37 posts categorized "Events"

 

UMD and Tenable Announce New Cybersecurity Partnership

Tenable is proud to announce a newly formed partnership with the University of Maryland's Cybersecurity Center. The partnership will focus on preparing the future security workforce and collaborating on cybersecurity challenges.

"COLLEGE PARK, MD AND COLUMBIA, MD – The University of Maryland (UMD) and Tenable Network Security, the leader in Unified Security Monitoring and creator of the award-winning Nessus vulnerability scanner, have announced a new partnership to establish collaborative activities in the area of cybersecurity. The partnership will promote cybersecurity education, research and technology development through UMD's newly established Maryland Cybersecurity Center (MC2, or MC-squared). UMD and Tenable plan to leverage one another's resources, knowledge base, and unique perspectives to develop innovative solutions to cybersecurity challenges."

Read the full press release.

Tenable has participated in several security challenges in the past; you can read more about our past experiences at these events here:

 

Shmoocon 2011 Conference Wrap-Up

Getting to ShmooCon each year is always challenging (as is trying to get home). Mother Nature seems to enjoy disrupting the travel to and from the conference, which is held in Washington, D.C., in January or February of each year. Despite the weather issues, I've always found it to be a conference worth attending. It features quality talks, leading security researchers sharing thoughts and ideas, and several extra events such as "Firetalks" and "Hacker Karaoke".


From Printer to Domain Admin

I've always been fascinated with the concept of attacking printers. The common misconception of "oh, it’s only a printer" makes them a prime target for attackers because people believe that printers pose little to no security risk. This mindset typically translates to the following conditions, which help to fuel my fascination:

Continue reading "Shmoocon 2011 Conference Wrap-Up" »

 

BruCon 2010 Training & Conference Wrap-up

BruCon is a security conference held in Brussels, Belgium. This was the second year of BruCon, and it consisted of two days of training and two days of presentations. It’s a decent-sized conference of about 300 people total, including speakers and attendees. Everyone at the conference was extremely nice and very hospitable. The organizers went above and beyond to make sure that attendees had a good time, were able to get around the city and (most importantly) could share ideas about information security in an open environment.


Continue reading "BruCon 2010 Training & Conference Wrap-up" »

 

Tenable Security Showcase - New York City

Please join Tenable's own Ron Gula, Renaud Deraison, Marcus Ranum and Paul Asadoorian for a Security Showcase on October 6, from 8:30am to 2:00pm at the New York Marriott East Side, 525 Lexington Ave. at 49th Street in New York City. Breakfast and lunch will be provided during this half-day FREE event.


Topics we will cover include:

  • The current status and future development plans for Nessus and our enterprise vulnerability assessment, compliance and log management products: SecurityCenter, Passive Vulnerability Scanner and Log Correlation Engine
  • The advantages of pairing active and passive scanning
  • What security strategies are outdated and what new trends are half-baked
  • "How I Learned to Stop Worrying and Love Regulatory Compliance"
  • "Zen and the Art of Nessus Web Application Scanning"
  • During lunch you will also be given a live demonstration of our enterprise solutions as they relate to the themes above.

    Contact Donal McRae (dmcrae -at- tenablesecurity.com) to reserve your seat (space is limited for this event). We hope you can make it, as the showcase is a rare opportunity to receive firsthand insight from four leading experts.

     

    Tenable at Black Hat USA 2010!

    July hasn’t been hot enough for me and some of the other Tenable staffers, so we will be heading to the desert of Las Vegas in a few weeks to attend Black Hat USA 2010! Since 1997, the Black Hat conference has provided a neutral ground for security researchers, government agencies and information security professionals to integrate their varied perspectives. This will be my ninth year at Black Hat and I’ve always found it to be an intense couple of days meeting up with almost everyone I know in the Infosec field. I’m delighted that Tenable will be represented in the Black Hat Trainings, Black Hat Briefings, Black Hat vendor area and DEF CON this year.

    Tenable’s Product Evangelist, Paul Asadoorian, will be teaching two sessions of a brand-new (seriously – we’re still editing it) Advanced Nessus Training Class.

    This class is intended for those who are already familiar with Nessus and will cover special techniques and testing situations that you may not be familiar with. There will be a lot of hands-on lab work, assisted by Tenable’s lead Trainer, David Poynter (so that Paul can keep talking, one of his favorite activities). The first session will be held on Saturday and Sunday (July 24 & 25) and the second session on Monday and Tuesday (July 26 & 27). There are still a few seats open in both sessions, but they are filling up fast!

    Continue reading "Tenable at Black Hat USA 2010!" »

     

    Penetration Testing Summit 2010

    The SANS Penetration Testing Summit was held this year at the Hyatt Baltimore in Baltimore, MD on June 14 - 15 and was focused on “What Works in Penetration Testing”.

    The event was held just across from Camden Yards, home of the Baltimore Orioles.

    Tips For Penetration Testers

    I participated in a panel discussion with Joshua Wright, Vincent Liu and Joshua Abrams titled, "Most Effective New Technique You've Applied in the Past 12 Months". We started by having each of us share two fun, new or interesting penetration testing techniques that we've applied in the past year. It was a great discussion, covering topics such as wireless, vulnerability assessments and what tools to get started with.

    I shared a story with the audience about lock picking. The story details the travels of my friend (let's call him "Bob") who was put into a situation where he had to pick a lock. Bob did not have his lock-picking set and was forced to use more crude tools. In the end, Bob ended up prying off the entire doorknob with even more rudimentary and crude tools. I then circled back around to the lessons learned and how they apply to both lock picking and penetration testing:

    Continue reading "Penetration Testing Summit 2010" »

     

    SOURCE Boston Re-Cap

    Two weeks ago, several Tenable colleagues and I traveled to Boston to attend and speak at the SOURCE conference. The SOURCE conferences, founded by Stacy Thayer, are small in size but big on content. Since the conference is fairly intimate (this year’s had approximately 250 attendees), I had the chance to talk to many people in the hallways about security, attend some great talks and deliver a presentation on the state of embedded systems security.


    SOURCE Boston was held at the Seaport Hotel in Boston, Massachusetts. The above picture was taken at the hotel looking out over Seaport Lane.

    SOURCE continues to be a great conference, held in Boston, Massachusetts and Barcelona, Spain. It has a great atmosphere, the caliber of people in information security who attend is top notch and the presentations are great. Tenable submitted three presentations to SOURCE that were all well received and are described below:

    Continue reading "SOURCE Boston Re-Cap" »

     

    Tenable at SOURCE Boston

    Tenable is again returning to the SOURCE Boston conference, held at the Seaport Hotel from April 21-23. This year Tenable will be delivering three presentations: Tenable CEO Ron Gula will be presenting a talk titled “How to Detect Penetration Testers” on Wednesday from 10:00 am to 10:50 am; Carole Fennelly and Kelly Todd will be participating in the Vulnerability Management panel on Thursday from 10:00 to 10:50; and Paul Asadoorian will be presenting a talk titled “Embedded System Hacking and My Plot to Take Over the World” from 2:00 to 2:50 on Thursday. This post provides a brief overview of these presentations.

    Ron Gula’s talk, “How to Detect Penetration Testers”, describes methods of detecting authorized penetration testers from a variety of technical and political angles. Very often audit organizations feel the need to run a “surprise” audit on one of their divisions. This is intended to see how the target organization reacts to an unannounced penetration attempt, but very often results in disrupted production services and a lot of political finger pointing. This presentation provides tips and insights to make better use of firewall logs, netflow data and system logs, both to protect from situations that will embarrass the security program and to protect resources from the real intruders.

    Continue reading "Tenable at SOURCE Boston" »

     

    The Mid-Atlantic Regional CCDC 2010 Event - Part II

    Physical Access: RFID Badges

    This year's competition debuted an RFID badge hacking system. The Red and Blue teams had separate rooms that were governed by badges and a badge reader. The Red team badges were allowed access only to the Red team room and vice versa for the Blue teams. I really wanted to hack the badge system right out of the gate. There were a couple of motivators involved (including the fact that my friend Larry put the system together), and if we bypassed the RFID reader the Red team would gain physical access to the systems after the Blue teams went home for the night.

    Above you can see a successful badge scan using RFIDIOT. Yes, I did a happy dance of joy once I got it working.

    Before the competition started I mapped out a plan of attack. Since all of the Red team members were in the same room and I had access to their badges, I planned to scan them and record all of the values. This would give me knowledge of the known values, making any other value a potential Blue team code. Before I could scan the badges, I needed to set up a reader. Larry had a reader for players to use, but I wanted to set up one of my own (besides, I did not trust Larry… what if he defected to a Blue team?). After about two hours of fighting with software library installations, failed dependencies and USB drivers, I finally had a working reader. I was using RFIDIOT to do the reading, a set of Python scripts developed by Adam Laurie. While it is a great contribution to the security community, the documentation could have been more comprehensive (if you are looking to contribute to an open source project, here is your chance!). Having little to no experience with RFID, it was a challenge to figure out how to correctly configure my reader and set it up to read our badges, but persistence prevailed and just before the competition started I was reading Red team badges.

    Continue reading "The Mid-Atlantic Regional CCDC 2010 Event - Part II" »

     

    The Mid-Atlantic Regional CCDC 2010 Event - Part I

    How to Score at a Hacking Competition

    Over the past weekend I participated in my second CCDC, or Collegiate Cyber Defense Competition. The event put college students in a defending role in five “Blue teams” and "real-world attackers" in the offensive role (pun intended) as the “Red team”. Points are incurred against the Blue teams when their systems become compromised, services are unavailable, or their systems go down. The defending team with the lowest score wins and is sent to a national "cyber exercise" competition. The event hosts a job fair, keynotes by speakers such as Marcus Ranum, a full spectator area and this year hosted two film crews who interviewed players and captured the action. You can watch the videos from last year's CCDC event on their YouTube channel.

    At a hacking challenge it can be tough to keep the Red team in line and following the rules. However, the very nature of hacking involves breaking the rules! All of the Red team members did an excellent job of being hackers, and being responsible. While there is no Red team winner, we had some of the highest scoring Red teams in the event's history. You can read more about the Blue team winner and rankings on the CCDC web site.

    Hacking challenges have become a bit of a hobby of mine in the past few years. I've participated in two previous events and wrote about them here on the Tenable blog. The first was the NYC Capture the Flag event and the second was "Cyberdawn", a diverse cyber exercise. I learn so much by attending these events and participating as a "Red team" member. As the Red team, we set out to compromise systems, run a program that would update a scoring engine, maintain access and disrupt services and operations. It’s a tough balance to maintain; the more aggressive you become on the systems, the more the defending teams notice. Changing a password and locking the teams out incurs points; however, they will notice and reset the password. Smart Red team members implant different ways to access the system, such as SSH key trusts and rootkits, to keep a foothold on the systems throughout the competition.

    As the Red team captain, I developed a strategy for guiding and organizing the Red team members. We divided into sub-teams and assigned the following roles to each of the members:

    Continue reading "The Mid-Atlantic Regional CCDC 2010 Event - Part I" »

     

    Shmoocon 2010 Security Conference

    ShmooCon has always been one of my favorite conferences. It is very well run and provides a small, intimate environment to discuss all things related to hacking and information security. You truly feel a part of this conference in every way. For example, you are encouraged to throw small stress balls called "Shmooballs" at any speaker you disagree with. The conference founders felt that many conferences had talks that were complete nonsense yet no one would stand up to say anything in opposition. As a speaker at ShmooCon you may literally find yourself running for cover. This year there was even a "Shmooball Launcher" contest, which scored the homemade launchers in several different categories.

    Larry Pesce participating in the Shmooball launcher contest at ShmooCon 2010 in Washington, DC. Larry's Shmooball launcher proudly displayed the Nessus banner throughout the conference and received a lot of attention from curious conference attendees.

    This year's ShmooCon had some excellent presentations and workshops, including one that reportedly used Nessus to find a directory traversal vulnerability in VMware (more to follow on that one). Some of the other highlights include:

    Continue reading "Shmoocon 2010 Security Conference" »

     

    Being Pro-Active Against the "0-Day" Threat

    Recent investigations into the Google "Aurora" incident uncovered evidence that Chinese attackers used a 0-day exploit for Internet Explorer to gain access to Google employees’ computer systems. This event has sparked the release of Microsoft Security Bulletin MS10-002 (Critical) and a public exploit for the vulnerability. To mitigate this vulnerability, Microsoft originally recommended that customers upgrade to Internet Explorer 8 and enable DEP (Data Execution Prevention). On January 21, 2010, Microsoft released an "out-of-band" patch for the vulnerability, which fixes the problem on Internet Explorer versions 6, 7 and 8. Methods exist to reliably exploit Internet Explorer versions 6 and 7, and several people have working exploits for IE version 8, including Dino Dai Zovi, a well-respected vulnerability researcher. (A concise list of the details surrounding this issue can be found in this article.)

    Being Proactive

    Many organizations are likely to implement the patch released by Microsoft since the issue has been receiving a lot of media attention. Patching because of a media event is an all-too-common mistake made by many organizations that cannot be convinced to implement new security measures until exploits make the news. Patching systems needs to be part of an organization’s overall strategy – not just a reaction to a media event. When new technologies become available as upgrades to your existing systems, put a plan in place to test and migrate to them, especially if they offer increased security. The organizations doing this today are looking at the latest exploit and implementing their patch strategy as part of the standard operating procedure.

    Continue reading "Being Pro-Active Against the "0-Day" Threat" »

     

    Marcus Ranum Presents "Internet Nails" at TED

    Marcus presents an awesome story about the Internet, software, and security. Watch as he goes into detail on how protocols work, problems with FTP, HTTP, and much more! The purpose was to show how small mistakes made in the design of software and the Internet have shaped the security industry. You can watch the full version of the talk below:

    You can also find a full size high quality version of the above video on YouTube's site.

     

    Cyberdawn - A Diverse Cyber Exercise - Part II

    Passwords are just so easy to abuse...

    It was interesting to see that the top scorer in the game (who went by the handle "ftp" and, coincidentally, had 21 scores in the first day of game play!) did not use fancy new exploits, 0-day attacks or a wide range of open-source or even commercial tools. He was able to gain access to systems because the teams left default or easily guessable passwords set on some of the Linux servers. He used SSH to log in to the systems, then SCP to upload some Python code that was used to update the scoring engine. From there he was able to maintain access, not through rootkit technology or anything sophisticated, but by hiding in plain sight. The Python script makes a TCP connection to the scoring server and sends a message. It was moved into a file called "/dev/vfat" to make it look like a system file. Next, a shell script was written to call the Python script every ten minutes. This file was called "getty", ran in the background, and was also inserted into the startup scripts to ensure it kept running. The teams never found these processes running and "ftp" won the game, no exploits required.

    Hacker "ftp" at work, winning the game using built-in tools such as bash, python and SSH.
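    The two tricks above (a plain file parked under /dev and a shell script running under the name "getty") are easy to check for from the defending side. The following is an added example written for this post, not code from the Cyberdawn event or from any Tenable product; the list of expected getty binary paths is an assumption to adjust per distribution, and the sample /dev and /proc trees are constructed in a temporary directory so the checks run offline.

```python
"""Read-only checks for the two 'hide in plain sight' tricks described above:
a regular file parked under /dev and a shell script running under the name
'getty'. Added example for this post, not code from the Cyberdawn event."""
import os
import stat
import tempfile

# Where a legitimate getty-family process is expected to run from (assumption;
# adjust to the distribution being checked).
EXPECTED_GETTY_EXES = {
    "/sbin/getty", "/sbin/agetty", "/sbin/mingetty",
    "/usr/sbin/getty", "/usr/sbin/agetty",
}
GETTY_NAMES = {"getty", "agetty", "mingetty"}


def find_regular_files(dev_root="/dev"):
    """Return regular files under dev_root. /dev should contain device nodes,
    FIFOs, sockets, symlinks and directories; a plain file there is an anomaly."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(dev_root):
        for name in filenames:  # os.walk puts every non-directory entry here
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat so a symlink is reported as a symlink
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                hits.append(path)
    return sorted(hits)


def suspicious_getty_processes(proc_root="/proc", expected=EXPECTED_GETTY_EXES):
    """Return (pid, exe) for processes whose name is a getty but whose executable
    is not one of the expected binaries. A shell script started as ./getty gets
    comm 'getty' while /proc/<pid>/exe points at the interpreter, e.g. /bin/bash.
    (A script started as 'bash getty' shows up as comm 'bash' and is not caught here.)"""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            continue  # process exited, or exe is unreadable without privileges
        if comm in GETTY_NAMES and exe not in expected:
            findings.append((int(entry), exe))
    return sorted(findings)


def build_constructed_samples(root):
    """Construct a fake /dev and /proc under root so the checks run offline.
    Everything here is made up for the demonstration."""
    dev = os.path.join(root, "dev")
    os.makedirs(os.path.join(dev, "shm"))
    os.mkfifo(os.path.join(dev, "initctl"))            # FIFO: not flagged
    os.symlink("initctl", os.path.join(dev, "stdin"))   # symlink: not flagged
    with open(os.path.join(dev, "vfat"), "w") as f:     # regular file: flagged
        f.write("#!/usr/bin/env python\n# constructed stand-in for the beacon\n")

    proc = os.path.join(root, "proc")
    os.makedirs(os.path.join(proc, "1"))
    with open(os.path.join(proc, "1", "comm"), "w") as f:
        f.write("agetty\n")
    os.symlink("/sbin/agetty", os.path.join(proc, "1", "exe"))   # legitimate
    os.makedirs(os.path.join(proc, "4242"))
    with open(os.path.join(proc, "4242", "comm"), "w") as f:
        f.write("getty\n")
    os.symlink("/bin/bash", os.path.join(proc, "4242", "exe"))   # script masquerading
    os.makedirs(os.path.join(proc, "self"))  # non-numeric entry: skipped
    return dev, proc


def demo():
    """Run both checks against the constructed samples; returns the findings."""
    with tempfile.TemporaryDirectory() as root:
        dev, proc = build_constructed_samples(root)
        files = [os.path.relpath(p, dev) for p in find_regular_files(dev)]
        procs = suspicious_getty_processes(proc)
    return files, procs


if __name__ == "__main__":
    print(demo())  # prints (['vfat'], [(4242, '/bin/bash')])
    # On a live host: find_regular_files("/dev"); suspicious_getty_processes("/proc")
```

    Run against a live host, the process check needs enough privilege to read /proc/<pid>/exe for other users' processes; unreadable entries are skipped rather than reported.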

    Continue reading "Cyberdawn - A Diverse Cyber Exercise - Part II" »

     

    Cyberdawn - A Diverse Cyber Exercise - Part I

    Cyber Exercise

    Over this past weekend I attended Cyberdawn, a cyber exercise that was hosted by Battlefield High School in Haymarket, Virginia.

    Sidebar: What is a Cyber Exercise?
    “A cyber exercise is a live computer network attack and defense event. A typical exercise runs at least one day for a small team and up to five days for large organizations or multiple teams. Teams generally fall into two categories: attackers (Red Team) and defenders (Blue Team). Defenders are scored on their ability to keep their IT systems up and functional in support of their business processes. Attackers are scored on their ability to disrupt business operations.”
    See http://www.whitewolfsecurity.com for more information.

    Continue reading "Cyberdawn - A Diverse Cyber Exercise - Part I" »

     

    Risky Business 119 - Featuring Paul Asadoorian

    Last week I made an appearance on episode 119 of the Risky Business podcast with Patrick Gray. I spoke with Patrick about training and certification, specifically how it applies to the Information Security field and its importance in your career development.

    We're also joined by a special guest in our sponsor segment this week, Paul Asadoorian, the host of the PaulDotCom Security Weekly podcast. Paul's day job is as Tenable's "Evangelist". He won't be evangelising anything this week though, he's popping by to talk about training. Paul did work for SANS, and we'll be asking Paul what he thinks training and certification are good for.

    You can download the full episode from the http://risky.biz website.


     

    SANS Consensus Audit Guidelines Webinar - August 13th

    Tenable will be hosting a webinar about the new SANS Consensus Audit Guidelines commonly known as the "CAGs". Tenable CEO Ron Gula will discuss the main points and recommendations of the CAGs with industry experts Rich Mogull, CEO of Securosis, and Dr. Eric Cole, a Fellow at the SANS Technology Institute, noted author and president of Secure Anchor.

    Continue reading "SANS Consensus Audit Guidelines Webinar - August 13th" »

     

    Risky Business 115 - Featuring Brian "Jericho" Martin

    Our very own Brian "Jericho" Martin appears on episode 115 of Risky Business. Brian discusses the latest Microsoft DirectShow ActiveX bug, the workarounds, the process, and controversy surrounding this vulnerability.

    We also hear from Brian "Jericho" Martin -- he's the maintainer of the Open Source Vulnerability Database and he also works for Tenable Network Security, our sponsor. He'll be along in this week's sponsor interview to have a chat about that nasty DirectShow ActiveX bug that's doing the rounds at the moment -- did Microsoft drop the ball on this one? Well, the answer is maybe, as you'll hear.

    You can download the full episode from the http://risky.biz website.


     

    Webinar - Control System Auditing with Nessus

    Tenable CEO Ron Gula will interview Digital Bond Researcher Jason Holcomb about project Bandolier. Bandolier is a project funded by the Department of Energy which focuses on securing a wide variety of SCADA and Control System applications through configuration hardening. The project has produced several configuration auditing policies for Nessus ProfessionalFeed and Security Center users. Mr. Holcomb will discuss the specific types of Control System technologies that have been audited, how they can be obtained, the types of Nessus audit functions that have been used, and also demonstrate how these scans can be used on production networks and Control Systems.

    Title: "Control System Auditing with Nessus - Project Bandolier"
    Date: Thursday, June 4, 2009
    Time: 2:00 PM - 3:00 PM EDT

    Register now by clicking the link below:
    https://www1.gotomeeting.com/register/169860257

     

    ShmooCon 2009 - Playing Poker for Charity

    Tenable sponsored a booth at this year's ShmooCon and ran a Texas Hold'em table to help raise money for the Hackers for Charity organization. We raised close to $400 from conference attendees and scheduled "guest" players such as Paul Asadoorian from PaulDotCom, Simple Nomad from NMRC, Jericho from Attrition, Chris Hoff and many others.

    Playing poker with self-proclaimed hackers, security experts, CIOs, CSOs, and students was very enlightening. There was at least one joke about "risk management" each hour. A lot of players liked the chance to sit down with some of the other attendees and speakers who have been around for a while.

    Not surprisingly, although there were plenty of people playing and donating, there were not a lot of people who wanted to be photographed playing poker when they should have been in the presentations learning about security. Here is a sanitized photograph of the event at one point when we were down to just two players:


    Thanks again to everyone that came by the booth, played some poker, asked about Nessus and complained about FDCC or PCI.

     

    "Winning at the Compliance Game" Webinar, Feb 3

    Will 2009 bring newer and more comprehensive versions of regulations such as PCI or FDCC? Is your organization already positioned to leverage the benefits of configuration management and transparent audit of IT resources?

    With a focus on configuration and vulnerability management for enterprise networks, Tenable CTO Ron Gula will discuss the latest trends in compliance standards, strategies for a positive audit experience and how this process can lower your organization's operational costs and maximize availability.

    Title: "Winning at the Compliance Game"
    Date: Tuesday, February 3, 2009
    Time: 1:00 PM - 2:15 PM EST

    Register now by clicking on the link below:
    https://www1.gotomeeting.com/register/706770928

    If you are unable to attend the live webinar, it will be recorded and made available online at the above URL shortly after it occurs.

     

    DOJOSEC - Compliance Presentation


    The next DOJOSEC is this week. I've been invited to speak about the latest compliance trends in PCI and FDCC. Also presenting will be Shaf Ramsey of TechGuard Security and Dale Beauchamp of the Transportation Security Administration. Mr. Ramsey will discuss the future of virtual worlds such as HIPIHI and the implications they will have for information security. Mr. Beauchamp is a digital forensics expert and will discuss practical memory analysis.

    The time and location of the event are:

    January 8th - Thursday - 6:00 PM to 9:30 PM
    Charles I. Ecker Business Training Center
    6751 Columbia Gateway Drive
    Columbia, MD 21046

    DOJOSEC is a series of presentations organized by Sun Tzu Data. Past speakers have included Johnny Long and Bruce Potter. They have many more seminars planned and I recommend signing up for their newsletter to learn more.



     

    Policy Compliance Thought Leadership Roundtable

    Note: This webinar has occurred and you can hear the recorded session at this link.

    Would you like to hear thought leaders from Symantec, Qualys, Tenable and Courion discuss various approaches to policy compliance? If so, please visit the http://whitehatworld.com/ website and register for the live "Policy Compliance Thought Leadership Roundtable" webinar on December 3rd, 2:00 PM EST.

    Panel members include:

    • Peter Distefano, Symantec
    • Marcus Ranum, Tenable Network Security
    • Kurt Johnson, Courion
    • Terry Ramos, Qualys

    In our one-hour, live panel, we will discuss the pros and cons of vulnerability scanning, configuration auditing, patch auditing, network access control, user provisioning, log analysis, agent based monitoring and how these can be used to effectively monitor and demonstrate compliance.

    During the past few months, I've also had the chance to be part of several WhiteHatWorld "Thought Leadership Roundtables" which are now available in their archive section. These include:

    These are free one-hour webinars which have some very good insights and are vendor neutral.

     

    Hacker Court 2008 Post Mortem

    Another Black Hat conference for the record books! It’s traditional for me to have a panic attack on the eve of Black Hat, trying to pull the Hacker Court team together to work on our presentation (“Hack MyFace”) and swearing I’m never doing this again. This year was even worse: the defendant, Simple Nomad, and the judge, Richard Salgado, both had to cancel at the last minute. We still had to work out evidence details (as Simple Nomad once pointed out, it would be easier to actually hack into a system than generate fake evidence) and now had to find replacement players. Richard Salgado noted that “anyone can be a judge”, but who could fill Simple Nomad’s stylish boots?

    Fortunately, fellow NMRC member and Hacker Court veteran Weasel came to the rescue to play “Simplé Gnomad”, complete with bathrobe and sunglasses. Hacker Court co-founder Jonathan Klein stepped in as a very intimidating Judge.

    This case hinged on the fact that the defendant, responding to a journalist’s inquiry, used a zero-day exploit to hack into a presumed social networking site, “MyFace”, with the encouragement of the site’s owner, Mudge, who was really a Secret Service Agent investigating social networking exploits. The site was actually a Virtual Machine (VM) on a server that housed other case VMs (agency budget cut-backs). The defendant not only compromised the security of the “MyFace” site but also broke out of “MyFace” and obtained information about sensitive on-going investigations.

    In his opening statement, Prosecutor Paul Ohm accused the defendant of three charges of computer crime: Unauthorized Transmission of a Program; Unauthorized Access to Computers; Obtaining Information by Computer from Government Computer.

    Defense attorney Jennifer Granick countered that the defendant was entrapped and that the real villain in this case was the inept Agent Mudge who authorized the defendant to test the security of a system that he owned and who clearly told the defendant there were “no limits.” There was no way the defendant could know that he should stop at the first VM since he was told by the site’s alleged owner that there were “no limits.”

    Agent Mudge testified that he engaged the defendant to test the security of the “MyFace” and determine if the defendant had a working zero-day exploit. He described monitoring the system during the defendant’s exploit attempt and finally receiving an email from the defendant that noted “eight VMs are a lot for the hardware your host is running on.” This referred to the other VMs used for other investigations. Mudge did not think these VMs were at risk because “they were all perfectly sandboxed from one another.” Apparently, he was mistaken.

    During forensic analysis, it was discovered that the defendant obtained a highly sensitive file named “OngoingSecretInvestigations”, which contained the name of the case agent and target for each VM. This was a serious problem since Mudge did not know the identity of the hacker and could not have this sensitive information made public.

    Mudge testified that he traced the intruder’s IP address to the “L33t’s Coffee & Tea” in Burbank, California, an Internet café. The barista remembered the journalist being with a regular customer who always wore a bathrobe and sunglasses. Mudge staked out the coffee shop, finally observing the suspect leaving and followed him to a Ralph’s market, where the suspect bought a carton of half & half and paid with a check for $0.73. After the suspect left, Mudge obtained a copy of the check, which contained the suspect’s home address, where Mudge discovered the zero-day exploit in a briefcase. The briefcase was introduced into evidence and opened in front of the judge, who gazed with astonishment at the glowing light and asked “Is that what I think it is?”

    Mudge was badgered by Jennifer Granick on cross and forced to admit that he did not impose limits on Simplé Gnomad’s testing.

    The next witness called was the journalist who allegedly met with Simplé Gnomad in the coffee shop, Simon Ross (played by Brian Martin). Mr. Ross testified that he ran a blog called “simonsayssecurity.gryppad.com”. When asked to identify the person he met in the coffee shop, Mr. Ross’s attorney, Kurt Opsahl, objected and cited that his client was protected by the reporter’s privilege and should not be required to answer the question. Judge Klein ruled that the government had not exhausted its means to get the IP address from other sources so the journalist could not be compelled to turn that information over. However, it was also ruled that the journalist could be compelled to testify to events he witnessed in the coffee shop and Simon Ross (aka Brian Martin) was ordered to testify. When he (quite rudely) refused to cooperate, Mr. Ross was held in contempt and (forcefully) subdued by the bailiff.

    The final witness was the defendant himself, Simplé Gnomad (played by Weasel in bathrobe and sunglasses). Jennifer Granick tried to talk her client out of testifying, since this could add additional charges of obstruction if he is found guilty. However, Simplé Gnomad wanted to clear his name and stated that he was framed.

    After closing statements by the prosecution and defense, Judge Klein read the Jury Instructions and the case was turned over to the audience for deliberation with about two minutes left in our time slot. An informal show of hands produced the following verdict:
    18 U.S.C. § 1030(a)(5)(A)(i) - Unauthorized transmission of a program
    Not Guilty
    18 U.S.C. § 1030(a)(5)(A)(ii) - Unauthorized Access to Computers
    Not Guilty
    18 U.S.C. § 1030(a)(2)(B) - Obtaining Information by Computer from Government Computer
    Guilty as charged

    Ok, so this was running roughshod over the legal process but most trials don’t have to clear the room so that Caesar’s catering staff can clean up all the beer bottles and plates left on the floor. As we wearily parted ways at the bottom of the escalator, Paul Ohm asked “So, ready to start work on next year’s?”


    Hacker Court at Black Hat!

    Hacker Court is once again returning to the Black Hat Briefings! For our seventh Black Hat presentation, we will be conducting a mock court trial focused on the issues of entrapment, journalist privilege and wiretapping, titled "Hack MyFace."

    What is "Hacker Court?"

    Hacker Court is a loose organization of attorneys, security professionals and hackers with the goal of demonstrating the dynamics, frustrations and complexity of computer crime trials.

    Teaching Points
    The Hacker Court mock trials endeavor to teach a technical audience the reality of computer crime trials.
    Before joining Tenable, I was a freelance security consultant and developed a particular interest in computer crime cases after personal experience in dealing with an intrusion. I thought I knew a lot about the process, but it wasn’t until I actually worked on a case with the Federal Defender’s Office in NY that I realized just how naïve I was about how the legal system really worked. The defendant was even more naïve and honestly thought that a “jury of his peers” meant that people like Simple Nomad, Jericho and Rain Forest Puppy would serve on the jury. After all, his “peers” were hackers!

    Since then, I’ve been involved in other cases and these are a few of the major lessons I’ve learned:
    1. Defendants lie, even to their own defense team
    2. Admissibility of evidence is up to the judge, not the technology or its merit
    3. A juror with an infosec background would be disqualified from serving on a computer crime case
    4. Defense experts cannot talk about the case no matter how much the defendant smears them to his friends
    5. There are no “Matlock” moments
    6. The trial is all about the attorneys’ performances
    7. Technical evidence is boring, especially to the jury
    8. A case will most likely not be prosecuted unless there is a 95% chance of a conviction. Corollary: if you go to trial, you're probably going down.
    9. Cross examination of witnesses is brutal
    10. The trial may take place years after the crime

    The most important (and scary) lesson I learned is that the case will be won or lost by the side that makes their story compelling and interesting. Technical details are neither.

    How it's Done
    The Hacker Court mock trials demonstrate these points by enacting a courtroom environment where the audience is the jury. There is no pre-set outcome and we take great pains to make sure the deck is pretty evenly stacked (which differs from most trials, where the prosecution usually wins). Although we work out the facts of the case ahead of time, much of the testimony from witnesses is ad-libbed, often with amusing results.

    Hacker Court differs from an actual trial in that we streamline the process and have some fun with it. An actual trial can take weeks - we have 2 hours, which normally wouldn’t cover the opening remarks. Most trials are also extremely boring, despite what you may see on TV. We take many liberties to make it fun, which no judge in his right mind would tolerate in an actual trial. For example, our 2004 presentation “Pirates of the Potomac: The Curse of the Bl4ck Perl” featured Simple Nomad as “Captain Jack Hack” (aka “Cracker Jack”), a hacker accused of “war-sailing” up the Potomac.

    This Year's Case
    This year’s presentation will once again feature Simple Nomad as the defendant, a “l33t” hacker who frequently posts to a blog run by a journalist who investigates cases of identity theft and exposure of personal information. Nomad claims to have a zero-day exploit that will work on any social networking site and is goaded by another blog poster to prove it by exploiting a social networking site called “MyFace.”

    A more complete case summary, along with Speaker bios, may be found at the Black Hat site.


    Both sides will argue their case on August 6, 2008 at the Palace 1 ballroom during the Gala Reception of Black Hat. Who will win? That's for the audience to decide! So if you’re coming to Black Hat, grab some food and drink from the Gala and join us in the Palace 1 ballroom!


    WhiteHatWorld Webinar - Vulnerability Management Thought Leadership Webcast

    On August 6th, 2008, I will be participating in a Vulnerability Management webinar hosted by WhiteHatWorld. We will be discussing best practices for scanning and configuration auditing. Panelists also include representatives from Qualys and Rapid7. To register, please visit this link or visit http://www.whitehatworld.com/ to learn more and view their library of recorded webinars.




    Phishing Webinar with White Hat World

    I will be participating in a White Hat World "Thought Leadership Roundtable Webcast" today at 2:00 PM EST on the topic of Phishing. Other panel members include representatives from Secure Computing, SonicWall, and Missing Link Security Services. To register for the event or watch the recorded session after it occurs, please use the following link:

    The event is free, but requires registration. Tenable will be participating in several other White Hat World webcasts in the near future.





    Marcus Ranum in Europe

    For those readers that are located in Europe, Marcus Ranum, Tenable’s CSO, will be speaking at two events in Q2 of 2008:


    On April 23rd and 24th, Marcus Ranum will be speaking at the Mnemonic Risk Management and Information Security Conference 2008 in Norway. The conference will be held at the Ulleval Business Class. He kicks off the conference with his talk titled: “Lateral Thinking in Security”.

    Computer security, as a field, appears to be trapped in a hamster-wheel of repeating the same ideas over and over again. And the results are clear: 15 years into the field, more systems are getting compromised than ever, in spite of billions of dollars and thousands of man-years invested. Why is this happening? It's possible that we're going about doing things backwards and trying harder isn't going to result in any improvement. In this presentation, he'll look at a few things that don't work as well as they should, and he'll try to come up with "plan B" options.


    On June 4, 5 and 6, Marcus Ranum will be keynoting the SÉCURITÉ DES TECHNOLOGIES DE L'INFORMATION ET DE LA COMMUNICATION conference in Rennes, France. Marcus will begin the conference with his keynote titled: “Anatomy of The Security Disaster”.

    Computer security has historically been a disaster and continues to be a disaster. Many practitioners have attempted to explain it in terms of risk management, failure to communicate, or lack of education. In reality, it is a simpler social problem, and is not solvable by any means short of a redesign of human behavior. The view he will present has implications for the real meaning behind why economic models represent "market failures" and risk management approaches are merely "hand-waving."

    For more information on other Tenable upcoming speaking events, please visit:




    Upcoming Conferences and Speaking Engagements

    There are a few events occurring before the end of the year that Tenable will be participating in:

    2007 DHS Security Conference and Workshop
    Baltimore Maryland, August 27-30, 2007
    I will be speaking at 3:45 this Monday, August 27 about how configuration management changes the way network security monitoring and incident response occur in non-obvious manners. Many of these sessions are only open to the US government.

    "Hack In The Box" SecConf 2007
    Kuala Lumpur, Malaysia, September 3-6, 2007
    Several members of Tenable's research team will be attending the conference. We're traveling from all over the world to attend -- you should too.

    NIST IT Security Automation Conference
    Gaithersburg, Maryland, September 19-20, 2007
    Tenable will be exhibiting at this conference which focuses on how the SCAP program is being used by government agencies and commercial vendors to audit computer systems against government best practice standards. Several Tenable customers will be at this event as well as members of our research team. I will also be speaking about current and future Tenable efforts in this area.

    New England Information Security Forum
    Boston, Massachusetts, September 17-18, 2007
    I highly recommend this event for anyone in the Boston region who is a technical manager. You'll get to meet with other experienced peers and then meet with vendors in a non-marketing, very technical venue.

    7th annual Fall Cyber Security Symposium on the UNCC campus
    Charlotte, North Carolina, October 10, 2007
    Tenable will be exhibiting on campus, answering questions about Nessus, different types of compliance auditing and demonstrating our products. If you would like to attend this event, please email neclarke@uncc.edu.

    Day Con 2007
    Dayton, Ohio, October 12-13, 2007
    Several members of Tenable's research team will be attending the conference. We will also be participating in monitoring of the "HackSec International" competition.

    Midwest Information Security Forum
    Chicago, Illinois, October 29-30, 2007
    I highly recommend this event for anyone in the Chicago region who is a technical manager. You'll get to meet with other experienced peers and then meet with vendors in a non-marketing, very technical venue.

    Techno Forensics 2007
    Gaithersburg, Maryland, October 29-31, 2007
    Tenable will be exhibiting at this network forensics event. I will also have a chance to speak about how new types of network and event monitoring are changing how organizations monitor users and collect forensics.


    Webinar -- "HIPAA Compliance - What can Nessus do for you?"

    Tenable Network Security will be hosting a webinar on March 21, 2:00 PM to 3:00 PM EST. This presentation will consider how configuration auditing and vulnerability monitoring can be performed by the Nessus vulnerability scanner when managed by the Security Center.

    It will be led by Dave Breslin who is Tenable's Director of Sales Engineering. Dave is a Certified HIPAA Professional and a Certified HIPAA Security Specialist.

    To register for the webinar, please use the following URL:
    https://www.gotomeeting.com/register/486062528

    If HIPAA Compliance auditing is of interest, readers should request a copy of Tenable's HIPAA Application Notes and Product Evaluation guides which detail how specific HIPAA requirements can be monitored and reported on with Tenable products.


    Marcus Ranum Presentation - Six Dumbest Ideas in Network Security

    Tenable's CSO, Marcus Ranum, discusses many of the trends, assumptions and misconceptions about computer security facing us today. Mr. Ranum discusses why security mechanisms fail and why it is such a hard state to be "secure". Slides and audio are available below:

    Slides [PDF]
    Audio [MP3]


    Upcoming Tenable Webinars

    Tenable continues to offer interesting content. We've added three new presentations and interviews to our list of webinars.

    Interview with Thomas Ptacek, Founder of Matasano Security
    November 28, 2006 -- 2:00 PM - 3:00 PM EST
    https://www.gotomeeting.com/register/140139085

    The Six Dumbest Ideas in Computer Security - By Tenable CSO, Marcus Ranum
    December 11, 2006 -- 2:00 PM - 3:00 PM EST
    https://www.gotomeeting.com/register/544902356

    Active and Passive SCADA Network Monitoring
    December 12, 2006 -- 11:00 AM - 12:00 AM EST
    https://www.gotomeeting.com/register/320188680

    I'd also like to remind readers that next week I'll be interviewing Richard Bejtlich of Tao Security.

    Interview with Richard Bejtlich, Founder of Tao Security
    November 17, 2006 -- 10:00 AM - 11:00 PM EST
    https://www.gotomeeting.com/register/313888669

    Also, the previous "Network Based Anomaly Detection" and "Future of Vulnerability Management" webinars have been recorded and posted. If you missed the original talks, you can get to the recorded webinars at your convenience here:

    Network and Behavioral Anomaly Detection
    https://www.gotomeeting.com/register/115997810

    The Future of Vulnerability Management
    https://www.gotomeeting.com/register/646873749


    Webinar Interview with Richard Bejtlich - Nov 17, 10:00 AM EST

    Tenable will be hosting a series of interview based webinars over the next few months.

    Our first interview will be with noted network security monitoring expert, Richard Bejtlich of Tao Security. Richard has written several books including the "Tao of Network Security Monitoring", "Real Digital Forensics" and "Extrusion Detection".

    We're accepting questions from the webinar audience and collecting them during registration. To register for the webinar, please use the following URL:

    https://www.gotomeeting.com/register/313888669


    Upcoming Tenable Events and Webinars

    Tenable has many new events between now and January 2007. They are all outlined below. More are being added as we speak, including a series of interviews with leading computer and information security experts.

    I'd also like to point out the last entry on the schedule - the SCADA Security Scientific Symposium. This is being organized by Digital Bond. I will be presenting at the event about how algorithms can be used to discover a variety of security issues on IP based SCADA networks. Space is limited to 70 attendees, but the talks will also be available to "virtual" symposium attendees who have registered for online viewing.

    Webinar - Leveraging Nessus to Address FISMA Regulatory Concerns
    October 24, 2006 -- 11:00 AM - 12:00 PM EDT
    This presentation reviews FISMA compliance issues and demonstrates how the Security Center can be used to manage multiple Nessus vulnerability scanners. Email sales@tenablesecurity.com to register for this webinar.

    Conference - InfoSecurity Event
    October 25, 2006, NY, New York
    Tenable will have a booth at this show and Tenable's CTO, Ron Gula, will be on a vulnerability management panel with other product vendors.

    Conference - Fall 2006 Computer Security Symposium
    October 25, 2006, Charlotte NC

    Webinar - Network and Behavioral Anomaly Detection
    October 27, 2006 -- 10:00 AM - 11:00 AM EST

    Webinar - The Future of Vulnerability Management
    November 3, 2006 -- 11:00 AM - 12:00 PM EST

    Conference - 33rd Annual CSI
    November 6-8, 2006, Orlando Florida
    Tenable's CTO, Ron Gula, will be speaking on the current and future trends in vulnerability detection, security management and compliance.

    Conference - University of Florida IT Security Awareness Day
    November 8, 2006, Gainesville FL

    Forum - Midwest Information Security Forum
    November 7-8, Chicago IL
    Tenable is also offering the 1-day Nessus certification training class in conjunction with this event. The class is taught by Tenable's CSO, Marcus Ranum.

    Webinar - Nessus Compliance Checks
    November 10, 2006 -- 11:00 AM - 12:00 PM EST

    Forum - SCADA Security Scientific Symposium
    January 25 -25, Miami Beach, Florida
    Tenable's CTO, Ron Gula, will discuss algorithmic approaches to discovering anomalies on IP networks running SCADA applications.


    Additional Webinars for Compliance, NBAD and SCADA Security

    We've gotten requests for more webinars on a variety of topics. Below is the current schedule of webinars presented by Tenable in the month of October. These include an additional "Future of Vulnerability Management" talk, as well as sessions on the Nessus 3 compliance audit capabilities, network behavioral anomaly detection and passive SCADA network monitoring. Each session requires registration and completion of a short survey.

    The Future of Vulnerability Management
    October 10, 11:00 AM EST
    https://www.gotomeeting.com/register/800578374

    The Future of Vulnerability Management
    October 12, 9:00 AM EST
    https://www.gotomeeting.com/register/987349111

    Nessus Compliance Checks
    October 12, 2:00 PM EST
    https://www.gotomeeting.com/register/917710907

    Network and Behavioral Anomaly Detection
    October 13, 10:00 AM EST
    https://www.gotomeeting.com/register/167372290

    The Future of Vulnerability Management
    October 17, 11:00 AM EST
    https://www.gotomeeting.com/register/981647110

    Nessus Compliance Checks
    October 19, 9:00 AM EST
    https://www.gotomeeting.com/register/191464433

    Passive SCADA Network Monitoring
    October 20, 3:00 PM EST
    https://www.gotomeeting.com/register/627584779


    Upcoming Webinars on Vulnerability Management

    I have several webinars scheduled over the next few weeks which will be of interest to readers.

    The Future of Vulnerability Management - October 3, 7 and 17

    This talk will help folks understand many of the converging technology and compliance trends, and how they will affect their future. I review many of the different types of technologies and techniques that are in use today to discover, audit and manage vulnerabilities. The talk then discusses how these map into IT Controls, their effectiveness and what this means for our jobs and overall network security.

    Please register for the webinars at the following URLs:

    Oct 3, 11:00 EST
    https://www.gotomeeting.com/register/759264977

    Oct 10, 11:00 EST
    https://www.gotomeeting.com/register/800578374

    Oct 17, 11:00 EST
    https://www.gotomeeting.com/register/981647110

    IT Security - September 22

    This Friday, Sept 22, I am on a panel with several colleagues in the information security field. We've each prepared brief opening remarks about recent trends in security policies, threats and technologies in order to set the stage for questions from the participating audience. If you'd like to listen or participate, please register here. The webinar is sponsored by D&E Communications.


    Socialize with Tenable!

    In New York City? Tenable Network Security is sponsoring a free networking event hosted by (ISC)2 and The Institute for Applied Network Security. The event is July 19th at the Crowne Plaza Times Square (4:30 to 6:30 PM, including cocktails and food). This reception is being held in conjunction with attendees from The Institute for Applied Network Security and their 6th Annual New York Metro Information Security Forum. I will be attending the event along with some of Tenable's staff and customers.