Showing posts from July, 2005

Notes for USENIX Security Students

In a few hours I will be teaching Network Security Monitoring with Open Source Tools at USENIX Security in Baltimore, MD. I have two items of interest for my students concerning their slides. First, the default Tethereal ring buffer syntax has changed. My first book, and the Tethereal slide, use this syntax:

tethereal -n -i -s -a duration:3600 -b 24 -w

The new syntax requires a filesize whenever -b (ring buffer mode) is invoked, like so:

tethereal -n -i -s -a filesize:1000000 -a duration:3600 -b 24 -w

Also, there is a slide missing before the Trafshow screen shot. It should look like this.

ISS Pursues Lynn Presentation Copies

It looks like I spoke too soon about the Lynn affair being closed. ISS is now pursuing Web sites posting Mike Lynn's presentation. For example, Rick Forno has removed his copy of the Lynn slides after receiving a cease-and-desist letter from lawyers representing ISS. The document (.pdf), by DLA Piper Rudnick Gray Cary US LLP attorney Andrew P. Valentine features this piece of exceptional grammar: "The posting is located on your [Forno's] website... and relates to a presentation that ISS decided not go give [sic] at the Black Hat 2005 USA Conference in Las Vegas, Nevada." The letter also states "On Wednesday, ISS and Cisco sued Mr. Lynn and Black Hat for claims of copyright infringement, misappropriation of trade secrets, and breach of employment agreement in connection with improper distribution of the material. On Thursday, Judge Jeffrey White of the United States District Court for the Northern District of California issued a permanent injunction preven

New Cisco Advisory and Statements

I guess we can wrap up the Cisco and ISS vs. Mike Lynn and Black Hat saga by mentioning the new Cisco security advisory released today: IPv6 Crafted Packet Vulnerability , which states: "(IOS®) Software is vulnerable to a Denial of Service (DoS) and potentially an arbitrary code execution attack from a specifically crafted IPv6 packet. The packet must be sent from a local network segment. Only devices that have been explicitly configured to process IPv6 traffic are affected. Upon successful exploitation, the device may reload or be open to further exploitation." Assuming these details are correct -- and who knows now? -- this is not an earth-shattering discovery. However, this may have been a sample vulnerability Mike demonstrated to explain his technique. He may have picked this vulnerability because he thought it would not affect much of the Internet, but he needed to let people know that his technique was already in use by malicious parties. Cisco's main security pa

Mike Lynn Presentation Online

Rick Forno has posted a .pdf of Mike Lynn's presentation. So much for the removal of pages from the Black Hat books by Cisco goons! This is a pathetic charade that public relations personnel and lawyers should study in the future. Cisco and ISS have handled this in exactly the wrong way. Did they ever think they could suppress information at a hacker convention, of all places? Bruce Schneier has weighed in as well: "Despite their thuggish behavior, this has been a public-relations disaster for Cisco. Now it doesn't matter what they say -- we won't believe them. We know that the public-relations department handles their security vulnerabilities, and not the engineering department. We know that they think squelching information and muzzling researchers is more important than informing the public. They could have shown that they put their customers first, but instead they demonstrated that short-sighted corporate interests are more important than being a responsibl

Mike Lynn Settles

It appears Black Hat presenter Mike Lynn has avoided personal disaster, according to Brian Krebs: "Under the terms of a permanent injunction signed by a federal judge this afternoon, Lynn will be forever barred from discussing the details about his research into the vulnerabilities he claimed to have discovered in the widely used Cisco hardware." I recommend reading the rest of Brian Krebs' story for details. I saw this NANOG post refer to a FrSIRT advisory, but the relevant FrSIRT page has been removed (though not without trace). In case anyone has forgotten, I remember attending the presentation by FX of Phenoelit.de at Black Hat USA 2003 involving heap-based overflows in Cisco IOS. It was an extension of work he presented at Black Hat USA 2002. His Ultimaratio page has more info, and he published a Phrack article and an exploit for Cisco IOS 11.x. Maybe Mike Lynn's mistake was working for a security company (ISS) and with a vendor (Cisco) and being a

Snort 2.4 Released

Snort 2.4.0 has been released. Here are the release notes. The obvious change in this release is the removal of all rules from the snort-2.4.0.tar.gz tarball. The rules are available separately. Marty assures me that the rule download page will have rules available for non-subscriber and non-registered Snort users by close of business today. Update: All rules are available -- even those for unregistered users. Nice work Sourcefire.

Distributed Traffic Collection with Pf Dup-To

The following is another excerpt from my upcoming book titled Extrusion Detection: Security Monitoring for Internal Intrusions. I learned yesterday that it should be available the last week in November, around the 26th. We've seen network taps that make copies of traffic for use by multiple monitoring systems. These copies are all exactly the same, however. There is no way using the taps just described to send port 80 TCP traffic to one sensor, and all other traffic to another sensor. Commercial solutions like the Top Layer IDS Balancer provide the capability to sit inline and copy traffic to specified output interfaces, based on rules defined by an administrator. Is there a way to perform a similar function using commodity hardware? Of course! The Pf firewall introduced in Chapter 2 offers the dup-to keyword. This function allows us to take traffic that matches a Pf rule and copy it to a specified interface. Figure 4-17 demonstrates the simplest deployment of this sort of s

Free Michael Lynn

Ex-ISS X-Force researcher Mike Lynn is in a world of hurt right now. Yesterday he delivered a briefing at Black Hat on Cisco security flaws. Lynn decided to resign from ISS instead of complying with the wishes of his employer and Cisco to keep his discoveries quiet. For a lot more detail, I strongly recommend reading the Brian Krebs Security Fix blog hosted by the Washington Post. Krebs is in Las Vegas and has spoken with Lynn, who "has been served with a temporary restraining order designed to prevent him from discussing any more details about the flaw...[and] is scheduled to appear in federal district court at 8:00 a.m. Thursday." (!) I think it's time to start a Free Michael Lynn campaign to pay for his legal bills. Update: Within this Slashdot thread is a comment by someone claiming to be Mike Lynn. Here is Cisco's statement. Also, SecurityFocus has a good article with this statement: "Lynn outlined a way to take control of an IOS-based router, usi

Snort "Not Eligible" for Zero Day Initiative

I recently wrote about TippingPoint's Zero Day Initiative (ZDI), a pay-for-vulnerabilities program. Thank you to the poster (whom I will keep anonymous) for notifying me of this article, Vendors Compete for Hacker Zero Days by Kevin Murphy. It features this quote: "[C]ompetitors will have to sign agreements to the effect that they will not irresponsibly disclose the information, and that any data they provide to their own customers cannot be easily reverse engineered into an attack, he [3Com's David Endler] said. "'Some technology based on Snort would not be eligible because Snort by its nature is open,' Endler said, referring to the open-source IDS software. 'But there are products based on Snort that are closed. We'll have to take it on a case-by-case basis.'" This means Sourcefire will never be able to learn of ZDI vulnerabilities. Any registered Snort user can download Sourcefire VRT rules and see everything except rules younger than five d

Public Network Security Operations Class

I am happy to announce the first public Network Security Operations class is tentatively scheduled for the last week in September, starting Tuesday 27 September and ending Friday 30 September. The class is tentatively scheduled to be held at Nortel PEC in Fairfax, VA. I plan to offer 13 seats to the public, at a cost of $2995 per seat. The course offers four sections, one per day:

Network Security Monitoring: theory, tools, and techniques to detect sophisticated intruders
Network Incident Response: network-centric means to contain and remediate intrusions
Network Forensics: collect, protect, analyze, and present network-based evidence to prosecute or repel intruders
Live Fire Exercises: apply the preceding three days of skills in an all-day, all-lab environment

More information is contained in either the color .pdf or the grayscale .pdf flyers. Once I have confirmed the location and time, I will post those details at the TaoSecurity training page. Interested parties should

Unable to Specify Interface for TCP Portmapper

I'm crushed. Today while working on a FreeBSD system with multiple interfaces, I noticed the portmapper (rpcbind) listening where I didn't think it should be.

# sockstat -4 | grep rpcbind
root rpcbind 354 10 udp4 127.0.0.1:111 *:*
root rpcbind 354 11 udp4 10.0.0.1:111 *:*
root rpcbind 354 12 udp4 *:1007 *:*
root rpcbind 354 13 tcp4 *:111 *:*

The UDP version was listening on interface 10.0.0.1 as I expected. What was the TCP version doing listening on all interfaces? Also, what was port 1007 UDP doing? I checked my /etc/rc.conf file to see if I had messed up the syntax.

rpcbind_enable="YES"
rpcbind_flags="-h 10.0.0.1"

That looked ok to me. I double-checked with /etc/defaults/rc.conf.

# grep "^rpcbind" /etc/defaults/rc.conf
rpcbind_enable="NO" # Run the portmapper service (YES/NO).
rpcbind_program="/usr/sbin/rpcbind" # p

Human Error Results in Being 0wn3d

Bill Brenner's article in the July 2005 Information Security magazine clued me in to a press release by the Computing Technology Industry Association (CompTIA). They announced the results of their third annual CompTIA Study on IT Security and the Workforce. From the press release: "Human error, either alone or in combination with a technical malfunction, was blamed for four out of every five IT security breaches (79.3 percent), the study found. That figure is not statistically different from last year." This study and the 2004 edition appear to be the source for other reports that claim 80% of security breaches are the result of human error. Note the CompTIA study says "Human error, either alone or in combination with a technical malfunction," is to blame. Nevertheless, I am not surprised by this figure. I rarely perform an incident response for an organization that is beaten by a zero day exploit in the hands of an uber 31337 h@x0r. In most cases someo

New RSS Feed

My RSS feed from 2rss.com is reporting "Bandwidth Limit Exceeded. The server is temporarily unable to service your request due to the site owner reaching his/her bandwidth limit. Please try again later." Those looking for a new RSS feed can use http://feeds.feedburner.com/Taosecurity. I will try to get this new icon on the blog template when Blogger cooperates.

SC Magazine IPS Reviews

Recently I received the new SC Magazine and noticed a new Group Test addressing so-called intrusion prevention systems. The reviewer was Christopher Moody, but I was unable to get any sort of background information on him. He has written most of the recent SC Magazine Group Tests, however. As you can read in the story, or in this press release, the Sourcefire IS-2000 won SC Magazine's "Best Buy" award. From the review: "Its high level of protection and simple rule writing using the Snort engine make it a good standalone product. But it is when it is used as part of the 3D System that it really takes off. Sourcefire's Defense Center provides excellent centralized management and reporting, and its Real-time Network analysis appliance gives a wider look at the network to help secure it." The Top Layer IPS 5500 Attack Mitigator was the SC Magazine Recommended product, even though it had a "small attack signature database compared to other prod

Thoughts on Web Application Security Consortium

Rather than post to his own blog, Aaron Higbee decided to bait me with a link to the Web Application Security Consortium's Web Security Threat Classification guide. Uh oh, there's that magic word -- "threat." Immediately I suspected this document's use of the word "threat" in the title might be problematic, as I doubted it would be a classification of the parties with the capabilities and intentions to exploit vulnerabilities in assets. The document description states "The Web Security Threat Classification is a cooperative effort to clarify and organize the threats to the security of a web site. The members of the Web Application Security Consortium have created this project to develop and promote industry standard terminology for describing these issues. Application developers, security professionals, software vendors, and compliance auditors will have the ability to access a consistent language for web security related issues." That so

Lancope's Take on NetFlow

Earlier this year I had a chance to try a Lancope Stealthwatch appliance. Recently Adam Powers from Lancope weighed in on the focus-ids list with ways NetFlow records can be best utilized for security purposes. This is part of a thread started by Andy Cuff (aka Talisker). To hear more from Lancope, check out their WebEx Wednesday at 11 AM eastern. David Sames started a second interesting focus-ids thread about IDS evaluation. The thread evolved into a discussion of the functions of various security devices. After a great post by Devdas Bhagat, I joined the fray. You can even see a vendor say I make "wrongheaded argument[s]". Oooh, scary. :)

Thoughts on TippingPoint Zero Day Initiative Program

Through the accursed Slashdot I learned of TippingPoint's Zero Day Initiative program. (Incidentally, I just figured out that Slashdot is like Saturday Night Live: we all remember it being a lot better years ago, it stinks now, yet we still watch.) According to this CNet story by Joris Evers, which cites TippingPoint's rationale for the program: "'We want to reward and encourage independent security research, promote and ensure responsible disclosure of vulnerabilities and provide 3Com customers with the world's best security protection,' David Endler, director of security research at TippingPoint, said in an interview." This program is similar to the iDEFENSE Vulnerability Contributor Program launched in 2002 amidst much fanfare. This April 2003 interview with iDEFENSE VPC Manager Sunil James is also enlightening. Part of the VCP is a retention reward program that paid a $3,000 bonus to the Danish CIRT and $1,000 to l0rd_yup for vulnerab

Sourcefire Certified Snort Integrator Program

Did you see Sourcefire's press release on its Certified Snort Integrator Program? If you're not in this program, and you use Snort to provide services or products to third parties, you can't deploy or sell sensors with Sourcefire VRT rule sets. The only exception involves major release versions of Snort, e.g., 2.3.0 or 2.4.0, each of which is packaged with the latest rules as of the day of release. The press release says "charter members of the program include: Astaro, BRConnection, Catbird Networks, Counterpane Internet Security, e-Cop, Netreo, NTT DATA CORPORATION (Japan), ProtectPoint, SecurePipe, StillSecure, VarioSecure Networks, VeriSign, Voyant Strategies and WatchGuard." If you own a Snort-based appliance or contract with a third party to provide Snort-based services, is your vendor on this list? If not, ask your vendor why not, and how they intend to keep their rules up-to-date. If you run Snort on your own to protect your own enterprise, this new pro

1000th Post

This is the 1000th TaoSecurity Blog post. Thankfully, after being broken for months, Blogger fixed the post tracking counter in time for me to notice this milestone. I started the blog on 8 January 2003 as a place to post word of new Amazon.com book reviews. I haven't read a new book since May, because I have been extremely busy launching my new company TaoSecurity. I plan to resume reading books very shortly, probably starting with Extreme Exploits. The blog has now evolved into a place where I record tips on using FreeBSD and other operating systems and applications. I also post thoughts on network security monitoring and related security topics. I constantly refer back to posts here to remember how I configured a program or what my thoughts were on a certain subject. I detest keeping bookmarks, so I try to store anything of value here. A bookmark has no context and says nothing about how or why I recorded it. In brief, this blog helps me keep a grip on developments

FreeBSD Status Report Second Quarter 2005

The latest FreeBSD Status Report makes for interesting reading. Many of the ongoing tasks are Google Summer of Code projects. Nmap author Fyodor posted that Google is spending $2 million to fund projects this summer, including ten for Nmap itself. I highly commend Google for devoting a small portion of its market capitalization to these coding efforts. Emily Boyd will redesign FreeBSD.org. Previous work includes the PostgreSQL Web site. Previews are posted here. Dario Freni is reengineering and rewriting FreeSBIE to include it in the source tree. Andre Oppermann is trying to raise enough money to fund three full months of dedicated development on improving the TCP/IP stack. I will contact the FreeBSD Foundation to see if they will accept tax-deductible donations on his behalf. Chris Jones is working on making gvinum ready for prime time. Andrew Thompson has an OpenBSD-like if_bridge interface ready for FreeBSD 6.0. Andrew Turner is integrating into FreeBSD the BSD I

Ron Gula Podcast

I finally got a chance to listen to a new podcast with Ron Gula. Sondra Schneider from Security University interviewed Ron. The podcast lasts about 26 minutes and discusses Ron's experience as an NSA red team aggressor and his work at BBN. I specifically liked Ron's discussion of the difference between access control and monitoring. He said making a firewall change affects customer service level agreements; hence, firewalls were part of operations as they had direct impact on moving packets. Monitoring was typically not an operational function, because it was passive and was not access control. Ron said IPSs need to be treated as part of operations (they are a firewall, after all) because they block traffic. Ron also pointed out confusion between credit card theft and identity theft. Some people consider the two events to be the same. This is not the case, since recovering from a stolen credit card is much easier. Here is Ron's bio, for those of you not familiar w

FreeBSD Quality

The topic of the quality of FreeBSD has recently appeared in several places. Earlier this week SecurityFocus reported on the results of a study by Coverity. From Coverity's 27 June 2005 press release: Coverity "released software defect and security vulnerability results for FreeBSD 6.0... [and] found 306 software defects in FreeBSD's 1.2 million lines of code, or an average of 0.25 defects per 1,000 lines of code." That is interesting, considering they did the study well over a month ago, before 6.0 was even in BETA status. Also: "FreeBSD security is getting better very quickly - over the course of a year, FreeBSD's code size doubled, while the total number of defects went down by 50%." The SecurityFocus story made this observation: "Not all the potential flaws found by analysis tools are security holes. For FreeBSD, while 306 problems were flagged by Coverity's software, only 5 issues could be triggered by user input. The software classif

Visa and AmEx Pull the Plug on CardSystems

Thanks to Richard Stiennon for informing me that Visa and American Express will no longer allow CardSystems Solutions to process their credit cards. I am stunned, but in a good way. If companies begin to take security seriously, I will be very pleased. If this turns into a rationale to justify the current "compliance = security" mindset, then nothing will change and more organizations will be compromised. The CardSystems news page reported yesterday that John Perry, President and CEO of CardSystems, "look[s] forward to the opportunity to share CardSystems' story with the [Congressional] Subcommittee." I found the press release by the House Financial Services Subcommittee on Oversight and Investigations saying the hearing is today at 10 am.

BSD Certification Group Publishes Survey Results

Yesterday the BSD Certification Group published the results of their task analysis survey. The 147 page report is available here. I found these excerpts interesting: The survey saw an "often expressed desire to see the eventual certifications emphasize advanced achievement and mastery of Unix knowledge in general and BSD usage in particular. Yet, desires that the certification be difficult to obtain were balanced by the concern to not neglect younger, entry level candidates or those more experienced who are coming to BSD from other computing platforms." "A proposition that specific knowledge of all BSDs be required was rejected by most in favor of emphasis on general Unix concepts, with an understanding of how and why BSD is unique. 'Linux vs. BSD' style topics were commonly rejected. A focus on BSD similarities instead of BSD differences was more often expressed. Interestingly, the least preference was for coverage of only a single BSD." Among all re

Excerpt from Network Forensics Chapter

A crucial component of using trusted tools and techniques is ensuring that the network evidence collected by a sensor can be read and analyzed in another environment. This may seem like an obvious point, but consider my recent dismay when I tried to analyze the following trace supposedly captured in Libpcap format. I started by using the Capinfos command packaged with Ethereal. On a regular trace, Capinfos lists output like the following.

bourque:/home/analyst$ capinfos goodtrace
File name: goodtrace
File type: libpcap (tcpdump, Ethereal, etc.)
Number of packets: 1194
File size: 93506 bytes
Data size: 213308 bytes
Capture duration: 342.141581 seconds
Start time: Thu Jun 23 14:55:18 2005
End time: Thu Jun 23 15:01:01 2005
Data rate: 623.45 bytes/s
Data rate: 4987.60 bits/s
Average packet size: 178.65 bytes

On the trace in question, Capinfos produced this odd output.

bourque:/home/analyst$ capinfos bad2.tcpdump.052705
capinfos: An error occurred after reading 1 packets from "ba

Scary New Dangers in Cyberspace

I sometimes watch TV, and I happened to catch a story on ABC World News Tonight called "Your Computer's Stealth Identity Thief." I listened carefully and learned about something scary called a "keylogger." I even saw some cool shots of Symantec's cyber ninjas tapping away on their uber-31337 keyboards. I really paid attention to the tips to help protect [my]self against key logging, spyware, and other computer viruses like "Do not click OK on pop-up windows without first reading them thoroughly." The next time I see a pop-up that says "It's ok, I won't 0wn j00," I'll feel better! Obviously I am jaded by stories about old technology. For Pete's sake, Bugbear from mid-2003 had a keylogger built in. I'm sure there are even older examples out there. Worse, none of the "tips" mention the steps that would really make a difference, in order of least to most impact on change of user habits: Patch your system

News from Visa on Payment Card Industry Standards

Today I got an email from Visa about their participation in the Payment Card Industry standards. They wrote: "A key component of PCI Data Security Standard implementation success is merchant and service provider compliance. When Standard requirements are enforced, they can provide a well-aimed defense against data exposure and compromise. This is why on-site PCI validation assessments performed by Visa-approved Qualified Data Security Companies (QDSC) have become increasingly critical in today’s environment. The proficiency with which a QDSC conducts an assessment can have a tremendous impact on the consistent and proper application of PCI measures, and controls. Given this very important fact, Visa is modifying its process to qualify security companies that choose to take on the role of a QDSC... At a high level, to meet the new qualification requirements, security companies must: (a) apply as a firm for qualification in the program; (b) provide documentation of financial stabi

Stiennon on Enforcement

Richard Stiennon's blog makes a great point today. He says "The entire IT security market is focused on protections. This is great as more and more protections by default are deployed. But I believe that enforcement actions must be taken as well. There is some sign that cooperation between enforcement agencies in the UK, Israel, and Russia have been effective. The most important was the breaking up of a ring of cyber-extortionists in 2003 that dramatically slowed the number of DDOS incidents. As it will be a while before prosperity finds its way to every corner of the globe it is imperative that law enforcement agencies start working together to track down and jail cyber criminals now." He is completely correct. Remember the risk equation: Risk = Threat x Vulnerability x Cost (of asset). We security practitioners (and our clients) can only really influence the vulnerability aspect of the equation. We can't usually decrease the value of an asset, either. Only tho

Draft of Extrusion Detection Submitted for Copyediting

I am happy to report that I just submitted the final draft of my next book Extrusion Detection: Security Monitoring for Internal Intrusions to my publisher, Addison-Wesley. The new book is a sequel to The Tao of Network Security Monitoring: Beyond Intrusion Detection. I think readers will find the new book very interesting. Thus far my reviewers have provided positive feedback. For those interested in the mechanics of book writing: I thought of the idea last summer, just after my first book arrived. I signed a contract in November, then began writing in January. My first due date was 1 April for half the book in draft form, followed by the rest of the book in draft form by 1 June. I've been working on addressing reviewer feedback since late June, and now the book is ready for copyediting. The chapter-level table of contents is listed next.

Network Security Monitoring Revisited
Defensible Network Architecture
Extrusion Detection Illustrated
Enterprise Network Instrumentati

FreeBSD 6.0-BETA1 Available

The availability of FreeBSD 6.0-BETA1 was just announced. I am excited to see this release approaching. Here are a few excerpts from the release announcement thread that may be of interest. Colin Percival: "The FreeBSD Security Team will support FreeBSD 5.x until at least the end of September 2007." Colin Percival: "If I was deploying a new server today, I'd install FreeBSD 5.4. If I were planning on installing a new server next month, I'd install FreeBSD 6.0-BETA-whatever-number-we're-up-to-by-then." Scott Long: "There will be a 5.5 release this fall and possibly a 5.6 a few months after that. Per the standard procedure, the security team will support the branch for 2 years after the final release. There will likely be other developers who have an interest in backporting changes to RELENG_5 for some time to come, just as has been done with RELENG_4. So the earliest that RELENG_5 will be de-supported is late 2007." Scott Long: "Part

New Libpcap and Tcpdump Available

Yesterday Libpcap 0.9.3 and Tcpdump 3.9.3 were released at Tcpdump.org. The changelog lists "Support for sending packets" as a new feature. This is the biggest release since 0.8.3/3.8.3 in March last year. I hope to see the FreeBSD ports tree updated to include these new versions, although eventually they will be imported into the base system.

Network Trace Archival and Retrieval

I don't pay close enough attention to the Pcap mailing lists. While doing research on WinPcap, I learned of a new project hosted at the WinPcap site called Network Trace Archival and Retrieval (NTAR). The Web site says "the main objective of NTAR is to provide an extensible way to store and retrieve network traces to mass storage." I found this post by NTAR developer Gianluca Varenni making the claim that NTAR is "a working prototype of a library that reads and writes the PCAP-NG format." PCAP-NG is a reference to the PCAP Next Generation Dump File Format as documented in an expired RFC Draft. If you would like to learn more about NTAR, check out the NTAR-workers mailing list. Searches of the tcpdump-workers mailing list show references to PCAP-NG back in February 2005, although a search of the Ethereal-dev mailing list has a mention in October 2003!

Auditors in Charge, but 0wn3d Anyway

I read in the latest SC Magazine this comment from Lloyd Hession, CSO of Radianz. "'What is really happening is the head of security is losing control over the security agenda, which is being co-opted by audit and this umbrella of controls... The ability to decide which security projects get funded is being taken out of the security officer's hands... This focus on regulatory issues is causing a loss of control over the security agenda, which is being pushed and dictated by the audit and controls group and meeting the requirements of the regulation." I see this focus on "controls" as more of the "prevention first and foremost" strategy that ignores the importance of detection and response. I had this reaction when I saw Dr. Ron Ross of NIST speak at a recent ISSA meeting. The NIST documents seem to focus on prevention through controls, and then they stop. The unfortunate truth is that prevention eventually fails, as readers of the blog and m

Net Optics Seminar on Passive Monitoring Access

I just received word that Net Optics will be hosting a free seminar titled Fundamentals of Passive Monitoring Access. It will start at 0830 on Wednesday 3 August 2005 at the Hilton Santa Clara in Santa Clara, CA. You will notice the seminar description uses terms like pervasive network awareness and defensible network, which I described when I spoke at Net Optics in May. I am scheduled to speak again at a Net Optics event in September in California. I will post details when available.

Verisign to Acquire iDEFENSE

The 45 survivors at iDEFENSE must be breathing a sigh of relief. Verisign will buy iDEFENSE for $40 million. That is $100 million less than the cost to acquire Guardent in December 2003. Verisign has over 3,500 employees according to its fact sheet, and it seems to be making ever bigger advances into the security market. I would be interested in hearing from any iDEFENSE insiders (anonymously here) what they think of this acquisition.

How Do You Read TaoSecurity Blog?

Would anyone care to mention how they read this blog? I ask because an owner of a site that aggregates blog postings thoughtfully asked my permission to include TaoSecurity Blog content on his site. I said I preferred to not have this blog's content aggregated and posted elsewhere. I prefer readers to visit this site directly or use the provided XML or RSS links. What are your thoughts?

How to Misuse an Intrusion Detection System

I was dismayed to see the following thread in the bleeding-sigs mailing list recently. Essentially someone suggested using PCRE to look for this content on Web pages and email:

(jihad |al Qaida|allah|destroy|kill americans|death|attack|infidels) (washington|london|new york)

Here is part of my reply to the Bleeding-Sigs thread. These rules are completely inappropriate. First, there is no digital security aspect of these rules, so the "provider exception" of the wiretap act is likely nullified. Without obtaining consent from the end users (and thereby protection under the "consent exception"), that means the IDS is conducting a wiretap. The administrator could go to jail, or at least expose himself and his organization to a lawsuit from an intercepted party. Second, the manner in which most people deploy Snort would not yield much insight regarding why these rules triggered. At best a normal Snort user would get a packet containing content that caused Snort to

New Desktop Computing Variant from ClearCube

Clued in by Slashdot I learned of this ZDNet article on ClearCube. This company sells "blade desktops." Users have a device ClearCube calls a "user port" on their desk. Remotely connected to the user port by Cat 5, fiber, or IP is a "PC blade" mounted in a "cage" sitting in a server room or data center. Smart management software allows administrators to switch user ports from blade desktop to blade desktop if one fails. The following diagram explains the same concepts in a single figure. Regular blog readers may remember my enthusiasm for thin clients like the Sun Ray and wonder how I view these blade desktops. For casual users who surf the Web, read email, and use office software, blade desktops are overkill. I think the Sun Ray is a better solution. For those who need Microsoft products, I imagine a solution incorporating VMware would be appropriate. I see blade desktops as a possible way to provide dedicated hardware t