As I close out my look at some of the most influential posts published here in 2009, I conclude with a post that garnered widespread industry recognition and sparked many discussions, Tod Beardsley's "TCP Portals: The Handshake's A Lie". The post, published only a month ago, drew thousands of readers and dozens of comments. More importantly, it shed some light on a potentially damaging vulnerability:
Whenever I interview someone for an Application Engineer or Security Research position, my favorite introductory question is, "Can you describe for me the TCP three-way handshake?" It is a fine baseline question to understand a candidate's knowledge of modern networking. Answers range from "SYN, SYN/ACK, ACK," to a full description of ARP, to initial sequence number generation. It's a good springboard question, because then you can start talking about spoofing addresses, port scanning, the significance of IPIDs, and more.
We are hiring a lot here at BreakingPoint, which means I'm asking this question a lot. After the fourth or fifth interview, I decided one morning to look over RFC 793 to make sure that I really did know everything there is to know about the handshake. That is when I found out that we've all been living a lie.
Read the full post, "TCP Portals: The Handshake's A Lie".
And once again thank you to all of our fantastic contributors to this blog and to the readers that continue to provide us with commentary and insight. Happy New Year.
Looking through our posts from 2009 it struck me how diverse our topics can be, a testament to the strong team of writers we have contributing to the community. Three posts had nearly identical impact when you consider views, comments and inbound links. Yet the three all take on vastly different topics.
First, you have Brent Cook's "6 Surprising Facts about IPv6", which inspired many people to start looking at IPv6 a bit more deeply:
Working lately with our IPv6 support, I have a long list of fun facts to share. As you know, IPv6 is a 128-bit addressing scheme designed to solve the various problems with 32-bit IPv4, also known as the next 'big thing'.
Read the full post, "6 Surprising Facts about IPv6".
Not surprisingly, given how much attention it garnered in 2009, our series on cyberwar, USCYBERCOM, the cyber coordinator and more also makes the list. This is a topic I felt was very important, and I started writing about it in "Four Critical Priorities for USCYBERCOM":
During most of the past year, military and cybersecurity experts have been calling for the creation of a cyber command within the Department of Defense (DoD). On June 23rd Secretary Robert Gates' memorandum established U.S. Cyber Command (USCYBERCOM) to address the current risks and "secure freedom of action in cyberspace". The announcement was met with much fanfare from the defense community, but simply announcing USCYBERCOM is the easy part. Actually building the command center is the real challenge.
Read the full post, "Four Critical Priorities for USCYBERCOM".
Finally, we end this second-to-last edition of 2009 Blog Rewind with another post from Dustin D. Trammell. This time Dustin takes on "Ruby String Processing Overhead":
The important point to note is that String object constructors initialized with literal strings only seem to provide a performance benefit on longer strings, and using processed strings seems to provide the performance benefit when using shorter strings. This means that there is a measurable string length threshold at which using one or the other initialization method becomes statistically significant for your project, and a window of length sizes within which it doesn't really matter all that much which method you use.
Read the full post, "Ruby String Processing Overhead".
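To locate the length threshold the excerpt above describes on your own interpreter, here is an added benchmark sweep (my example, not code from Dustin's post). It assumes "constructor" means `String.new(...)` given a literal and "processed" means a plain double-quoted literal; both are built via `eval` so the string really is a parse-time literal rather than a runtime variable.

```ruby
require 'benchmark'

# Constructed probe lengths (bytes) and iteration count; tune for your machine.
LENGTHS = [1, 8, 64, 512, 4096].freeze
ITERATIONS = 20_000

# Time +iterations+ constructions of a +len+-byte string two ways:
#   :literal     -> "aaaa..."             (assumed "processed string")
#   :constructor -> String.new("aaaa...") (assumed "constructor with literal")
# Returns elapsed seconds for each form.
def measure_string_init(len, iterations = ITERATIONS)
  payload = 'a' * len
  # Build each form as source text so the payload is a genuine literal.
  literal_proc     = eval(%(proc { "#{payload}" }))
  constructor_proc = eval(%(proc { String.new("#{payload}") }))
  {
    literal:     Benchmark.realtime { iterations.times { literal_proc.call } },
    constructor: Benchmark.realtime { iterations.times { constructor_proc.call } }
  }
end

# Sweep the probe lengths; ratio > 1.0 means the constructor form was slower.
def sweep(lengths = LENGTHS, iterations = ITERATIONS)
  lengths.each_with_object({}) do |len, out|
    t = measure_string_init(len, iterations)
    out[len] = t.merge(ratio: t[:constructor] / t[:literal])
  end
end

if __FILE__ == $PROGRAM_NAME
  sweep.each do |len, t|
    printf("len=%5d literal=%.4fs constructor=%.4fs ratio=%.2f\n",
           len, t[:literal], t[:constructor], t[:ratio])
  end
end
```

The crossover point, if any, depends on the Ruby version and allocator, so run the sweep on the interpreter you ship with rather than trusting a single published number.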
Check back later for the final 2009 Blog Rewind and the most read post of 2009!
As we take a look back at 2009, our next two posts were read tens of thousands of times, both talking about protocol reverse engineering. The first post, written by Dustin D. Trammell, took a look at "Automated Protocol Reverse Engineering":
In my research into this discipline I have come across a number of techniques for automating the task of protocol reverse engineering. No one solution offers a 'silver bullet' that magically produces a protocol specification of an unknown protocol, but various automated techniques combined with manual processes can come rather close to this lofty goal if employed against a large data set of protocol traffic and with an appropriate amount of pre-processing of that data set.
Read the full post on Automated Protocol Reverse Engineering.
Following up on Dustin's post, Tod Beardsley wrote about Manual Protocol Reverse Engineering just a week later:
Accurate, rapid analysis of proprietary binary protocols is pretty hard, requiring a familiarity with usual socket programming practices, a determined patience, and a whole lot of note-taking. Closed binary protocols are rarely as simple as ICMP ping, they often have no real documentation, and the people who do know how they work usually keep their mouths shut.
Read the full post on Manual Protocol Reverse Engineering.
As the year runs down I thought I would look back at some of our blog posts that made the biggest impact in 2009. Over the next few days I'm going to reprint portions of posts here at BreakingPoint Labs, just in case you might have missed them during the year. The list was created by examining the most read, the most shared and the most commented on posts throughout 2009.
First up was a post written in February around the testing of the Juniper SRX:
The impact of testing using real blended application traffic and live security attacks was never more apparent than at last week’s event at Juniper Networks. The company brought in Dennis Cox and other BreakingPoint experts to deliver a full day of presentations and live demos to underscore the importance of this approach to 70+ Juniper engineers and technical marketing experts.
UPDATE: Internal memo to Citibank branches released.
On the same day that the Obama administration is finally expected to appoint a new cybersecurity coordinator, it came to light that the FBI was investigating a possible theft of tens of millions of dollars from Citigroup's Citibank subsidiary. Information about the breach is sparse at the moment, but it seems to have happened several months ago and could be tied back to the "Russian Business Network", a Russian gang of cybercriminals. The details are so murky that Citigroup won't even admit it has occurred:
Joe Petro, managing director of Citigroup's Security and Investigative services, said, "We had no breach of the system and there were no losses, no customer losses, no bank losses." He added later: "Any allegation that the FBI is working a case at Citigroup involving tens of millions of losses is just not true."
If it is true, and the number of dollars stolen proves to be accurate, then nearly $300 million was stolen in the U.S. alone last year by cybercriminals. And this includes only the losses banks and other organizations have actually reported. The number is certainly much higher. Cyberattacks against U.S. businesses have gotten so bad that former White House cybersecurity director Melissa Hathaway has declared it an epidemic.
We could keep spouting out depressing numbers and the fact that attacks like this will be commonplace in 2010. But we are in the middle of the holiday season, so let's bring some of that optimistic spirit to the table. Reading The Wall Street Journal's report of the Citibank attack, one line seemed to be the silver lining:
The FBI and the National Security Agency, along with the Department of Homeland Security and Citigroup, swapped information to counter the attack, according to a person familiar with the case.
Obviously none of these agencies are publicly commenting on this attack, so we can't be sure how closely they worked together, how quickly information was shared and what they did to "counter the attack". But this is a bright spot in our fight against cybercriminals. In July of this year I wrote "Four Critical Priorities for USCYBERCOM", in which I spent much of the post urging more communication across agencies, not only to help counter any attacks, but to help prevent attacks from spreading throughout our critical infrastructure. In this case it seemingly happened.
Many folks might be surprised to see DHS and NSA working on a bank robbery. But today's bank heists not only mean millions of dollars stolen, but may also be a harbinger of broader attacks. Get in the door at Citibank and you can conceivably connect to other banks and organizations, including government agencies, doing business with the bank. It makes sense to get DHS and NSA working with the FBI right away.
Should be an interesting first day for Howard Schmidt.