Friday, 31 October 2003

Foundstone Wants YOU!

Looking for a security consulting job in the Washington, DC area? Foundstone is hiring senior consultants. If you're interested, email me at jobs [at] taosecurity [dot] com with your resume. We've got other positions open across the company too. Check them out here -- sales, engineering, public relations, and so on need help. Again, email me your resu...

Thursday, 30 October 2003

Microsoft "Threats and Countermeasures" Guide

Microsoft published a new "Threats and Countermeasures Guide" (.exe, expands to .pdf) last month. Using my digital risk definitions provided by the Dynamic Duo (below), here's my evaluation of how well Microsoft uses the "threat" term in its new guide. A baseball analogy is used. Proper use of the term "threat" is bolded. "Securing your network environment requires that strong passwords be used by all users. This helps avoid the threat of an unauthorized user guessing a weak password through either manual methods or tools to acquire the credentials...

Orbitz Hacked; Watch Your Credit Cards

CNet reports that Orbitz was compromised, stating "Orbitz has notified law enforcement authorities about a recent security breach that has resulted in its customers' e-mail addresses falling into the hands of spammers." Apparently Orbitz is trying to dodge the California notification law by claiming "no indication that credit card information had been compromised." Orbitz users are reporting receiving spam to email addresses used only at Orbitz. I am an Orbitz user, but the email address I use isn't exclusively for Orbitz. However, I hardly...

Wednesday, 29 October 2003

FreeBSD 4.9 Released Today

FreeBSD 4.9 was released today. Because I may use this OS as the platform for all tools in my Tao of Network Security Monitoring book, I bought a four-CD set from FreeBSD Mall that contains packages for the OS. It's also a small way to support the development of this free, open source OS. I'm hoping FreeBSD 5.2 will be released before the end of the year, since I'd prefer to write the book using that as my platfo...

Tuesday, 28 October 2003

"Words Matter" -- To the Tune of $200 Billion

No, I'm not talking about a lame class-action lawsuit or an outrageous punitive damages award. $200 billion refers to the "$150 billion spent building unnecessary telecoms networks in America and another $50 billion in other parts of the world," according to a statement by Andrew Odlyzko, quoted in a recent Economist survey (subscription required). Mr. Odlyzko wrote many papers debunking the myth of explosive Internet growth. My favorite professor at the JFK School of Government, Phil Zelikow, counseled his students that "words matter." In...

New Spam?

Here's an email I received today. It reports I've been signed up for a mailing list and asks me to unsubscribe if I didn't sign up for the mailing list. Legitimate mailing lists tell you to ignore the message and do nothing if you didn't sign up. It looks like the mailing agent belongs to h24-71-223-11, who I guessed was 24.71.223.11. That IP resolves to h24-71-223-11.cg.shawcable.net. That machine is offering a mail server on port 25: 220 pd2mi3so.prod.shaw.ca -- Server ESMTP (iPlanet Messaging Server 5.2 HotFix1.18 (built Jul 28 2003)) However,...

SB 1386 Impotent While CardCops Monitor for Your Card

Kevin Poulsen wrote another excellent article at SecurityFocus. He describes how no one has reported compromise of consumer credit card data in the four months since California's SB 1386, now enshrined in the state's civil code as 1798.29 and 1798.82-1798.84, was enacted. This is not unexpected. How can the authorities know who was compromised? It takes months to years for companies to make such discoveries on their own. The most interesting aspect of the article is the mention of CardCops.com, which "offers consumers a paid notification service,...

Monday, 27 October 2003

The Dynamic Duo Discuss Digital Risk

I've been reading books and looking at product literature which discuss "security," "risk," "threat," and "vulnerability," each with a different definition. I don't think these terms are difficult to understand. I wrote the hopefully amusing vignette below to communicate my understanding of these terms. At least it won't bore you!

Meanwhile, at the Hall of Justice...
BATMAN: Robin, why the puzzled look?
ROBIN: Sorry, Batman.
B: Are my Bat Ears crooked again?
R: No, Batman. I've been reading some books and vendor marketing literature on security,...

Friday, 24 October 2003

What is Extrusion Detection?

Yesterday, reading a brief article by Robert Moskowitz, I noticed the term "extrusion detection": "There's no sure way to track spying data that leaves your network. Perhaps the next big security tool will be outward-bound--extrusion-detection systems." Searching the Web, I found Moskowitz mentioned the term four years ago, in this 29 Nov 99 article: "What you need is a reversed IDT (intrusion-detection tool), and perhaps an EDT (extrusion-detection tool) that will perform automatic searches for your own metatags..." However, Frank Knobbe has him beat,...
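The two quotes above describe extrusion detection in terms of what leaves the network: a "reversed" IDS watching outbound traffic, and searches for your own "metatags" in that traffic. Here is an added example of both ideas over a handful of constructed outbound flow records; it is not code from the post or from either author. The internal address ranges, the allowed partner host, the planted metatag strings, the volume threshold and the flow records are all assumptions made up for the illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed site policy (not from the original post): what counts as "inside",
# which external hosts are expected to receive bulk data, and the metatag
# strings planted in sensitive documents so a copy can be recognised in transit.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
ALLOWED_EXTERNAL = {ipaddress.ip_address("203.0.113.10")}   # hypothetical partner host
METATAGS = [b"ACME-CONFIDENTIAL-7f3a",
            b'<meta name="x-origin" content="acme-internal">']
BYTES_THRESHOLD = 5_000_000   # bytes per (src, dst) pair before a volume alert fires

# Constructed sample flows as an egress sensor might record them:
# (src, dst, dst_port, bytes_out, payload_excerpt)
SAMPLE_FLOWS = [
    ("10.1.2.3",    "203.0.113.10",  443, 120_000,    b"GET /index.html"),
    ("10.1.2.3",    "198.51.100.77", 80,  3_000_000,  b"POST /upload ACME-CONFIDENTIAL-7f3a q3-plan.doc"),
    ("10.1.2.3",    "198.51.100.77", 80,  3_000_000,  b"POST /upload part2"),
    ("192.168.5.9", "198.51.100.5",  25,  4_000,      b"MAIL FROM:<bob@example.internal>"),
    ("10.9.9.9",    "10.9.9.10",     445, 50_000_000, b"SMB internal replication"),
]

def is_internal(ip):
    """True if the address falls in one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def detect_extrusions(flows):
    """Reversed-IDS logic: only internal -> external flows are examined.
    Two detections: a planted metatag seen leaving (content-based), and
    cumulative outbound volume to a non-allowlisted external host (volume-based).
    Returns a list of (kind, src, dst, dst_port, detail) tuples."""
    alerts = []
    volume = defaultdict(int)
    for src, dst, port, nbytes, payload in flows:
        if not is_internal(src) or is_internal(dst):
            continue                      # inbound and internal-only traffic is out of scope
        pair = (src, dst)
        volume[pair] += nbytes
        for tag in METATAGS:
            if tag in payload:
                alerts.append(("metatag", src, dst, port, tag.decode()))
        if (volume[pair] >= BYTES_THRESHOLD
                and ipaddress.ip_address(dst) not in ALLOWED_EXTERNAL):
            alerts.append(("volume", src, dst, port, volume[pair]))
            volume[pair] = 0              # re-arm the counter after alerting
    return alerts

if __name__ == "__main__":
    for alert in detect_extrusions(SAMPLE_FLOWS):
        print(alert)
```

On the sample data the second flow trips the metatag check and the third pushes the same source/destination pair over the volume threshold; the partner host and the internal SMB transfer produce nothing. A real sensor would see reassembled streams rather than excerpts, and the metatag search would need to handle compression and encoding, which this example does not attempt.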

Wednesday, 22 October 2003

Foundstone Publishes White Paper on Integrating Vulnerability Assessment with Incident Response

A few months back I wrote a paper for my employer, Foundstone, on how we used the Foundstone software product (previously called "Foundscan," now known as "Foundstone Enterprise") when doing incident response. We found that after collecting IR data (not before, as some advocate) we could determine if the remediation action we recommended would be worthwhile. It's no use discovering an intruder has gained access via an unpatched IIS vulnerability if the organization also runs unpatched versions of OpenSSH! This whitepaper describes how best to...

Will Companies Let U Penn Collect Monitoring Data?

Thanks to the SANS Newsbites, I just read a fascinating article by Dan Verton at Computerworld. He reports that insurer AIG "will offer discounted insurance rates to customers that deploy security sensors being developed by the Cyber Incident Detection & Data Analysis Center." CIDDAC, which doesn't have a web site I could find, consists of AdminForce LLC, Air Products and Chemicals, the U.S. Department of Justice, the Electric Power Research Institute, General Motors Acceptance Corp., Harvey & Mortensen Attorneys at Law, Independence...

Reliable Software Group Posts New Snort Code

Chris Kruegel wrote in focus-ids of a project called Alert Verification by William Robertson. According to the project description: "The verification component of the system is currently implemented as a set of NASL scripts mapped to Snort rules by CVE IDs. When a rule is triggered, the suspect packet and associated event data is queued for verification. A separate thread processes queued unverified alerts by running an associated NASL script against the target host to test for the presence or absence of the vulnerability corresponding to the...
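The project description above maps Snort rules to checks by CVE ID and runs a check against the target after a rule fires, so that an alert can be marked as hitting a host that is actually vulnerable. The Foundstone paper two posts up asks the related question: once you know which hole the intruder used, does fixing it close the exposure, or does the host have other holes? Both questions need the same thing, a per-host view of known vulnerabilities, so one added example below serves both. It is not the Alert Verification project's code and not Foundstone's; the three rules, the four "fast"-format alerts and the per-host vulnerability inventory are constructed here, and the inventory stands in for what a NASL script or a vulnerability scan would return against a live host.

```python
import re

# Constructed Snort-style rules (simplified, not the project's own). The
# verification component keys on the CVE reference and the sid.
SAMPLE_RULES = """
alert tcp any any -> any 80 (msg:"WEB-IIS cmd.exe access"; content:"cmd.exe"; reference:cve,2001-0333; sid:1002; rev:5;)
alert tcp any any -> any 22 (msg:"EXPLOIT ssh CRC32 overflow"; reference:cve,2001-0144; sid:1324; rev:3;)
alert tcp any any -> any 80 (msg:"WEB-MISC probe"; sid:9999; rev:1;)
"""

# Constructed alerts in Snort "fast" output format.
SAMPLE_ALERTS = """
10/22-12:00:01.000000 [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 192.0.2.50:4444 -> 10.0.0.5:80
10/22-12:00:02.000000 [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 192.0.2.50:4445 -> 10.0.0.6:80
10/22-12:00:03.000000 [**] [1:1324:3] EXPLOIT ssh CRC32 overflow [**] [Priority: 1] {TCP} 192.0.2.51:1111 -> 10.0.0.5:22
10/22-12:00:04.000000 [**] [1:9999:1] WEB-MISC probe [**] [Priority: 3] {TCP} 192.0.2.52:2222 -> 10.0.0.5:80
"""

# Constructed stand-in for the NASL checks / scan results: the CVEs each host
# is known to be vulnerable to. A host absent from the table was never checked.
VULN_INVENTORY = {
    "10.0.0.5": {"CVE-2001-0333", "CVE-2001-0144"},
    "10.0.0.6": set(),   # IIS on this host is patched
}

def parse_rules(text):
    """Map sid -> set of CVE IDs referenced by the rule."""
    sid_to_cve = {}
    for line in text.strip().splitlines():
        m = re.search(r"sid:(\d+);", line)
        if not m:
            continue
        cves = {"CVE-" + c for c in re.findall(r"reference:cve,([0-9]{4}-[0-9]+);", line)}
        sid_to_cve[int(m.group(1))] = cves
    return sid_to_cve

ALERT_RE = re.compile(r"\[\d+:(\d+):\d+\] (.*?) \[\*\*\].*?-> (\d+\.\d+\.\d+\.\d+):(\d+)")

def parse_alerts(text):
    """Pull sid, message, destination host and port out of each fast-format line."""
    out = []
    for line in text.strip().splitlines():
        m = ALERT_RE.search(line)
        if m:
            out.append({"sid": int(m.group(1)), "msg": m.group(2),
                        "dst": m.group(3), "dport": int(m.group(4))})
    return out

def verify(alerts, sid_to_cve, inventory):
    """Tag each alert: 'verified' if the target has a vulnerability the rule
    references, 'unverified' if the target is known not to, and 'unknown' if
    the rule carries no CVE or the target was never checked."""
    for a in alerts:
        cves = sid_to_cve.get(a["sid"], set())
        host_vulns = inventory.get(a["dst"])
        if not cves or host_vulns is None:
            a["status"] = "unknown"
        elif cves & host_vulns:
            a["status"] = "verified"
        else:
            a["status"] = "unverified"
    return alerts

def remaining_exposure(inventory, host, fixed_cves):
    """The IR question: after patching the hole the intruder used, which
    other known vulnerabilities remain on the host?"""
    return sorted(inventory.get(host, set()) - set(fixed_cves))

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for a in verify(parse_alerts(SAMPLE_ALERTS), rules, VULN_INVENTORY):
        print(a["status"].ljust(10), a["dst"], a["msg"])
    print("still exposed on 10.0.0.5 after fixing CVE-2001-0333:",
          remaining_exposure(VULN_INVENTORY, "10.0.0.5", ["CVE-2001-0333"]))
```

With the constructed data, the IIS alert against 10.0.0.5 and the SSH alert are verified, the same IIS signature against the patched host 10.0.0.6 is unverified, and the probe rule without a CVE cannot be checked at all. The last line answers the whitepaper's question for 10.0.0.5: patching the IIS hole still leaves the SSH one.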

Hacker History and Pictures

I found a site with two cool features. First, it offers a Hacker Pictures section showing famous people from the "scene" with short bios. Now you can see the "faces in front of the monitors." Second, there's a very up-to-date Hacker History page. The site, WBG Links, offers news and links as we...

Rudy Giuliani, White Hat?

Recently former NYC mayor Rudy Giuliani announced a partnership with Ernst & Young to offer digital security consulting. This follows last year's alliance with Giuliani's own consulting practice. Here's the best part of the story: Competitors of the new enterprise greeted Mr. Giuliani into their midst warily. "What is he really bringing to the table as far as the security business part of it?" asked Chris Wysopal, the director of research and development for @stake, a company that also provides so-called white-hat hacking services. "I'm...

Tuesday, 21 October 2003

Hit By Credit Card Fraud Again

I just became a victim of credit card fraud for the second time in two years. My bank called to ask if I had made a purchase of approximately $59.97 to Proflowers.com today. I told them I had not, and they replied I was a victim of credit card fraud. I asked how they knew so quickly, since the amount was low and not exactly outside the realm of normal activity. The security rep said that charges to Proflowers.com were getting additional scrutiny. I called Proflowers.com but they would not give me any other details. I have two pieces of...

NetScreen Announces Deep Packet Inspection Firewalls

Trying to make Gartner's dreams come true, NetScreen announced new "deep inspection firewalls," prompting "Richard Stiennon, vice president of research at Gartner, Inc., [to say] 'because of the new worms, malicious code and cyber attacks that are now targeting application weaknesses and more applications and protocols are tunneling through firewalls, firewalls must provide a wider range of intrusion prevention capabilities along with advanced centralized management functionality.'" Only The Register reported the cost of running such a system...

New Security Organizations One Year After Attacks on Root Name Servers

A couple of new security organizations have been created in the last month. First, the US-CERT was announced last month. I see a lot of talk about "information sharing," but I'm not sure how that's different from what the CERT at Carnegie Mellon does. This article mentions how the National Cyber Security Division of the Department of Homeland Security is "taking the lead on a cybersituation awareness project that can conduct near-real-time analysis of incident data nationwide... The division is currently working with SRI International, Symantec...

Monday, 20 October 2003

Dogs, Street Children and Hackers

Is that the name of the newest pop group? No, it's how Varujan Pambuccian, Romanian lawmaker and former programmer, describes his country in this article on Romanian hackers. I've tangled with these guys before, but it sounds like their country's officials are cracking down. From the story: "Computer crime flourished in Romania because the country lacked a cybercrime law until earlier this year, when it enacted what may be the world's harshest. The new law punishes convicts with up to 15 years in prison — more than twice the maximum for rape....

PBS Frontline Program on "Cyberwar"

This story summarizes a speech made by John Arquilla, co-director of the Center on Terrorism & Irregular Warfare at the Naval Postgraduate School in Monterey. Arquilla advocates building a "Corp of Hackers," saying "We have to re-examine that punitive approach to the hacking community, and try, instead, to turn it into something that can be useful, and perhaps even to reform some of these people away from their own illegal actions." I'd never heard of this guy, and was skeptical when the article stated "Arquilla... helped develop the offensive...

Surveillance Cameras Invade Privacy, Provide Little Security

An article at MSNBC makes excellent points regarding the ineffectiveness of surveillance cameras in the United Kingdom. From the story: "Very little evidence shows that speed cams reduce road deaths or that CCTV deters crime. It's only on the rare occasion that CCTV helps police catch criminals... Instead, there's an overwhelming feeling that too often surveillance is used not to make the country safer but to monitor innocent people and, in the case of speed cams, raise much-needed tax revenues. 'There's this notion starting to build in countries...

Saturday, 18 October 2003

ISS Announces "Proventia" Products

Internet Security Systems launched a new product line this week, called the Proventia "all-in-one protection product." From the press release: "Today Proventia unifies firewall, virtual private network (VPN), anti-virus, intrusion detection and prevention into one engine, under one management system, to protect at the network and the gateway. In the future, Proventia will add application protection, content filtering and anti-spam functionality to the unified engine to extend protection across servers, desktops and laptops. Proventia's simplified...

Thursday, 16 October 2003

Review of Intrusion Detection Posted

Amazon.com just posted my five star review of Intrusion Detection. I read this book as background for my forthcoming The Tao of Network Security Monitoring and was pleasantly surprised. This isn't a book for practitioners looking to operate intrusion detection systems or interpret event data from systems. However, the book provides a nice historical backdrop on the problems that have existed for decades in computer security. From the review: "Three...

Microsoft Windows Security Guides

Clients often ask for resources on Windows security, like checklists or guides. The NSA guides are frequently cited, and apply to routers, SQL Server 2000 and Oracle 9i Database Server. The Center for Internet Security offers many free benchmark documents. After seeing this article I went to the source at microsoft.com. I found these resources:

NT 4 Server Security Resources
Maintain Security with Windows 2000
Maintain Security with Windows Server 2003

I'm trying to find a newsgroup which posts customer experiences installing new hotfixes and...

Wednesday, 15 October 2003

Review of Incident Response, 2nd Ed Posted

Amazon.com just posted my five star review of Incident Response and Computer Forensics, 2nd Ed. From the review: "IRCF2E is one of the few books in print where the word 'forensics' deserves to be on the cover. Many prominent 'forensics' titles deliver nothing useful to practitioners. As was the case with the first edition, investigators can use IRCF2E in operational environments to do real work. This book lays much of the groundwork for doing cases....

Marcus Ranum Rants Online and Offline

Marcus Ranum is one of the smartest security guys around. A few weeks ago he redesigned his web site in preparation for publication of his new book The Myth of Homeland Security. I hope to get a review copy. Marcus' comment in the latest edition of SANS Newsbites alerted me to his criticism of the so-called "computing monoculture" problem. He points out that the Computer & Communications Industry Association, which funded the "Cyber Insecurity" report (.pdf) that got Dan Geer fired, consists of "Sun Microsystems, Fujitsu, Nokia, Nortel...

Yen-Ming Chen's Blog

My friend Yen-Ming Chen sent me a link to his blog the other day. He's also a security consultant with Foundstone, and he updates his blog regular...

Osiris File Integrity Checker

Has anyone tried Osiris, an open source file integrity management system for Windows and UNIX? I like the fact that it runs on Windows and there's a ports tree entry for FreeBSD. At some point I'll try ...

Paper on Windows Memory Forensics

Fellow co-author of Real Digital Forensics Curtis Rose wrote a whitepaper titled Windows Live Incident Response Volatile Data Collection: Non-Disruptive User & System Memory Forensic Acquisition. Curtis used these techniques when we performed analysis for our book, so check out his paper for a preview....

NIST Releases New Security Guidelines

FCW reports NIST has released five new security publications:

SP 800-35, Guide to Information Technology Security Services
SP 800-36, Guide to Selecting Information Security Products
SP 800-42, Guideline on Network Security Testing
SP 800-50, Building an Information Technology Security Awareness and Training Program
SP 800-64, Security Considerations in the Information System Development Life Cycle

Of these the first two are probably of most interest to security vendors. Customers frequently have no idea what to buy or how to make decisions, so they...

Gartner Warning Makes Sense

I've given Gartner grief for their "IDS is dead" message, but I just read a short document they produced on security reporting requirements: "On 9 October 2003, U.S. Homeland Security Secretary Tom Ridge stated that the U.S. government may require publicly traded companies to disclose details of their information security readiness to the Securities and Exchange Commission (SEC). The Department of Homeland Security plans to work with the SEC to develop requirements for the inclusion of security information in financial reporting; the U.S. Congress...

IDS Review Addresses Issues That Matter

Too many reviews of intrusion detection systems (IDS) focus on the pretty colors, blinking red lights, and other worthless aspects of popular products. A new review by Joel Snyder, David Newman and Rodney Thayer of five IDS products is a breath of fresh air. First, they have a clue: "Gartner's analysis, unfortunately, is based on a profound misunderstanding of what network IDSs are good for and who should use them. Many network managers, and the analysts at Gartner, have put network IDS in the same bucket as firewalls: a technology designed to protect...

National Security Archive Online

My wife discovered George Washington University's National Security Archive. The Intelligence section is interesting as it contains a declassified copy of United States Signals Intelligence Directives, specifically USSID 18. From the description of the documents: "The version of USSID 18 currently in force was issued in July 1993 and 'prescribes policies and procedures and assigns responsibilities to ensure that the missions and functions of the United States SIGINT System (USSS) are conducted in a manner that safeguards the constitutional rights...

Tuesday, 14 October 2003

Comcast ISP Troubles

Connectivity to Taosecurity.com is intermittent due to Comcast network issu...

Monday, 13 October 2003

Understanding Legal Issues of Network Monitoring

While reading the recently published second edition of Incident Response and Computer Forensics, I noticed the legal material hadn't been updated. I visited the Electronic Privacy Information Center (EPIC) to get their take on legal restrictions on monitoring. Their USA PATRIOT Act page is extremely useful. To actually read the PATRIOT Act, I suggest going to a .gov source like the Government Printing Office. Search for "public law 107-56" (PATRIOT was passed by the "107th Congress") and you'll find the law (text or .pdf). From the EPIC PATRIOT...

Sunday, 12 October 2003

Information Security Education

After reading this dire Register.co.uk story on outsourcing IT jobs overseas, I checked out the NSA's National INFOSEC Education & Training Program. It lists 50 universities designated as Centers of Academic Excellence in Information Assurance Education. I noticed George Mason University (near my home) is listed, and offers a MS in Information Security and Assurance and a Ph.D. Concentration in Information Security and Assurance. I wonder what it would be like to take a course like STAT 789 - Advanced Topics in Statistics: Computer Intrusion...

A Lesson on Indications and Warning

I read a fascinating but scary Economist article titled Peril on the Sea. It presents classic examples of "indicators" that can be used to formulate intelligence "warnings" for decision-makers. (Indications and warning is defined in the DOD Dictionary of Military and Associated Terms. Definitions are taken from the DOD Joint Electronic Library's Joint Publication 1-02 [.pdf].) From the Economist article: "According to a new study ("Security in Maritime Transport: Risk Factors and Economic Impact" [.pdf, overview]) by Aegis Defence Services,...

Review of SQL Server Security Posted

Amazon.com just posted my five star review of SQL Server Security. As usual, the review appears first on my reviews page, but it should appear on the book page soon. From the review: "'SQL Server Security' (SSS) is a great security book, free of the bloat that affects both operating systems and many technical volumes. Weighing in at 322 pages, it's packed with the detail needed to securely deploy Microsoft SQL servers. Although many people contributed...

Saturday, 11 October 2003

Beware the Beast

Securityfocus.com offers a fascinating story that combines hacking, spamming, identity theft, and financial fraud. According to Kevin Poulsen: "Dinh was the unhappy owner of $90,000 in "put" options that could have delivered a hefty payoff if Cisco Systems Inc. stock drooped below $15.00 a share-- but instead were close to expiring worthless. Rather than eat the loss, Dinh allegedly constructed an electronic shell game to offload the contracts on an innocent dupe. Dinh built a list of targets by posting innocuous queries as "Stanley Hirsch" to a...

Working as an Independent Contractor

While reading Network Computing, I found useful advice in the Career Coach column. If you want to be an independent contractor, how do you handle taxes, health insurance, and other services provided by traditional employers? NWC writer Lorna Garey suggests readers check the SOHO Resource Group, which was linked from Techies.com. Lorna writes: "The SOHO Resource Group, for example, which partners with Techies.com, will redirect your 1099 (self-employed/contractor)...

Tuesday, 07 October 2003

Sourcefire Redefines Intrusion Detection

This morning Marty Roesch, CTO and founder of Sourcefire, launched a new road show, sponsored by IBM, to describe his company's Real-time Network Awareness technology. Here are my notes on Marty's talk, which he began by noting that "Sourcefire is a security company," not just an IDS company. What follows are Marty's main points, regardless of whether I agree or not. Any personal commentary is specifically noted.

Company

As a company, Sourcefire...

Saturday, 04 October 2003

SRI Patent on "Hierarchical event monitoring and analysis"

I was doing research for my book "The Tao of Network Security Monitoring" and learned SRI was awarded a patent on 19 Nov 02 for "Hierarchical event monitoring and analysis." It's patent 6,484,203 and says: "A computer-automated method of hierarchical event monitoring and analysis within an enterprise network including deploying network monitors in the enterprise network, detecting, by the network monitors, suspicious network activity based on analysis of network traffic data selected from the following categories: {network packet data transfer...

New Wireless Access Point

Shortly I'll report on my experiences with a new 802.11b wireless access point. I bought a ZyAIR B-2000 Wireless LAN Gateway with 4-port Switch, based partly on the good review linked from Practically Networked. I like the product's serial port, support for syslog event reporting, and future support via firmware upgrade for Wi-Fi Protected Access. I use a WAP built by SMC, but I fear it may be failing. The wired LAN side hasn't worked properly for years, and now my wireless signal is degrading abnormally. A book I'm perusing suggests three vendors...

CERT Publishes Report on CSIRTs

The CERT just published a new document titled "State of the Practice of Computer Security Incident Response Teams" (.pdf). This is a massive 276 page document which should help define CSIRT roles in the security community. I seem to remember taking part in a study like this when I worked at the AFCERT. I remember doing phone interviews with CERT and having visitors interview me and my cre...

Link Between Viruses and Organized Crime?

This story explores possible links between viruses and organized crime. My buddy Mike Shema is quoted: "'That is definitely a legitimate concern,' said Michael Shema, a widely recognized expert on Internet security and author of two books on the hacker mentality. Shema said there is considerable evidence to support what otherwise would be romantic conspiracy theories about the connection of viruses to the world of organized cri...

Friday, 03 October 2003

Hacker High School Asks for Help

I received an email recently from Pete Herzog, Managing Director of the Institute for Security and Open Methodologies (ISECOM). I wrote about this group on 25 Aug. Pete is looking for assistance with his Hacker High School project. Pete writes: "HHS is a non-profit, grassroots program originally designed as an after school computer club; however, with its 10 lesson workbooks, it can easily stand on its own as a small course, integrated into a course, or as a college study program for interested students. HHS exists as a learning tool for Security...

Earth Station Five Back Door

On 28 Aug I reported on Earth Station Five. I just read this post claiming a back door of sorts in ES5's peer-to-peer file sharing client. From the post: "There exists malicious code in ES5.exe's 'Search Service' packet handler. By sending packet 0Ch, sub-function 07h to the 'Search Service''s IP:Port, a remote attacker could delete any file the user is sharing. If the remote attacker uses "filenames" with a relative path in them (eg. '..\..\..\WINDOWS\NOTEPAD.EXE'), the remote attacker could also delete files in eg. the windows and windows\system32...
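The quoted post describes a delete handler that takes a peer-supplied file name and acts on it, so a name containing '..' components walks out of the shared directory. The example below is added here and is not ES5's code (which is not public) or the post author's; it contrasts the blind join the post describes with two confined versions. The share root C:\Shared, the shared file names and the request strings are assumptions. It uses Python's ntpath module so the Windows path semantics (backslashes, drive letters, rooted paths) are reproduced on any platform.

```python
import ntpath

SHARE_ROOT = r"C:\Shared"          # hypothetical share directory, an assumption

def resolve_trusting(share_root, requested):
    """The behaviour the post describes: join the peer-supplied name as-is.
    '..' components in `requested` are honoured, so the result can lie
    anywhere on the drive."""
    return ntpath.normpath(ntpath.join(share_root, requested))

def resolve_confined(share_root, requested):
    """Resolve a peer-supplied name and refuse anything that does not stay
    under the share. Returns the resolved path, or None to reject.
    Handles '..' traversal, rooted names ('\\WINDOWS\\...'), other drives
    ('D:\\...') and the empty name."""
    root = ntpath.normpath(share_root)
    candidate = ntpath.normpath(ntpath.join(root, requested))
    try:
        common = ntpath.commonpath([root, candidate])
    except ValueError:              # paths on different drives
        return None
    if ntpath.normcase(common) != ntpath.normcase(root):
        return None                 # escaped the share
    if ntpath.normcase(candidate) == ntpath.normcase(root):
        return None                 # the share directory itself is not a shared file
    return candidate

def build_share_table(share_root, names):
    """Stronger still: index what the user actually shares once, and let the
    protocol name only entries of that table, never paths."""
    return {n: ntpath.normpath(ntpath.join(share_root, n)) for n in names}

def handle_delete(table, requested):
    """Delete-by-name handler that only acts on known shared entries.
    Returns ('deleted', path) or ('rejected', requested); the real
    os.remove is left out so the example is safe to run anywhere."""
    path = table.get(requested)
    return ("deleted", path) if path else ("rejected", requested)

if __name__ == "__main__":
    evil = r"..\..\..\WINDOWS\NOTEPAD.EXE"
    print("trusting :", resolve_trusting(SHARE_ROOT, evil))
    print("confined :", resolve_confined(SHARE_ROOT, evil))
    print("confined :", resolve_confined(SHARE_ROOT, r"music\song.mp3"))
    table = build_share_table(SHARE_ROOT, ["song.mp3", r"music\album.mp3"])
    print(handle_delete(table, "song.mp3"))
    print(handle_delete(table, evil))
```

The trusting resolver turns the post's example name into C:\WINDOWS\NOTEPAD.EXE; the confined resolver rejects it, and a share table removes the path question from the network protocol entirely, which is the design a file-sharing client should have had in the first place.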

Thursday, 02 October 2003

How Best to Keep Operating Systems Current?

I'm surprised at the lack of information on how to keep current patches on large-scale enterprise deployments of operating systems and applications. Most documentation targets single machines. I was happy to find the Infrastructures.org site, which is dedicated to "the standardized tooling needed for mass customization within IT." The site houses cfengine, "an autonomous agent and a middle to high level policy language for building expert systems which administrate and configure large computer networks." This looks promising but complicated...

Building a Trusted Apple Operating System

At the IATF conference (see below) a member of the Secure Trusted Operating System Consortium spoke with Keith Jones and me. This group is trying to build a "trusted" operating system using the underlying Apple Darwin operating system. Being a BSD fan, I should give the OpenDarwin OS a try. The main obstacle appears to be limited hardware support, although I expect that to improve. Thankfully, on the software side there is a Darwin Ports project...

IATF Forum Brings Government and Industry Together

Today I attended my first meeting of the Information Assurance Technical Framework (IATF) Forum. The IATF is organized by the National Security Agency (hi guys) to foster discussion among developers and users of digital security products. The Federal government is heavily represented. I attended in a role as a security vendor with Foundstone. Today's meeting focused on Protection Profiles for intrusion detection systems. According to the Common Criteria, a Protection Profile (PP) is "an implementation independent statement of security requirements...