Thursday, 27 April 2006

Risk Mitigation

If you've been following the last few days of posts, I've been thinking about security from a more general level. I've been wondering how we can mitigate risks in a digital world where the following features are appearing in nearly every digital device. Think about digital devices in your possession and see if you agree with this characterization of their development. Digital devices are increasingly: Autonomous: This means they act on their own, often without user confirmation. They are self-updating (downloading patches, firmware) and self-configuring...

Analog Security is Threat-Centric

If you were to pass the dark alley in the image at left, I doubt you would want to enter it. You could imagine all sorts of nasty encounters that might deprive you of property, limb, or life. Yet, few people can imagine the sorts of danger they encounter when using a public PC terminal, or connecting to a wireless access point, or visiting a malicious Web site with a vulnerable browser. This is the problem with envisaging risk that I discussed earlier...

Why Prevention Can Never Completely Replace Detection

So-called intrusion prevention systems (IPS) are all the rage. Since the 2003 Gartner report declaring intrusion detection systems (IDS) dead, the IPS has been seen as the "natural evolution" of IDS technology. If you can detect an attack, goes a popular line of reasoning, why can't (or shouldn't) you stop it? Here are a few thoughts on this issue. People who make this argument assume that prevention is an activity with zero cost or down side. The reality is that the prevention action might just as easily stop legitimate traffic. Someone has...

Thoughts on Patching

As I continue through my list of security notes, I thought I would share a few ideas here. I recorded these while seeing Ron Gula discuss vulnerability management at RMISC. Many people recommend automated patching, at least for desktops. In the enterprise, some people believe patches should be tested prior to rollout. This sounds like automated patching must be disabled. I'm wondering if anyone has implemented delayed automated patching. In other...

Wednesday, 26 April 2006

Return on Security Investment

Just today I mentioned that there is no such thing as return on security investment (ROSI). I was saying this two years ago. As I was reviewing my notes, I remembered one true case of ROSI: the film Road House. If you've never seen it, you're in for a treat. It's amazing that this masterpiece is only separated by four years from Swayze's other classic, Red Dawn. (Best quote from Red Dawn: A member of an elite paramilitary organization: "Eagle Scouts.") In Road House, Swayze plays a "cooler" -- a bouncer who cleans up unruly bars. He's hired...

Two Good IEEE Security and Privacy Articles

One of my favorite aspects of attending USENIX conferences is receiving free copies of magazines like IEEE Security and Privacy. The March/April 2005 issue (ok, I'm way behind when I use the freebie method) features two articles that might be interesting to security folks. First, if you want a good summary of trusted computing, read Protecting Client Privacy with Trusted Computing at the Server (.pdf). To get insights on the differences between computer science and computer engineering, try Turing is from Mars, Shannon is from Venus (.pdf)....

GAO Hammers Common Criteria

I've written about Common Criteria before. If you also think CC is a waste of money, read GAO: Common Criteria Is Not Common Enough by Michael Arnone. It summarizes and comments upon a report by the Government Accounting Office titled INFORMATION ASSURANCE: National Partnership Offers Benefits, but Faces Considerable Challenges. Mr. Arnone writes: GAO also criticized the National Information Assurance Partnership (NIAP) for not providing metrics or evidence that the Common Criteria actually improves product security. In addition, the Common Criteria...

Forensics Warnings from CIO Magazine

The April 2006 issue of CIO Magazine features an article called CSI for the Enterprise?. It addresses the rise of electronic data discovery (eDiscovery in some quarters) tools. For a management magazine, the article makes several useful points: Beware the Forensics Label -- Many salespeople attach the label "forensics" to their security and compliance analysis tools, and that can be very misleading. In law enforcement circles, "forensics" means a well-defined set of discovery and investigative processes that hold up in court for civil or criminal...

Disaster Stories Help Envisage Risks

The April 2006 issue of Information Security Magazine features an article titled Security Survivor All-Stars. It profiles people at five locations -- LexisNexis, U Cal-Berkeley, ChoicePoint, CardSystems, and Georgia Technology Authority -- who suffered recent and well-publicized intrusions. My guess is that InfoSecMag managed to arrange these interviews by putting a "happy face spin" on the story: "We know your organization was a security mess, but let's look on the bright side and call you an all-star!" Although the article is light on details,...

Risk and Metrics

I ran across some thought-provoking articles in the April 2006 CIO Magazine. The editor's introduction summarizes a major problem with calculating IT spending: As sophisticated as the technology and its countless uses have become, all too often the benchmark used to determine the proper level of an enterprise’s IT spending is alarmingly simplistic: the percentage of overall revenue for which IT accounts... Benchmarking IT spending as a percentage of revenue is a truly useless metric. Unfortunately, according to Koch [mentioned next], it remains...

Tuesday, 25 April 2006

Insights from Dr. Dobbs

I've been flying a fair amount recently, so that means I've been reading various articles and the like. I want to make note of those I found interesting. The March 2006 issue of Dr. Dobb's Journal featured a cool article on Performance Analysis and Multicore Processors. I found the first section the most helpful, since it differentiates between multithreading and hyperthreading. I remember when the FreeBSD development team was criticized for devoting so many resources to SMP. Now it seems SMP will be everywhere. In the same issue Ed Nisley writes...

Ethereal 1.0 Looms

Thanks to Anthony Spina for pointing out that Ethereal 0.99 was released yesterday. Jumping from 0.10.14 in late December to 0.99 now indicates to me that 1.0 will finally appear any day now. The release notes mention a new tool -- dumpcap. Dumpcap is a pure packet capture application, unlike Tcpdump or Tethereal. Those two programs are also protocol analyzers, and at least in the case of Tethereal that means larger memory footprints. I tried...

Monday, 24 April 2006

ENIRA Partners with Lancope

I've wanted to say something about ENIRA for several months now, but I've been under a non-disclosure agreement. This morning, however, I noticed this press release which quotes me. What's the fuss? ENIRA is a nearby company (in northern Virginia) that sells a Network Response System. It's essentially an incident containment appliance that isolates hosts when directed to do so. It's neither an IDS nor firewall -- layer 3, 4, 7 (IPS), or otherwise. ENIRA learns your network topology by accessing infrastructure devices (switches, routers, firewalls,...

Saturday, 22 April 2006

Three New Pre-Reviews

Several publishers were kind enough to send me review copies of three books last week. The first is Securing Storage: A Practical Guide to SAN and NAS Security by Himanshu Dwivedi. I have very little practical experience with SAN and NAS, and less with security for those technologies. I hope this book can get me up to speed on those topics. The second book is Practical VoIP Security by Thomas Porter. VoIP is being deployed everywhere, and I doubt security is being taken as a serious consideration. In many cases, VoIP traffic is being carried...

Friday, 21 April 2006

Future Public Training Dates

Most of my training is private. I wanted to let you know of a few public one-day or more classes I will be providing in the coming months. I will teach a one day course on Network Security Monitoring with Open Source Tools at the USENIX 2006 Annual Technical Conference in Boston, MA on Friday, 2 June 2006. This is the course to attend if you want to learn the essential components of network security monitoring. We will use tools on my Sguil VM in this class. I am happy to report that USENIX accepted a proposal for a new class as well. I will...

Tuesday, 18 April 2006

Best Comment of the Year

If you don't read the comments for this blog, you missed the best response of the year, attached to my earlier story on rootkit.com. T. Arthur points out the irony of a Hacking Exposed author pointing the finger at rootkit.com. Apparently Hacking Exposed is "the best selling computer security book ever, with more than 500,000 copies sold." Does that mean Stu and friends created half a million more threats? Are they responsible for all the script kiddies running attacks they learned about in HE? If you follow McAfee's logic, the answer is yes....

Dealing With Sguil Partition Issue

I operate several Sguil sensors in production environments for clients. At one location I have a single box deployment where the Sguil sensor, server, and database occupy a single FreeBSD platform. This wasn't the original configuration, but I am making do with what I was given. Here is the current df -h output.

# df -h
Filesystem Size Used Avail Capacity Mounted on
/dev/aacd0s2a 989M 76M 834M 8% /
devfs 1.0K 1.0K 0B 100% /dev
/dev/aacd0s2f 989M 106K 910M 0% /home
/dev/aacd0s2h ...

How Could I Have Missed This

It took this Slashdot thread to connect me with one of the greatest pieces of music produced in this century: Symantec Revolution. If you believe that, you deserve to listen to all 3:10 of it. This is right up there with the Ballmer videos, except there's only audio. Update: It gets better. Here's Check Point's anthem. I like the Symantec one bett...

McAfee Points Its Finger in the Wrong Direction Again

I just read Does Open Source Encourage Rootkits? and the associated McAfee report. In the article we have this quote: Rootkits are becoming more prevalent and difficult to detect, and security vendor McAfee says the blame falls squarely on the open source community. In its "Rootkits" report being published today, McAfee says the number of rootkits it has collected as malware samples has jumped ninefold this quarter compared with the same quarter a year ago. Almost all the rootkits McAfee has identified are intended to hide other code (such as spyware...

Monday, 17 April 2006

Cool News Taps from Net Optics

You know I am always on the prowl for new networking gear to perform network security monitoring. In fact, I may write a whole new book about the subject, pulling enterprise network instrumentation coverage from future editions of The Tao and other books and concentrating it in a single volume. In the spirit of sharing information on new gear, I am happy to let you know about two cool new products from Net Optics. The first is the 10/100 Teeny...

Profiling Sensors with Bpfstat

In the TaoSecurity lab I have three physical boxes that perform monitoring duties. I wanted to see how each of them performed full content data collection. Note: I do not consider what I am about to blog as any sort of thorough or comprehensive test. In fact, I expect some of you to flail about in anger that I didn't take into account your favorite testing methodologies! I would be happy to hear constructive feedback. I am aware that anything resembling a test brings out some of the worst flame wars known to man. With those caveats aside,...

Friday, 14 April 2006

FreeBSD Status Report First Quarter 2006

The FreeBSD Status Report First Quarter 2006 has been posted. Notable items include Colin Percival meeting his fundraising goal -- thank you! Remember that BSDCan 2006 takes place 12-13 May in Ottawa. I will be elsewhere that week and unable to attend. The Status Report lists lots of cool developments that are worth perusing. I noticed the End-of-life security schedule says FreeBSD 5.4 will no longer be supported after 30 May 20...

Thursday, 13 April 2006

Share Pictures of Your Network Gear

I'm creating a class describing how to access network traffic in order to conduct network security monitoring. I'd like to know if anyone would mind sharing photos of their network closets, with descriptions of the gear in the rack and their network diagram. I'm looking to learn how you get connectivity from your ISP, where that link goes, and what your core, distribution, and access layers look like. I don't need to know about your desktops or whatever. I really just want students to get a look at a network closet and the sorts of connectors,...

Installing FreeBSD Java Binaries

I just posted about the new FreeBSD Java packages. I figured I would try them out and show how the process works. It's been a while since I last described installing Java, back when compiling from source was required. After downloading the binary for FreeBSD 6.0, I tried to install it.

orr:/tmp# ls -al diablo-jdk-freebsd6-1.5.0.06.00.tbz
-rw-r--r-- 1 richard wheel 54624741 Apr 13 07:30 diablo-jdk-freebsd6-1.5.0.06.00.tbz
orr:/tmp# pkg_add -v diablo-jdk-freebsd6-1.5.0.06.00.tbz...

FreeBSD News

I have a few news items of interest to FreeBSD users. First, FreeBSD 6.1-RC1 is now available. The schedule has not been updated, but I'm hoping to see the new release before or during the first week in May. I bet the developers will try to get it out the door before the end of this month, though. If you use Java on FreeBSD, you'll be happy to hear that Java JRE 1.5 and JDK are available as binaries, courtesy of the FreeBSD Foundation. Securing the license to make this happen cost $35,000. This is how our donations...

Tuesday, 11 April 2006

Review of The Definitive Guide to MySQL, 3rd Ed Posted

Amazon.com just posted my three star review of The Definitive Guide to MySQL, 3rd Ed. From the review: I read and reviewed MySQL Press' MySQL Tutorial by Luke Welling and Laura Thomson two years ago. I thought Tutorial was a great, concise (267 pages including index) MySQL overview. I hoped The Definitive Guide to MySQL 5, 3rd Ed (DG, 748 pages) would extend my understanding of MySQL beyond the coverage in the Tutorial. Unfortunately, I found the...

Tips on MySQL Accounts in Sguil VM

In an otherwise unremarkable book on MySQL, I found good advice on database accounts and authentication. Here is what the accounts look like in the Sguil VM I just released.

taosecurity:/home/analyst$ mysql -u root -p
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 6 to server version: 5.0.18
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> use mysql;
Reading...

Monday, 10 April 2006

Bug in Latest VMware Server Beta Affects Sguil VM

A bug in the latest VMware Server Beta (22874) affects my newest Sguil VM. I like to deploy the VM so that VM management interface lnc0 is bridged to /dev/vmnet0, and the sniffing interface lnc1 is bridged to /dev/vmnet2. On Linux this means that /dev/vmnet0 corresponds to eth0 and /dev/vmnet2 corresponds to eth1. You can see in the screen capture at right that my second interface is listed as a "custom" network associated with "VMnet2". When I tried...

Saturday, 08 April 2006

Simple Bandwidth Measurement

If you read my first book you know I prefer small applications that run in Unix terminals to more complicated programs. I decided to get a sense of the bandwidth being monitored at several sensors deployed at client sites. I did not want to install MRTG or Ntop to answer simple questions like "What is the maximum bandwidth seen by the sensor?" or "What is an average amount of traffic seen?" I decided to try bwm-ng. It's in the FreeBSD ports tree as bwm-ng. (Don't think I'm abandoning FreeBSD for Debian. Nothing can beat FreeBSD's package system...

Friday, 07 April 2006

Virtualization is the New Web Browser

I read the first post by the president of VMware, Diane Greene. She discusses a subject that has been gnawing at my brain since I heard that Microsoft began offering Virtual Server as a free download. Ms. Greene makes two points. First, she promotes VMware's Virtual Machine Disk Format (VMDK) as an open alternative to Microsoft's Virtual Hard Disk Image Format Specification (VHD). I would obviously like to see an open standard prevail against a closed one. Second, she discusses "the question of whether virtualization should be tightly...

Converted FreeBSD SMP System to Debian

I decided my Dell PowerEdge 2300 needed to switch from FreeBSD to Debian. I wanted to try using this SMP system to run VMware Server Beta, which runs on Windows or Linux. I'd like to record two notes about how I got this system running Debian with the 2.4 kernel. First, the Dell PowerEdge 2300 uses a Megaraid RAID system that is not supported by the 2.6 kernel that ships with Debian. I couldn't get the 2.4 version of the installation process to recognize the RAID either, meaning Debian didn't see a hard drive on which to install itself. I found...

Specifications for my Next Laptop

I've been running Windows 2000 and FreeBSD on my Thinkpad a20p for six years, and I've been considering replacements. That machine offered various features for which I had waited many months, such as a graphics card with 16 MB RAM, mini-PCI architecture for onboard Fast Ethernet, etc. Now I find myself considering the features I would like to see in my next-generation laptop. While I don't have any specific vendor or model in mind, here are the features I want: Intel Core Micro CPU, probably Merom- and Santa Rosa-based, offering dual cores, Virtualization...