iX Magazine Security Special with DAVIX

October 13th, 2008

Raffy and Jan @ DEFCON 16

After the DAVIX Visualization Workshop in Las Vegas, Christoph Puppe approached us and asked if we were interested in having DAVIX bundled with the upcoming information security special edition of the iX magazine. Since iX is a very well-established German periodical for IT professionals, we simply could not turn down such a generous offer.

Raffy, Christoph and I put our heads together and at lightning speed we wrote up an article about DAVIX. The article gives an introduction to the information visualization process and the DAVIX toolset, and features a sample analysis of checking network policy compliance using network flows captured with Argus and visualized with AfterGlow.

iX Special Edition Autumn 2008

The special edition, due to be released on October 16, comes with a multi-boot DVD with several live CDs. Apart from DAVIX there will be Avira Rescue, BackTrack 3, Damn Vulnerable Linux (DVL) and (R)ecovery (I)s (P)ossible on the disk. In particular DVL is a very interesting piece. It is a Linux distro containing as many vulnerable software packages as possible. If you are looking for a playground to train your skills or a simple way to get an environment for teaching security classes, this is it!

Blackhat/DEFCON Visualization Retrospective

September 22nd, 2008

Las Vegas - Encore, Wynn & Palazzo Towers

From a data mining and visualization perspective the conferences in Las Vegas offered a couple of highlights for me. First of all Raffy’s book Applied Security Visualization was finally launched and I had the first chance to see and hold the book with the DAVIX CD in my own hands at the bookseller booth. After hours of reviewing the book and building the live CD during the last eight months, it was a great relief that it was finally done.

I very much anticipated Greg Conti’s and Erik Dean’s talk on binary visualization (PPT Slides). Their newest tool, DanglyBytes, allows for interactive analysis of binary data in multiple views. The different views decode the data in multiple ways. There is a view that just prints the bit stream in a window while another decodes a series of bytes as RGB values. Their demo of a Windows error dump was a revelation: using a slider on one of the views they could adjust the column width of the view. While moving the slider, Google and Wikipedia images began to appear out of the noise. I am looking forward to playing around with it myself.
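To make the column-width effect concrete, here is an added example (my own illustration, not DanglyBytes or any code from the talk): it lays a byte stream out in rows of a chosen width, decodes each three bytes as an RGB pixel, and scores candidate widths by how well consecutive rows line up, which is why structure pops out of the noise once the slider reaches the data's real stride. The sample input is constructed, and all function names are assumptions.

```python
"""Added example: byte stream -> RGB rows, plus a stride (column width) scorer."""
from typing import List, Tuple
import random

Pixel = Tuple[int, int, int]


def rows_as_rgb(data: bytes, width: int) -> List[List[Pixel]]:
    """Reshape data into rows of `width` bytes; every 3 bytes form one RGB pixel.
    Bytes that do not complete a pixel are dropped; a short last row is zero-padded."""
    if width < 3:
        raise ValueError("width must hold at least one RGB triple (3 bytes)")
    usable = width - width % 3
    grid = []
    for off in range(0, len(data), width):
        row = data[off:off + usable].ljust(usable, b"\0")
        grid.append([tuple(row[i:i + 3]) for i in range(0, usable, 3)])
    return grid


def row_similarity(data: bytes, width: int) -> float:
    """Fraction of bytes equal to the byte directly above them at this width.
    A high value means consecutive rows align, i.e. `width` matches a repeating stride."""
    if len(data) < 2 * width:
        return 0.0
    matches = sum(1 for i in range(width, len(data)) if data[i] == data[i - width])
    return matches / (len(data) - width)


def best_width(data: bytes, lo: int = 3, hi: int = 40) -> int:
    """Column width in [lo, hi] with the strongest vertical alignment (the slider sweet spot)."""
    return max(range(lo, hi + 1), key=lambda w: row_similarity(data, w))


def constructed_sample(stride: int = 24, rows: int = 40, seed: int = 1) -> bytes:
    """Constructed input: one fixed row pattern repeated, with ~10% of bytes replaced by noise."""
    rng = random.Random(seed)
    pattern = bytes(rng.randrange(256) for _ in range(stride))
    out = bytearray()
    for _ in range(rows):
        out += bytes(b if rng.random() > 0.1 else rng.randrange(256) for b in pattern)
    return bytes(out)


if __name__ == "__main__":
    blob = constructed_sample()
    w = best_width(blob)
    print("best stride:", w, "pixels per row:", len(rows_as_rgb(blob, w)[0]))
```

At the wrong width the grid looks like noise; at the detected stride each row repeats the one above it, which is the same alignment that let the images surface in the demo.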

Another interesting discovery in the Blackhat vendor area was the company Lookingglass with their software as a service (SaaS) called ScoutVision. They have built an infrastructure that stores Internet meta information in a database and provides its customers with client software to access and visualize this information remotely. For well-paying customers they offer a service where clients can tie in their own IT data.

Main Entrance Caesars Palace

While preparing for the DAVIX Visualization Workshop in the CTF lounge, I saw a dude visualizing network traffic in Processing. I approached him and we started chatting about visualization. Interestingly, he knew about neither secviz.org nor DAVIX. Over the course of DEFCON I found out that many people are toying around with visualization as well, but there is no interaction between these people. This is definitely something that we should be working on over the upcoming months. I hope that DAVIX will help to connect people interested in security visualization.

On Sunday our DAVIX Visualization Workshop was on (Slides). During our introductory talk on DAVIX there were about 120 attendees. We were very surprised to see such interest although many DEFCON participants had already gone home and it was during the last three hours of DEFCON. So there is definitely potential for future activities.

DAVIX 1.0.1 Officially Launched

August 15th, 2008

After months of building and testing, the long anticipated release of DAVIX - The Data Analysis & Visualization Linux® - arrived last week during Blackhat/DEFCON in Las Vegas. It is a very exciting moment for me and I am curious to see how the product is received by the audience. So far the ISO image has been downloaded at least 600 times from our main distribution server. Downloads from the mirrors are not counted.

Applied Security Visualization

Additionally, Raffael Marty’s book Applied Security Visualization is now available in print. DAVIX was built with this particular book in mind. If you are looking for a methodology and not just a workable tool set, then the book is what you are looking for. The book covers all steps from the very basics to complete case studies and contains many hands-on examples. Therefore, the book together with DAVIX 1.0.1 is the perfect match for getting you started with security visualization. For a preview of the book’s content check out the rough cuts version.

All those eager to get their hands dirty immediately can find a description as well as the download links for the DAVIX ISO image on the DAVIX homepage. I wish you happy visualizing!

DAVIX - A Look Behind the Scene

July 19th, 2008

DAVIX Logo

Although it has been very quiet on this blog for quite a while, lots of activities in the background have been keeping me busy. During the last six months I have been working on my new pet project DAVIX that relates to my interest in security data mining and visualization. But let me start at the beginning.

While playing around with visualization I found that there are lots of tools on the net, but getting them to run can cause quite some headaches. So I thought that it would be cool to have an environment where all those tools are available ready to use. As time went by, the idea of a Linux live CD system materialized in my mind. Between Christmas and New Year, while watching 24C3 live streams in the background, I started playing around with SLAX, a modularized Slackware-based live CD system. I found it very useful for my purpose and decided to start with it as the base for the visualization live CD.

Since I knew that Raffael Marty was writing his book Applied Security Visualization, I contacted him in January 2008, told him about my project and asked which tools should be included on the CD. Raffy was hooked by the idea from the get-go and he asked me bluntly if I would do the CD for his book. Of course I agreed immediately. To get a jump start on adding visualization tools, Raffy provided me with chapter 9 of his book, which contains a list of visualization tools and instructions on how to get them running. At around the same time I got selected for the technical review board for Raffy’s book, and I alternately reviewed chapters from Raffy’s awesome book and built the CD.

Since the live CD project was nameless at the time, I thought about an appropriate name for it. After toying with a couple of ideas I came up with the name DAVIX as a short form of Data Analysis and Visualization Linux®. I also liked the reference to the biblical figure David who fought against the giant Goliath. In terms of our project it means that with the “small” live system DAVIX you fight the gigantic heaps of log files and network captures.

Las Vegas Skyline

DAVIX currently integrates about 180 software packages that contribute to about 40 high-level tools for capturing, processing and visualizing data. The project is now in its final rounds of building and testing and will officially release during Greg Conti’s Blackhat and DEFCON talks. For all of you who want first-hand experience with DAVIX, Raffy and I invite you to our DAVIX Visualization Workshop at DEFCON 16. The session will be held on Sunday, August 10th 2008 from 2 PM to 4 PM.

See you in Las Vegas!

A Visit to the Canadian Parliament and Confiscated Items

July 16th, 2008

Canadian Parliament Center Block Peace Tower

Last year I traveled through Canada. One of my stopovers was in Ottawa. Very nice friends of mine had recommended that I pay a visit to Parliament Hill and take a tour through the Center Block. To my surprise the parliament offers free tours through the buildings. So I decided to participate.

On entering the building, everybody got an airport-quality security check with x-ray and metal detector and we were asked to shut down our mobile phones. Then I enjoyed the tour through this magnificent building with stops at the House of Commons and the Senate as well as the newly renovated library.

When the tour came to an end, the guide announced further points of interest. As one of her final sentences she said that stuff which got confiscated during the security check can be collected at the desk right next to the exit of the building. I found that pretty weird. What could that be? A magnum, a rifle, a bomb, a lighter, matches? Then I let my thoughts pass…

When I moved towards the exit I observed a young guy with dreadlocks and his girlfriend in the process of collecting their confiscated goods: a pair of secateurs and a handsaw!

Blog-Tagging or How-To Push Your Blog’s PageRank

February 5th, 2007

My dear friend Raffy Marty has Blog-Tagged me. :-| Well, so far I have not heard about this. So, what is it? When you get Blog-Tagged, you have to write five not commonly known things about yourself to your blog and then you name the next five “victims”. The basic idea is that your blog readers get to know you a bit better.

So what implications or additional benefits does Blog-Tagging have? It is a way to increase your Google PageRank, which is obviously a good thing if you want to grow your audience. Since you most likely refer back to the blog which Blog-Tagged you, the original blog gets an additional backlink. When all your “victims” do the same with your blog, you get an additional five backlinks. Since not everybody knows about Blog-Tagging, additional backlinks to explanatory blogs or sites will occur.

Not being a killjoy, I will now give my five “confessions” 8-) :
