms. It was badly in need of an update. These rooms always give me the feeling of being dirty. I know they are not, it is just that they are ‘well used’. Finally, the Internet connection was terrible. I called to complain nicely. The staff was excellent and the lady switched my room and sent a staff person to move my luggage even when I insisted I could move it myself. Very thoughtful and concerned. I was moved from the Roman tower to the Forum tower. The room is much more modern, the layout makes sense and the Internet connection is sufficient. I like Caesars and this is the first year I have ever had any difficulties with them, but they took care of all my concerns. I was very impressed with the staff. As for the difficulties, it was probably just a bad day for Caesars. It happens to everyone in every industry at some time or another.

I registered my arrival at the Blackhat conference and today I start my first session. The session is being conducted by a researcher who has done some impressive research on security in the past. He presents well too. I am looking forward to it.

http://www.flickr.com/photos/martineian/485029758/

A presentation of research on an ATM vulnerability has been pulled from the Blackhat conference. This is too bad as I will be attending and love listening to security research of this calibre. What is more disappointing is what it says about software and systems design and development. Companies are going to have to get their heads around the fact that security design and testing has to be put into the product from the beginning. Most vendors will say they do this, but the fact of the matter is that many do not. Those that do often have good intentions, but then costs, timelines, delivery to market and other conditions cause them to drop the level of testing. Security just isn’t a priority. Personally, I feel the answer is simple. Make the vendors legally and financially responsible for the software they design and create. As soon as money is on the line, it will force the right thing. This idea is not mine either; a great write up on this concept can be found here. I think this is important.

This research was stopped because the ATM vendors do not have things fixed even after being told about it 8 months ago. But what about the bad guy? The guy that discovers a vulnerability such as this and, rather than choosing to present it at a conference, just sells it to organized crime? Some would call this spreading FUD (fear, uncertainty and doubt). Maybe, but I think it is easy to see it happening more and more if nothing is fixed.

I attended DefCon 16 this year. A presentation by three MIT students, Zack Anderson, RJ Ryan, and Alessandro Chiesa, on the last day of the conference was stopped by a federal court judge. The order is here, and more details can be found here. The slides to their presentation had already been published on the Defcon CD that is distributed to all attendees.

Defcon issued a Twitter notification to all attendees immediately this morning to disseminate the news. The EFF, in their scheduled time slot, preempted what they had originally been presenting to first discuss this in a press release. The EFF will be representing the students. What disappointed me the most, and the main reason I am blogging this, was that during the press release it was discovered that the students did everything right. They had met with the Massachusetts Bay Transportation Authority (MBTA) at their convenience prior to Defcon and discussed the vulnerability in detail with them. The impression was that the meeting was friendly, went well and there were no issues. Then on Friday and Saturday (the presentation was to be on Sunday), the MBTA managed to secure a temporary restraining order at the last minute. This makes me sad. It suggests that properly informing companies of the vulnerability before releasing the details may not be the right thing to do. Researchers in the future may very well look at this example and decide to just publish without bothering to inform companies. Everyone needs to play by the rules for responsible disclosure to work.

Vulnerabilities such as these are not new either. There was a presentation at Blackhat last week as well. The company Mifare chooses to try and cover these vulnerabilities up and stop them from being published rather than fix the issues and learn to design secure software.

I have been fortunate to attend Blackhat USA 2008 this year. I don’t usually pay too much attention to the vendors present as I am much more interested in the training, the researchers and their presentations and papers, but I usually peruse the vendor booths at some point during the conference.

I stopped at Splunk’s booth for two reasons. The first was that Alex Bewley mentioned them on his blog. I used to work for Alex at a previous company. Alex is a smart guy (in my opinion anyway), so the fact that he took the time to mention them is worth noting. The second reason was I knew they had something to do with log management, analysis and forensics. Analysis and forensics is a big part of my job and a natural interest I have always had. It is why I like working in security.

One of the first things that caught me was that the staff were genuinely nice. You could tell they were enjoying themselves and for the most part enjoyed their jobs and liked working for Splunk. It wasn’t just one or two of them either, it was all of them. They were all open, honest people and this was readily apparent. It was like you were talking to real people, not a facade. Even the demo they gave didn’t feel like a sales presentation. It is really great when a company lets employees be themselves and trusts they will do the right thing. This is all part of a company’s corporate culture, which is very important. Lately in talking to others, especially at this conference, I get the sense that corporate culture is getting worse instead of better. One of the main reasons I enjoy working at Sandvine and have been at Sandvine as long as I have is their corporate culture. I have no doubt our culture is very similar to Splunk’s. Alex also wrote a blog entry on corporate culture recently. If you are interested it can be found here.

The Splunk staff gave me a detailed tour of their software. In simple terms it can take anything ASCII and index it. But it does so much more. You can search, create events, correlate different events, produce graphs and alerts. It is extremely configurable and easy to use. Anyone that has logs or events from any system and needs to analyze them, forensically, proactively or for any other reason, should give Splunk a try.

Splunk has taken a problem (log management) which has been around for a very long time and made it easy. No need to write custom code and scripts and have people maintaining them through changes and upgrades. My first job out of school was as a firewall administrator for a large financial institution. One of my tasks was to automate the processing of the firewall logs, create alerts, automated responses, etc. I used Perl and did a pretty good job, I think. However, I wish back then I had had something like Splunk. It is a really well thought out piece of software. I was impressed, and I don’t impress easily.

“See what happens when you put a bunch of guys together that work hard and like what they do. Things get done.” — Mike Holmes

I honestly believe there is a direct correlation between Corporate Culture and good software.