Saturday, 27 September 2003

Review of Investigative Data Mining for Security and Criminal Detection Posted

Amazon.com just posted my four star review of Investigative Data Mining for Security and Criminal Detection. From the review: "I read 'Investigative Data Mining for Security and Criminal Detection' (IDM) after attending the 2003 Recent Advances in Intrusion Detection (RAID) conference. Researchers at RAID mentioned "self-organizing maps," "neural networks," "machine learning," and other unfamiliar topics. Mena's book helped me understand these subjects...

Tuesday, 23 September 2003

Five Years Ago Today...

Five years ago today I left the information warfare planning directorate at Air Intelligence Agency and joined the Air Force Computer Emergency Response Team at then-Kelly Air Force Base in San Antonio, Texas. Back then we were part of the Air Force Information Warfare Center, tasked with monitoring all of the intrusion detection systems deployed inside border routers at Air Force installations. I was a new captain and had voluntarily attended...

What is BitTorrent?

Whenever new software appears, like the latest Knoppix (3.3 appeared yesterday), I read at Slashdot that "BitTorrent" links are available. I decided to investigate this and found myself at the BitTorrent web site. Like the pages of most developers, it's cryptic and not immediately apparent how to use the software. This Wiki page was more helpful, clueing me in to the fact that BitTorrent is a peer-to-peer file-sharing system. O'Reilly wrote about...

Try Tenable Security's NeVO before 30 Sep 03!

I downloaded the demo version of Tenable Security's NeVO today. I was unable to get it to work on Red Hat Linux 7.3 but I did install it successfully on FreeBSD 4.8 RELEASE. NeVO is a passive vulnerability scanner. It sits and watches your network for services and protocols which could be exploited by an intruder. It doesn't actively check for vulnerabilities like an assessment product might do. This is similar to Sourcefire's RNA or "Real-time Network Awareness" concept. Below is an example of NeVO's output. It's in the .nsr format produced...

Monday, 22 September 2003

Cell Phone Spam

Some overzealous activist for legalizing marijuana sent a text message spam to my cell phone last week. Someone named "Alison", claiming to be from the ACLU, sent a URL to an advocacy site. I won't publish the URL to deny her the publicity she seeks. The phone number from which the spam was allegedly sent shared the same area code and first three digi...

Suggestion for Patching Windows Dial-Up Users

Larry Seltzer makes a great recommendation for Microsoft to assist its Windows dial-up users: "One way to make things easier for dial-up users, and even broadband users in many cases, would be to issue periodic update CDs. Imagine a disc with all of the updates on it and a program, it could even be written in Windows Script Host, to check a system for which updates need to be installed, apply them in the correct order and even reboot in between. Such a program would not be hard to write. Microsoft could charge a trivial amount for the discs but...

"Snort not backdoored, Sourcefire not compromised"

I'm not going to cite the source of the rumors which prompted this story, since I don't want to give publicity to those seeking it for its own sake. Rather, I thought it important to post in its entirety a recent message Marty Roesch of Sourcefire sent to the snort-users mailing list. By the way, sign up for one of Marty's seminars, coming to a city near you. I'll see him in DC on 7 Oct. Now for Marty's post:

Date: Sun, 21 Sep 2003 20:44:11 -0400
From: Martin Roesch
To: full-disclosure@xxxxxxxxxxxxxxxx
Subject: [Snort-users] Snort not backdoored,...

Thursday, 18 September 2003

Reviews of TCP/IP Analysis and Troubleshooting Toolkit, Real 802.11 Security, and Network Performance Toolkit Posted

Amazon.com recently posted three new reviews. From the four star review of TCP/IP Analysis and Troubleshooting Toolkit, whose author provides videos of trace analysis: "As a network security monitoring analyst, I like to read network troubleshooting books. They help me understand protocols I see on the wire, usually using case studies that are far more exciting than reading dry Request For Comment (RFC) documents. "TCP/IP Analysis and Troubleshooting...

Tuesday, 16 September 2003

Project to Customize Windows

We need more projects like XPlite. This is a system to "modularize" Windows components to facilitate their removal and reinstallation, if necessary. Windows would be much easier to secure if we could install the absolute minimum number of packages to support our applications. This is why I like the FreeBSD ports system. I install a base FreeBSD OS, and load the ports tree. Within the ports tree, I add whatever I need, and the ports system only adds what's necessary to support that application. Brilliant? Perhaps -- but that's FreeBSD, and...

Verisign -- "The Value of Trust"?

I can't believe the stunt Verisign is pulling now. The screen shot says it all. Essentially, all nonexistent domain names are resolving to 64.94.110.11, which itself resolves to sitefinder-idn.verisign.com. I learned about this issue through the NANOG (North American Network Operators Group), Slashdot, this article, and Verisign's "notification". The talk I've seen involves sitefinder.verisign.com, but that resolves to 12.158.80.10 for me. I even...

Thoughts on OpenSSH Vulnerability

If you've read this blog for a while you'll notice I try not to regurgitate the day's headlines. If my brain is my RAM, this blog is my hard drive -- a place I'd like to keep stories archived. So, rather than restate the OpenSSH issues (it doesn't take much, does it?), I'd like to record this thought. How should organizations posture themselves against threats to core infrastructure? Since OpenSSH is the recommended means to administer all sorts of devices, its importance approaches that of BGP, DNS, and similar services. We're familiar with...

Monday, 15 September 2003

Good Samaritan Saves Bank's Behind

A good Samaritan who buys computers from eBay saved the Bank of Montreal's behind. According to this story: "Geoff Ellis, a 26-year-old masters student living in North York, purchased the computers last week from Ecosys Canada Inc., a computer asset-management firm in Mississauga. He paid $400 each for two powerful IBM Netfinity servers that would have cost about $5,000 new. Ellis buys, fixes up and then resells used computer equipment on eBay.com. He had posted the two machines on the popular online auction site for six hours before he noticed,...

RAID News Posted

Scroll a few pages down and you'll see I posted my thoughts on last week's RAID conference in Pittsburgh. Enj...

Sunday, 14 September 2003

Installing a Free X Server on Windows XP

I needed to export X sessions to my Windows XP laptop, so I turned to Cygwin/XFree86. In less than 10 minutes I had an xterm from a FreeBSD machine appear on my Windows XP desktop. Here's how I did it. Download and execute Cygwin setup. The Cygwin/XFree86 User's Guide gives plenty of hand-holding if you need it. I selected all of the XFree86 packages plus OpenSSH. You'll see why OpenSSH was included shortly. Once Cygwin has finished installing,...

Thursday, 11 September 2003

Happenings at TruSecure

This Register story gave details on a good virus prevalence report (available in their whitepaper library). It describes TruSecure's assessments of important viruses of the past few years. I also saw that Marcus Ranum wrote a paper on false positives while he was an "independent consultant." I then read this press release saying TruSecure hired Marcus as "Senior Scientist" on 19 Aug. Good luck Marc...

Way to Go Mike Fratto

Congratulations to Mike Fratto of Network Computing magazine for speaking the truth about the intrusion detection vs. intrusion prevention debate in two articles. First, from Inside NIP Hype ("NIP" meaning "Network Intrusion Prevention"): "NIP is not a replacement for firewalls and won't be in the foreseeable future. Why? The fundamental problem is false positives -- the potential to block legitimate traffic. Before you can prevent attacks, you have to detect them, but NIP systems rely on intrusion detection, which is hardly an exact science....

Wednesday, 10 September 2003

RAID Conference Concludes

Today I drove home from the 6th annual Recent Advances in Intrusion Detection (RAID) conference held at Carnegie Mellon University. The picture at left shows the nearby University of Pittsburgh's magnificent Cathedral of Learning, which is just about the coolest name for a building I can imagine. (It reminds me of Kwai Chang Caine's answer to a question on what he does: "I work, eat, learn.") This was my first RAID conference, and I took several pages of notes on what IDS researchers are doing. The conference began with a presentation by Richard...

Sunday, 07 September 2003

Anton Chuvakin submitted a post alerting me to an article by Gartner gadflies John Pescatore, Richard Stiennon, and Anthony Allan. From the article: "You should continue to detect intrusions. However, you shouldn't invest in stand-alone, network-based intrusion detection systems (IDSs)... by 2006, most enterprises will perform intrusion detection as part of firewall processing with next-generation firewalls... There have been enough advances in algorithms and high-speed network security processors to enable next-generation firewalls to perform...

Saturday, 06 September 2003

Slides on NSM Webcasts Posted

I recorded a second webcast on network security monitoring for SearchSecurity.com. This webcast focuses on tools to implement NSM, namely tcpdump, argus, snort, and trafd/trafshow. I talk about their use and capabilities. You can view it here. I posted the slides here. Previously I recorded a webcast on NSM theory with my friend Bamm Visscher, lead author of Sguil. You can view it here or here and read answers to questions submitted by listeners....

IT Security Hottest Job

Challenger, Gray & Christmas named "IT Security" the "hottest" job for 2003 and 2004, according to this EarthWeb.com article. From the story: "The post of chief privacy officer just got the nod for the highest-paying hot job, bringing in an average salary of $122,360. An IT manager or security manager came in ninth on the list of high-paying hot jobs with an average salary of $91,470. Security is simply hot this year. The security industry came in second, just behind preventative health care, for the hottest industry of this year and next....