What We’re Up To...
This is where we post our favorite resources, our ongoing research, and our latest news for both technical security and enterprise systems and program management issues. It is of course a work in progress, and we welcome submissions for things you find useful as well.
We Blog
The best way to keep track of what we’re thinking, and what we’re up to, is of course to subscribe to our blogs. Jonathan’s is here. Sherri’s is over here. And John Strand holds forth over here.
We blog, duh!
Scalable & Agile Lifecycle Security for Applications
Application security has flat gone critical. With the amazing pace of the demand for “Web 2.0” applications, a comprehensive and agile framework for the integration of best practices in security within the development environment is no longer optional (if it ever was!). Gary W. Longsine and I have proposed just such a framework in a recent SANS whitepaper.
If you’re anywhere near any sort of application development project, this is a must-read (if I do have to say so myself). But it’s not just about Gary and me, or SANS, or Watchfire (the paper’s sponsor). You need to get involved. It’s going to take all of us working together...
SALSA
Parse Packets and Win a Fabulous Prize!
In a shameless attempt to garner attention and interest in Jonathan and Sherri’s new SANS course, Sec558 Network Forensics, they’ve put together a fun little contest:
*UPDATE: SANS has agreed to sponsor the contest, and is awarding a free On-Demand course of the winner’s choosing (worth up to $3500 depending on your choice)!
*Prizewinner to be announced at Sec558 Network Forensics in San Diego, 9/16-9/18.
Anarchy-R-Us, Inc. suspects that one of their employees, Ann Dercover, is really a secret agent working for their competitor. Ann has access to the company's prize asset, the secret recipe. Security staff are worried that Ann may try to leak the company's secret recipe.
Security staff have been monitoring Ann's activity for some time, but haven't found anything suspicious, until now. Today an unexpected laptop briefly appeared on the company wireless network. Staff hypothesize it may have been someone in the parking lot, because no strangers were seen in the building. Ann's computer (192.168.1.158) sent IMs over the wireless network to this computer. The rogue laptop disappeared shortly thereafter.
"We have a packet capture of the activity," said security staff, "but we can't figure out what's going on. Can you help?"
You are the forensic investigator. Your mission is to figure out who Ann was IM-ing, what she sent, and recover evidence including:
  1. What is the name of Ann's IM buddy?
  2. What was the first comment in the captured IM conversation?
  3. What is the name of the file Ann transferred?
  4. What is the magic number of the file you want to extract (first four bytes)?
  5. What was the MD5sum of the file?
  6. What is the secret recipe?
 
Here is your evidence file:
MD5 (evidence.pcap) = d187d77e18c84f6d72f5845edca833f5
 
The MOST ELEGANT solution wins. In the event of a tie, the entry submitted first will receive the prize. Scripting is always encouraged.  All responses should be submitted as plain text files.
Exceptional solutions may be incorporated into the SANS Network Forensics Toolkit. Authors agree that their code submissions will be freely published under the GPL license, in order to further the state of network forensics knowledge. Exceptional submissions may also be used as examples and tools in the Network Forensics class. All authors will receive full credit for their work.
Email submissions to contest@jhamcorp.com. The deadline is 9/10/09. Good luck!!
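As an added illustration of the kind of scripted evidence recovery the contest asks for (this is not part of the original post or any submission), the Python below parses a pcap by hand, reorders the TCP segments sent by Ann's host by sequence number, carves a file by its magic number and hashes it. The evidence is constructed inline; the chat text, the PNG-style file, port 5190 and the peer address 192.168.1.159 are all assumptions, and no IM protocol is decoded.

```python
import hashlib
import struct

def build_frame(src_ip, dst_ip, seq, payload):
    """Ethernet/IPv4/TCP frame carrying payload (checksums left zero; constructed test data only)."""
    tcp = struct.pack("!HHIIBBHHH", 5190, 1024, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split(".")))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

def build_pcap(frames):
    """Classic little-endian pcap (link type 1 = Ethernet), one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def reassemble(pcap, src_ip):
    """TCP payload bytes sent by src_ip, ordered by sequence number; retransmissions are dropped."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    want, segments, off = bytes(map(int, src_ip.split("."))), {}, 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame, off = pcap[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        ip = frame[14:14 + ihl]
        if ip[9] != 6 or ip[12:16] != want:
            continue  # not TCP, or not sent by the host of interest
        tcp = frame[14 + ihl:14 + struct.unpack("!H", ip[2:4])[0]]
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            segments.setdefault(struct.unpack("!I", tcp[4:8])[0], payload)
    return b"".join(segments[k] for k in sorted(segments))

def recover(pcap, src_ip, magic):
    """First chat line, carved file magic (hex) and its MD5: three of the contest's questions."""
    stream = reassemble(pcap, src_ip)
    start = stream.find(magic)
    if start < 0:
        return None
    carved = stream[start:]  # carve from the magic number to the end of the stream
    return stream.split(b"\n", 1)[0].decode(), carved[:4].hex(), hashlib.md5(carved).hexdigest()

# Constructed evidence: a chat line, then a PNG-style file split over two segments, captured out of order with one retransmission.
CHAT = b"Here's the file you asked for\n"
FILE = b"\x89PNG\r\n\x1a\n" + b"recipe-bytes-" * 4
SEGS = [(1, CHAT), (1 + len(CHAT), FILE[:20]), (21 + len(CHAT), FILE[20:])]
EVIDENCE = build_pcap([build_frame("192.168.1.158", "192.168.1.159", s, p) for s, p in (SEGS[0], SEGS[2], SEGS[1], SEGS[0])])
```

Against a real capture you would read the file bytes with `open(path, "rb").read()` in place of `EVIDENCE` and, where the transfer protocol carries a file length, carve exactly that many bytes rather than to the end of the stream.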
OMG! Network Forensics Puzzle Contest, v1.0!
New Course! New Skills!
Network equipment such as Web proxies, firewalls, IDS, routers and even switches often contain evidence that can make or break a case.  A great deal of evidence flows across the network but is never stored on a workstation or server hard drive.  In this class, law enforcement and information security professionals will learn how to recover evidence from network-based devices in order to speed up investigations and build stronger cases.
 
During hands-on exercises, we will use tools such as tcpdump, Snort, ngrep, tcpxtract, and Wireshark to understand attacks and trace suspect activity. Each student will be given a virtual network to analyze and will have the opportunity to conduct forensic analysis on a variety of devices.
 
Underlying all of our forensic procedures is a solid forensic methodology, which includes verification, acquisition, timeline creation, evidence recovery, reconstruction, and reporting.  This course complements SEC508: COMPUTER FORENSICS, INVESTIGATION, AND RESPONSE using the same fundamental methodology to recover and analyze evidence from network-based devices.
 
By capturing evidence from network-based devices, law enforcement and information security professionals can recover evidence that does not even exist on endpoint hard drives.
 
Who Should Attend
• Law enforcement
• Network and/or computer forensic examiners
• Computer incident response team members
• Security architects
• Security administrators
• Anyone responsible for orchestrating a corporate or government network for evidence acquisition in the face of a criminal or civil investigation
In the NEWS,
Around the World
Sherri’s presentation at DEFCON 17 absolutely killed!
Jonathan and Sherri presented at FIRST in Kyoto.
Jonathan delivered another SANS Webcast, this one entitled Network Forensics: No Hard Drive? No Problem!
Jonathan enjoyed the hospitality of the Arab Republic of Egypt’s Ministry of Coms and IT, delivering SANS Sec401 as part of an ongoing series.
Jonathan and Sherri presented “Proprietary Data Leakage: Techniques and Countermeasures” at the RSA Conference 2009.
Sherri’s philosecurity article on Squid Forensics got picked up on Schneier’s Crypto-Gram blog.
Jonathan and Sherri were guests on the PaulDotCom podcast, talking about Network Forensics and other cool things!
Jonathan and Sherri Davidoff announce plans for a new SANS course in Network Forensics, to air at SANSFIRE 2009!
Jonathan participated in a panel discussion on “Hard Problems in IT Security, and Creative Solutions” in Canberra, NSW, AU.
Jonathan presented a lecture for the Brazilian Chapter of the ISSA on “Network Intelligence: The Benefits of a Passive Versus an Active Approach.”
Jonathan and Gary W. Longsine presented a SANS Webcast about their SALSA Framework for Web 2.0 security. Read their whitepaper, published here.
IT Manager’s Journal ran a feature on Jonathan, discussing open source software in security.
The WSJ cited us again, ironically on blogging for building business, which we really don’t.
The Wall Street Journal published a write-up of a new SANS Management Course.
Ok, so we were overwhelmed with both the enthusiasm of the community for this contest, and by the number of amazing and novel solutions! We’ve decided to continue running these contests as often as we can, and so have created a home for the effort over here: http://forensicscontest.com.
Please head over there to see how it shook out, and to examine both the winning submission, and the submissions of the runners-up. A List of Honor is also there showing the names of all the folks who submitted correct answers.
Also, if you’re interested in future contests, don’t forget to subscribe to the RSS feed.
“No hard drive, no problem!”
OMG! Network Forensics Puzzle Contest Answered!