Thursday, May 28, 2015

Packet analysis practice part 3

Today, it's time for more practice with higher layer protocols. I bring you the third in an n-part series for packet analysis practice from the hex layer up.

1.  What is the embedded protocol, the destination port, and the amount of data not including protocol headers?
0x0000:  4500 004c 1986 4000 4006 9cba c0a8 0165
0x0010:  c0a8 01b6 0015 bf3c dad0 5039 2a8c 25be
0x0020:  8018 0072 06ec 0000 0101 080a 008a 70ac

2.  What is the embedded protocol, the destination port, and the amount of data not including protocol headers?
0x0000:  4500 006d 54a5 0000 8011 c165 0a03 0804
0x0010:  0a03 086c 0035 c84a 0059 dc20 83e7 8400
0x0020:  0001 0000 0001 0000 0974 6865 7361 7572

3.  What is the embedded protocol, the destination port, and the amount of data not including protocol headers?
0x0000:  45c0 0056 1114 0000 4001 f2ff c0a8 7a81
0x0010:  c0a8 7a01 0303 7308 0000 0000 4500 003a
0x0020:  8f29 0000 4011 75b6 c0a8 7a01 c0a8 7a81

The answers can be found here.

Packet analysis practice part 3 - Solutions

Here are the solutions to the third packet analysis practice exercise.  The questions can be found here.

1.
Embedded protocol: TCP
Total packet length: 76
IP Header length:  20
Protocol header length: 32
Data length: 24
Dest Port: 0xbf3c (48956)

2.
Embedded protocol: UDP
Total packet length: 109
IP Header length: 20
Protocol header length: 8
Data length: 81
Dest Port: 0xc84a (51274)

3.
Embedded protocol: ICMP
Total packet length: 86
IP Header length: 20
Protocol header length: 8
Data length: 58
Dest Port: ICMP doesn't use ports!

Wednesday, May 27, 2015

What's really behind the Wassenaar BIS rule proposals?

Much has already been written about the new Wassenaar amendments and why they are a bad idea.  If you're only going to read one post on the topic, don't read mine. Rob Graham did a much better job describing the problem here.  I might write something on that in the future, but only if I really feel I have something to add.  I did publicly comment on the proposed rules to BIS and you should too.  You have until July 20, 2015 to do so.

I'd like to comment on why I think rules like this are even in draft form.  Yes, certainly they benefit spying organizations and there's probably some invisible heavy hand there.  But the Patriot Act benefits them as well and that's falling apart in front of our eyes.  So what's the real problem?  I blame Hollywood.

Let's be honest, the infosec field is hard to understand.  My mom has no idea what I do for a living and I haven't really tried to explain it to her.  But I should.  Because every few months, she calls me and asks some inane question about whether I can help her do something that she saw my apparent peers do on CSI or NCIS.  And this has been going on since before CSI-Cyber or Scorpion were on TV.

My mom is at least one of the good guys.  She's interested in stuff like "helping the police by enhancing that photo from the surveillance system at work" or "hack into Instagram to see who is really bullying your niece."  My mom isn't dumb: she's a retired field grade Army Officer and an accomplished mental health nurse. She just doesn't understand what is and isn't possible in the world of cyber (ugh, I threw up in my mouth a little when I wrote 'cyber').

When hackers in Die Hard take down the national power grid using 0days and those in Swordfish can write bank firewall bypassing worms at will (apparently using some graphical coding language, the likes of which nobody has ever seen before) - what are average people to believe is or isn't possible?  Even if these are viewed as just minor exaggerations, the implications are still pretty scary. Of course, if you are reading this blog, you probably already know things don't work that way.  But wow do we suck at communicating it.

From Swordfish - what the literal f$#k is this?!

The average person is ignorant of detailed facts outside of their chosen profession.  Politicians and bureaucrats, the ones interpreting and crafting rules around Wassenaar, doubly so.  This congressman was worried Guam (yes, the island) might capsize if Marines were moved in a facilities consolidation.  In case you are curious, this guy has been re-elected several times since.  To my point, Rep Hank Johnson has zero chance of understanding the idiosyncrasies of Wassenaar, so just calling your elected official to complain is probably not an effective strategy (especially if you live in GA's 4th district).

I can't think of another professional field that would not stand up and fight back against Hollywood if their profession was mis-portrayed the way infosec is.  Could Hollywood get away with a show that portrayed all cops as dirty?  What about a show where all nurses were portrayed as drug addicts?  Or a show that documented how all teachers inappropriately touch their students when nobody is watching?  Nope, the professional groups wouldn't stand for it.

In infosec films, even the hero regularly breaks the law to get the job done.  As a group, we need to do more to correct the common person's impressions of infosec.  The "I Am The Cavalry" movement takes a lot of flack from people in the industry who think they aren't doing enough/doing it right/etc.  But I will say that at least they are doing something.  I don't have all the answers, but I believe the solution is three fold:

  1. Stop standing by while Hollywood butchers our profession.  It's insulting.  Instead of laughing 
  2. Take some time to do grassroots education.  I recently spoke to my daughter's 2nd grade class on career day. The teacher, who molds young minds, cut me off when describing a penetration test because she thought I was talking about breaking the law.  After a quick side discussion, we were back in business, but this is the sort of grassroots education that needs to happen.
  3. Talk to your elected officials as well or support an industry group that does.  They don't understand our issues any better than they understand the intricacies of open heart surgery.  Explain it to them.  They make the laws we'll all have to live with and garbage in/garbage out as the old saying goes.

I'd love to know what you think about this - how do we educate the public that what we do isn't horribly evil and in need of regulation?

Monday, May 25, 2015

Packet analysis practice part 2

I apologize for the delay in getting the next post in the series out; it was a rough week.  But happy Memorial Day! Enjoy the packet analysis practice and hug a vet today (with their permission of course).

After the previous practice on fragmentation, it's time to look at higher layer protocols.  I bring you the second in an n-part series for packet analysis practice from the hex layer up.

1.  What is the embedded protocol, the source port, and the amount of data not including protocol headers?
0x0000:  4500 005f 9bf3 4000 4006 a0a3 7f00 0001
0x0010:  7f00 0001 0019 be19 36b4 05e7 319f 5c69
0x0020:  8018 0200 bfad 0000 0101 080a 0b48 9e14

2. What is the embedded protocol, the source port, and the amount of data not including protocol headers?
0x0000:  4500 003c 3a00 0000 1f01 fcb3 0a02 0a02
0x0010:  0a03 4707 0800 1a5c 0200 3100 6162 6364
0x0020:  6566 6768 696a 6b6c 6d6e 6f70 7172 7374

3. What is the embedded protocol, the source port, and the amount of data not including protocol headers?
0x0000:  4520 005a b67d 4000 f211 3920 4bb4 813a
0x0010:  c0a8 0b3e 0035 d2ff 0046 a2b3 a818 8500
0x0020:  0001 0001 0001 0000 0776 6572 7369 6f6e

As always, the answers are in the following post.

Packet analysis practice part 2 - Solutions

This section details the answers for the packet analysis practice questions in today's blog post.

1.
Embedded protocol: TCP
Total packet length: 95
IP Header length: 20
Protocol header length: 32
Data length: 43
Source Port: 0x0019 (25)

2.
Embedded protocol: ICMP
Total packet length: 60
IP Header length: 20
Protocol header length: 8
Data length: 32
Source Port: no source port for ICMP!

3.
Embedded protocol: UDP
Total packet length: 90
IP Header length: 20
Protocol header length: 8
Data length: 62
Source Port: 0x35 (53)

Monday, May 18, 2015

Packet analysis practice part 1 - Solutions

In the last post, I offered some extra questions for packet analysis in preparation for the GCIA exam.  In this post, I'll show the answers.  I'd put them in the same post, but I'm one of those people who can't help but see the answers if they are on the same page and that ruins the practice for me.

Answers:
=======
1. Middle fragment, MF is set. Offset is 32896 (convert 0x3010 to binary and take the low 13 bits, this is 4112. Multiply by 8 to get the answer).

2. First fragment, MF is set.  Offset is zero.

3. Last fragment, no flags are set.  Offset is (convert 0x1058 to binary and take the low 13 bits, this is 4184. Multiply by 8 to get the answer).

Packet analysis practice part 1

While teaching SANS SEC503 (Intrusion Detection In-Depth) I routinely create extra exercises for students throughout the week.  One of the things that trips students up when taking the GCIA is the ability to decode packets at the hex level.  As one of my students quipped last week "this isn't hard, it's just time consuming." Of course he's right.  While the GCIA is an open book exam, it is time constrained and questions asking students to decode packets tend to steal precious time away from GCIA candidates.  I've been asked repeatedly to share some of my extra practice exercises for students and I finally got around to making these a little more formal while teaching in Amsterdam this week.

One of the key concepts that IDS analysts should be familiar with is deep packet analysis.  You should know that examining packets at the hex layer is required, and be able to dive deep into the analysis.  Even if you think you'll never do this on the job (you will eventually without even realizing it), you need to know how to do it for the GCIA exam.  And it's not just knowing how to do it, it's knowing how to do it quickly that matters too.

So with that said, I bring you the first in an n-part series for packet analysis practice from the hex layer up.  Today's practice focuses on IP fragmentation.  In these questions a "middle" fragment refers to a fragment that is neither the first nor the last.  Obviously, the hex dumps presented only represent the beginning of each packet.

Questions:
1. What is the fragment offset?  Is this the first, last, or middle fragment?
0x0000:  4500 05dc 04d2 3010 4001 b8b0 c0a8 0b41
0x0010:  c0a8 0b0d 0800 cad2 0000 0000 4141 4141

2. What is the fragment offset?  Is this the first, last, or middle fragment?
0x0000:  4500 05dc 04d2 2000 4001 b8b0 c0a8 0b41
0x0010:  c0a8 0b0d 0800 cad2 0000 0000 4141 4141

3. What is the fragment offset?  Is this the first, last, or middle fragment?
0x0000:  4500 05dc 04d2 1058 4001 b8b0 c0a8 0b41
0x0010:  c0a8 0b0d 0800 cad2 0000 0000 4141 4141

The solutions are presented in the following blog post so you may check your work.
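If you want to check your hand decoding for all three practice posts (the fragmentation questions above, and the embedded protocol, port and data length questions in parts 2 and 3), here is a small decoder I added for this purpose; it is not part of the original posts. It assumes the dumps are truncated after the first few header words, so the payload size is taken from the IP total length field rather than from the bytes present, and it skips the transport header for any fragment whose offset is non-zero, since only the first fragment carries one.

```python
import struct

# Hex dumps copied from the practice questions (part 3 Q1 and part 1 Q1)
TCP_DUMP = """0x0000:  4500 004c 1986 4000 4006 9cba c0a8 0165
0x0010:  c0a8 01b6 0015 bf3c dad0 5039 2a8c 25be
0x0020:  8018 0072 06ec 0000 0101 080a 008a 70ac"""
FRAG_DUMP = """0x0000:  4500 05dc 04d2 3010 4001 b8b0 c0a8 0b41
0x0010:  c0a8 0b0d 0800 cad2 0000 0000 4141 4141"""

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def hexdump_to_bytes(dump):
    """Drop the '0x0000:' offsets and join the hex words into bytes."""
    words = []
    for line in dump.strip().splitlines():
        words.extend(line.split(":", 1)[1].split())
    return bytes.fromhex("".join(words))

def decode(dump):
    """Decode the IPv4 header and, for a first or unfragmented packet, the transport header."""
    pkt = hexdump_to_bytes(dump)
    ihl = (pkt[0] & 0x0F) * 4                   # IHL is counted in 32-bit words
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    frag = struct.unpack_from("!H", pkt, 6)[0]  # 3 flag bits + 13-bit offset
    mf, df = bool(frag & 0x2000), bool(frag & 0x4000)
    offset = (frag & 0x1FFF) * 8                # offset is counted in 8-byte units
    proto = pkt[9]
    if offset == 0 and not mf:
        kind = "unfragmented"
    elif offset == 0:
        kind = "first"
    else:
        kind = "middle" if mf else "last"
    info = {"proto": PROTO_NAMES.get(proto, str(proto)), "total_len": total_len,
            "ihl": ihl, "mf": mf, "df": df, "offset": offset, "fragment": kind,
            "sport": None, "dport": None, "hdr_len": None, "data_len": None}
    if offset != 0:
        return info                             # non-first fragments carry no transport header
    hdr = pkt[ihl:]
    if proto in (6, 17):                        # TCP and UDP both start with src/dst port
        info["sport"], info["dport"] = struct.unpack_from("!HH", hdr, 0)
    if proto == 6:
        info["hdr_len"] = (hdr[12] >> 4) * 4    # TCP data offset, in 32-bit words
    elif proto in (17, 1):
        info["hdr_len"] = 8                     # UDP and ICMP headers are a fixed 8 bytes
    if info["hdr_len"] is not None:
        # Payload size from the IP total length field, because the dump is truncated
        info["data_len"] = total_len - ihl - info["hdr_len"]
    return info
```

Running decode(TCP_DUMP) reproduces the part 3 Q1 answer (TCP, destination port 48956, 24 bytes of data) and decode(FRAG_DUMP) the part 1 Q1 answer (middle fragment, offset 32896).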

Sunday, May 3, 2015

College degrees in infosec

I hear people rant on Twitter and at conferences all the time that college degrees aren't needed for infosec jobs.  Of course, for those making this argument, certs aren't required either.  It should be all about what you know how to do - actions speak louder than words in infosec after all.

Note: I have great respect for Lesley and Sam cited above. Both of them are awesome contributors to our field and Sam has a Twitter headshot eerily similar to my own (reason enough to like him).  I don't know Jasper, but I'll assume he's cool.  Buy any of them a beer if you are lucky enough to meet them in person.

There's an obvious question of how to economically hire infosec candidates if I adopt a no cert/no degree model.  Should I interview everyone who applies to find out what they really know?  If not everyone, then who?  I'm sure I'll hear the usual "you should look at their research."  And I do this, but only when a resume gets to me.  To get through the HR gauntlet and get your resume in front of me you have to:

  1. Have the qualities HR understands to be valuable
  2. Know someone

Now that I've got that part out of the way, let me voice what I know is a very unpopular opinion.  I think college degrees do matter in infosec.  I heavily consider a BS (and much more so an MS or MBA) degree when I'm looking at a candidate.  Note that I didn't say BA.  If you got a BA and now want to do Infosec, you'd better be bringing it somewhere else.  Getting a BA and then deciding to do infosec tells me you are either newly passionate about science or have bad decision making skills.  Good news though - Starbucks needs another barista and your BA will serve you well there.

Why do I prefer a degree?
The first reason is pragmatic.  Many clients still have old hiring policies where degrees matter for their employees.  All things being equal, they'd prefer their consultants to provide staff that fit their organizational structure.  Degree++.

Reporting is critical in infosec.  Writing a quality report is at least as difficult as doing the technical work.  If the verbiage of your report suggests that the draft was written in crayon and then input into MS Word, then we have a problem.  I ask for writing samples of most candidates to avoid any surprises later.  Great side note: if you have a blog, I get a chance to see your writing style and we can avoid that.  Another great side note: if your blog posts look like the drafts were in crayon (or the final product is in comic sans), I've seen all I need to see.  How is this related to a degree?  Well, to get your BS or MS, you had to write... a lot.  Yes, we all know the story of the college grad who can't write for anything. But in general, I am more likely to find quality writing from someone with a degree.  Degree++.

What about background?  Every time I talk to a CS major in infosec who says "I didn't learn anything about my job in college" I call shenanigans.  Did you learn SSLstrip to help you in pentest?  $MFT parsing to assist in forensic investigations?  Probably not.  But you did learn how to think about technology.  Most importantly you learned to program.  You understand (or have an exposure to, depending on your school) computational complexity calculations.  Does query complexity matter?  Yeah. What about memory management?  Yes, even if you never write a memory manager.  This is basic, but important stuff that most without a degree lack.  But based on your degree and the school you went to, I know you have a minimum level of understanding about foundational topics that most self taught "infosec pros" simply do not have.  Degree++.

Weak rigor in research is another area that college degrees help.  Too many infosec researchers fail to apply any standard methods to their research and their results have more holes than swiss cheese.  Oh yeah, and I can't read their freaking reports (see above) so in many cases I can't even understand how badly they've failed.   Degree++.

Don't get a degree from just anywhere to check a box
I'm a huge fan of non-traditional education.  But there are some schools with a really bad reputation.  Investigate them before dumping your money into a school that sucks.  Choosing the wrong school may actually hurt you.  And for goodness sake, before wasting your time, do some OSINT.  You may find some people will exclude you based solely on the poor reputation of your education.  If you have other experience, education, research, etc. then your school matters less to me.  But I know what most popular degree programs include and more importantly what they do not.  Choose a good school or you'll regret it as Lesley notes below.

The End
I could keep writing on this all day, but I'll stop here.  I've made my case and nothing you can say will dissuade me.  Have I hired people without a degree?  Sure.  But they are seriously bringing it in some other area.  If you are entry level without other credentials and lack a degree you should probably talk to someone else.

Footnote: If you ever interview with me for a threat intel/OSINT job and haven't read at least some of my blog/other research and presentations before the interview, you are not very good at your chosen job.