Friday, 31 October 2003
Foundstone Wants YOU!
We've got other positions open across the company too. Check them out here -- sales, engineering, public relations, and so on need help. Again, email me your resume.
Thursday, 30 October 2003
Microsoft "Threats and Countermeasures" Guide
- "Securing your network environment requires that strong passwords be used by all users. This helps avoid the threat of an unauthorized user guessing a weak password through either manual methods or tools to acquire the credentials of a compromised user account." Comment: Bravo. A threat is a party with capabilities and intentions, and an unauthorized user as described fits that model. One man on base.
- "Because vulnerabilities can exist both when this value is configured, as well as when it is not, two distinct countermeasures are defined. Any organization should weigh the choice between the two based on their identified threats and the risks that they are trying to mitigate." Comment: Again, excellent. Two men on base.
- "Blank passwords are a serious threat to computer security and they should be forbidden through both corporate policy and suitable technical measures." Comment: That's the first out! Microsoft should have used the term "vulnerability," meaning blank passwords are a weakness that can be exploited.
- "The threat is that a globally visible named object, if incorrectly secured, could be acted upon by a malicious program which knew the name of the object." Comment: Out number two! Again, Microsoft should replace "threat" with "vulnerability." The "malicious program" is the real threat.
- "This setting turns a repudiation threat (a backup operator could deny that they backed up or restored data) into a denial of service (DoS) vulnerability because a server could be forced to shut down by overwhelming it with logon events." Comment: This is awkward, as it mentions "threat" and "vulnerability" in the same sentence. However, clarifying that the threat is "a backup operator" shows proper usage of the term. Microsoft loads the bases.
- "One potential threat is that of a user or users accidentally or deliberately filling the storage volume with data by causing an application log file to fill up the drive or by uploading files to the server." Comment: Another close call. The user is actually the threat, and the vulnerability is the weakness in design or configuration which allows that user to fill up the volume. I'll call that an RBI so Microsoft has a run on the board!
- "The second potential threat is that of directory traversal exploits, in which an attacker takes advantage of a bug in a network service to navigate up the directory tree to the root of the system volume." Comment: Another RBI! This context is shaky as an exploit is actually a tool, and not a threat in and of itself. However, the context mentions an attacker using this tool, so I call that a valid use of the term threat.
- "Firewalls located between the internal network and the Internet offer no protection against such internal threats." Comment: Microsoft puts another run on the board. Still two outs.
- "Therefore, before deploying IPSec for any specific scenario, carefully consider and document the potential security threats that IPSec is intended to address, your security requirements, the costs of deploying IPSec versus the cost of not using it, and therefore the expected business benefits." Comment: Four runs! This is a reference to considering the threat model.
Aside from a minor mention in the last pages, that's all.
What of the document's title?
"Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP" (from the Microsoft Solutions for Security series).
Sorry, that's Microsoft's final out. "Threats" should really be "vulnerabilities," but would Microsoft admit its product has vulnerabilities? The entire document outlines weaknesses in Microsoft's products and suggests countermeasures to mitigate those weaknesses. Kudos to Microsoft for writing the doc, and congratulations on a four-run inning!
Orbitz Hacked; Watch Your Credit Cards
Orbitz users are reporting receiving spam to email addresses used only at Orbitz. I am an Orbitz user, but the email address I use isn't exclusively for Orbitz. However, I hardly get spam to the account I use for Orbitz. For the first 17 days of October, I received 5 spam emails. Over the last 12 days, I've received 20. That's not scientific, but something clearly changed recently.
It's likely that if intruders compromised Orbitz's account list they stole credit cards as well. This is NOT based on any "insider knowledge" of Orbitz or this case. I make this assessment based on experience working similar cases elsewhere. Keep an eye on your statements (online or offline) and report suspicious activity to the card issuer immediately. Changing your Orbitz password is a good idea too.
Wednesday, 29 October 2003
FreeBSD 4.9 Released Today
Tuesday, 28 October 2003
"Words Matter" -- To the Tune of $200 Billion
"Traffic on the Internet has been doubling every 100 days."
Looking at the citation for this statement, we find the source given as a "December 1997 phone interview with John Osborn, JD Power and Associates." Most people blame WorldCom, including former CEO Bernie Ebbers. The Economist wrote about this last year. Mr. Odlyzko tracks down the origins of this "statistic" in his 2003 paper "Internet Traffic Growth: Sources and Implications" (.pdf).
This report and its "100 days" quote were cited in speech after speech by Commerce officials. The telecom industry, and especially equipment makers, believed the party would never end, so they kept laying cable and building equipment to meet demand that didn't exist.
What was really happening? The Economist writes:
"In the four years from the beginning of 1998, says Andrew Odlyzko, a telecoms guru at the University of Minnesota, the amount of fibre in the ground increased fivefold. Meanwhile, advances in the technology of feeding signals into fibres at one end and extracting them at the other increased the transmission capacity of each strand of fibre 100-fold, so total transmission capacity increased 500-fold. But over the same period demand for transmission capacity merely quadrupled, a rise that could easily be accommodated by existing networks."
The result? According to the Economist:
"Exactly how much money has gone down the telecoms drain is hard to quantify, but many estimates hover around the $1 trillion mark."
Words matter, Professor Zelikow! Maybe they matter to the tune of $1 trillion?
New Spam?
220 pd2mi3so.prod.shaw.ca -- Server ESMTP (iPlanet Messaging Server 5.2 HotFix1.18 (built Jul 28 2003))
However, that mail server doesn't allow mail relay.
I think the system which originated the email is (h0000864f50cd.ne.client2.attbi.com [24.62.13.114]).
A message from Yahoo! Groups wouldn't originate from a home AT&T user. The mailer agent is interesting too -- "Synapse, which is a synchronous TCP/IP library for Delphi, Kylix, FreePascal, and C++ Builder," according to my friend John Ward. He also says "this was some tool written to be a dedicated, non-threading mass mailer due to its synchronous nature, probably a command line tool, written for either Windows or Linux."
From - Tue Oct 28 12:17:53 2003
X-UIDL: 20031028171245s1200r471be0032gq
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Received: from mx1.domaindiscover.com ([216.104.161.40])
by sccrmxc12.comcast.net (sccrmxc12) with ESMTP
id <20031028171245s1200l47cve>; Tue, 28 Oct 2003 17:12:45 +0000
Received: from h24-71-223-11 (h0000864f50cd.ne.client2.attbi.com [24.62.13.114])
by mx1.domaindiscover.com (Postfix) with ESMTP id 6B2CD31804
for
From: conspiracies_revealed-subscribe@yahoogroups.com
To: CENSORED@CENSORED.com
Subject: -Confirmation-
Date: Tue, 28 Oct 2003 06:30:20 -0800
MIME-Version: 1.0 (produced by Synapse)
x-mailer: Synapse - Delphi & Kylix TCP/IP library by Lukas Gebauer
Content-type: text/html; charset=UTF-8
Content-Transfer-Encoding: Quoted-printable
Content-Disposition: inline
Content-Description: HTML text
Message-Id: <20031028171237.6B2CD31804@mx1.domaindiscover.com>
Thanks for signing up for yahoo groups conspiracies_revealed this is your
comfirmation email. You can log in via the website www.nasaconspiracy.net
used your email to sign up please click unsubscribe
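To show how the originating host above is read out of a header dump, here is an added example, written for this page rather than taken from the post, that walks the Received chain with Python's standard email module. Relays prepend their Received header as the message passes, so the lowest one is the earliest hop, and the parenthesised host and IP in it are what that relay saw on the wire, as opposed to the HELO name the sender claimed. The sample message is a constructed adaptation of the dump above; the recipient, the "for" clause and the body are placeholders.

```python
import email
import re

# Constructed sample, adapted from the header dump in the post. The recipient,
# the "for" clause and the body are placeholders, not the original message.
RAW_MESSAGE = """\
Received: from mx1.domaindiscover.com ([216.104.161.40])
        by sccrmxc12.comcast.net (sccrmxc12) with ESMTP
        id <20031028171245s1200l47cve>; Tue, 28 Oct 2003 17:12:45 +0000
Received: from h24-71-223-11 (h0000864f50cd.ne.client2.attbi.com [24.62.13.114])
        by mx1.domaindiscover.com (Postfix) with ESMTP id 6B2CD31804
        for <recipient@example.invalid>; Tue, 28 Oct 2003 09:12:37 -0800
From: conspiracies_revealed-subscribe@yahoogroups.com
To: recipient@example.invalid
Subject: -Confirmation-
Date: Tue, 28 Oct 2003 06:30:20 -0800
MIME-Version: 1.0 (produced by Synapse)
x-mailer: Synapse - Delphi & Kylix TCP/IP library by Lukas Gebauer
Content-type: text/html; charset=UTF-8

<html><body>placeholder body</body></html>
"""

# "from <HELO name> (<reverse DNS> [<IP>]) by <relay>": the HELO name is what
# the sender claimed; the parenthesised part is what the receiving relay saw.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def received_hops(raw_message):
    """Parsed Received headers, newest first (each relay prepends its own)."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        match = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
        if match:
            hops.append(match.groupdict())
    return hops


def origin_hop(raw_message):
    """The earliest hop: the host that connected to the first relay in the chain."""
    hops = received_hops(raw_message)
    return hops[-1] if hops else None


def last_trusted_hop(raw_message, trusted_suffixes):
    """Walk down from the newest header while the relay that wrote it ("by") is
    one we trust; anything below that line could have been forged by the sender."""
    suffixes = tuple(s.lower() for s in trusted_suffixes)
    last = None
    for hop in received_hops(raw_message):
        if not hop["by"].lower().endswith(suffixes):
            break
        last = hop
    return last


def indicators(raw_message):
    """Red flags a triage analyst would note for this message."""
    msg = email.message_from_string(raw_message)
    origin = origin_hop(raw_message)
    flags = []
    if origin and origin["rdns"] and origin["helo"].lower() != origin["rdns"].lower():
        flags.append("helo-rdns-mismatch")
    sender_domain = (msg.get("From") or "").rsplit("@", 1)[-1].strip("> ").lower()
    if origin and origin["rdns"] and not origin["rdns"].lower().endswith(sender_domain):
        flags.append("origin-outside-sender-domain")
    if "synapse" in (msg.get("X-Mailer") or "").lower():
        flags.append("raw-tcp-library-mailer")
    return flags


if __name__ == "__main__":
    print(origin_hop(RAW_MESSAGE))
    print(last_trusted_hop(RAW_MESSAGE, ("comcast.net",)))
    print(indicators(RAW_MESSAGE))
```

The caveat is in last_trusted_hop: only headers written by relays you trust are evidence. Trusting just comcast.net, the chain can be believed as far as mx1.domaindiscover.com; the attbi.com hop below it rests on domaindiscover's honesty, and a spammer who controls the first relay can prepend any Received lines he likes.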
SB 1386 Impotent While CardCops Monitor for Your Card
The most interesting aspect of the article is the mention of CardCops.com, which "offers consumers a paid notification service, in which he'll [CardCops] warn his customers if he spots their information in the chat rooms and websites frequented by credit card thieves." I was skeptical but the article claims "this month alone he [CardCops] traced stolen credit card information to breaches at five different online merchants, ranging from mid-sized businesses to modest mom-and-pop operations. When he contacted a sample of the exposed consumers, he was, in each case, the first to give them the bad news."
Monday, 27 October 2003
The Dynamic Duo Discuss Digital Risk
Meanwhile, at the Hall of Justice...
BATMAN: Robin, why the puzzled look?
ROBIN: Sorry, Batman.
B: Are my Bat Ears crooked again?
R: No Batman. I've been reading some books and vendor marketing literature on security, and I'm confused by their definitions of risk, vulnerability, and threat.
B: Oh, you've been researching to protect the Hall of Justice computer? Good for you. Tell me why you're confused.
R: I see so many people calling "vulnerabilities" and "threats" the same thing.
B: That's certainly not right. A vulnerability is a weakness in an asset which could lead to exploitation. A threat is a party with the capabilities and intentions to exploit a vulnerability in an asset.
R: Huh?
B: Let's try a few examples. Consider Superman.
R: I do, often.
B: I don't want to hear about that. Superman is an asset to the Hall of Justice, true?
R: He's definitely an asset.
B: I bet you think so. Think of Superman as an asset of the Hall of Justice's crime fighting arsenal. What is his weakness?
R: Kryptonite?
B: Close. Superman's weakness -- his vulnerability -- is the fact that Kryptonite nullifies the effect of the Earth's yellow sun, removing his super powers.
R: So what is Kryptonite?
B: Kryptonite is a weapon, or tool. But on its own it's nothing -- unless used by an evil party.
R: Like Lex Luthor?
B: Exactly. Lex Luthor is a threat, but only if he's carrying Kryptonite.
R: Lex Luthor is the threat, because his intentions are to harm Superman and his capability is instantiated by possession of Kryptonite. How does risk fit into this?
B: Let's define risk. Risk is the possibility of suffering harm or loss. It's a measure of danger. The loss of Superman would deal a crushing blow to the Hall of Justice's ability to fight crime.
R: That means we're talking about the risk of loss of Superman's crime fighting abilities, or more generally the loss of Superman. I don't know how to express that formally.
B: Let me help. Risk is the product of multiplying measurements of threat by vulnerability by cost of replacing an asset, also called that asset's value. So, R = T x V x C.
R: You did say risk was a measurement of the probability of loss. I don't know what the numbers should be for any of those factors.
B: It's ok to assign arbitrary values, say 1 to 5 for each factor, as long as you use the same scale when measuring different risks. How would you assess the risk to the Hall of Justice now?
R: I would assign a Kryptonite-equipped Luthor as threat 4, with Superman's vulnerability as 4, and cost as 5, for a total of 80.
B: Why didn't you assign the threat and vulnerability to each be 5? A Kryptonite-equipped Luthor has capabilities and intentions, and Superman's weakness can kill him.
R: I assessed the threat as 4 because I know Luthor has Kryptonite, but I don't know if he has enough to kill Superman.
B: That is prudent. His capability to exploit Superman could be diminished. You're factoring in uncertainty. How about the vulnerability rating?
R: Superman isn't completely vulnerable, since we fellow Super Friends would protect him if Lex appeared.
B: So you mean we Super Friends could be considered countermeasures to Superman's vulnerability?
R: Yes! Is that why the risk equation doesn't explicitly mention countermeasures?
B: You catch on quickly Robin. Although countermeasures could be included in the risk equation, they complicate the issue mathematically. Better to decrease the vulnerability rating if the countermeasure effectively mitigates the asset's weakness.
R: Batman, I'm starting to understand. What is security then?
B: Security is the process of maintaining an acceptable level of perceived risk.
R: That seems awfully specific.
B: Let me explain with another example. You know Fort Knox? And the gold it protects?
R: Of course. Gold is the asset protected by Fort Knox.
B: Let's assess the risk of theft of Fort Knox's gold. Risk is the probability of loss, remember? Assume that Fort Knox is so well protected, it has no vulnerabilities capable of exploitation by any human, Super Friend, or Legion of Doom member. Only a force of nature could damage Fort Knox, like a meteorite from space wiping out Kansas.
R: Holy invincibility, Batman! Let me see... I'd say the threat is low, maybe a 1. There are evil parties with intentions to steal Fort Knox's gold, but since Fort Knox is invulnerable to anything but a force of nature, no party has the capability to harm it. I'd assess the vulnerability as 1, since Fort Knox could still be wiped out by that meteorite from space. The cost of replacement is immense -- definitely 5. That gives us 1 x 1 x 5 = 5. That means...
B: That's right, Robin. The risk of loss of Fort Knox's gold is 5, a very small number.
R: So Fort Knox's gold is secure?
B: It's almost perfectly secure, especially compared to Superman as a Hall of Justice asset. Let's change the equation. Do you know of the Marvel universe?
R: The what?
B: It's the source of better movies than our own DC universe. Anyway, in the Marvel universe, a creature called the Hulk exists.
R: Tell me about this beast.
B: For the purposes of this argument, believe that the Hulk could smash his way into Fort Knox if he so chose.
R: Is the Hulk evil? Does he covet gold?
B: No, he's a powerful but misunderstood creature. Do you know what you just did?
R: Let me guess -- I performed a threat analysis?
B: Excellent Robin. Your shorts aren't too tight after all. Now, on to the next step -- risk analysis.
R: Given the presence of the Hulk, I would assess the threat as a 4, the vulnerability as a 2, and the cost as a 5.
B: Why did you raise the threat level? I told you the Hulk wouldn't harm Fort Knox.
R: Maybe the Legion of Doom could trick the Hulk into breaching Fort Knox? Then the Hulk would have the capabilities and intentions to exploit the Fort.
B: Very good.
R: And I rated the vulnerability as a 2 and not higher, as even a creature like the Hulk would have a tough time powering his way through all that concrete and steel, surely?
B: True enough. You're getting the hang of this, Robin.
R: Thanks Batman. You're swell. Can I try this sort of analysis using the Hall of Justice computer?
B: You bet. We run OpenBSD on the Hall of Justice machine. Do you know if it has any vulnerabilities?
R: Well, I haven't updated OpenSSH yet, so there is a vulnerability. That's a 5. Let me do a threat analysis next. I would identify the threat as the Legion of Doom. Specifically, I bet Brainiac could code a tool that would exploit the vulnerable OpenSSH daemon.
B: That means the Legion of Doom has the capabilities and intentions to harm the Hall of Justice computer. We call that a "current credible threat."
R: I'd rate the threat a 4, since we aren't 100% sure the Legion of Doom has an exploit. They're definitely capable of writing it, though. That leaves cost of replacement, which I would assess as a 5. The Hall of Justice computer is a piece of critical infrastructure. The risk of loss of the Hall of Justice computer is 4 x 5 x 5 = 100. That's immense!
B: Get to patching, Robin.
R: How can we reduce risk, Batman?
B: We can't reduce risk directly. We can only affect each of the factors. For the threat component, we could eliminate the party completely. Alternatively, we could try to change their intentions by addressing why they hate us. We could also remove their capability to harm us, such as by removing their financing or destroying their weapons.
R: That sounds like a way to deal with terrorists.
B: Perhaps. On the vulnerability side, you could patch the weakness directly. You could implement access control or other countermeasures to limit the ability of intruders to exploit the vulnerability. All of these measures decrease the vulnerability rating.
R: You're so smart Batman.
B: Thank you. On the cost side, we could completely replicate the Hall of Justice computer and host it off-site. While exploitation of the Hall of Justice computer would still be devastating, by implementing redundancy we could lessen the cost of replacing a damaged Hall of Justice computer.
R: Thanks Batman. You've really helped me understand risk!
B: You're welcome Robin. I hear the Bat Phone ringing -- to the Bat Poles!
Note: Multiplying numbers together, without any measurement or rank, isn't exactly the "science" one would like to see in risk assessment. The purpose of this exercise is to discuss definitions and show how breaking out individual components of risk (i.e., threat, vulnerability, and asset cost) helps us think about the problem. This is obviously a naive exercise so I prefer to focus attention on the definitions and their translation into a fictional case study.
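The dialogue's arithmetic carried one step further, as an added example that is not part of the original post: a small Python model of R = T x V x C on the 1-to-5 scale that rejects out-of-range ratings, ranks the three scenarios, and, for the Hall of Justice computer, compares the treatments Batman lists (patching lowers V, an off-site replica lowers C, denying the Legion of Doom its exploit lowers T). The scenario ratings come from the dialogue; the post-treatment ratings are assumptions made for the example.

```python
from dataclasses import dataclass, replace

SCALE = range(1, 6)  # the 1..5 ordinal scale Batman proposes for every factor


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: int         # T: a party's capabilities and intentions, with uncertainty
    vulnerability: int  # V: the weakness, after countermeasures are applied
    cost: int           # C: cost of replacing the asset

    def __post_init__(self):
        for name in ("threat", "vulnerability", "cost"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be in 1..5, got {getattr(self, name)!r}")

    def score(self):
        return self.threat * self.vulnerability * self.cost  # R = T x V x C


# Ratings taken from the dialogue above.
SUPERMAN = Risk("Superman", threat=4, vulnerability=4, cost=5)
FORT_KNOX = Risk("Fort Knox gold", threat=1, vulnerability=1, cost=5)
HOJ_COMPUTER = Risk("Hall of Justice computer", threat=4, vulnerability=5, cost=5)

# Treatments for the computer; each touches exactly one factor, because risk
# can only be reduced through its factors. The post-treatment ratings are
# assumptions for this example.
HOJ_TREATMENTS = {
    "patch OpenSSH": {"vulnerability": 1},
    "replicate off-site": {"cost": 3},
    "deny Brainiac an exploit": {"threat": 2},
}


def rank(risks):
    """Highest score first. Because the ratings are ordinal, ordering risks
    against each other is the only use of the product that is defensible."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def best_treatment(risk, treatments):
    """Apply each treatment to a copy of `risk` and return (label, treated risk)
    for the one that lowers the score most; ties keep the first listed."""
    treated = {label: replace(risk, **changes) for label, changes in treatments.items()}
    label = min(treated, key=lambda name: treated[name].score())
    return label, treated[label]


if __name__ == "__main__":
    for r in rank([SUPERMAN, FORT_KNOX, HOJ_COMPUTER]):
        print(f"{r.asset:26s} R = {r.threat} x {r.vulnerability} x {r.cost} = {r.score()}")
    label, after = best_treatment(HOJ_COMPUTER, HOJ_TREATMENTS)
    print(f"best single treatment: {label} -> R = {after.score()}")
```

Because vulnerability is rated a 5 for the unpatched daemon, patching is the treatment that moves the product most (100 down to 20), which is the numerical form of "Get to patching, Robin." The note above still applies: the 20 is a rank, not a probability.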
Friday, 24 October 2003
What is Extrusion Detection?
"There's no sure way to track spying data that leaves your network. Perhaps the next big security tool will be outward-bound--extrusion-detection systems."
Searching the Web, I found Mozkowitz mentioned the term four years ago, in this 29 Nov 99 article:
"What you need is a reversed IDT (intrusion-detection tool), and perhaps an EDT (extrusion-detection tool) that will perform automatic searches for your own metatags..."
However, Frank Knobbe has him beat, according to this 5 Nov 99 post, discussing SEC investigations of insider trading:
"...[t]his sounds more like an Extrusion Detection than Intrusion... There are packages available that scan inbound and outbound emails for certain key words/key phrases, and dump these emails in a bucket where analysts (humans) can read, evaluate, and approve or deny them. I guess this raises the question if email scanners should be considered Intrusion Detection tools..."
Although much more recent, Ronald DuFresne wrote a short paper which mentions "EDS" but doesn't say a whole lot. Fidelis sells "Extrusion Prevention Systems" "for organizations with valuable digital assets that are concerned about the theft of proprietary information... Fidelis DataSafe EPS is an extrusion prevention system that detects and prevents the unauthorized network transfer of designated sensitive or valuable information."
Bamm and I used extrusion detection techniques during Code Red. It was easier to watch outbound traffic from our infected boxes than it was to monitor inbound intrusion attempts.
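An added example of that outbound view, written for this page and not the tooling used during Code Red: over constructed flow records, count how many distinct external hosts each internal source reaches on TCP port 80 inside a sliding time window. A Code Red infected host scanning for new IIS victims stands out on that measure, while the inbound scan noise against the same port, which is what an intrusion-only sensor would be drowning in, is ignored by design. The network ranges, threshold and window are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# RFC 1918 space counts as "inside" for this example; everything else is outside.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_internal(addr):
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


# Constructed flow records (not data from the post):
# (timestamp in seconds, source, destination, destination port).
SAMPLE_FLOWS = (
    # 10.1.1.7 hits forty distinct web servers in forty seconds, the way an
    # infected host did when Code Red started scanning port 80.
    [(1000 + i, "10.1.1.7", f"203.0.113.{i}", 80) for i in range(1, 41)]
    # 10.1.1.9 browses a few sites; repeat visits to one server do not add up.
    + [(1005, "10.1.1.9", "198.51.100.10", 80), (1006, "10.1.1.9", "198.51.100.10", 80),
       (1020, "10.1.1.9", "198.51.100.11", 443), (1030, "10.1.1.9", "198.51.100.12", 80)]
    # Inbound scanning against the same port: ignored by design.
    + [(1000 + i, f"192.0.2.{i}", "10.1.1.20", 80) for i in range(1, 31)]
    # Internal-to-internal traffic: not an extrusion.
    + [(1010, "10.1.1.7", "10.1.1.20", 80)]
)


def outbound_fanout(flows, port=80, window=60, threshold=20):
    """Return {internal source: peak count of distinct external hosts it reached
    on `port` within any `window` seconds} for sources at or above `threshold`.
    This outbound fan-out is the extrusion view of a scanning worm."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port and is_internal(src) and not is_internal(dst):
            per_src[src].append((ts, dst))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        peak, left = 0, 0
        for right, (ts, _) in enumerate(events):
            while ts - events[left][0] > window:  # slide the window forward
                left += 1
            peak = max(peak, len({dst for _, dst in events[left:right + 1]}))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    print(outbound_fanout(SAMPLE_FLOWS))
```

Counting distinct destinations rather than connections is what separates a worm from a busy proxy; lower the threshold or widen the window for slow scanners, and expect to whitelist hosts such as mail relays and crawlers that legitimately fan out.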
Wednesday, 22 October 2003
Foundstone Publishes White Paper on Integrating Vulnerability Assessment with Incident Response
Will Companies Let U Penn Collect Monitoring Data?
"The goal is to deploy what CIDDAC calls Real-time Cyber Attack Detection Sensors, or RCADS, throughout as many U.S. companies as possible—and eventually the world—and feed incident data to a centrally managed operations facility at the University of Pennsylvania in Philadelphia... Although it has maintained a low profile to date, CIDDAC is the result of a volunteer effort by various private-sector IT companies and other firms, along with the Philadelphia InfraGard chapter.
The consortium has developed what it claims is a technical solution to the private sector's primary concern about information sharing: government access to proprietary data. 'We have a way to gather the appropriate information on cyberattacks and security incidents without digging through production data,' said Charles 'Buck' Fleming, acting executive director of CIDDAC and CEO of AdminForce LLC in Boulder, Colo.
CIDDAC is operating a prototype monitoring and operations center at facilities owned by AdminForce."
This will not work. No company is going to let AdminForce or anybody else deploy sensors in exchange for discounted insurance rates. I am flying to Dallas tomorrow on behalf of a client to evaluate the risks of outsourced managed monitoring. Having done managed monitoring in the Air Force and as a civilian, I know that clients require an extreme amount of trust in their managed monitoring vendor. I don't see security-minded organizations letting "CIDDAC" deploy sensors with the ability to see Internet-bound traffic. Does CIDDAC realize they are performing a wiretap?
The security research community's biggest problem is access to suitable data. This is caused by privacy concerns. Here's a paper on the subject. If privacy is such an issue, imagine how much bigger a problem it is to protect corporate secrets. Would a company allow a third party to watch its phone records for patterns of misuse? Of course not, unless the company trusts the vendor implicitly and creates iron-clad contracts protecting its data from disclosure and abuse.
Reliable Software Group Posts New Snort Code
"The verification component of the system is currently implemented as a set of NASL scripts mapped to Snort rules by CVE IDs. When a rule is triggered, the suspect packet and associated event data is queued for verification. A separate thread processes queued unverified alerts by running an associated NASL script against the target host to test for the presence or absence of the vulnerability corresponding to the detected attack. If the NASL script determines that the vulnerability does exist on the target host, the alert is marked as having been verified. If the NASL script determines that the vulnerability does not exist, the alert is marked as unverified. Finally, if no NASL script corresponding to the detected attack is found, the alert is marked as unverifiable. The alert is then released back to the Snort engine."
I wonder how fast this works? This is interesting because it is the first free implementation (known to me) of this sort of technique. It's a patch against Snort 2.0.2, so I hope to try it.
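To make the three alert states concrete, here is an added example, written for this page and not taken from the RSG patch, that reproduces the workflow in Python: a Snort-style alert carrying a CVE reference is handed to the verifier registered for that CVE, which decides whether the target is actually exposed. Where the real system runs a NASL script against the live host, this version consults a constructed inventory of service banners; the CVE keys are placeholders, not real identifiers, and the hosts and versions are invented.

```python
import re

# Constructed inventory standing in for what a NASL script would probe on the
# live target. Not real hosts.
INVENTORY = {
    "10.0.0.5": {"ssh": "OpenSSH_3.6.1p2"},
    "10.0.0.6": {"ssh": "OpenSSH_3.7.1p2"},
    "10.0.0.7": {"http": "Apache/1.3.29"},
}


def version_tuple(banner):
    """'OpenSSH_3.6.1p2' -> (3, 6, 1, 2): a crude but order-preserving key."""
    return tuple(int(n) for n in re.findall(r"\d+", banner))


def service_older_than(host, service, fixed_in):
    """True if `host` runs `service` at a version below `fixed_in`; False if it
    is patched or does not run the service at all."""
    banner = INVENTORY.get(host, {}).get(service)
    return banner is not None and version_tuple(banner) < version_tuple(fixed_in)


# Placeholder CVE keys (not real identifiers) mapped to verifier callables,
# mirroring the RSG design in which Snort rules are tied to CVE IDs.
VERIFIERS = {
    "CVE-EXAMPLE-0001": lambda host: service_older_than(host, "ssh", "3.7.1"),
    "CVE-EXAMPLE-0002": lambda host: service_older_than(host, "http", "1.3.29"),
}


def verify(alert):
    """Return 'verified', 'unverified' or 'unverifiable' for one alert dict."""
    check = VERIFIERS.get(alert.get("cve"))
    if check is None:
        return "unverifiable"          # no verifier for this rule's CVE
    return "verified" if check(alert["dst"]) else "unverified"


# Constructed alert queue, as the Snort engine would hand it to the verifier thread.
ALERTS = [
    {"src": "198.51.100.9", "dst": "10.0.0.5", "cve": "CVE-EXAMPLE-0001"},
    {"src": "198.51.100.9", "dst": "10.0.0.6", "cve": "CVE-EXAMPLE-0001"},
    {"src": "198.51.100.9", "dst": "10.0.0.7", "cve": "CVE-EXAMPLE-0001"},
    {"src": "198.51.100.9", "dst": "10.0.0.7", "cve": "CVE-EXAMPLE-0002"},
    {"src": "198.51.100.9", "dst": "10.0.0.5", "cve": None},
]


def triage(alerts):
    """Tag every alert with its verification state, keeping queue order."""
    return [dict(alert, state=verify(alert)) for alert in alerts]


if __name__ == "__main__":
    for tagged in triage(ALERTS):
        print(tagged["dst"], tagged["cve"], tagged["state"])
```

The speed question above hinges on the check itself: an inventory lookup like this one answers instantly but goes stale, while an on-the-wire NASL probe is accurate but adds a scan per alert and itself generates traffic. Either way, an "unverified" alert is not a false positive to be discarded; it is an attack that probably failed, which is still worth recording.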
Visiting the RSG's site reminded me of the great papers they write. Giovanni Vigna is a publishing machine!
Hacker History and Pictures
Rudy Giuliani, White Hat?
Competitors of the new enterprise greeted Mr. Giuliani into their midst warily.
"What is he really bringing to the table as far as the security business part of it?" asked Chris Wysopal, the director of research and development for @stake, a company that also provides so-called white-hat hacking services.
"I'm not too worried," he said. "When we say, `We talk business,' it isn't like going out to the golf course. It's showing real numbers, and having the data to back it up."
So, Mr. Giuliani, could you comment on the BIND vulnerability that was exploited to threaten the root server system?
"I could make a comment on the Cubs game tonight," he said with a laugh, speaking by phone from Chicago.
And that is as it should be, said Allan Carey, an analyst with IDC, a research company. "He's talking on a different level; he's speaking to executives."
This story on a new report by the Economist Intelligence Unit quotes the foreword Rudy wrote for the report:
"$10m spent on corporate security will hit the bottom line today and may not show its worth for many years. But when a security incident does occur, that investment will pay for itself many times over. As mayor of New York, I remember thinking that the hundreds of millions of dollars we spent preparing for Y2K might have been wasted ... On the morning of 11 September, I realised that it wasn't. Having thought our way through a complete breakdown of the city's systems, we had the backups that allowed us to get a new command centre partly operational within two hours. Similarly, all of the work we did over the previous few years in preparation for a terror attack - including the drills, the tabletop exercises, and the creation of an emergency management centre - proved invaluable."
Tuesday, 21 October 2003
Hit By Credit Card Fraud Again
I have two pieces of advice:
- Watch those credit card statements closely! If you see something odd, report it immediately. Better yet, check your card status weekly or more regularly using your bank's online facilities.
- Set aside a single, low ceiling credit card solely for online purchases. Use other cards for "bricks and mortar" purchases. That way, if my "b&m" card receives a fraudulent charge, I know it wasn't a result of online fraud.
NetScreen Announces Deep Packet Inspection Firewalls
Only The Register reported the cost of running such a system on a real network:
"Robert Ma, a Senior Director of Product Marketing and Management at NetScreen, explained that because Deep Inspection looks deeper into traffic there is a trade off which means users looking to maximise performance should still consider deploying separate IDP and firewall appliances. For example, NetScreen's low-end 5GT firewall runs at 75Mbps normally but at only 18Mbps with Deep Inspection technology activated, according to preliminary figures."
I wonder what speed those inline "separate IDP and firewall appliances" run at?
New Security Organizations One Year After Attacks on Root Name Servers
"taking the lead on a cybersituation awareness project that can conduct near-real-time analysis of incident data nationwide... The division is currently working with SRI International, Symantec and Computer Associates International Inc. to develop an automated capability that would enable data to be shared immediately with various private-sector-run Information Sharing and Analysis Centers. The research and development effort includes plans to build a nonproprietary system that would allow any organization in the nation, regardless of IT infrastructure, to feed data into the incident analysis system.
'We will be deploying this in the federal sector starting at the US-CERT first so we can see in real time what is happening across the nation,' McDonald said."
Sallie McDonald is "the DHS's senior executive responsible for outreach and awareness efforts."
Not to be outdone, the Internet Software Consortium (ISC) announced today the creation of the Operations, Analysis, and Research Center (OARC), focused on the defense of the Internet's domain name servers. This is a response to last year's attacks on the root name servers. I found a site dedicated to news on the Internet infrastructure, with articles on DNS, ICANN, and other topics.
Speaking of DNS, one year ago today the root name servers were attacked. CAIDA offers good descriptions and graphs of what happened.
Monday, 20 October 2003
Dogs, Street Children and Hackers
"Computer crime flourished in Romania because the country lacked a cybercrime law until earlier this year, when it enacted what may be the world's harshest. The new law punishes convicts with up to 15 years in prison — more than twice the maximum for rape.
Varujan Pambuccian, a lawmaker and former programmer, helped draft the new law after Romania's government realized the nation, which is racing to join the European Union by 2007, was getting a bad online reputation.
'We want a good name for our country,' he said. 'I'm very angry that Romania is so well-known for ugly things — for street dogs, street children and hackers.' Pambuccian said there was a noticeable decline in criminal activity in the first three months since the law took effect.
More than 60 Romanians have been arrested in recent joint operations involving the FBI, Secret Service, Scotland Yard, the U.S. Postal Inspection Service and numerous European police agencies."
PBS Frontline Program on "Cyberwar"
I'd never heard of this guy, and was skeptical when the article stated "Arquilla... helped develop the offensive cyber weapons used by the U.S. military in Kosovo, in Afghanistan and in the Gulf War." Google led me to this PBS interview, where we learn Arquilla helped build the Joint Surveillance and Target Acquisition Radar System while working for Central Command during the first Gulf War. JSTARS isn't what I'd call an "offensive cyber weapon," at least as far as computers go.
Still, this article wasn't a waste of time, as I made two discoveries. First, I learned Dorothy Denning now works at the Center on Terrorism & Irregular Warfare. Second, I found this Apr 03 PBS Frontline show called Cyberwar! is available in its entirety online. The title (especially the exclamation point) is derived from this 1993 paper by John Arquilla, Cyberwar Is Coming!. The show looks interesting and I plan to watch it and read the interviews when I have time.
Surveillance Cameras Invade Privacy, Provide Little Security
"Very little evidence shows that speed cams reduce road deaths or that CCTV deters crime. It's only on the rare occasion that CCTV helps police catch criminals...
Instead, there's an overwhelming feeling that too often surveillance is used not to make the country safer but to monitor innocent people and, in the case of speed cams, raise much-needed tax revenues. 'There's this notion starting to build in countries around the world that maybe we've been conned -- that these security measures are smoke and mirrors,' says Simon Davies, director of London-based advocacy group Privacy International. 'People here are demanding a proper threat assessment.'"
Did I hear the words "threat assessment"? Someone is thinking properly! So why did these cameras get deployed in the first place?
"The technology came into vogue after two bombs, planted by the Irish Republican Army, exploded in London's financial district in the early '90s. The response: To create a 'ring of steel' -- a network of CCTV cameras on the eight official entry gates to the City of London... Originally, citizens embraced the technology. Being watched at all times made them feel safe.
Ten years later, it's clear CCTV has done little to clean up the streets. Study after study shows that CCTV simply displaces crime to areas where no cameras are present rather than preventing it. According to a June, 2002, report from crime-fighting nonprofit NACRO, CCTV cuts crime only by 5%, vs. 20% reduction achieved by brighter street lighting."
This situation mirrors so many security issues in the United States. I'll defer to recent books by Bruce Schneier and Marcus Ranum, which I hope to review later this month.
Saturday, 18 October 2003
ISS Announces "Proventia" Products
"Today Proventia unifies firewall, virtual private network (VPN), anti-virus, intrusion detection and prevention into one engine, under one management system, to protect at the network and the gateway. In the future, Proventia will add application protection, content filtering and anti-spam functionality to the unified engine to extend protection across servers, desktops and laptops. Proventia’s simplified protection for every layer of business infrastructure eliminates the complexity associated with today’s legacy security products and greatly reduces the total cost of ownership for security – making protection affordable for enterprises."
ISS offers three Proventia products:
- Proventia A, an IDS appliance
- Proventia G, an IPS appliance
- Proventia M, a "multi-function" appliance
I looked at the product demo site and made a few observations. Site Protector remains the overall management product. The Proventia M series offers "content blades" which can be enabled or disabled in software.
The Proventia A series IDS offers products like the A1204 which can monitor and make sense of redundant or load-balanced links.
ISS offers a newsletter called "Connect," with the October issue (.pdf) devoted to Proventia.
What's the competition for ISS' product? Symantec announced its Symantec Gateway Security 5400 Series last month. Cisco announced "integrated network solutions" in Feb 03, but they're not a "converged solution." You need a product finder to make sense of Enterasys's offerings. While I still believe Sourcefire has the superior detection solution, I can see the allure of these "single box" appliances.
Don't be fooled into thinking a single box can serve all of your security needs. While the ISS demos stress their products can complement firewalls, I don't trust putting prevention and detection functions into a single system. Almost by definition, the detection aspect will not detect some attacks, leaving no record of intrusion. Why? If the product could detect the attack, why didn't it prevent it? (That's what customers say they want, correct?) So, there needs to be an independent, network-audit product to evaluate how well the prevention product performs. That's network security monitoring, my friends. NSM recognizes that prevention will always fail, and that when it does defenders need a way to quickly scope the extent and impact of a compromise.
Thursday, 16 October 2003
Review of Intrusion Detection Posted
"Three years ago, as a captain in the Air Force CERT, I didn't think I had time to read books on theory and definitions like Rebecca Bace's Intrusion Detection. If a book didn't show packet captures, I didn't need it! Fast forward to 2003, as I research intrusion detection history and re-discover Bace's contribution to the field. Now, I consider her book so important that I consider most of it mandatory preparation for my own book. If you've got the time for 'high level' monitoring concerns, check out Intrusion Detection."
I added the book to my Weapons and Tactics Amazon.com Listmania List, along with a few other books reviewed in the last six months. You can access all of my recommended reading lists here.
In related news, I received word from Wiley that Snort: The Complete Guide to Intrusion Detection is listed in the publisher's database as "Publication Suspended Indefinitely." That's too bad, as Sourcefire employees and Snort coders Jeffrey Nathan, Dragos Ruiu, and Jed Haile were the authors.
Microsoft Windows Security Guides
After seeing this article I went to the source at microsoft.com. I found these resources:
- NT 4 Server Security Resources
- Maintain Security with Windows 2000
- Maintain Security with Windows Server 2003
I'm trying to find a newsgroup which posts customer experiences installing new hotfixes and service packs. microsoft.public.security is one option, but I'm still looking.
Wednesday, 15 October 2003
Review of Incident Response, 2nd Ed Posted
"IRCF2E is one of the few books in print where the word 'forensics' deserves to be on the cover. Many prominent 'forensics' titles deliver nothing useful to practitioners. As was the case with the first edition, investigators can use IRCF2E in operational environments to do real work. This book lays much of the groundwork for doing cases. Watch for Real Digital Forensics to be published next year, which walks readers through case-based evidence to teach how to collect, interpret, and analyze host- and network-based evidence."
Marcus Ranum Rants Online and Offline
"Computers, unlike biological organisms, can rapidly share immunity without having to actually be exposed to the pathogen in question. This is absolutely crucial to understand - it's quite possible that my machine may fix itself automatically so that a worm doesn't affect it. Computers have several main mechanisms for transmitting 'immunity': firewalls, antivirus software and antivirus software auto-update, Windows auto-update, and security-related knowledge bases or mailing lists."
"There is no 'monoculture' here. My system isn't just Windows. My security is effected (and affected) by a bewildering combination of default settings, software patch levels, default firewall rules (I just plugged it in, honest!), browser settings, and antivirus signature sets. We're not in anything like danger of becoming a "monoculture" unless every system was running the same software load-out, security policy, antivirus product, and patch level. In spite of the dearest wishes of countless system administrators, that simply isn't going to happen! So, as much as I hate to say it, Sun's marketing people may have been right, "The network is the computer" - and the network sure as hell isn't going to become a "monoculture" unless Microsoft builds all the firewalls, all the routers, all the switches, all the web accelerators, all the SQL databases and establishes everyone's security, routing, DNS, and update policies."
I don't agree with everything he says, but on the whole his argument makes sense. Debating via analogy is difficult and probably counter-productive. I'll report on his book after I've read it.
Yen-Ming Chen's Blog
Osiris File Integrity Checker
Paper on Windows Memory Forensics
NIST Releases New Security Guidelines
- SP 800-35, Guide to Information Technology Security Services
- SP 800-36, Guide to Selecting Information Security Products
- SP 800-42, Guideline on Network Security Testing
- SP 800-50, Building an Information Technology Security Awareness and Training Program
- SP 800-64, Security Considerations in the Information System Development Life Cycle
Of these the first two are probably of most interest to security vendors. Customers frequently have no idea what to buy or how to make decisions, so they turn to guides like these.
Gartner Warning Makes Sense
"On 9 October 2003, U.S. Homeland Security Secretary Tom Ridge stated that the U.S. government may require publicly traded companies to disclose details of their information security readiness to the Securities and Exchange Commission (SEC). The Department of Homeland Security plans to work with the SEC to develop requirements for the inclusion of security information in financial reporting; the U.S. Congress is preparing draft legislation with the same objective....
Boards of directors, CEOs and CFOs should assume that information security reporting will be required no later than the end of 2005 and assign responsibilities and establish reporting procedures. Chief information officers of public companies should assess their security reporting and metrics programs by the second half of 2004, to ensure their ability to issue IT security readiness reports when the expected legislation is enacted."
This is big news for the security industry, which has already gained some new work from HIPAA and GLB regulations. If all publicly traded companies have to provide this reporting, we might all be very busy soon.
IDS Review Addresses Issues That Matter
"Gartner's analysis, unfortunately, is based on a profound misunderstanding of what network IDSs are good for and who should use them. Many network managers, and the analysts at Gartner, have put network IDS in the same bucket as firewalls: a technology designed to protect network assets. But it doesn't go there. A network IDS is to the security analyst what a protocol analyzer is to a network manager: a tool to look into a network and understand what is going on, security-wise. Lumping network IDS and firewalls together, or even network IDS and intrusion-prevention systems (IPS) together, is no more appropriate than considering 100M bit/sec switches and protocol analyzers together."
Second, their review focuses on real tasks by presenting scenarios, like "What happened to Paul?", a Windows 2000 system deployed as a sacrificial lamb. Third, they have a sense of what is important when doing monitoring:
"This test also exposed a problem common to all the products (except Barbedwire) - you can't see the offending packets. You never get to check the signatures to see if they are generating false positives."
The major downside is that only five IDS were tested, and Sourcefire wasn't included. The reviewers explain they didn't review Snort as an open source product because "Snort, like many complex open source tools, requires the security analyst to also be a system integrator: pick operating system, hardware, multiple applications, and bring them all together into a high-performance network IDS. Reviewing Snort would require us to play system integrator to start to capture the possibilities surrounding the popular detection engine."
National Security Archive Online
"The version of USSID 18 currently in force was issued in July 1993 and 'prescribes policies and procedures and assigns responsibilities to ensure that the missions and functions of the United States SIGINT System (USSS) are conducted in a manner that safeguards the constitutional rights of U.S. persons.' Section 4 (Collection, pp.2-6) specifies the circumstances under which U.S. SIGINT activities may intercept communications of or about U.S. persons, as well as the authorities of the Foreign Intelligence Surveillance Court, the Attorney General, and the Director of NSA to approve the collection of such information."
When I was a lieutenant at the Air Intelligence Agency, we used USSIDs to strictly guide our collection efforts.
Tuesday, 14 October 2003
Monday, 13 October 2003
Understanding Legal Issues of Network Monitoring
From the EPIC PATRIOT report, I found these extracts applicable to network security monitoring. First, EPIC discusses watching "headers":
"Section 216 of the Act significantly expanded law enforcement authority to use trap and trace and pen register devices. Prior law relating to the use of such devices was written to apply to the telephone industry, therefore the language of the statute referred only to the collection of "numbers dialed" on a "telephone line" and the "originating number" of a telephone call. The new legislation redefined a pen register as "a device or process which records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted." A trap and trace device is now "a device or process which captures the incoming electronic or other impulses which identify the originating number or other dialing, routing, addressing, and signaling information reasonably likely to identify the source of a wire or electronic communication."
By expanding the nature of the information that can be captured, the new law clearly expanded pen register capacities to the Internet, covering electronic mail, Web surfing, and all other forms of electronic communications.
...The USA PATRIOT does contain a provision requiring law enforcement to file under seal with the court a record of installations of pen register/trap and trace devices. This amendment may provide some measure of judicial oversight of the use of this enhanced surveillance authority."
You may remember stories on wiretaps from 2002. You can read the original evidence here. Next, EPIC discusses full content monitoring:
"Prior law prohibited anyone from intentionally intercepting or disclosing the contents of any intercepted communications without complying with the requirements of the wiretap statute, unless such interception and disclosure fell within one of several statutory exceptions. The USA PATRIOT Act, Section 217, creates a new exception, permitting government interception of the "communications of a computer trespasser" if the owner or operator of a "protected computer" authorizes the interception. The new exception has broad implications, given that a "protected computer" includes any "which is used in interstate or foreign commerce or communication" (which, with the Internet, includes effectively any computer). The "authorization" assistance permits wiretapping of the intruder's communications without any judicial oversight, in contrast to most federal communication-intercept laws that require objective oversight from someone outside the investigative chain.
The new law places the determination solely in the hands of law enforcement and the system owner or operator. In those likely instances in which the interception does not result in prosecution, the target of the interception will never have an opportunity to challenge the activity (through a suppression proceeding). Indeed, such targets would never even have notice of the fact that their communications were subject to warrantless interception. However, the USA PATRIOT Act does include an exception prohibiting surveillance of someone who is known by the owner of the protected computer "to have an existing contractual relationship with the owner or operator of the protected computer for access to all or part of the protected computer."
At this point you may want to know more about PATRIOT by reading applicable laws. Remember that PATRIOT amended existing laws. To see the amended laws, you need to know the title and sections affected. For example, the EPIC article links directly to Cornell's US Code archive, e.g., Pen Register and Trap and Trace Statute or Interception and disclosure of wire, oral, or electronic communications prohibited, aka "The Wiretap Act." Alternatively, visit the Office of the Law Revision Counsel of the House of Representatives and search to find 18USC3121 or 18USC2511. Notice these laws don't just apply to the government -- they affect everyone.
Another resource is part 3 of Slate's four-part story on PATRIOT. The Electronic Frontier Foundation offers its views too.
Remember that state laws restrict monitoring. The Reporters Committee for Freedom of the Press offers an excellent guide to taping phone calls, with state-by-state summaries and an article on surreptitious recording. Use the state guide as a pointer to specific laws in each state, since the RCFP's focus is recording voice conversations and not electronic monitoring.
To validate the RCFP results I checked out the Code of Virginia and searched for "pen register" to get my bearings. I found Title 19.2, Criminal Procedure contains Chapter 6, Interception of Wire, Electronic or Oral Communications. 19.2-62, Interception, disclosure, etc., of wire, electronic or oral communications unlawful; penalties; exceptions is very similar to the Federal statute. The section below seems to give the only cover to perform monitoring:
"It shall not be a criminal offense under this chapter for any person... (f) Who is a provider of electronic communication service to record the fact that a wire or electronic communication was initiated or completed in order to protect such provider, another provider furnishing service toward the completion of the wire or electronic communication, or a user of that service, from fraudulent, unlawful or abusive use of such service. "
Finding California's laws was a little more difficult. I visited the state's search page, and after not getting useful hits on "pen register" I tried "interception." That yielded Section 629.50-629.98, INTERCEPTION OF WIRE, ELECTRONIC DIGITAL PAGER, OR ELECTRONIC CELLULAR TELEPHONE COMMUNICATIONS of the Penal Code. Since this pertains to law enforcement actions, I used the information from the RCFP site to check Section 630-637.9, INVASION OF PRIVACY. Here I found that interception and recording is illegal, unless:
"(b) This section shall not apply (1) to any public utility engaged in the business of providing communications services and facilities, or to the officers, employees or agents thereof, where the acts otherwise prohibited herein are for the purpose of construction, maintenance, conduct or operation of the services and facilities of the public utility..."
Let's conclude this research with a check on Texas' laws. The Texas Penal Code offers CHAPTER 16. CRIMINAL INSTRUMENTS, INTERCEPTION OF WIRE OR ORAL COMMUNICATION, AND INSTALLATION OF TRACKING DEVICE. Looking at Section 16.02 we read:
"A person commits an offense if the person:
(1) intentionally intercepts, endeavors to intercept, or procures another person to intercept or endeavor to intercept a wire, oral, or electronic communication...
(c) It is an affirmative defense to prosecution under Subsection (b) that:
(1) an operator of a switchboard or an officer, employee, or agent of a communication common carrier whose facilities are used in the transmission of a wire or electronic communication intercepts a communication or discloses or uses an intercepted communication in the normal course of employment while engaged in an activity that is a necessary incident to the rendition of service or to the protection of the rights or property of the carrier of the communication, unless the interception results from the communication common carrier's use of service observing or random monitoring for purposes other than mechanical or service quality control checks..."
Again we see language that mirrors the Federal statutes. Note I have avoided citing statutes which offer consent as a defense for doing monitoring. Consent can be obtained when intruders use "bannerable" services like telnet or FTP to access a victim. If an intruder doesn't access an interactive service, there's no way to obtain the intruder's consent and thereby use consent exceptions to justify monitoring.
For more information, read Dorothy Denning's latest. The Constitution Project released a survey of state wiretap laws last month.
Sunday, 12 October 2003
Information Security Education
A Lesson on Indications and Warning
"According to a new study ("Security in Maritime Transport: Risk Factors and Economic Impact" [.pdf, overview]) by Aegis Defence Services, a London defence and security consultancy, these attacks represent something altogether more sinister. The temporary hijacking of the Dewi Madrim was by terrorists learning to drive a ship, and the kidnapping (without any attempt to ransom the officers) was aimed at acquiring expertise to help the terrorists mount a maritime attack. In other words, attacks like that on the Dewi Madrim are the equivalent of the al-Qaeda hijackers who perpetrated the September 11th attacks going to flying school in Florida."
Review of SQL Server Security Posted
"'SQL Server Security' (SSS) is a great security book, free of the bloat that affects both operating systems and many technical volumes. Weighing in at 322 pages, it's packed with the detail needed to securely deploy Microsoft SQL servers. Although many people contributed to the text, it doesn't suffer from internal redundancy. I highly recommend anyone operating SQL servers devour this book."
Saturday, 11 October 2003
Beware the Beast
"Dinh was the unhappy owner of $90,000 in "put" options that could have delivered a hefty payoff if Cisco Systems Inc. stock drooped below $15.00 a share-- but instead were close to expiring worthless.
Rather than eat the loss, Dinh allegedly constructed an electronic shell game to offload the contracts on an innocent dupe. Dinh built a list of targets by posting innocuous queries as "Stanley Hirsch" to a public forum on the trading discussion site stockcharts.com, and noting the e-mail addresses of people who responded. The next day, using the alias "Tony T. Riechert," he spammed those addresses with an offer to participate in a beta test of a new stock charting tool.
The "stock charting" tool turned out to be a Trojan horse called the "Beast," according to the government. An unsuspecting Westborough, Massachusetts investor -- unnamed in the complaints -- ran the program, and sometime thereafter accessed his online brokerage account with TD Waterhouse, while the Beast silently logged every keystroke. Dinh allegedly swept in later and downloaded the logs, obtaining the man's username and password."
Read the rest of the article to learn more. Reuters offers additional coverage.
Working as an Independent Contractor
"The SOHO Resource Group, for example, which partners with Techies.com, will redirect your 1099 (self-employed/contractor) income into a personal Profit Center, converting the income to W-2 status.
SOHO offers access to conventional corporate benefits such as medical and dental insurance and a 401(k) plan. The fee--4 percent of the first $60K in annual income--may be well worth the price for the benefits and time and aggravation saved."
Several years ago I found the book From Serf to Surfer: Becoming a Network helpful. It's out of print, even though it's only three years old.
Tuesday, 07 October 2003
Sourcefire Redefines Intrusion Detection
- Company
  - As a company, Sourcefire is firing on all cylinders. After being founded in Mar 01, they shipped their first IDS appliance in Nov 01, their 100th in Aug 02, their 1000th in Jun 03, and will ship their 2000th shortly. Projecting forward, they could be the #3 IDS vendor in terms of shipped units by year's end. Marty estimates 100,000 installations of the open source version of Snort.
  - Sourcefire received about $7.65 million in funding in Feb 02, and another $11 million in Feb 03. $8 million is cash in the bank. They were cash flow positive in Q3 of 03 and will be profitable in late Q1 of 04. During the last year, sales increased from $2.1 million to $23.2 million.
  - In Feb 02 Sourcefire employed 4 people. Within the last year they've grown from 22 to 90 employees, supporting 300 customers.
- Detection Theory
  - IDS is "an automated system that monitors traffic on a network and based on defined rules/policies alerts administrators to possible intrusions, misuses, or defined malicious behavior."
  - The "fundamental mission" of IDS is data reduction, which is accomplished via stateful packet inspection and protocol anomaly detection.
  - IDS provides awareness (how is my network/security architecture working, and are policies enforced?) and analysis (when intrusions occur, what happened and how can I prevent future trouble?)
  - "Classic IDS" does not "protect" networks. (Amen!)
  - Other vendors hype "sensing technology," when data management is the real issue. Sourcefire has spent 5-6 man-years of research and development solving this issue.
  - Most IDSs operate in a "contextual vacuum," unaware of network architecture, assets, and their criticality. (My comment: without context, human analysts collect and analyze the data necessary to make decisions manually.)
- Network Awareness
  - Active vulnerability assessment tools are limited. Their "intermittent picture" misses laptops, multi-OS systems, and assets reconfigured by intruders to be hidden. Scanning for all active services takes too long, so not all protocols, ports, and services are found. Active scanning disrupts availability and consumes bandwidth.
  - Passive discovery sees everything active on the network. It is "persistent" and "real-time," "all the time." It transforms traditional IDS into a "target-based IDS" by eliminating "nontextuals," or alerts without context.
  - Passive discovery also performs vulnerability and protocol/port/service profiling, change detection, and policy compliance monitoring. Using confidence models (percentages based on observed traffic, or decaying half-life models when nothing else is seen), one can answer questions like "What hosts run SSH on ports other than 22 TCP?" or "What hosts run vulnerable SSH services?"
  - Taken further, upon seeing an attack, the IDS can report if it sees a new protocol/port/service in time X, perhaps indicating installation of a back door.
  - An IDS supplemented by RNA technology is "self-tuning." Admins can assign priorities to their assets and tell an RNA-assisted Intrusion Prevention System (IPS) which actions to take against various threats. Responses range from simply alerting, to updating a policy on an access control device, to blocking packets or whole sessions.
- The Next Generation
  - Next generation technology offers control (via firewall and traffic filter integration) and monitoring (via threat detection and policy enforcement).
  - The "Sourcefire Insight System" consists of (1) "IDP" (intrusion detection and prevention -- thanks Yen-Ming!) capable of IDS, threat monitoring, policy enforcement, and intrusion prevention; combined with (2) RNA, offering asset profiling, vulnerability assessment, behavioral analysis, network mapping, and policy enforcement, and (3) a console, doing correlation, policy optimization, and sensor management. An "inline" IDP to provide its own access control (like IPS) is being researched.
  - The Sourcefire console has two models, with the $18,000 box handling 40 million events and the ~$60,000 box handling 200 million events. Both use a proprietary embedded database that could handle 30,000 events per second before keeling over during the MSBlaster attacks.
  - RNA technology is designed to be lightweight so as to facilitate embedding it elsewhere. Upcoming platforms will offer two network ports, and future boxes will have six to seven.
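To make the "Network Awareness" ideas above concrete, here is an added example (not Sourcefire or RNA code) of a passive service profiler: it fingerprints server responses, scores each host:port with a traffic-based confidence that decays by a half-life when nothing more is seen, answers "which hosts run SSH on ports other than 22?", and flags a port that first appears shortly after an IDS alert. The fingerprints, half-life, hosts and captured payloads are all constructed for the example.

```python
"""Passive service discovery with half-life confidence decay (added example,
not Sourcefire/RNA code; fingerprints, timings and sample records are constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HALF_LIFE = 3600.0  # seconds: confidence halves per hour of silence (assumed value)

# Constructed fingerprints: the start of a server payload identifies the service.
FINGERPRINTS = {b"SSH-": "ssh", b"HTTP/": "http", b"220 ": "smtp"}


@dataclass
class Service:
    name: str           # "unknown" until a fingerprint matches
    first_seen: float
    last_seen: float
    matched: int = 0    # responses whose payload matched a fingerprint
    total: int = 0      # all responses seen from this host:port

    def confidence(self, now: float) -> float:
        """Evidence ratio from observed traffic, decayed by age since last seen."""
        base = self.matched / self.total if self.total else 0.0
        age = max(0.0, now - self.last_seen)
        return base * 0.5 ** (age / HALF_LIFE)


# (host, proto, port) -> Service
Profile = Dict[Tuple[str, str, int], Service]


def observe(profile: Profile, ts: float, host: str, proto: str,
            port: int, payload: bytes) -> None:
    """Update the profile from one passively captured server response."""
    key = (host, proto, port)
    svc = profile.get(key)
    if svc is None:
        svc = Service("unknown", ts, ts)
        profile[key] = svc
    svc.total += 1
    svc.last_seen = max(svc.last_seen, ts)
    for prefix, name in FINGERPRINTS.items():
        if payload.startswith(prefix):
            svc.matched += 1
            svc.name = name
            break


def hosts_running(profile: Profile, service: str, now: float,
                  min_conf: float = 0.5,
                  exclude_port: Optional[int] = None) -> List[Tuple[str, int]]:
    """Hosts believed to run `service` now, e.g. SSH on ports other than 22."""
    return sorted(
        (host, port)
        for (host, _proto, port), svc in profile.items()
        if svc.name == service and port != exclude_port
        and svc.confidence(now) >= min_conf
    )


def new_services_after(profile: Profile, host: str, attack_ts: float,
                       window: float) -> List[Tuple[int, str]]:
    """Ports on `host` first seen within `window` seconds after an attack."""
    return sorted(
        (port, svc.name)
        for (h, _proto, port), svc in profile.items()
        if h == host and attack_ts < svc.first_seen <= attack_ts + window
    )


T0 = 1_000_000.0        # constructed epoch for the sample capture
ATTACK_TS = T0 + 150    # constructed IDS alert against 10.0.0.7

# Constructed observations: (ts, host, proto, port, first bytes from the server)
SAMPLE = [
    (T0 - 20 * 3600, "10.0.0.12", "tcp", 2222, b"SSH-2.0-stale"),  # silent for 20h
    (T0, "10.0.0.5", "tcp", 22, b"SSH-2.0-example"),
    (T0 + 10, "10.0.0.9", "tcp", 8080, b"HTTP/1.1 200 OK"),
    (T0 + 20, "10.0.0.9", "tcp", 8080, b"\x00\x01binary"),          # unmatched
    (T0 + 30, "10.0.0.7", "tcp", 2222, b"SSH-2.0-example"),
    (T0 + 60, "10.0.0.5", "tcp", 22, b"SSH-2.0-example"),
    (T0 + 90, "10.0.0.7", "tcp", 2222, b"SSH-2.0-example"),
    (T0 + 120, "10.0.0.5", "tcp", 22, b"SSH-2.0-example"),
    (T0 + 300, "10.0.0.7", "tcp", 31337, b"hi"),                    # after the alert
]


def build_profile() -> Profile:
    """Replay the constructed capture into a fresh profile."""
    profile: Profile = {}
    for rec in SAMPLE:
        observe(profile, *rec)
    return profile


if __name__ == "__main__":
    prof = build_profile()
    now = T0 + 400
    print("SSH on non-22 ports:", hosts_running(prof, "ssh", now, exclude_port=22))
    print("HTTP at conf >= 0.5:", hosts_running(prof, "http", now))
    print("New on 10.0.0.7 after alert:",
          new_services_after(prof, "10.0.0.7", ATTACK_TS, 3600))
```

The host silent for twenty hours drops below the threshold and is not reported, while the port that appeared on 10.0.0.7 after the alert is surfaced as a possible back door.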
Following the prepared talks, Marty gave a live demo of a beta version of RNA watching traffic from Sourcefire to the Internet. It could profile 40 unique services now. Visibility to hosts behind NAT and proxies is an issue, but research continues to address these issues. The product's visualization features actually looked useful, unlike other more expensive products I've seen. He showed nodes in cone trees, and hinted hyperbolic trees like those of CAIDA's walrus are forthcoming.
Overall, I highly recommend you sign up to see Marty speak. It's the clearest indication that Gartner has no clue regarding the future of IDS! If Gartner had done its homework, it might have read Ron Gula's 1999 paper on "Passive Vulnerability Detection," which explains many of the concepts put to operational use in RNA today. Ron's current implementation is NeVO.
Saturday, 04 October 2003
SRI Patent on "Hierarchical event monitoring and analysis"
"A computer-automated method of hierarchical event monitoring and analysis within an enterprise network including deploying network monitors in the enterprise network, detecting, by the network monitors, suspicious network activity based on analysis of network traffic data selected from the following categories: {network packet data transfer commands, network packet data transfer errors, network packet data volume, network connection requests, network connection denials, error codes included in a network packet}, generating, by the monitors, reports of the suspicious activity, and automatically receiving and integrating the reports of suspicious activity, by one or more hierarchical monitors."
I thought this was alarming until I started browsing through the linked patents and found just about everything under the sun has been patented. How can SRI or anyone expect a patent like this to withstand scrutiny, since anyone can point to Marty's 1999 LISA talk on Snort as prior art, or Todd Heberlein's 1990 paper on network security monitoring?
New Wireless Access Point
A book I'm perusing suggests three vendors for wireless products: HyperLink Technologies, Signull Technologies, and TechnoLab Inc.
CERT Publishes Report on CSIRTs
Link Between Viruses and Organized Crime?
"'That is definitely a legitimate concern,' said Michael Shema, a widely recognized expert on Internet security and author of two books on the hacker mentality. Shema said there is considerable evidence to support what otherwise would be romantic conspiracy theories about the connection of viruses to the world of organized crime.
Friday, 03 October 2003
Hacker High School Asks for Help
"HHS is a non-profit, grassroots program originally designed as an after-school computer club; however, with its 10 lesson workbooks, it can easily stand on its own as a small course, integrated into a course, or as a college study program for interested students. HHS exists as a learning tool for Security Awareness Training and actually has as much in common with hacking as depicted in movies as a man does to a mouse."
Earlier Pete wrote me in response to my earlier story on ISECOM:
"I just wanted to say we are not competing with SANS on any level. Maybe you knew us as Ideahamster, a name we changed because the volunteers requested it. The name is different but the roots are the same. We are a small group proactively trying to better the security profession and security in general. Nobody on the team draws a salary through ISECOM as we are all volunteers. We operate as a non-profit out of Barcelona and provide a certification authority through a university, La Salle of Barcelona, on two 60-hour courses (OPST and OPSA) which are also taught at this and other universities. For these classes ISECOM does not charge for materials and trains the trainers for free. The little bit of money we make off certificates goes to support grassroots projects like Hacker Highschool where we teach Internet security, legalities, and ethics to teens from 13 to 18 in Highschools.
As time goes on, ISECOM will offer more projects, bring on more volunteers, translate our documents into more languages, and hopefully offer more classes at the university level."
Earth Station Five Back Door
"There exists malicious code in ES5.exe's 'Search Service' packet handler. By sending packet 0Ch, sub-function 07h to the 'Search Service''s IP:Port, a remote attacker could delete any file the user is sharing. If the remote attacker uses "filenames" with a relative path in them (eg. '..\..\..\WINDOWS\NOTEPAD.EXE'), the remote attacker could also delete files in eg. the windows and windows\system32 folders, or any other folder on the same partition as any of the shared folders.
IMPORTANT: This is not a bug! They intentionally added this code to ES5... There also exist a lot of other vulnerabilities in ES5 (eg. DoS attacks, buffer overflow bugs, and so on), but these all seem to be unintentional."
If anyone knows more about this, please email me at blog at taosecurity dot com. Thanks to the new ticker at left for this scoop.
Update: I learned of ES5's response by reading this Slashdot thread. ES5 claims the function exists to allow remote upgrades of their client.
Thursday, 02 October 2003
How Best to Keep Operating Systems Current?
In the medium term I'm looking at binary patches for my BSD operating systems, inspired by "An Automated Binary Security Update System for FreeBSD" (.pdf), posted at daemonology.net. While rebuilding from source works well, it's slow on older systems. I'm going to try building packages from source on fast systems that I can install elsewhere. Similar projects exist for OpenBSD and NetBSD. The OpenPkg project is another factor. Their goal is "the creation and maintenance of portable and easy to install software packages for use on the major Unix server platforms." It's based on .rpm.
Building a Trusted Apple Operating System
Being a BSD fan, I should give the OpenDarwin OS a try. The main obstacle appears to be limited hardware support, although I expect that to improve. Thankfully, on the software side there is a Darwin Ports project to keep the great BSD ports system working for this Apple project. The list of software is fairly small right now though.
IATF Forum Brings Government and Industry Together
This process seems driven by the National Information Assurance Partnership (NIAP), a joint NIST-NSA group "designed to meet the security testing, evaluation, and assessment needs of both information technology (IT) producers and consumers." The people who validate products appear to be part of the National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme (CCEVS) Validation Body, a group jointly managed by NIST and NSA.
Obviously I haven't figured out how all of this works. For example, I don't know how the Evaluation Assurance Levels like "EAL4" fit in. I do know that companies trying to get a product through this process can spend "half a million dollars" and 15+ months, according to speakers at the IATF Forum. Is this better security? I don't know yet.
Besides the Common Criteria, other groups assess security products.
- Neohapsis' Open Security Evaluation Criteria (OSEC) seems much more practical and current.
- ICSA Labs assesses a variety of products. They have certified some IDS already.
- The NSS Group describes itself as "Europe's foremost independent network and security testing organization." They tend to like Snort.
- While Talisker's site doesn't rate products, it is a comprehensive listing of security products and services.
Bob Hillery of the Institute for Security Technology Studies at Dartmouth described the findings of the 2002 Law Enforcement Tools and Technologies for Investigating Cyber Attacks: A National Needs Assessment. I'm going to watch the institute's what's new page for publication of their forthcoming nation-state "cyber threat" report.
You can watch for future events at the IAEvents Web site. Many require a clearance.