Friday, October 31, 2003

Foundstone Wants YOU!

Looking for a security consulting job in the Washington, DC area? Foundstone is hiring senior consultants. If you're interested, email me at jobs [at] taosecurity [dot] com with your resume.

We've got other positions open across the company too. Check them out here -- sales, engineering, public relations, and so on need help. Again, email me your resume.

Thursday, October 30, 2003

Microsoft "Threats and Countermeasures" Guide

Microsoft published a new "Threats and Countermeasures Guide" (.exe, expands to .pdf) last month. Using my digital risk definitions provided by the Dynamic Duo (below), here's my evaluation of how well Microsoft uses the "threat" term in its new guide. A baseball analogy is used. Proper use of the term "threat" is bolded.


  • "Securing your network environment requires that strong passwords be used by all users. This helps avoid the threat of an unauthorized user guessing a weak password through either manual methods or tools to acquire the credentials of a compromised user account." Comment:Bravo. A threat is a party with capabilities and intentions, and an unauthorized user as described fits that model. One man on base.

  • "Because vulnerabilities can exist both when this value is configured, as well as when it is not, two distinct countermeasures are defined. Any organization should weigh the choice between the two based on their identified threats and the risks that they are trying to mitigate." Comment: Again, excellent. Two men on base.

  • "Blank passwords are a serious threat to computer security and they should be forbidden through both corporate policy and suitable technical measures." Comment:That's the first out! Microsoft should have used the term "vulnerability," meaning blank passwords are a weakness that can be exploited.

  • "The threat is that a globally visible named object, if incorrectly secured, could be acted upon by a malicious program which knew the name of the object." Comment: Out number two! Again, Microsoft should replace "threat" with "vulnerability." The "malicious program" is the real threat.

  • "This setting turns a repudiation threat (a backup operator could deny that they backed up or restored data) into a denial of service (DoS) vulnerability because a server could be forced to shut down by overwhelming it with logon events." Comment: This is awkward, as it mentions "threat" and "vulnerability" in the same sentence. However, clarifying that the threat is "a backup operator" shows proper usage of the term. Microsoft loads the bases.

  • "One potential threat is that of a user or users accidentally or deliberately filling the storage volume with data by causing an application log file to fill up the drive or by uploading files to the server." Comment: Another close call. The user is actually the threat, and the vulnerability is the weakness in design or configuration which allows that user to fill up the volume. I'll call that an RBI so Microsoft has a run on the board!

  • "The second potential threat is that of directory traversal exploits, in which an attacker takes advantage of a bug in a network service to navigate up the directory tree to the root of the system volume." Comment: Another RBI! This context is shaky as an exploit is actually a tool, and not a threat in and of itself. However, the context mentions an attacker using this tool, so I call that a valid use of the term threat.

  • "Firewalls located between the internal network and the Internet offer no protection against such internal threats." Comment: Microsoft puts another run on the board. Still two outs.

  • "Therefore, before deploying IPSec for any specific scenario, carefully consider and document the potential security threats that IPSec is intended to address, your security requirements, the costs of deploying IPSec versus the cost of not using it, and therefore the expected business benefits." Comment: Four runs! This is a reference to considering the threat model.


Aside from a minor mention in the last pages, that's all.

What of the document's title?

"Threats and Countermeasures: Microsoft Solutions for Security Security Settings in Windows Server 2003 and Windows XP."

Sorry, that's Microsoft's final out. "Threats" should really be "vulnerabilities," but would Microsoft admit its product has vulnerabilities? The entire document outlines weaknesses in Microsofts products and suggests countermeasures to mitigate those weaknesses. Kudos to Microsoft for writing the doc, and congratulations on a four run inning!

Orbitz Hacked; Watch Your Credit Cards

CNet reports that Orbitz was compromised, stating "Orbitz has notified law enforcement authorities about a recent security breach that has resulted in its customers' e-mail addresses falling into the hands of spammers." Apparently Orbitz is trying to dodge the California notification law by claiming "no indication that credit card information had been compromised."

Orbitz uses are reporting receiving spam to email addresses used only at Orbitz. I am an Orbitz user, but the email address I use isn't exclusively for Orbitz. However, I hardly get spam to the account I use for Orbitz. For the first 17 days of October, I received 5 spam emails. Over the last 12 days, I've received 20. That's not scientific, but something clearly changed recently.

It's likely that if intruders compromised Orbitz's account list they stole credit cards as well. This is NOT based on any "insider knowledge" of Orbitz or this case. I make this assessment based on experience working similar cases elsewhere. Keep an eye on your statements (online or offline) and report suspicious activity to the card issuer immediately. Changing your Orbitz password is a good idea too.

Wednesday, October 29, 2003

FreeBSD 4.9 Released Today

FreeBSD 4.9 was released today. Because I may use this OS as the platform for all tools in my Tao of Network Security Monitoring book, I bought a four-CD set from FreeBSD Mall that contains packages for the OS. It's also a small way to support the development of this free, open source OS. I'm hoping FreeBSD 5.2 will be released before the end of the year, since I'd prefer to write the book using that as my platform.

Tuesday, October 28, 2003

"Words Matter" -- To the Tune of $200 Billion

No, I'm not talking about a lame class-action lawsuit or an outrageous punitive damages award. $200 billion refers to the "$150 billion spent building unnecessary telecoms networks in America and another $50 billion in other parts of the world," according to a statement by Andrew Odlyzko, quoted in a recent Economist survey (subscription required). Mr. Odlyyzko wrote many papers debunking the myth of explosive Internet growth. My favorite professor at the JFK School of Government, Phil Zelikow, counseled his students that "words matter." In this case, the words that mattered were those in a 1998 Department of Commerce report The Emerging Digital Economy (.pdf):

"Traffic on the Internet has been doubling every 100 days."

Looking at the citation for this statement we read it the source as a "December 1997 phone interview with John Osborn, JD Power and Associates." Most people blame WorldCom, including former CEO Bernie Ebbers. The Economist wrote about this last year. Mr. Odlyzko tracks down the origins of this "statistic" in his 2003 paper "Internet Traffic Growth: Sources and Implications" (.pdf).

This report and its "100 days" quote was cited in speech after speech by Commerce officials. The telecom industry and especially equipment makes believed the party would never end, so they kept laying cable and building equipment to meet demand that didn't exist.

What was really happening? The Economist writes:

"In the four years from the beginning of 1998, says Andrew Odlyzko, a telecoms guru at the University of Minnesota, the amount of fibre in the ground increased fivefold. Meanwhile, advances in the technology of feeding signals into fibres at one end and extracting them at the other increased the transmission capacity of each strand of fibre 100-fold, so total transmission capacity increased 500-fold. But over the same period demand for transmission capacity merely quadrupled, a rise that could easily be accommodated by existing networks."

The result? According to the Economist:

"Exactly how much money has gone down the telecoms drain is hard to quantify, but many estimates hover around the $1 trillion mark."

Words matter, Professor Zelikow! Maybe they matter to the tune of $1 trillion?

New Spam?

Here's an email I received today. It reports I've been signed up for a mailing list and asks me to unsubscribe if I didn't sign up for the mailing list. Legitimate mailing lists tell you to ignore the message and do nothing if you didn't sign up. It looks like the mailing agent belongs to h24-71-223-11, who I guessed was 24.71.223.11. That IP resolves to h24-71-223-11.cg.shawcable.net. That machine is offering a mail server on port 25:

220 pd2mi3so.prod.shaw.ca -- Server ESMTP (iPlanet Messaging Server 5.2 HotFix1.18 (built Jul 28 2003))

However, that mail server doesn't allow mail relay.

I think the system which originated the email is (h0000864f50cd.ne.client2.attbi.com [24.62.13.114]).

A message from Yahoo! Groups wouldn't originate from a home AT&T user. The mailer agent is interesting too -- "Synapse, which is a synchronous TCP/IP library for Delphi, Kylix,
FreePascal, and C++ Builder," according to my friend John Ward. He also says "this was some tool written to be a dedicated, non-threading mass mailer due to its synchronious nature, probably a command line tool, written for either Windows or Linux."

From - Tue Oct 28 12:17:53 2003
X-UIDL: 20031028171245s1200r471be0032gq
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Received: from mx1.domaindiscover.com ([216.104.161.40])
by sccrmxc12.comcast.net (sccrmxc12) with ESMTP
id <20031028171245s1200l47cve>; Tue, 28 Oct 2003 17:12:45 +0000
Received: from h24-71-223-11 (h0000864f50cd.ne.client2.attbi.com [24.62.13.114])
by mx1.domaindiscover.com (Postfix) with ESMTP id 6B2CD31804
for ; Tue, 28 Oct 2003 09:12:37 -0800 (PST)
From: conspiracies_revealed-subscribe@yahoogroups.com
To: CENSORED@CENSORED.com
Subject: -Confirmation-
Date: Tue, 28 Oct 2003 06:30:20 -0800
MIME-Version: 1.0 (produced by Synapse)
x-mailer: Synapse - Delphi & Kylix TCP/IP library by Lukas Gebauer
Content-type: text/html; charset=UTF-8
Content-Transfer-Encoding: Quoted-printable
Content-Disposition: inline
Content-Description: HTML text
Message-Id: <20031028171237.6B2CD31804@mx1.domaindiscover.com>

Thanks for signing up for yahoo groups conspiracies_revealed this is your
comfirmation email. You can log in via the website www.nasaconspiracy.net
If you didn't sign up or someone else has
used your email to sign up please click unsubscribe

SB 1386 Impotent While CardCops Monitor for Your Card

Kevin Poulsen wrote another excellent article at SecurityFocus. He describes how no one has reported compromise of consumer credit card data in the four months since California's SB 1386, now enshrined in the state's civil code as 1798.29 and 1798.82-1798.84, was enacted. The is not unexpected. How can the authorities know who was compromised? It takes months to years for companies to make such discoveries on their own.

The most interesting aspect of the article is the mention of CardCops.com, which "offers consumers a paid notification service, in which he'll [CardCops] warn his customers if he spots their information in the chat rooms and websites frequented by credit card thieves." I was skeptical but the article claims "this month alone he [CardCops] traced stolen credit card information to breaches at five different online merchants, ranging from mid-sized businesses to modest mom-and-pop operations. When he contacted a sample of the exposed consumers, he was, in each case, the first to give them the bad news. "

Monday, October 27, 2003

The Dynamic Duo Discuss Digital Risk

I've been reading books and looking at product literature which discuss "security," "risk," "threat," and "vulnerability," each with a different definition. I don't think these terms are difficult to understand. I wrote the hopefully amusing vignette below to communicate my understanding of these terms. At least it won't bore you!

Meanwhile, at the Hall of Justice...

BATMAN: Robin, why the puzzled look?

ROBIN: Sorry, Batman.

B: Are my Bat Ears crooked again?

R: No Batman. I've been reading some books and vendor marketing literature on security, and I'm confused by their definitions of risk, vulnerability, and threat.

B: Oh, you've been researching to protect the Hall of Justice computer? Good for you. Tell me why you're confused.

R: I see so many people calling "vulnerabilities" and "threats" the same thing.

B: That's certainly not right. A vulnerability is a weakness in an asset which could lead to exploitation. A threat is a party with the capabilities and intentions to exploit a vulnerability in an asset.

R: Huh?

B: Let's try a few examples. Consider Superman.

R: I do, often.

B: I don't want to hear about that. Superman is an asset to the Hall of Justice, true?

R: He's definitely an asset.

B: I bet you think so. Think of Superman as an asset of the Hall of Justice's crime fighting arsenal. What is his weakness?

R: Kryptonite?

B: Close. Superman's weakness -- his vulnerability -- is the fact that Kryptonite nullifies the effect of the Earth's yellow sun, removing his super powers.

R: So what is Kryptonite?

B: Kryptonite is a weapon, or tool. But on its own it's nothing -- unless used by an evil party.

R: Like Lex Luthor?

B: Exactly. Lex Luthor is a threat, but only if he's carrying Kryptonite.

R: Lex Luthor is the threat, because his intentions are to harm Superman and his capability is instantiated by possession of Kryptonite. How does risk fit into this?

B: Let's define risk. Risk is the possibility of suffering harm or loss. It's a measure of danger. The loss of Superman would deal a crushing blow to the Hall of Justice's ability to fight crime.

R: That means we're talking about the risk of loss of Superman's crime fighting abilities, or more generally the loss of Superman. I don't know how to express that formally.

B: Let me help. Risk is the product of multiplying measurements of threat by vulnerability by cost of replacing an asset, also called that asset's value. So, R = T x V x C.

R: You did say risk was a measurement of the probability of loss. I don't know what the numbers should be for any of those factors.

B: It's ok to assign arbitrary values, say 1 to 5 for each factor, as long as you use the same scale when measuring different risks. How would you assess the risk to the Hall of Justice now?

R: I would assign a Kryptonite-equipped Luthor as threat 4, with Superman's vulnerability as 4, and cost as 5, for a total of 80.

B: Why didn't you assign the threat and vulnerability to each be 5? A Kryptonite-equipped Luthor has capabilities and intentions, and Superman's weakness can kill him.

R: I assessed the threat as 4 because I know Luthor has Kryptonite, but I don't know if he has enough to kill Superman.

B: That is prudent. His capability to exploit Superman could be diminished. You're factoring in uncertainty. How about the vulnerability rating?

R: Superman isn't completely vulnerable, since we fellow Super Friends would protect him if Lex appeared.

B: So you mean we Super Friends could be considered countermeasures to Superman's vulnerability?

R: Yes! Is that why the risk equation doesn't explicitly mention countermeasures?

B: You catch on quickly Robin. Although countermeasures could be included in the risk equation, they complicate the issue mathematically. Better to decrease the vulnerability rating if the countermeasure effectively mitigates the asset's weakness.

R: Batman, I'm starting to understand. What is security then?

B: Security is the process of maintaining an acceptable level of perceived risk.

R: That seems awfully specific.

B: Let me explain with another example. You know Fort Knox? And the gold it protects?

R: Of course. Gold is the asset protected by Fort Knox.

B: Let's assess the risk of theft of Fort Knox's gold. Risk is the probability of loss, remember? Assume that Fort Knox is so well protected, it has no vulnerabilities capable of exploitation by any human, Super Friend, or Legion of Doom member. Only a force of nature could damage Fort Knox, like a meteorite from space wiping out Kansas.

R: Holy invincibility, Batman! Let me see... I'd say the threat is low, maybe a 1, since there are evil parties with intentions to steal Fort Knox's gold. Since Fort Knox is invulnerable to anything but a force of nature, no party has the capability to harm it. I'd assess the vulnerability as 1, since Fort Knox could still be wiped out by that meteorite from space. The cost of replacement is immense -- definitely 5. That gives is 1 x 1 x 5 = 5. That means...

B: That's right Robin. The risk to the loss of Fort Knox's gold is 5, a very small number.

R: So Fort Knox's gold is secure?

B: It's almost perfectly secure, especially compared to Superman as a Hall of Justice asset. Let's change the equation. Do you know of the Marvel universe?

R: The what?

B: It's the source of better movies than our own DC universe. Anyway, in the Marvel universe, a creature called the Hulk exists.

R: Tell me about this beast.

B: For the purposes of this argument, believe that the Hulk could smash his way into Fort Knox if he so chose.

R: Is the Hulk evil? Does he covet gold?

B: No, he's a powerful but misunderstood creature. Do you know what you just did?

R: Let me guess -- I performed a threat analysis?

B: Excellent Robin. Your shorts aren't too tight after all. Now, on to the next step -- risk analysis.

R: Given the presence of the Hulk, I would assess the threat as a 4, the vulnerability as a 2, and the cost as a 5.

B: Why did you raise the threat level? I told you the Hulk wouldn't harm Fort Knox.

R: Maybe the Legion of Doom could trick the Hulk into breaching Fort Knox? Then the Hulk would have the capabilities and intentions to exploit the Fort.

B: Very good.

R: And I rated the vulnerability as a 2 and not higher, as even a creature like the Hulk would have a tough time powering his way through all that concrete and steel, surely?

B: True enough. You're getting the hang of this, Robin.

R: Thanks Batman. You're swell. Can I try this sort of analysis using the Hall of Justice computer?

B: You bet. We run OpenBSD on the Hall of Justice machine. Do you know if it has any vulnerabilities?

R: Well, I haven't updated OpenSSH yet, so there is a vulnerability. That's a 5. Let me do a threat analysis next. I would identify the threat as the Legion of Doom. Specifically, I bet Brainiac could code an tool that would exploit the vulnerable OpenSSH daemon.

B: That means the Legion of Doom has the capabilities and intentions to harm the Hall of Justice computer. We call that a "current credible threat."

R: I'd rate the threat a 4, since we aren't 100% sure the Legion of Doom has an exploit. They definitely capable of writing it though. That leaves cost of replacement, which I would assess as a 5. The Hall of Justice computer is a piece of critical infrastructure. The risk of loss of the Hall of Justice Computer is 4 x 5 x 5 = 100. That's immense!

B: Get to patching, Robin.

R: How can we reduce risk, Batman?

B: We can't reduce risk directly. We can only affect each of the factors. For the threat component, we could eliminate the party completely. Alternatively, we could try change their intentions by addressing why they hate us. We could also remove their capability to harm us, such as removing their financing or destroying their weapons.

R: That sounds like a way to deal with terrorists.

B: Perhaps. On the vulnerability side, you could patch the weakness directly. You could implement access control or other counter-measures to limit the ability of intruders to exploit the vulnerability. All of these factors decrease the vulnerability rating.

R: You're so smart Batman.

B: Thank you. On the cost side, we could completely replicate the Hall of Justice computer and host it off-site. While exploitation of the Hall of Justice computer would still be devastating, by implementing redundancy we could lessen the cost of replacing a damaged Hall of Justice computer.

R: Thanks Batman. You've really helped me understand risk!

B: You're welcome Robin. I hear the Bat Phone ringing -- to the Bat Poles!

Note: Multiplying numbers together, without any measurement or rank, isn't exactly the "science" one would like to see in risk assessment. The purpose of this exercise is to discuss definitions and show how breaking out individual components of risk (i.e., threat, vulnerability, and asset cost) helps us think about the problem. This is obviously a naive exercise so I prefer to focus attention on the definitions and their translation into a fictional case study.

Friday, October 24, 2003

What is Extrusion Detection?

Yesterday reading a brief article by Robert Moskowitz, I noticed the term "extrusion detection":

"There's no sure way to track spying data that leaves your network. Perhaps the next big security tool will be outward-bound--extrusion-detection systems."

Searching the Web, I found Mozkowitz mentioned the term four years ago, in this 29 Nov 99 article:

"What you need is a reversed IDT (intrusion-detection tool), and perhaps an EDT (extrusion-detection tool) that will perform automatic searches for your own metatags..."

However, Frank Knobbe has him beat, according to this 5 Nov 99 post, discussing SEC investigations of insider trading:

"...his sounds more like an Extrusion Detection than Intrusion... There are packages available that scan inbound and outbound emails for certain key words/key phrases, and dump these emails in a bucket where analysts (humans) can read, evaluate, and approve or deny them. I guess this raises the question if email scanners should be considered Intrusion Detection tools..."

Although much more recent, Ronald DuFresne wrote a short paper which mentions "EDS" but doesn't say a whole lot. Fidelis sells "Extrusion Prevention Systems" "for organizations with valuable digital assets that are concerned about the theft of proprietary information... Fidelis DataSafe EPS is an extrusion prevention system that detects and prevents the unauthorized network transfer of designated sensitive or valuable information."

Bamm and I used extrusion detection techniques during Code Red. It was easier to watch outbound traffic from our infected boxes than it was to monitor inbound intrusion attempts.

Wednesday, October 22, 2003

Foundstone Publishes White Paper on Integrating Vulnerability Assessment with Incident Response

A few months back I wrote a paper for my employer, Foundstone, on how we used the Foundstone software product (previously called "Foundscan," now known as "Foundstone Enterprise) when doing incident response. We found that after collecting IR data (not before, as some advocate) we could determine if the remediation action we recommended would be worthwhile. It's no use discovering an intruder has gained access via an unpatched IIS vulnerability if the organization also runs unpatched versions of OpenSSH! This whitepaper describes how best to use vulnerability assessment products to assist incident response actions. I apologize for the small font -- Foundstone's marketing people love tiny letters...

Will Companies Let U Penn Collect Monitoring Data?

Thanks to the SANS Newsbites, I just read a fascinating article by Dan Verton at Computerworld. He reports that insurer AIG will "will offer discounted insurance rates to customers that deploy security sensors being developed by the Cyber Incident Detection & Data Analysis Center." CIDDAC, which doesn't have a web site I could find, consists of AdminForce LLC, Air Products and Chemicals, the U.S. Department of Justice, the Electric Power Research Institute, General Motors Acceptance Corp., Harvey & Mortensen Attorneys at Law, Independence Blue Cross, Liberty Bell Bank, Lockheed Martin Corp., NetForensics Inc., the Pennsylvania State Attorney General's Office, Temple University, the University of Pennsylvania's Institute for Strategic Threat Analysis & Response, and the U.S. Attorney for the Eastern District of Pennsylvania. Again, from the article:
"The goal is to deploy what CIDDAC calls Real-time Cyber Attack Detection Sensors, or RCADS, throughout as many U.S. companies as possible—and eventually the world—and feed incident data to a centrally managed operations facility at the University of Pennsylvania in Philadelphia... Although it has maintained a low profile to date, CIDDAC is the result of a volunteer effort by various private-sector IT companies and other firms, along with the Philadelphia InfraGard chapter.
The consortium has developed what it claims is a technical solution to the private sector's primary concern about information sharing: government access to proprietary data. 'We have a way to gather the appropriate information on cyberattacks and security incidents without digging through production data,' said Charles 'Buck' Fleming, acting executive director of CIDDAC and CEO of AdminForce LLC in Boulder, Colo.
CIDDAC is operating a prototype monitoring and operations center at facilities owned by AdminForce."
This will not work. No company is going to let AdminForce or anybody else deploy sensors in exchange for discounted insurance rates. I am flying to Dallas tomorrow on behalf of a client to evaluate the risks of outsourced managed monitoring. Having done managed monitoring in the Air Force and as a civilian, I know that clients require an extreme amount of trust in their managed monitoring vendor. I don't see security-minded organizations letting "CIDDAC" deploy sensors with the ability to see Internet-bound traffic. Does CIDDAC realize they are performing a wiretap?

The security research community's biggest problem is access to suitable data. This is caused by privacy concerns. Here's a paper on the subject. If privacy is such an issue, imagine how much bigger a problem it is to protect corporate secrets. Would a company allow a third party to watch its phone records for patterns of misuses? Of course not, unless the company trusts the vendor implicitly and creates iron-clad contracts protecting its data from disclosure and abuse.

Reliable Software Group Posts New Snort Code

Chris Kruegel wrote in focus-ids of a project called Alert Verification by William Robertson. According to the project description:

"The verification component of the system is currently implemented as a set of NASL scripts mapped to Snort rules by CVE IDs. When a rule is triggered, the suspect packet and associated event data is queued for verification. A separate thread processes queued unverified alerts by running an associated NASL script against the target host to test for the presence or absence of the vulnerability corresponding to the detected attack. If the NASL script determines that the vulnerability does exist on the target host, the alert is marked as having been verified. If the NASL script determines that the vulnerability does not exist, the alert is marked as unverified. Finally, if no NASL script corresponding to the detected attack is found, the alert is marked as unverifiable. The alert is then released back to the Snort engine."

I wonder how fast this works? This is interesting because it is the first free implementation (known to me) of this sort of technique. It's a patch against Snort 2.0.2, so I hope to try it.

Visiting the RSG's site reminded me of the great papers they write. Giovanni Vigna is a publishing machine!

Hacker History and Pictures

I found a site with two cool features. First, it offers a Hacker Pictures section showing famous people from the "scene" with short bios. Now you can see the "faces in front of the monitors." Second, there's a very up-to-date Hacker History page. The site, WBG Links, offers news and links as well.

Rudy Giuliani, White Hat?

Recently former NYC governer Rudy Giuliana announced a partnership with Ernst & Young to offer digital security consulting. This follows last year's alliance with Giuliani's own consulting practice. Here's the best part of the story:

Competitors of the new enterprise greeted Mr. Giuliani into their midst warily.
"What is he really bringing to the table as far as the security business part of it?" asked Chris Wysopal, the director of research and development for @stake, a company that also provides so-called white-hat hacking services.
"I'm not too worried," he said. "When we say, `We talk business,' it isn't like going out to the golf course. It's showing real numbers, and having the data to back it up."
So, Mr. Giuliani, could you comment on the BIND vulnerability that was exploited to threaten the root server system?
"I could make a comment on the Cubs game tonight," he said with a laugh, speaking by phone from Chicago.
And that is as it should be, said Allan Carey, an analyst with IDC, a research company. "He's talking on a different level; he's speaking to executives."

This story on a new report by the Economist Intelligence Unit quotes the foreward Rudy wrote for the report:

"$10m spent on corporate security will hit the bottom line today and may not show its worth for many years. But when a security incident does occur, that investment will pay for itself many times over. As mayor of New York, I remember thinking that the hundreds of millions of dollars we spent preparing for Y2K might have been wasted ... On the morning of 11 September, I realised that it wasn't. Having thought our way through a complete breakdown of the city's systems, we had the backups that allowed us to get a new command centre partly operational within two hours. Similarly, all of the work we did over the previous few years in preparation for a terror attack - including the drills, the tabletop exercises, and the creation of an emergency management centre - proved invaluable."

Tuesday, October 21, 2003

Hit By Credit Card Fraud Again

I just became a victim of credit card fraud for the second time in two years. My bank called to ask if I had made a purchase of approximately $59.97 to Proflowers.com today. I told them I had not, and they replied I was a victim of credit card fraud. I asked how they knew so quickly, since the amount was low and not exactly outside the realm of normal activity. They security rep said that charges to Proflowers.com were getting additional scrutiny. I called Proflowers.com but they would not give me any other details.

I have two pieces of advice:

  1. Watch those credit card statements closely! If you see something odd, report it immediately. Better yet, check your card status weekly or more regularly using your bank's online facilities.

  2. Set aside a single, low ceiling credit card solely for online purchases. Use other cards for "bricks and mortar" purchases. That way, if my "b&m" card receives a fraudulent charge, I know it wasn't a result of online fraud.



NetScreen Announces Deep Packet Inspection Firewalls

Trying to make Gartner's dreams come true, NetScreen announced new "deep inspection firewalls," prompting "Richard Stiennon, vice president of research at Gartner, Inc., [to say] 'because of the new worms, malicious code and cyber attacks that are now targeting application weaknesses and more applications and protocols are tunneling through firewalls, firewalls must provide a wider range of intrusion prevention capabilities along with advanced centralized management functionality.'"

Only The Register reported the cost of running such a system on a real network:

"Robert Ma, a Senior Director of Product Marketing and Management at NetScreen, explained that because Deep Inspection looks deeper into traffic there is a trade off which means users looking to maximise performance should still consider deploying separate IDP and firewall appliances. For example, NetScreen's low-end 5GT firewall runs at 75Mbps normally but at only 18Mbps with Deep Inspection technology activated, according to preliminary figures."

I wonder what speed those inline "separate IDP and firewall appliances" run at?

New Security Organizations One Year After Attacks on Root Name Servers

A couple new security organizations have been created in the last month. First, the US-CERT was announced last month. I see a lot of talk about "information sharing," but I'm not sure how that's different from what the CERT at Carnegie Mellon does. This article mentions how the National Cyber Security Division of the Department of Homeland Security is

"taking the lead on a cybersituation awareness project that can conduct near-real-time analysis of incident data nationwide... The division is currently working with SRI International, Symantec and Computer Associates International Inc. to develop an automated capability that would enable data to be shared immediately with various private-sector-run Information Sharing and Analysis Centers. The research and development effort includes plans to build a nonproprietary system that would allow any organization in the nation, regardless of IT infrastructure, to feed data into the incident analysis system.

'We will be deploying this in the federal sector starting at the US-CERT first so we can see in real time what is happening across the nation,' McDonald said."

Sallie McDonald is "the DHS's senior executive responsible for outreach and awareness efforts."

Not to be outdone, the Internet Software Consortium (ISC) announced today the creation of the Operations, Analysis, and Research Center (OARC), focused on the defense of the Internet's domain name servers. This is a response to last year's attacks on the root name servers. I found a site dedicated to news on the Internet infrastructure, with articles on DNS, ICANN, and other topics.

Speaking of DNS, one year ago today the root name servers were attacked. CAIDA offers good descriptions and graphs of what happened.

Monday, October 20, 2003

Dogs, Street Children and Hackers

Is that the name of the newest pop group? No, it's how Varujan Pambuccian, Romanian lawmaker and former programmer, describes his country in this article on Romanian hackers. I've tangled with these guys before, but it sounds like their country's officials are cracking down. From the story:

"Computer crime flourished in Romania because the country lacked a cybercrime law until earlier this year, when it enacted what may be the world's harshest. The new law punishes convicts with up to 15 years in prison — more than twice the maximum for rape.

Varujan Pambuccian, a lawmaker and former programmer, helped draft the new law after Romania's government realized the nation, which is racing to join the European Union by 2007, was getting a bad online reputation.

'We want a good name for our country,' he said. 'I'm very angry that Romania is so well-known for ugly things — for street dogs, street children and hackers.' Pambuccian said there was a noticeable decline in criminal activity in the first three months since the law took effect.

More than 60 Romanians have been arrested in recent joint operations involving the FBI, Secret Service, Scotland Yard, the U.S. Postal Inspection Service and numerous European police agencies."

PBS Frontline Program on "Cyberwar"

This story summarizes a speech made by John Arquilla, co-director of the Center on Terrorism & Irregular Warfare at the Naval Postgraduate School in Monterey. Arquilla advocates building a "Corp of Hackers," saying "We have to re-examine that punitive approach to the hacking community, and try, instead, to turn it into something that can be useful, and perhaps even to reform some of these people away from their own illegal actions."

I'd never heard of this guy, and was skeptical when the article stated "Arquilla... helped develop the offensive cyber weapons used by the U.S. military in Kosovo, in Afghanistan and in the Gulf War." Google led me to this PBS interview, where we learn Arquilla helped build the Joint Surveillance and Target Acquisition Radar System while working for Central Command during the first Gulf War. JSTARS isn't what I'd call an "offensive cyber weapon," at least as far as computers go.

Still, this article wasn't a waste of time, as I made two discoveries. First, I learned Dorothy Denning now works at the Center on Terrorism & Irregular Warfare. Second, I found this Apr 03 PBS Frontline show called Cyberwar! is available in its entirety online. The title (especially the exclamation point) is derived from this 1993 paper by John Arquilla, Cyberwar Is Coming!. The show looks interesting and I plan to watch it and read the interviews when I have time.

Surveillance Cameras Invade Privacy, Provide Little Security

An article at MSNBC makes excellent points regarding the ineffectiveness of surveillance cameras in the United Kingdom. From the story:

"Very little evidence shows that speed cams reduce road deaths or that CCTV deters crime. It's only on the rare occasion that CCTV helps police catch criminals...

Instead, there's an overwhelming feeling that too often surveillance is used not to make the country safer but to monitor innocent people and, in the case of speed cams, raise much-needed tax revenues. 'There's this notion starting to build in countries around the world that maybe we've been conned -- that these security measures are smoke and mirrors,' says Simon Davies, director of London-based advocacy group Privacy International. 'People here are demanding a proper threat assessment.'"

Did I hear the words "threat assessment"? Someone is thinking properly! So why did these cameras get deployed in the first place?

"The technology came into vogue after two bombs, planted by the Irish Republican Army, exploded in London's financial district in the early '90s. The response: To create a 'ring of steel' -- a network of CCTV cameras on the eight official entry gates to the City of London... Originally, citizens embraced the technology. Being watched at all times made them feel safe.

Ten years later, it's clear CCTV has done little to clean up the streets. Study after study shows that CCTV simply displaces crime to areas where no cameras are present rather than preventing it. According to a June, 2002, report from crime-fighting nonprofit NACRO, CCTV cuts crime only by 5%, vs. 20% reduction achieved by brighter street lighting."

This situation mirrors so many security issues in the United States. I'll defer to recent books by Bruce Schneier and Marcus Ranum, which I hope to review later this month.

Saturday, October 18, 2003

ISS Announces "Proventia" Products

Internet Security Systems launched a new product line this week, called the Proventia "all-in-one protection product." From the press release:

"Today Proventia unifies firewall, virtual private network (VPN), anti-virus, intrusion detection and prevention into one engine, under one management system, to protect at the network and the gateway. In the future, Proventia will add application protection, content filtering and anti-spam functionality to the unified engine to extend protection across servers, desktops and laptops. Proventia’s simplified protection for every layer of business infrastructure eliminates the complexity associated with today’s legacy security products and greatly reduces the total cost of ownership for security – making protection affordable for enterprises."

ISS offers three Proventia products:

I looked at the produce demo site and made a few observations. Site Protector remains the overall management product. The Proventia M series offers "content blades" which can be enabled or disabled in software.

The Proventia A series IDS offers products like the A1204 which can monitor and make sense of redundant or load-balanced links.

ISS offers a newsletter called "Connect," with the October issue (.pdf) devoted to Proventia.

What's the competition for ISS' product? Symantec announced its Symantec Gateway Security 5400 Series last month. Cisco announced "integrated network solutions" in Feb 03, but they're not a "converged solution." You need a product finder to make sense of Enterasys's offerings. While I still believe Sourcefire has the superior detection solution, I can see the allure of these "single box" appliances.

Don't be fooled into thinking a single box can serve all of your security needs. While the ISS demos stress their products can complement firewalls, I don't trust putting prevention and detection functions into a single system. Almost by definition, the detection aspect will not detect some attacks, leaving no record of intrusion. Why? If the product could detect the attack, why didn't it prevent it? (That's what customers say they want, correct?) So, there needs to be an independent, network-audit product to evaulate how well the prevention product performs. That's network security monitoring my friends. NSM recognizes that prevention will always fail, and that when it does defenders need a way to quickly scope the extent and impact of a compromise.

Thursday, October 16, 2003

Review of Intrusion Detection Posted

Amazon.com just posted my five star review of Intrusion Detection. I read this book as background for my forthcoming The Tao of Network Security Monitoring and was pleasantly surprised. This isn't a book for practioners looking to operate intrusion detection systems or interpret event data from systems. However, the book provides a nice historical backdrop on the problems that have existed for decades in computer security. From the review:

"Three years ago, as a captain in the Air Force CERT, I didn't think I had time to read books on theory and definitions like Rebecca Bace's Intrusion Detection. If a book didn't show packet captures, I didn't need it! Fast forward to 2003, as I research intrusion detection history and re-discover Bace's contribution to the field. Now, I consider her book so important that I consider most of it mandatory preparation for my own book. If you've got the time for 'high level' monitoring concerns, check out Intrusion Detection."

I added the book to my Weapons and Tactics Amazon.com Listmania List, along with a few other books reviewed in the last six months. You can access all of my recommended reading lists here.

In related news, I received word from Wiley that Snort: The Complete Guide to Intrusion Detection is listed in the publisher's database as "Publication Suspended Indefinitely." That's too bad, as Sourcefire employees and Snort coders Jeffrey Nathan, Dragos Ruiu, and Jed Haile were the authors.

Microsoft Windows Security Guides

Clients often ask for resources on Windows security, like checklists or guides. The NSA guides are frequently cited, and apply to routers, SQL Server 2000 and Oracle 91 Database Server. The Center for Internet Security offers many free benchmark documents.

After seeing this article I went to the source at microsoft.com. I found these resources:

I'm trying to find a newsgroup which posts customer experiences installing new hotfixes and service packs. microsoft.public.security is one option, but I'm still looking.

Wednesday, October 15, 2003

Review of Incident Response, 2nd Ed Posted

Amazon.com just posted my five star review of Incident Response and Computer Forensics, 2nd Ed. From the review:

"IRCF2E is one of the few books in print where the word 'forensics' deserves to be on the cover. Many prominent 'forensics' titles deliver nothing useful to practitioners. As was the case with the first edition, investigators can use IRCF2E in operational environments to do real work. This book lays much of the groundwork for doing cases. Watch for Real Digital Forensics to be published next year, which walks readers through case-based evidence to teach how to collect, interpret, and analyze host- and network-based evidence."

Marcus Ranum Rants Online and Offline

Marcus Ranum is one of the smartest security guys around. A few weeks ago he redesigned his web site in preparation for publication of his new book The Myth of Homeland Security. I hope to get a review copy. Marcus' comment in the latest edition of SANS Newsbites alerted me to his criticism of the so-called "computing monoculture" problem. He points out that the Computer & Communications Industry Association, which funded the "Cyber Insecurity" report (.pdf) that got Dan Geer fired, consists of "Sun Microsystems, Fujitsu, Nokia, Nortel Networks, Tantivy, Time Domain, Vion, AT&T, Verizon, NTT USA, Oracle, Intuit, Yahoo!, Sabre, and AOL." His insights are useful:

"Computers, unlike biological organisms, can rapidly share immunity without having to actually be exposed to the pathogen in question. This is absolutely crucial to understand - it's quite possible that my machine may fix itself automatically so that a worm doesn't affect it. Computers have several main mechanisms for transmitting 'immunity': firewalls, antivirus software and antivirus software auto-update, Windows auto-update, and security-related knowledge bases or mailing lists."

"There is no 'monoculture' here. My system isn't just Windows. My security is effected (and affected) by a bewildering combination of default settings, software patch levels, default firewall rules (I just plugged it in, honest!), browser settings, and antivirus signature sets. We're not in anything like danger of becoming a "monoculture" unless every system was running the same software load-out, security policy, antivirus product, and patch level. In spite of the dearest wishes of countless system administrators, that simply isn't going to happen! So, as much as I hate to say it, Sun's marketing people may have been right, "The network is the computer" - and the network sure as hell isn't going to become a "monoculture" unless Microsoft builds all the firewalls, all the routers, all the switches, all the web accellerators, all the SQL databases and establishes everyone's security, routing, DNS, and update policies."

I don't agree with everything he says, but on the whole his argument makes sense. Debating via analogy is difficult and probably counter-productive. I'll report on his book after I've read it.

Yen-Ming Chen's Blog

My friend Yen-Ming Chen sent me a link to his blog the other day. He's also a security consultant with Foundstone, and he updates his blog regularly.

Osiris File Integrity Checker

Has anyone tried Osiris, an open source file integrity management system for Windows and UNIX? I like the fact that it runs on Windows and there's a ports tree entry for FreeBSD. At some point I'll try it.

Paper on Windows Memory Forensics

Fellow co-author of Real Digital Forensics Curtis Rose wrote a whitepaper titled Windows Live Incident Response Volatile Data Collection: Non-Disruptive User & System Memory Forensic Acquisition. Curtis used these techniques when we performed analysis for our book, so check out his paper for a preview.


NIST Releases New Security Guidelines

FCW reports NIST has released five new security publications:

  • SP 800-35, Guide to Information Technology Security Services

  • SP 800-36, Guide to Selecting Information Security Products

  • SP 800-42, Guideline on Network Security Testing

  • SP 800-50, Building an Information Technology Security Awareness and Training Program

  • SP 800-64, Security Considerations in the Information System Development Life Cycle


Of these the first two are probably of most interest to security vendors. Customers frequently have no idea what to buy or how to make decisions, so they turn to guides like these.

Gartner Warning Makes Sense

I've given Gartner grief for their "IDS is dead" message, but I just read a short document they produced on security reporting requirements:

"On 9 October 2003, U.S. Homeland Security Secretary Tom Ridge stated that the U.S. government may require publicly traded companies to disclose details of their information security readiness to the Securities and Exchange Commission (SEC). The Department of Homeland Security plans to work with the SEC to develop requirements for the inclusion of security information in financial reporting; the U.S. Congress is preparing draft legislation with the same objective....

Boards of directors, CEOs and CFOs should assume that information security reporting will be required no later than the end of 2005 and assign responsibilities and establish reporting procedures. Chief information officers of public companies should assess their security reporting and metrics programs by the second half of 2004, to ensure their ability to issue IT security readiness reports when the expected legislation is enacted."

This is big news for the security industry, who has gained some new work from HIPAA and GLB regulations. If all publicly traded companies have to provide this reporting, we might all be very busy soon.

IDS Review Addresses Issues That Matter

Too many reviews of intrusion detection systems (IDS) focus on the pretty colors, blinking red lights, and other worthless aspects of popular products. A new reviewJoel Snyder, David Newman and Rodney Thayer of five IDS products is a breath of fresh air. First, they have a clue:

"Gartner's analysis, unfortunately, is based on a profound misunderstanding of what network IDSs are good for and who should use them. Many network managers, and the analysts at Gartner, have put network IDS in the same bucket as firewalls: a technology designed to protect network assets. But it doesn't go there. A network IDS is to the security analyst what a protocol analyzer is to a network manager: a tool to look into a network and understand what is going on, security-wise. Lumping network IDS and firewalls together, or even network IDS and intrusion-prevention systems (IPS) together, is no more appropriate than considering 100M bit/sec switches and protocol analyzers together."

Second, their review focuses on real tasks by presenting scenarios, like "What happened to Paul?", a Windows 2000 system deployed as a sacrificial lamb. Third, they have a sense of what is important when doing monitoring:

"This test also exposed a problem common to all the products (except Barbedwire) - you can't see the offending packets. You never get to check the signatures to see if they are generating false positives."

The major downside is that only five IDS were tested, and Sourcefire wasn't included. The reviewers explain they didn't review Snort as an open source product because "Snort, like many complex open source tools, requires the security analyst to also be a system integrator: pick operating system, hardware, multiple applications, and bring them all together into a high-performance network IDS. Reviewing Snort would require us to play system integrator to start to capture the possibilities surrounding the popular detection engine."

National Security Archive Online

My wife discovered George Washington University's National Security Archive. The Intelligence section is interesting as it contains a declassified copy of United States Signals Intelligence Directives, specifically USSID 18. From the description of the documents:

"The version of USSID 18 currently in force was issued in July 1993 and "'prescribes policies and procedures and assigns responsibilities to ensure that the missions and functions of the United States SIGINT System (USSS) are conducted in a manner that safeguards the constitutional rights of U.S. persons.' Section 4 (Collection, pp.2-6) specifies the circumstances under which U.S. SIGINT activities may intercept communications of or about U.S. persons, as well as the authorities of the Foreign Intelligence Surveillance Court, the Attorney General, and the Director of NSA to approve the collection of such information."

When I was a lieutenant at the Air Intelligence Agency, we used USSIDs to strictly guide our collection efforts.

Tuesday, October 14, 2003

Comcast ISP Troubles

Connectivity to Taosecurity.com is intermittent due to Comcast network issues.

Monday, October 13, 2003

Understanding Legal Issues of Network Monitoring

While reading the recently published second edition of Incident Response and Computer Forensics, I noticed the legal material hadn't been updated. I visited the Electronic Privacy Information Center (EPIC) to get their take on legal restrictions on monitoring. Their USA PATRIOT Act page is extremely useful. To actually read the PATRIOT ACT, I suggest going to a .gov source like the Government Printing Office. Search for "public law 107-56" (PATRIOT was passed by the "107th Congress") and you'll find the law (text or .pdf).

From the EPIC PATRIOT report, I found these extracts applicable to network security monitoring. First, EPIC discusses watching "headers":

"Section 216 of the Act significantly expanded law enforcement authority to use trap and trace and pen register devices. Prior law relating to the use of such devices was written to apply to the telephone industry, therefore the language of the statute referred only to the collection of "numbers dialed" on a "telephone line" and the "originating number" of a telephone call. The new legislation redefined a pen register as "a device or process which records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted." A trap and trace device is now "a device or process which captures the incoming electronic or other impulses which identify the originating number or other dialing, routing, addressing, and signaling information reasonably likely to identify the source or a wire or electronic communication."

By expanding the nature of the information that can be captured, the new law clearly expanded pen register capacities to the Internet, covering electronic mail, Web surfing, and all other forms of electronic communications.

...The USA PATRIOT does contain a provision requiring law enforcement to file under seal with the court a record of installations of pen register/trap and trace devices. This amendment may provide some measure of judicial oversight of the use of this enhanced surveillance authority."

You may remember stories on wiretaps from 2002. You can read the original evidence here. Next, EPIC discusses full content monitoring:

"Prior law prohibited anyone from intentionally intercepting or disclosing the contents of any intercepted communications without complying with the requirements of the wiretap statute, unless such interception and disclosure fell within one of several statutory exceptions. The USA PATRIOT Act, Section 217, creates a new exception, permitting government interception of the "communications of a computer trespasser" if the owner or operator of a "protected computer" authorizes the interception. The new exception has broad implications, given that a "protected computer" includes any "which is used in interstate or foreign commerce or communication" (which, with the Internet, includes effectively any computer). The "authorization" assistance permits wiretapping of the intruder's communications without any judicial oversight, in contrast to most federal communication-intercept laws that require objective oversight from someone outside the investigative chain.

The new law places the determination solely in the hands of law enforcement and the system owner or operator. In those likely instances in which the interception does not result in prosecution, the target of the interception will never have an opportunity to challenge the activity (through a suppression proceeding). Indeed, such targets would never even have notice of the fact that their communications were subject to warrantless interception. However, the USA PATRIOT Act does include an exception prohibiting surveillance of someone who is known by the owner of the protected computer "to have an existing contractual relationship with the owner or operator of the protected computer for access to all or part of the protected computer."

At this point you may want to know more about PATRIOT by reading applicable laws. Remember that PATRIOT amended existing laws. To see the amended laws, you need to know the title and sections affected. For example, the EPIC article links directly to Cornell's US Code archive, e.g., Pen Register and Trap and Trace Statute or Interception and disclosure of wire, oral, or electronic communications prohibited, aka "The Wiretap Act." Alternatively, visit the Office of the Law Revision Counsel of the House of Representatives and search to find 18USC3121 or 18USC2511. Notice these laws don't just apply to the government -- they affect everyone.

Another resouce is part 3 of Slate's 4 part story on PATRIOT. The Electronic Frontier Foundation offers its views too.

Remember that state laws restrict monitoring. The Reporters Committee for Freedom of the Press offers an excellent guide to taping phone calls, with state-by-state summaries and an article on surreptitious recording. Use the state guide as a pointer to specific laws in each state, since the RCFP's focus is recording voice conversations and not electronic monitoring.

To validate the RCFP results I checked out the Code of Virginia and searched for "pen register" to get my bearings. I found Title 19.2, Criminal Procedure contains Chapter 6, Interception of Wire, Electronic or Oral Communications. 19.2-62, Interception, disclosure, etc., of wire, electronic or oral communications unlawful; penalties; exceptions is very similar to the Federal statute. The section below seems to give the only cover to perform monitoring:

"It shall not be a criminal offense under this chapter for any person... (f) Who is a provider of electronic communication service to record the fact that a wire or electronic communication was initiated or completed in order to protect such provider, another provider furnishing service toward the completion of the wire or electronic communication, or a user of that service, from fraudulent, unlawful or abusive use of such service. "

Finding California's laws was a little more difficult. I visited the state's search page, and after not getting useful hits on "pen register" I tried "interception." That yielded Section 629.50-629.98, INTERCEPTION OF WIRE, ELECTRONIC DIGITAL PAGER, OR ELECTRONIC CELLULAR TELEPHONE COMMUNICATIONS of the Penal Code. Since this pertains to law enforcement actions, I used the information from the RCFP site to check Section 630-637.9, INVASION OF PRIVACY. Here I found that interception and recording is illegal, unless:

"(b) This section shall not apply (1) to any public utility engaged in the business of providing communications services and facilities, or to the officers, employees or agents thereof, where the acts otherwise prohibited herein are for the purpose of construction, maintenance, conduct or operation of the services and facilities of
the public utility..."

Let's conclude this research with a check on Texas' laws. The Texas Penal Code offers CHAPTER 16. CRIMINAL INSTRUMENTS, INTERCEPTION OF WIRE OR ORAL COMMUNICATION, AND INSTALLATION OF TRACKING DEVICE. Looking at Section 16.02 we read:

"A person commits an offense if the person:

(1) intentionally intercepts, endeavors to intercept, or procures another person to intercept or endeavor to intercept a wire, oral, or electronic communication...

c) It is an affirmative defense to prosecution under Subsection (b) that:

(1) an operator of a switchboard or an officer, employee, or agent of a communication common carrier whose facilities are used in the transmission of a wire or electronic communication intercepts a communication or discloses or uses an intercepted communication in the normal course of employment while engaged in an activity that is a necessary incident to the rendition of service or to the protection of the rights or property of the carrier of the communication, unless the interception results from the communication common carrier's use of service observing or random monitoring for purposes other than mechanical or service quality control checks..."

Again we see language that mirrors the Federal statutes. Note I have avoided citing statutes which offer consent as a defense for doing monitoring. Consent can be obtained when intruders use "bannerable" services like telnet or FTP to access a victim. If an intruder doesn't access an interactive service, there's no way to obtain the intruder's consent and thereby use consent exceptions to justify monitoring.

For more information, read Dorothy Denning's latest. The Constitution Project released a survey of state wiretap laws last month.

Sunday, October 12, 2003

Information Security Education

After reading this dire Register.co.uk story on outsourcing IT jobs overseas, I checked out the NSA's National INFOSEC Education & Training Program. It lists 50 universities designated as Centers of Academic Excellence in Information Assurance Education. I noticed George Mason University (near my home) is listed, and offers a MS in Information Security and Assurance and a Ph.D. Concentration in Information Security and Assurance. I wonder what it would be like to take a course like STAT 789 - Advanced Topics in Statistics: Computer Intrusion Detection? I'm interested in programs like this in the event I want to teach at the university level in 10 to 20 years.

A Lesson on Indications and Warning

I read a fascinating but scary Economist article titled Peril on the Sea. It presents classic examples of "indicators" that can be used to formulate intelligence "warnings" for decision-makers. (Indications and warning is defined in the DOD Dictionary of Military and Associated Terms. Definitions are taken from the DOD Joint Electronic Library's Joint Publication 1-02 [.pdf].) From the Economist article:

"According to a new study ("Security in Maritime Transport: Risk Factors and Economic Impact" [.pdf, overview]) by Aegis Defence Services, a London defence and security consultancy, these attacks represent something altogether more sinister. The temporary hijacking of the Dewi Madrim was by terrorists learning to drive a ship, and the kidnapping (without any attempt to ransom the officers) was aimed at acquiring expertise to help the terrorists mount a maritime attack. In other words, attacks like that on the Dewi Madrim are the equivalent of the al-Qaeda hijackers who perpetrated the September 11th attacks going to flying school in Florida."

Review of SQL Server Security Posted

Amazon.com just posted my five star review of SQL Server Security. As usual, the review appears first on my reviews page, but it should appear on the book page soon. From the review:

"'SQL Server Security' (SSS) is a great security book, free of the bloat the affects both operating systems and many technical volumes. Weighing in at 322 pages, it's packed with the detail needed to securely deploy Microsoft SQL servers. Although many people contributed to the text, it doesn't suffer from internal redundancy. I highly recommend anyone operating SQL servers devour this book."

Saturday, October 11, 2003

Beware the Beast

Securityfocus.com offers a fascinating story that combines hacking, spamming, identity theft, and financial fraud. According to Kevin Poulsen:

"Dinh was the unhappy owner of $90,000 in "put" options that could have delivered a hefty payoff if Cisco Systems Inc. stock drooped below $15.00 a share-- but instead were close to expiring worthless.

Rather than eat the loss, Dinh allegedly constructed an electronic shell game to offload the contracts on a innocent dupe. Dinh built a list of targets by posting innocuous queries as "Stanley Hirsch" to a public forum on the trading discussion site stockcharts.com, and noting the e-mail addresses of people who responded. The next day, using the alias "Tony T. Riechert," he spammed those addresses with an offer to participate in a beta test of a new stock charting tool.

The "stock charting" tool turned out to be a Trojan horse called the "Beast," according to the government. An unsuspecting Westborough, Massachusetts investor -- unnamed in the complaints -- ran the program, and sometime thereafter accessed his online brokerage account with TD Waterhouse, while the Beast silently logged every keystroke. Dinh allegedly swept in later and downloaded the logs, obtaining the man's username and password. "

Read the rest of the article to learn more. Reuters offers additional coverage.

Working as an Independent Contractor

While reading Network Computing, I found useful advice in the Career Coach column. If you want to be an independent contractor, how do you handle taxes, health insurance, and other services provided by traditional employers? NWC writer Lorna Garey suggests readers check the SOHO Resource Group, which was linked from Techies.com. Lorna writes:

"The SOHO Resource Group, for example, which partners with Techies.com, will redirect your 1099 (self-employed/contractor) income into a personal Profit Center, converting the income to W-2 status.

SOHO offers access to conventional corporate benefits such as medical and dental insurance and a 401(k) plan. The fee--4 percent of the first $60K in annual income--may be well worth the price for the benefits and time and aggravation saved."

Several years ago I found the book From Serf to Surfer: Becoming a Network helpful. It's out of print, even though it's only three years old.

Tuesday, October 07, 2003

Sourcefire Redefines Intrusion Detection

This morning Marty Roesch, CTO and founder of Sourcefire, launched a new road show, sponsored by IBM, to describe his company's Real-time Network Awareness technology. Here are my notes on Marty's talk, which he began by noting that "Sourcefire is a security company," not just an IDS company. What follows are Marty's main points, regardless of whether I agree or not. Any personal commentary is specifically noted.

  • Company

  • As a company, Sourcefire is firing on all cylinders. After being founded in Mar 01, they shipped their first IDS appliance in Nov 01, their 100th in Aug 02, their 1000th in Jun 03, and will ship their 2000th shortly. Projecting forward, they could be the #3 IDS vendor in terms of shipped units by year's end. Marty's estimates 100,000 installations of the open source version of Snort.

  • Sourcefire received about $7.65 million in funding in Feb 02, and another $11 million in Feb 03. $8 million is cash in the bank. They were cash flow positive in Q3 of 03 and will be profitable in late Q1 of 04. During the last year, sales increased from $2.1 million to $23.2 million.

  • In Feb 02 Sourcefire employed 4 people. Within the last year they've grown from 22 to 90 employees, supporting 300 customers.


  • Detection Theory

  • IDS is "an automated system that monitors traffic on a network and based on defined rules/policies alerts administrators to possible intrusions, misuses, or defined malicious behavior."

  • The "fundamentall mission" of IDS is data reduction, which is accomplished via stateful packet inspection and protocol anomaly detection.

  • IDS provides awareness (how is my network/security architecture working, and are policies enforced?) and analysis (when intrusions occur, what happened and how can I prevent future trouble?)

  • "Classic IDS" does not "protect" networks. (Amen!)

  • Other vendors hype "sensing technology," when data management is the real issue. Sourcefire has spent 5-6 man-years of research and development solving this issue.

  • Most IDS' operate in a "contextual vacuum," unaware of network architecture, assets, and their criticality. (My comment: without context, human analysts collect and analyze the data necessary to make decisions manually.)


  • Network Awareness

  • Active vulnerability assessment tools are limited. Their "intermittent picture" missies laptops, multi-OS systems, and assets reconfigured by intruders to be hidden. Scanning for all active services takes too long, so not all protocols, ports, and services are found. Active scanning disrupts availability and consumes bandwidth.

  • Passive discovery sees everything active on the network. It is "persistent" and "real-time," "all the time." It transforms traditional IDS into a "target-based IDS" by eliminating "nontextuals," or alerts without context.

  • Passive discovery also performs vulnerability and protocol/port/service profiling, change detection, and policy compliance monitoring. Using confidence models (percentages based on observed traffic, or decaying half-life models when nothing else is seen), one can answer questions like "What hosts run SSH on ports other than 22 TCP?" or "What hosts run vulnerable SSH services?"

  • Taken further, upon seeing an attack, the IDS can report if it sees a new protocol/port/service in time X, perhaps indicating installation of a back door.

  • An IDS supplemented by RNA technology is "self-tuning." Admins can assign priorities to their assets and tell an RNA-assisted Intrusion Prevention System (IPS) which actions to take against various threats. Response range from simply alerting, to updating a policy on an access control device, to blocking packets or whole sessions.


  • The Next Generation

  • Next generation technology offers control (via firewall and traffic filter integration) and monitoring (via threat detection and policy enforcement).

  • The "Sourcefire Insight System" consists of (1) "IDP" (intrusion detection and prevention -- thanks Yen-Ming!) capable of IDS, threat monitoring, policy enforcement, and intrusion prevention; combined with (2) RNA, offering asset profiling, vulnerability assessment, behavioral analysis, network mapping, and policy enforcement, and (3) a console, doing correlation, policy optimization, and sensor management. An "inline" IDP to provide its own access control (like IPS) is being researched.

  • The Sourcefire console has two models, with the $18,000 box handling 40 million events and the ~$60,000 box handling 200 million events. Both use a proprietary embedded database that could handle 30,000 events per second before keeling over during the MSBlaster attacks.

  • RNA technology is designed to be lightweight so as to facilitate embedding it elsewhere. Upcoming platforms will offer two network ports, and future boxes will have 6 six to seven.


Following the prepared talks, Marty gave a live demo of a beta version of RNA watching traffic from Sourcefire to the Internet. It could profile 40 unique services now. Visibility to hosts behind NAT and proxies is an issue, but research continues to address these issues. The product's visualization features actually looked useful, unlike other more expensive products I've seen. He showed nodes in cone trees, and hinted hyberbolic trees like those of CAIDA's walrus are forthcoming.

Overall, I highly recommend you sign up to see Marty speak. It's the clearest indication that Gartner has no clue regarding the future of IDS! If Gartner had done its homework, it might have read Ron Gula's 1999 paper on "Passive Vulnerability Detection," which explains many of the concepts put to operational use in RNA today. Ron's current implementation is NeVO.

Saturday, October 04, 2003

SRI Patent on "Hierarchical event monitoring and analysis"

I was doing research for my book "The Tao of Network Security Monitoring" and learned SRI was awarded a patent on 19 Nov 02 for "Hierarchical event monitoring and analysis." It's patent 6,484,203 and says:

"A computer-automated method of hierarchical event monitoring and analysis within an enterprise network including deploying network monitors in the enterprise network, detecting, by the network monitors, suspicious network activity based on analysis of network traffic data selected from the following categories: {network packet data transfer commands, network packet data transfer errors, network packet data volume, network connection requests, network connection denials, error codes included in a network packet}, generating, by the monitors, reports of the suspicious activity, and automatically receiving and integrating the reports of suspicious activity, by one or more hierarchical monitors."

I thought this was alarming until I started browsing through the linked patents and found just about everything under the sun has been patented. How can SRI or anyone expect a patent like this to withstand scrutiny, since anyone can point to Marty's 1999 LISA talk on Snort as prior art, or Todd Heberlein's 1990 paper on network security monitoring?

New Wireless Access Point

Shortly I'll report on my experiences with a new 802.11b wireless access point. I bought a ZyAIR B-2000 Wireless LAN Gateway with 4-port Switch, based partly on the good review linked from Practically Networked. I like the product's serial port, support for syslog event reporting, and future support via firmware upgrade for Wi-Fi Protected Access. I use a WAP built by SMC, but I fear it may be failing. The wired LAN side hasn't worked properly for years, and now my wireless signal is degrading abnormally.

A book I'm perusing suggests three vendors for wireless products: HyperLink Technologies, Signull Technologies, and TechnoLab Inc..

CERT Publishes Report on CSIRTs

The CERT just published a new document titled "State of the Practice of Computer Security Incident Response Teams" (.pdf). This is a massive 276 page document which should help define CSIRT roles in the security community. I seem to remember taking part in a study like this when I worked at the AFCERT. I remember doing phone interviews with CERT and having visitors interview me and my crews.

Link Between Viruses and Organized Crime?

This story explores possible links between viruses and organized crime. My buddy Mike Shema is quoted:

"'That is definitely a legitimate concern,' said Michael Shema, a widely recognized expert on Internet security and author of two books on the hacker mentality. Shema said there is considerable evidence to support what otherwise would be romantic conspiracy theories about the connection of viruses to the world of organized crime.

Friday, October 03, 2003

Hacker High School Asks for Help

I received an email recently from Pete Herzog, Managing Director of the Institute for Security and Open Methodologies (ISECOM). I wrote about this group on 25 Aug. Pete is looking for assistance with his Hacker High School project. Pete writes:

"HHS is a non-profit, grassroots program originally designed as an after school computer club however with its 10 lesson workbooks. It can easily stand on its own as a small course, integrated into a course, or as a college study program for interested students. HHS exists as a learning tool for Security Awareness Training and actually has as much in common with hacking as depicted in movies as a man does to a mouse."

Earlier Pete wrote me in response to my earlier story on ISECOM:

"I just wanted to say we are not competing with SANS on any level. Maybe you knew us as Ideahamster- a name we changed because the volunteers requested it. The name is different but the roots are the same. We are a small group proactively trying to better the security profession and security in general. Nobody on the team draws a salary through ISECOM as we are all volunteers. We operate as a non-profit out of Barcelona and provide a certification authority through a university, La Salle of Barcelona, on two 60-hour courses (OPST and OPSA) which are also taught at this and other universities. For these classes ISECOM does not charge for materials and trains the trainers for free. The little bit of money we make off certificates goes to support grassroots projects like Hacker Highschool where we teach Internet security, legalities, and ethics to teens from 13 to 18 in Highschools.

As time goes on, ISECOM will offer more projects, bring on more volunteers, translate our documents into more languages, and hopefully offer more classes at the university level."

Earth Station Five Back Door

On 28 Aug I reported on Earth Station Five. I just read this post claiming a back door of sorts in ES5's peer-to-peer file sharing client. From the post:

"There exists malicious code in ES5.exe's 'Search Service' packet handler. By sending packet 0Ch, sub-function 07h to the 'Search Service''s IP:Port, a remote attacker could delete any file the user is sharing. If the remote attacker uses "filenames" with a relative path in them (eg. '..\..\..\WINDOWS\NOTEPAD.EXE'), the remote attacker could also delete files in eg. the windows and windows\system32 folders, or any other folder on the same partition as any of the shared folders.

IMPORTANT: This is not a bug! They intentionally added this code to ES5. . . There also exists a lot of other vulnerabilities in ES5 (eg. DoS attacks, buffer overflow bugs, and so on), but these all seem to be unintentional."

If anyone knows more about this, please email me at blog at taosecurity dot com. Thanks to the new ticker at left for this scoop.

Update: I learned of ES5's response by reading this Slashdot thread. ES5 claims the function exists to allow remote upgrades of their client.

Thursday, October 02, 2003

How Best to Keep Operating Systems Current?

I'm surprised at the lack of information on how to keep current patches on large-scale enterprise deployments of operating systems and applications. Most documentation targets single machines. I was happy to find the Infrastructures.org site, which is dedicated to "the standarized tooling needed for mass customization within IT." The site houses cfengine, "an autonomous agent and a middle to high level policy language for building expert systems which administrate and configure large computer networks." This looks promising but complicated to set up.

In the medium term I'm looking at binary patches for my BSD operating systems, inspired by "An Automated Binary Security Update System for FreeBSD" (.pdf), posted at daemonology.net. While rebuilding from source works well, it's slow on older systems. I'm going to try building packages from source on fast systems that I can install elsewhere. Similar projects exist for OpenBSD and NetBSD. The OpenPkg project is another factor. Their goal is "the creation and maintenance of portable and easy to install software packages for use on the major Unix server platforms." It's based on .rpm.

Building a Trusted Apple Operating System

At the IATF conference (see below) a member of the Secure Trusted Operating System Consortium spoke with myself and Keith Jones. This group is trying to build a "trusted" operating system using the underlying Apple Darwin operating system.
Being a BSD fan, I should give the OpenDarwin OS a try. The main obstacle appears to be limited hardware support, although I expect that to improve. Thankfully, on the software side their is a Darwin Ports project to keep the great BSD ports system working for this Apple project. The list of software is fairly small right now though.

IATF Forum Brings Government and Industry Together

Today I attended my first meeting of the Information Assurance Technical Framework (IATF) Forum. The IATF is organized by the National Security Agency (hi guys) to foster discussion among developers and users of digital security products. The Federal government is heavily represented. I attended in a role as a security vendor with Foundstone. Today's meeting focussed on Protection Profiles for intrusion detection systems. According to the Common Criteria, a Protection Profile (PP) is "an implementation independent statement of security requirements that is shown to address threats that exist in a specified environment." According to the NIST Computer Security Resource Center, the Common Criteria for IT Security Evaluation is "a Common Language to Express Common Needs." Unfortunately, many people at the IATF today noted that the IDS PP doesn't require a product to be able to detect intrusions! Products evaluated against the PPs are listed here.

This process seems driven by the National Information Assurance Partnership, (NIAP) a joint NIST-NSA group "designed to meet the security testing, evaluation, and assessment needs of both information technology (IT) producers and consumers." The people who validate products appear to be part of the National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme (CCEVS) Validation Body, a group jointly managed NIST and NSA.

Obviously I haven't figured out how all of this works. For example, I don't know how the Evaluation Assurance Levels like "EAL4" fit in. I do know that companies trying to get a product through this process can spend "half a million dollars" and 15+ months, according to speakers at the IATF Forum. Is this better security? I don't know yet.

Besides the Common Criteria, other groups assess security products.

  • Neohapsis' Open Security Evaluation Criteria (OSEC) seems much more practical and current.

  • ISCA Labs assess a variety of products. They have certifuied some IDS already.

  • The NSS Group describes itself as "Europe's foremost independent network and security testing organization." They tend to like Snort.

  • While Talisker's site doesn't rate products, it is a comprehensive listing to security products and services.


Bob Hillery of the Insitute for Security Technology Studies at Dartmouth described the findings of the 2002 Law Enforcement Tools and Technologies for Investigating Cyber Attacks: A National Needs Assessment. I'm going to watch the institute's what's new page for publication of their forthcoming nation-state "cyber threat" report.

You can watch for future events at the IAEvents Web site. Many require a clearance.