Progress! As you can see below, we’ve confirmed several additional speakers such as Tony Stramella from the NSA and Steve Carmel from Maersk (who was a fantastic speaker last year – he talked about his experiences with maritime piracy and pirates! Did I mention he talked about pirates??).

The Offensive perspective panel (Kevin Finisterre, Ruben Santamarta/Reversemode, and hopefully Josh Wright) is going to rock out with some talented vulnerability researchers and Mark Fabro will do his always brilliant job of improving the discourse. 

We’ll be excited to hear Bryan Sartin discuss the past year’s data breaches and front-line experts in the field let us know how the stuff you’ve heard in the news might apply to you (Scot Terban, Liam from Symantec, and the now-short-haired Adam Meyers). 

Boeing and Darryl Song from Volpe are going to dish on transportation-specific concerns, and the CTO of the CIA will drive home the need for security to be data-centric. 

Mike Murray will be both entertaining and captivating – even if I dont know his talk yet – and Russell Thomas will bring a much needed formal perspective to risk management and cyber security. 

Patrick Gray gives a lightning fast, but insightful presentation on social media, Jack Johnson will help us understand financial issues facing organizations today, and Amit Yoran will talk about…whatever. He’s just a smart guy.

Hope you can make it. If you’re interested in attending, the registration link is here: Invitation.

(Please, if you’re a vendor and plan on selling, we’ll take a pretty dim view of that at this particular conference. )

So, one of the things I get to do as part of my job which has been pretty exciting is to put together the agenda for our 2nd annual Cyber Security in Transportation summit. It’s happening November 1 & 2 this year in the DC area and is going to be full of outstanding talks for all ages and backgrounds. ;) The summit is aimed at executives and decision makers from within the transportation industry who might be effected by cyber security or whos actions may affect the security of their organizations. We’re covering general cyber security themes as well as transportation specific ones. If you’re in the transportation sector – pipeline, aviation, freight rail, mass transit, highway & motor carrier – and want to attend, let me know at sintixerr@gmail.com.

The tentative agenda currently looks like this:

Summit Schedule (Click for Larger)

You can find a copy of my presentation here: http://sintixerr.files.wordpress.com/2011/07/natotbilisiswhitsitt.pptx 

When writing – and delivering the presentation – I found it difficult to support both the scope of the panel as described – Energy Specific SCADA threats/vulnerabilities – while at the same time meeting the audience’s need for a higher level view of the problem.  I definitely need to work more on bridging the gap between the technical realities of what we do and the knowledge/perspective of policy makers…but that was always going to be hard…if it was easy, it would happen more often. :)

As for the rest of the conference, there were a number of presentations given, but I was most impressed by Alexander Klimburg’s take. He spoke about the intersection between attribution difficulties in cyber space and recent talk about kinetic response to attacks by nation states. Policy discussions seem to be moving, according to Alexander, in a direction which results in rapid, somewhat automated, escalation of hostilities between nations in the event of a cyber attack which seems to have come from another nation.  With the confidence in attribution being as low as it is – and with such a high probability of non-state actors being involved – this type of escalation becomes probablematic and ill-advised. Alexander’s talk proposed creating confidence building measures between states and non-state cyber attack actors, building in enough of a policy buffer to allow thoughtful responses to attacks, and having the media “name and shame” attackers where confidence isn’t 100% as a deterrent.

I don’t completely agree with all of the details, but philosophically, I think he was on point. 

What I also found interesting about the conference was that the same conclusions were drawn at the end of this conference that are drawn at the end of every other cyber conference:

• More information sharing is needed
• Public/Private Partnerships are important and difficult
• Cyber is a real threat
• Large organizations can help solve some, but not all problems in cyber security
• There needs to be clearer definition of roles and responsibilities

Someone in the audience rightly asked: “Yes, that all is obvious, but how do we do it?”

That’s a perfect question, and one I ask constantly.  I’ll say again: You can’t just say “cyber security is a problem” and expect to implement a plan to solve it; you can only speculate as to what types of efforts might be involved.  The problem needs to be defined in a much more structured, specific manner than we have so far (in my mind, using threat models which link risks to strategic business objectives from cyber systems to tactical risks to those cyber systems…at some point I’ll post a model for that here).

That all said, the trip was fantastic:

My NATO and Georgian hosts were gracious, professional, and intelligent. The locals were a lo of fun – I spent one evening with three random Tbilisians (one cute bartender, a guy who claimed to be a male model and was explaining the story of the city’s founding in broken english and by waving his arms up and down like a giant bird, and a US expat helping to start a lab). The country was beautiful; I particularly loved some of the crypts on the floor of a church in Mtskheta (the script was beautiful…I suggest checking out Georgian writing).

Thanks to Julijus for inviting me to speak. I was very grateful for the opportunity.

(Edit: This is a pretty rough draft of this blog post. It may change significantly and I want to add many more thoughts, but I wanted to get it out before it became OBE.)

If you have one error, you fix it and move on.

If you have the same error again, you fix it “better” and move on.

But if you keep having a variety of errors at a steady or increasing rate, you stop looking at the causes of individual errors and look at your basic business practices.

Cyber Security problems are errors. Cyber Security problems are systems or data doing things their owners and society do not with them to do.

Cyber Security errors keep occurring despite being fixed individually.

New types of cyber security errors are occurring over time as new systems are built, as data changes, and as new use cases develop.

By the time we fix our past errors, we’ve created new ones.

Let’s stop focusing national and organizational programs on fixing individual cyber security errors  – or even fixing common classes of cyber security errors.

Instead, let’s focus on reducing cyber security error rates in general.

To reduce the rate of cyber security errors, non-cyber specific business practices must be evaluated to determine where cyber security errors are being introduced.

Hmm. This sounds a lot like business management and quality control, not cyber.

Yes, it does.

Tackling individual cyber security errors in our critical infrastructure without reducing error rates will assure failure.

Tackling error rates will create long term, sustainable success by freeing up the vast, unnecessary number of resources we’ve allocated to individual problems to better use through the reduction of the number of errors which have to be dealt with in the first place.

Stop wasting so many resources. :)

1. Talking over your audience’s head is mean.  No one cares how smart you are unless you can make them just as smart on your topic in 20 minutes or less.
2. Speaking of 20 minutes. Stay on the time clock. Wasting 15 minutes of someone else’s time is presumptuous and rude.
3. Having a Slide Extravaganza doesn’t make you a good presenter.  Slides are talking points, nothing more. By the 98^th slide, your audience will hate you.
4. Engage. If people opt to read their horoscope on their l33t Droids rather than watching you in person, your presentation sucks.
5. Tone. If you have a terrible voice, amplifying it on a  microphone is just plain mean. Record yourself ahead of time and listen to it. Adjust accordingly.
6. Hair Matters.
7. Thanking everyone for thanking the thank you people gets redundant. Appreciation is one thing – but it’s not the academy awards.    
8. Pick one point. Maybe two. Not 438. Your audience is not Neo. They will not be able to learn Kung Fu
9. Relevance. Know the audience and have a backup plan if no one can relate to what you’re talking about. Otherwise, you’re just filling space.
10. Smile. If it’s supposed to be a joke and you frown, your audience might not get the cue to laugh
11. If you smile while you make a joke, and the audience still doesn’t laugh, see “know the audience” (or “talking over your audience’s head”).
12. Look nice. There are enough cave trolls in the audience. Give people something better to look at.
13. Be a wingman. If one of your colleagues is getting ogled by above-mentioned cave troll – be sure to intervene on her behalf. Especially if the cave troll is of unspecified gender
14. Don’t let friends sit in the back row and make you laugh unless they’re part of your shtick. Especially on a panel when it’s not your turn.
15. Bring pillows. If you’re going to put people to sleep, they may as well be comfortable.
        

“He could come from anywhere – from anywhere all at once. So we run into the classic problem of defense, cubed. The farther out you deploy your defenses, the more of them you have to have, and if your resources are limited, you soon have more fortifications than you can man. What good are based on moons, Jupiter, or Saturn, or Neptune, when the enemy doesn’t even have to come in on the plane of the ecliptic? He can bypass all our fortifications. The way Nimitz and MacArthur used two-dimensional island-hopping against the defense in depth of the Japanese in WWII. Only our enemy can work in three dimensions. Therefore we cannot possibly maintain defense in depth..”

“So even if we intercept 99 of 100 attacking squadrons, he only has to get one squadron through to cause terrible destruction.  We saw how much territory a single ship could scour when they first showed up.  Get ten ships to us for a single day, and if they spread us out enough, they’d have a lot more than a day and they would wipe out our most important centers. “

“I don’t think there is a solution. There is no point in trying to defend at all. So the only strategy that makes any sense at all is an all-out attack.”

I’ll let you all think through the implications of these passages and get back to me.

On another, related, topic, I have a question: A lot of us are quick to reference Sun Tzu’s Art of War in cyber security, but I havent seen (or havent recognized – I  might just be ignorant here) many attempts to use known historic, strategic war/battle thinkers in our industry much beyond Sun. Is there anything else – or anyone else – we should be looking at from a classic “war” perspective that we’re not already? Who? Why? Who/What am I missing? Is it relevant to ask?

What exactly is an RDoS? It works a lot like a syn-flood, which spins up a whole lot of blank connection attempts to a server. The server must receive these connections, wait for awhile to see if valid data arrives, then close them. The thing is, because the sender knows the connections are blank (and using things like botnets and such), it can generate a lot more connection attempts than the server can handle. Eventually, the server gets so busy that it fails to respond to real connections.

Now, think of how we handle “security”.  We religiously and studiously avoid building hardened, defensible systems from the ground up and rely on fixes, patches, and incident responders to cope with the eventual problems later (hoping all the while – in vain – that the attacks never come).

What we end up with, by and large, are systems that are so poorly constructed that it takes a large amount of effort to detect, confirm, respond to, and recover from attacks.  Further, while attackers can fairly easily attack multiple systems simultaneously, we require dedicated defenders/responses for much smaller groups of systems (or even individual systems).  This leaves us with an “RDoS”. Our security philosophies leave so much open that we can never, ever sufficiently resource our defenses at an adequate level. Everyone is occupied. Just ask your incident response vendors, teams, and CERT’s (over beers, of course), about their available resources vs the demand for their services, vs the large iceberg of incidents under the water that aren’t even talked about yet.

As I’ve said before: Good guys – you, we, have failed and will continue to fail if we keep going down this same road.  We can’t win until we change strategies completely. We need to embrace our failure and build systems which are defensible from the inside, which are measurably effective against operational/business objectives,  and which assume, from the get go, that sections and components have, are, and will continue  to be compromised. This hacking perimeters on, giving lip service to change control, and our complete inability to integrate cyber into our ORM and our ORM into our business decision making is a waste of time and resources. We’d be better off spending the money and time elsewhere if we’re going to keep doing security as badly as we do it now.

If anyone disagrees with this post, I’d LOVE to hear a rational argument as to why. (Really!)

(UPDATE: 08/06/10)

I really think some of Bruce Potter’s remarks at Shmoocon in 2009 are pertinent here:

People are getting owned a lot.
Trends

• Increased success in getting past our defenses
• Increasingly malicious motivations. The bad guys aren’t after web defacements
• In spite of the above, we haven’t changed our methods. Its a lot of the same
• Spear phishing and drive-bys are unabated.

What we have is a Maginot line…in depth
Of 66 million websites indexed by Google, 5 percent had drivebys.
These sites with drivebys weren’t just the risky underbelly of the web. It was every category of website. I don’t think that is surprising to anyone who has paid attention to security.
These findings were published last year in in USENIX.
The malicious content on these sites was then scanned using three top Antivirus vendors. The best detection rate among these three vendors was only 75%. The worst was 30%. These are untargeted attacks. Imagine the ability of an attack targeted at your organization to cut through your antivirus defenses.
So What do you do?
NAC? Most people don’t have that deployed even if they’ve bought it.
Firewall Internally?
Token authentication?
Change jobs?

This post will also serve as a brief introduction to what it would take for you to write your own Cocoa client for the server. But, If you just want the software, you can get it here:

• Server Application (and source code / Xcode Project)
• Quartz Composer Plug-In Client (and source code / Xcode Project)

Notes:

• To install the client for Quartz Composer, close QC and copy the .plugin file to: “/Library/Graphics/Quartz Composer Plugins”. When you next open QC, you should find it in your Patch Library listed as “MindSetQCClient”.  Usage of the patch should be obvious,
• The server shouldn’t need to start first as long as the client periodically checks for a vended object, but when troubleshooting it’s probably a good idea to start the server, then the client.
• The server needs the Thinkgear bundle in same directory as the server app. (I’m not including the Thinkgear bundle, it’s available from the Neurosky website for free as part of their developer stuff.
• Neurosky documentation has instructions for how to figure out what serial port your mindset is on, iirc.  The default for the server is the one I use.
• I’ve borrowed so heavily from a hodge-podge of tutorials and examples, that I’m not going to include a license for the code. Use it as you will.

.

So, onward to the tutorial/implementation details:

.

Distributed Object Mindset Server and Client

This server is intended to be a little easier to use than some of the connection methods Neurosky provides (at least in my mind). It grabs data from the Mindset and provides it to Cocoa client applications (such as my Quartz Composer plug-in) by using Objective-C / Cocoa’s Distributed Objects interprocess messaging capability.

To access the Mindset data, the client must create an NSConnection to “JacksMindsetServer”. This gives it access to a vended object which supports the following very simple protocol (this protocol will have to be included in your client header file):

@protocol PassingMindData

-(int) getDataCount;

-(NSArray *)getOldestData;

-(void)removeOldestData;

@end

Creating the connection to the vended object which uses that protocol is simple and requires only a short bit of code:

if (!sharedObject)

{

NSString *_host = nil;

sharedObject = (id <PassingMindData>)[[NSConnection rootProxyForConnectionWithRegisteredName:@"JacksMindsetServer" host:_host] retain];

}

You should now have an object called “sharedObject” which allows all of the methods specified by the “PassingMindData” protocol created above and which will pass the data from the mindset server to your code. To do so, the primary method is “getOldestData”. Calling this method will return an array of the oldest line of values from the Mindset and getDataCount returns the number of lines currently queued.

The returned array contains ordered NSNumbers representing each type of value available from the mindset. The array elements can always be accessed in the following order:

• Attention (0)
• Meditation (1)
• Raw (2)
• Delta (3)
• Theta (4)
• Alpha1 (5)
• Alpha2 (6)
• Beta1 (7)
• Beta2 (8)
• Gamma (9)
• Gamma2 (10)
• SignalQuality (11)

The client is left to access these elements as it pleases from the NSArray object returned by getOldestData. The server also relies on the client to remove the original data from the server as soon as it grabs it by calling “removeOldestData” on “sharedObject”.  (If the client does not call this, there is no auto-cleanup by the server until it’s stopped or exits and the client will not be able to access new data.)

If multiple lines of data are queued, getOldestData and removeOldestData should be executed repeatedly. A simple example would be:

if ([sharedObject getDataCount] > 0)

{

mindDataLine = [NSArray arrayWithArray:[sharedObject getOldestData]];

[self setOutputAttention:[[mindDataLine objectAtIndex:0] doubleValue]];

[sharedObject removeOldestData];

}

That’s really it.  How to write a server is out of the scope of this post, but Neurosky has some great documentation and have provided examples from which I have –heavily–  borrowed.

Let me know if you have questions or need further explanation. I’m going to continue to work on the art project with this stuff and will post more about that later.

In this demo (which is a significant step further than my last), my project selects between a series of images, merges them, moves them, and adds various visual effects based only on input from my brain waves (as measured by a Neurosky Mindset). All images – both drawings and photos – were made by me.  Depending on when I run this, the images selected and how they’re merged vary significantly. In this case, only a small subset were selected. Other times, there is a wider variety. It’s important to note that often, this has created pairings and mergings that are fantastically cool looking.  The Next step, creating a self portrait video of me sleeping with a curved screen over top of me projecting what my mind does with this while I sleep.

Thinking out loud, I wrote this earlier:

One of my interests, part of my future role, and with a perspective grounded in building/designing ways to detect badness / working on ICS-CERT, is in combating our habit of defining security in technical terms or on relying on technologists to “fix it”without ever defining what “it” is.  A secure system is one that does no more and no less than the people who have ownership and stake in it wish it to do- and that’s a business rule/decision/appetite.  As a technologist, if you ask me to secure your systems and let me define what that means, I’ll fail.  (ie: There is no “evil” flag in TCP). I’d like to make a plea for organizations to define security through risks to interrelated cross-sector business and social requirements (and associated appetites) before spending so much effort to create technical security plans, standards, controls, laws. An army without a defined mission can be potent just based on size and power, but one that has a mission and defined goals is much, much better.

I’m sure I’ll evolve what I actually want to say between now and September, but that’s where my head is now.

It’s always interesting dealing with the somewhat schizophrenic nature of government messaging.  While I understand the constraints, the risks, and the realities of trying to run a free-for-the-private sector service that actually DOES something in the government, it was always a little disheartening to hear (or read) people suggest that the government wasn’t doing anything for some of our cyber security problems, that it didnt have the services available, or “Well, I heard DHS started ICS-CERT, but I think they shut it down?” And, with the media so often just not getting it – and people so often not doing basic research – this happened more frequently than it should.  So, now that I’m in the role of customer here (and not on the floor there), I can finally say:

If you’re an asset owner, a vendor, a service provider, a customer, or otherwise a stakeholder in private sector or government critical infrastructure / key resources, you should be aware of CSSP and ICS-CERT (ICS-CERT has been functioning, in its current form, since earlier this year).

To start with: The Control Systems Security Program (CSSP) is an offering out of Homeland Security which:

“attempts to…reduce industrial control system risks within and across all critical infrastructure and key resource sectors by coordinating efforts among federal, state, local, and tribal governments, as well as industrial control systems owners, operators and vendors. The CSSP coordinates activities to reduce the likelihood of success and severity of impact of a cyber attack against critical infrastructure control systems through risk-mitigation activities.”

This includes providing a FREE cyber security assessment tool, onsite assessment visits, and the well-run Industrial Control Systems Joint Working Group (ICSJWG) and its associated conferences. CSSP also provides a variety of free-training in Control Systems Security, both locally in DC as well as, for it’s hands-on Red/Blue Team training,  in Idaho Falls.

Then, providing a tactical operational arm to the more strategic CSSP, ICS-CERT is a fully functioning free CERT service for your CIKR organizations. ICS-CERT will, as part of its mission:

1. Provide onsite fly-away technical incident response
2. Perform digital media analysis on media potentially affected by an incident
3. Coordinate the responsible release of vulnerabilities (involving third party researchers, vendors, etc.)
4. Provide timely situational awareness
5. Coordinate national response, via its seats in the National Cybersecurity Communications and Integration Center (NCCIC), with US-CERT, NCC, Law Enforcement, and other organizations.

All you have to do, basically, is ask.  They’ve assisted, during my tenure, quite a few organizations – large and small – and continue to do so.

(Importantly, ICS-CERT has neither a law-enforcement NOR a regulatory function. Their mission is to assist you in defending yourselves and responding to incidents. Your data is, and remains, yours, in any interaction with them. )

And you thought the government doesn’t do anything for cyber security :)

To contact ICS-CERT:

• Call the ICS-CERT Watch Floor: 1-877-776-7585
• Email regarding ICS related cyber activity: ics-cert@dhs.gov

Their website is: http://ics-cert.org

The talks start at 4:45 and go for an hour (or a little over) and you can find us at:

Mount Vernon Place United Methodist Church
900 Massachusetts Ave NW, Washington DC

If you want to hear more about consumer-grade fun with using your brainwaves to manipulate the world around you, come check it out!

The current speaker lineup is:

• Look Ma, No Wires (Michael Panfield)
• Sysadmins: Have smartphone, will travel (Betsy Nichols and Andrei Tchijov)
• AI: Three most common reactions (Bradford Barr)
•  ??? (Alan McCosh)
• Writ Large: scaling a Cartesian robot (Dan Barlow)
• Urban Data Access: How communication builds communities (Will Holcomb)
• Fast Creativity: Using the DNA of Improvisational Comedy to Foster Ideas Fast (Shawn Westfall)
• While you sleep: Making Art with your mind (and a little code) (Jack Whitsitt)

Really?

What gives? 0days/0-days/zero days used to mean (generally speaking) those exploits of which neither the vendor nor the “good guys” knew anything about. Ie, “zero days” had passed since a solution -could have- begun being developed.   I like About.com’s phrasing:

“A zero day exploit is when the exploit for the vulnerability is created before, or on the same day as the vulnerability is learned about by the vendor.”

A flaw that the vendor and the response community have known about for months but which the vendor hasn’t addressed is NOT a 0day - it’s an unpatched problem :P (There are cases where the time from the issue being known about until the vendor patches it has exceeded, in some cases, a decade.)

I’m trying to figure out how we got to this perceived definition and I wonder if it’s our refusal to come to grips with the fact that there are hundreds/thousands of security flaws running around out there that “the bad guys” know about (and use) that the “good guys” dont have a clue about. We run around patching things like if only we could just reduce the time it takes to patch systems to near-zero that somehow we would be measurably more secure.

If we just write out the truly severe part of the vulnerability window  – where there are vulnerabilities and exploits we don’t know about – from our language/definitions, it won’t exist right?

Right?

Bueller?

Would you buy a corvette? Hells no. You’d wait until you found something that met your minimum requirements: Moving the family around. If you got the vette, you would have gotten something that, even if it fit “some” of your requirements (moving some people around), doesn’t  fit enough of them to actually solve the problem. Furthermore, if you did get the vette, you probably wouldnt be able to afford the van so your problem would go on even longer than if you hadnt gotten the corvette.

Welcome to the kind of security that says “we should do more of what we’ve been doing, even though we know the architectures don’t work…because something is better than nothing.“  We can’t continue to add on layer after layer of security at ever increasing cost when no number of those layers, as modeled today, will ever get us to a comfortable place.  Getting owned by X% fewer people is still getting owned and doesn’t really change your risk profile unless X is a much bigger number than today’s most common best practices get us.

Nothing is ever perfect, so I’m not suggesting no one should take action until they find a perfect solution. Rather, I’m suggesting we all take a close look at our solution sets and look at how good they’re ever going to get at the end of the day and make decisions appropriately. When selecting a “50%” solution architecture for $Y, dont get caught thinking $Yx2 will get you a 100% solution with the same architecture:)

Take a look at it if you’re in the control systems / SCADA and security/emergency space (particularly with regard, but not limited, to cyber).

Edit/Update: Now that I’m no longer there, I do have a brief take on the subject and a summary of information HERE

Official press release follows:

—

Washington, DC — DCist.com is pleased to announce its fourth annual DCist Exposed Photography Show, at Long View Gallery, running March 6 to 21, 2010. Out of over 1,000 individual entries submitted through Flickr.com, 47 winning images were selected by a panel of judges to be included in this year’s DCist Exposed exhibit. DCist.com prides itself on engaging and promoting emerging local photographers through its daily use of images from the popular, reader-generated DCist Flickr photo pool.  Each day, DCist.com selects photos from the pool for use in its daily coverage of local news, arts and entertainment, food and sports.

This year’s opening reception will be bigger and better than ever, to be held Saturday, March 6, 2010 from 6 to 10 p.m. At the bar, mixologist Scott Palmer from Dino will have a special punch, Leopold Brothers will host a liquor tasting, and Pabst Blue Ribbon will hold down the fort with plenty of beer.  Nage will provide hor’dourves, while DJs v:shal kanwar and Sequoia spin tunes.  Reception is $5 per guest at the door.

Long View Gallery is located at 1234 9th St. NW, just a few blocks from the Mt. Vernon/Convention Center Metro. The 2009 DCist Exposed event welcomed over 1,000 people on opening night, and with this even larger venue, we expect our biggest crowd ever. All photographs selected and displayed at DCist Exposed will be for sale at prices well below traditional gallery shows.  Regular gallery hours are Wednesday-Saturday, 11 a.m. to 6 p.m., and Sunday, 12 to 5 p.m.

The 2010 DCist Exposed Photography Show is sponsored by Ten Miles Square, Pink Line Project, and Pabst Blue Ribbon.

I finally decided to put the Xcode project and associated source for pkviz up for free download and license it under GPL v3.

I’ve created a google code page for it HERE.

You can grab a stand alone zip of the source/project HERE.

(I’ve never used SVN before, so what’s up at the google code page might periodically be fubared, so you might want to start with the zip)

Feel free to download, comment, and please -contribute-. This was my first Objective-C app and first Xcode project, so if it’s a mess…well…deal or help? :)

Just remember the google code page if you want to post some updates or questions.

I’ve also made some haphazard notes to help people understand the code:

—–

The aquireData class handles reading the tcpdump text file. It uses Core Data to store the data. If I had to do it over, I wouldn’t have used Core Data…but it is what it is.  You can find the data model by double-clicking pkviz_DataModel under the Models folder in the project in Xcode.

pkGraphView is a subclass of NSView that I use to handle the layers, which are done in Core Animation (easy enough to understand). The view has a delegate function (drawLayer) which I handle in the layerDelegate class to deal with drawing the paths for each layer.

Everything else is handled by transformData – it’s pretty much my controller.

Rough flow:

the Load button tells aquireData to parse tcpdump and store in a core data context

The launch button kicks off transform data, which pulls in the data from the core data context, sticks it into an array, launches a thread to pop out individual packets, and then tells the view when it’s read to display another packet.  Everything else stops, starts, adjusts the current packet referenced, or aids this animation loop process.

The main array of packets in transformData is bytepakposSet.  It is an array of packet arrays. packet arrays contain arrays of bytes with 2 values in them: bytevalue, and byteposition

so, if you wanted to access the third packet in bytepakposSet and see what the byte value of the first byte stored is, you’d do:

[[[[bytepakposSet objectAtIndex:2] objectAtIndex:0] objectAtIndex:0] intValue];

if you wanted to get the byte value and position returned in an array:

[[bytepakposSet objectAtIndex:2] objectAtIndex:0]

Core Data doesnt return objects in order, so you dont know ahead of time what order the bytes are in the packet, youll have to sort them by position in packet first. You can find position:

[[[[bytepakposSet objectAtIndex:2] objectAtIndex:0] objectAtIndex:1] intValue];

Check out the example proof-of-code video I did below (a longer post to come tomorrow):

I don’t have video for them yet (maaaybe later today), so you’ll just have to try them out for yourself. I actually like all three of these much more than the original.

Remember, OS X / Quartz Composer only.

( Hmm. I guess I should write a viewer for these so you don’t need Quartz. Many projects, little time, but we’ll see… )

I can’t tell you if there will be 10 people or 100 there, but if you take a chance and show up, that’s 1 closer to 100 :)

I dont know any more than anyone else about this, but it highlights something very important that I think gets lost in a lot of our security discussions:

We’re all at risk, there are active threat actors, and state of the art doesn’t work. While I’m sure Google isnt perfect in the internal security arena, I can’t help but think it makes an above average attempt at security and uses some very bright people. For them to be attacked in such a way that it makes them reevaluate their business strategy in a market as large as China’s, it had to have been some pretty nasty stuff.

It makes you wonder – or it should. How does that bode for the rest of us arguing about putting in half-assed security controls and using 10 year old security architectures and paying lip service to security because we don’t really believe in the threats?

And, by the way, executives, this is your issue, not ours.  How -could- your business be negatively impacted by compromises? Reductions in service? Lost data? Have you thought about that? Have you made those operational requirements? Have you looked beyond compliance to “security”? Maybe you should. Then tell us how you want to play it, and we’ll build it for you.

(Hey, while youre here – Im getting a ton of hits on this – check out the t-shirts for sale, yeh? Theyre pretty cool ;) http://zazzle.com/sintixerr )

Data Visualization Art Prints

Some of these don’t look quite as surreal or “clean” as other data visualization art, but that’s because I’m very interested in the specific cross-section of usability and “prettiness” in the aesthetics of images: The place where what makes them useful is also what makes them attractive. Finding that line, in my mind, is what makes them “art”.  One could make some really cool looking images out of most semi-structured data, but it would cease to be useful. The ones here retain their function to security and data analysts while, at the same time, being attractive pieces.

If you’re interested in other security visualization information, try secviz.org

Since I’ve spent the past 2-3 years doing business risk and security architecture, national sector level strategy, policy, etc….but now find myself getting into the technical details of building a CERT (ICS-CERT, specifically)…it’s suddenly time to get more up to speed on flows and how people are using them these days (Especially since I’d previously spent most of my time with firewalls and IDS data and not netflow / SiLK stuff).

My work on and release of pkviz this past weekend has helped a bit to get me re-focused on data analysis and playing with correlation tools and methodologies, but I’m still finding it odd going back to my earlier technology-centric security role  – which I’d thought I’d given up.  My head space has to be completely different than it was and I have to work around what some have called my fatalistic belief that technical security measures and analysis are doomed to fail in the face of our complete lack of interest in doing business risk architectures.

What scares me a little, though, is when I’ve been talking to people and doing research lately, it seems the state of the art of IDS, Flows, SEMS, SIEMS, network data analysis, etc. hasn’t changed all that much in the past few years. More vendors have sold more products, but they still do the same (questionable) things it seems. What gives? Am I off base?

Still, I’m pretty excited to get back into this type of thing and about the con. Who’s going to be there?

For the past 2-3 months, I’ve been working on my first real Objective-C project (my iphone app is still going, it just took a back seat to this): An application that will read tcpdump output and animate the packets over time using their inherent byte / packet structure

And now…it’s up and in beta-ish quality. (Meaning it works, though some error checking and minor features arent quite where I want them.)

You can download it here for free: http://sintixerr.wordpress.com/pkviz-packet-visualizer-and-animator/

See it in motion here:

This project was important to me and has been a long time coming. I’ve wanted to write a packet visualizer since I first started working with data viz 5 or so years ago at NetSec and was using Advizor. That tool cost thousands of dollars per seat, didnt really animate (at least the way I needed), and only parsed CSV or databases. The free tools – like GnuPlot, just weren’t up to the task at all.

I also wanted something that could plot out data in interesting, pretty ways for some art projects I have in mind.

So, I originally started this time around on a quest to write a short python parser for tcpdump ascii hex output to put into <some generic viz tool> just to get started…but somehow I ended up writing a full-fledged visualizer (my first GUI project ever, I might add!). The learning process was a blast – I feel like I’m a much better coder for it – and I’ll be able to extend/expand on this to use for other art and security projects that are on my plate or are coming up.

I’m pretty excited about it. To see this finished through after years of whining to myself about it, procrastinating, and genuinely not having enough time, is pretty awesome. I’ve even already created a couple of cool shots that I’m happy to call “art” (granted, there is some photoshop processing here, but they’re both true to their originals!):

Anyway, Mac Users, check out the tool and let me know what you think!

The authors of the paper being presented had done interviews and other research and derived a number of principles required for critical infrastructure cyber security governance based on what they commonly heard over and over. At the talk, we had break-out sessions where they were pinging us for our thoughts on their findings.  During the session, I realized that I’d heard it all before (obviously, right? It’s a consensus paper) and was wondering why we couldn’t get past the stale “wisdom” repeated ad nauseam without effect…when it hit me: the use of their paper might be directly opposite of what they might think it is, but it’s still useful!

The thought process is as follows:

1. Assumption: We all “agree” that cybersecurity for critical infrastructure is insufficient and we’re missing something.
2. Assumption: The paper represented the community opinion, to date, on what needs to happen for good cyber security
3. People are trying to improve security, but despite sporadic improvements, we haven’t made nearly as much progress as we think we should. Something is missing.

Conclusion: Whatever it is we need to do …..isn’t in that paper.  If we collect a series of best practices and community consensus on a topic where we generally consider ourselves to have failed, collecting that consensus should be used – instead of as a driver of activity – a hint at what won’t, by itself, get us where we need to be. The lists should be considered things to exclude as solutions to our unidentified sticking points, but the solutions themselves.

The topic was “FISMA” in the context of OWASP and, while I don’t really do web app security, I’m still a “managed assurance” guy for risk, and I think that fit in well with everyone else’s perspective.  That said, I hate listening to myself talk, so tell me what you think of how it came out – I haven’t listened to it yet!

Also, it’s “National Cyber Security Awareness” month. What does that mean? Are we making everyone aware that we’re all 0wnz0red?  I like the idea – and socializing security was one of the recommendations that came out of the Estonia Ddos mess – but I have concerns about how the good intentions here aregoing to pave a specific road to a specific place.  The concern has to do with security productization.

You see, I have a suspicion that we’re not going to educate people about the nature of security. Or really that we’re going to get across how “security” is really this thing that everyone does all the name and we should stop treating it like this extra set of things we need to do -in addition- to actual requirements.

Instead, I think it’s going to come out as (from DHS’s website):

• Make sure that you have anti-virus software and firewalls installed, properly configured, and up-to-date. New threats are discovered every day, and keeping your software updated is one of the easier ways to protect yourself from an attack. Set your computer to automatically update for you.
• Update your operating system and critical program software. Software updates offer the latest protection against malicious activities. Turn on automatic updating if that feature is available.
• Back up key files. If you have important files stored on your computer, copy them onto a removable disc and store it in a safe place.

This is all admirable stuff, but it’s dogmatic. Dogma in security leads to blind trust in marketing and products.  Blind trust in marketing and products will never lead to secure systems or computers.

Yes, it’ll get us baby steps forward, but then we’ll be left with ye olde “I did what you asked me, isn’t that enough?” faith-based security and we’ll be in a pickle when we realize that, architecturally, we have some serious work to do to get where we want to be and no one is interested in doing more.

Press Release August 20th 2009 — Speaker Agenda Released and Registration Open!

We are pleased to announce that the OWASP DC chapter will host the OWASP AppSec 2009 conference in Washington, DC. The AppSec DC OWASP Conference will be a premier gathering of Information Security leaders. Executives from Fortune 500 firms along with technical thought leaders such as security architects and lead developers will be traveling to hear the cutting-edge ideas presented by Information Security’s top talent. OWASP events attract a worldwide audience interested in “what’s next”. The conference is expected to draw 600-700 technologists from Government, Financial Services, Media, Pharmaceuticals, Healthcare, Technology, and many other verticals.

AppSec DC 2009 will be held at the Walter E. Washington Convention Center (801 Mount Vernon Place NW Washington, DC 20001) on November 10th through 13th 2009.

Who Should Attend AppSec DC 2009:

• Application Developers
• Application Testers and Quality Assurance
• Application Project Management and Staff
• Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
• Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
• Security Managers and Staff
• Executives, Managers, and Staff Responsible for IT Security Governance
• IT Professionals Interesting in Improving IT Security

“End result, the system view is lost because everybody works within their part of the behemoth but forgets about the mission.”

He’s right, of course. Furthermore: “Mission oriented” sounds “fuzzy” and people tend to blow it off, but it’s is not – it’s quite important.  In western culture, we seem to need to rush to go solve problems, without really ever trying to understand the nature of what we’re solving. This leads to all sorts of mayhem and things going wrong. We look back and can’t figure out why our solutions arent working or why they’re causing all these weird other problems.

What we need to do, instead, is spend our time groking the problems we’re wrestling with until we understand their deeper natures.  If we learn to ask sufficiently detailed questions, correct elegant answers will present themselves.  This, in many respects, is the essence of SABSA and Enterprise Architecture (although, especially in the case of the latter, an essence that is often missed).

In the case of cyber security, we absolutely blow past figuring out and AGREEING ON the nature of the problem and rush straight to the “solving” phase with perfectly predictable results.

My compatriots at TSA are asking me to, before I depart for INL,  transition my approach to the role of the SSA in the NIPP framework, but it really isn’t detailed or special. Fundamentally it is this: Figure out ahead of time what you’re asking and why. What is the mission being supported by cyber systems? What do you need to know to make sure those cyber systems continue to enable that mission? Start from the mission and work down. You’ll get there.

Hmm. Start somewhere and finish? That sounds like “Alice and Wonderland” – “start at the beginning and, when you get to the end, stop” – but it also sounds like a “process”. A “process” is what the NIPP lacks, yes? More to come…

Before I head out, though, I’d like to comment a little bit on an issue I’ve dealt with at TSA that I think also extrapolates to national cyber security efforts and is in no way unique to a single agency, or even the government. The issue is the label “cyber security”.  At TSA, as at DHS, as within the media, as within popular culture, there is confusion as to what “cyber security” means – even at a very high level. The term gets bandied about so loosely that it means everything and nothing. Still, people are making policy based on it without any definition.  The amorphous nature of the conversation is going to kick us in the pants sooner rather than later. Can we please nail it down more specifically when we discuss “cyber security”?

Below, find some areas of confusion that I’ve personally run into:

1. The internet, government networks, SCADA/ICS: This one is simple. When we talk about cyber security, we really need to preface our statements with which of these areas we’re discussing. They’re NOT THE SAME and the strategies, ownership, and etc to deal with them are NOT THE SAME either. Over and over again a lack of explicit distinction here burns us.

2. “IT Security” and Technology vs Strategy: Often, in my role, we were lumped in with what IT Security does: “Isn’t that the same thing, only with more computers?” was a popular sentiment.  There is the concept that these efforts are technical in nature and that they look a lot like FISMA shops: Assess, Remediate, Certify, etc.  against some standard or set of standards.  Nothing could be further from the truth.  “Cyber security” issues are of a strategic business and programmatic nature. We know how to fix computers, we don’t know how to define what security means to our businesses, how computers affect our operations, and we don’t know our risk appetites. In other words, “cyber security” in an executive (CEO, CFO, COO, CTO, CIO) issue, not one for technologists.

3. Computers vs Infrastructure vs Business Assets: We don’t care in most sectors if our computers work. Really, we don’t. What we care about is that our energy grid keeps pumping out power, our chemicals get mixed right, our cars are manufactured correctly, our financial transactions are accurate, our goods get delivered on time, etc.  These are the “assets” we are protecting. We are not protecting the internet, we are not protecting government computer systems. We are protecting the national operational interests of the United States.

4. Think globally, act locally: We’re so used to thinking about single companies and single systems within those companies that we forget that everything we do cooperates to larger goals. Our enterprise systems work together to achieve business goals which must be protected. Our business goals within critical infrastructure sectors, in aggregate, also work together to support national goals. For instance, the thousands of independent companies in “the transportation sectors” all combine to “move people and goods throughout the US and the world on time, to the correct destination, in acceptable condition”.   Many decision makers believe that it’s ok to ignore this larger context and focus on single system security or, at best, enterprise security. This is dangerous. Since these systems are interdependent whether we acknowledge it or not, they can be be used to exploit each other and damage our soft assets (goals) if we don’t regular take a look at and secure the larger picture.