Posts

Showing posts from October, 2003

Foundstone Wants YOU!

Looking for a security consulting job in the Washington, DC area? Foundstone is hiring senior consultants. If you're interested, email me at jobs [at] taosecurity [dot] com with your resume. We've got other positions open across the company too. Check them out here -- sales, engineering, public relations, and so on need help. Again, email me your resume.

Microsoft "Threats and Countermeasures" Guide

Microsoft published a new "Threats and Countermeasures Guide" ( .exe , expands to .pdf) last month. Using my digital risk definitions provided by the Dynamic Duo (below), here's my evaluation of how well Microsoft uses the "threat" term in its new guide. A baseball analogy is used. Proper use of the term "threat" is bolded. "Securing your network environment requires that strong passwords be used by all users. This helps avoid the threat of an unauthorized user guessing a weak password through either manual methods or tools to acquire the credentials of a compromised user account." Comment: Bravo. A threat is a party with capabilities and intentions, and an unauthorized user as described fits that model. One man on base. "Because vulnerabilities can exist both when this value is configured, as well as when it is not, two distinct countermeasures are defined. Any organization should weigh the choice between the two based on thei...

Orbitz Hacked; Watch Your Credit Cards

CNet reports that Orbitz was compromised, stating "Orbitz has notified law enforcement authorities about a recent security breach that has resulted in its customers' e-mail addresses falling into the hands of spammers." Apparently Orbitz is trying to dodge the California notification law by claiming "no indication that credit card information had been compromised." Orbitz users are reporting receiving spam to email addresses used only at Orbitz. I am an Orbitz user, but the email address I use isn't exclusively for Orbitz. However, I hardly get spam to the account I use for Orbitz. For the first 17 days of October, I received 5 spam emails. Over the last 12 days, I've received 20. That's not scientific, but something clearly changed recently. It's likely that if intruders compromised Orbitz's account list they stole credit cards as well. This is NOT based on any "insider knowledge" of Orbitz or this case. I make this ...

FreeBSD 4.9 Released Today

FreeBSD 4.9 was released today. Because I may use this OS as the platform for all tools in my Tao of Network Security Monitoring book, I bought a four-CD set from FreeBSD Mall that contains packages for the OS. It's also a small way to support the development of this free, open source OS. I'm hoping FreeBSD 5.2 will be released before the end of the year, since I'd prefer to write the book using that as my platform.

"Words Matter" -- To the Tune of $200 Billion

No, I'm not talking about a lame class-action lawsuit or an outrageous punitive damages award. $200 billion refers to the "$150 billion spent building unnecessary telecoms networks in America and another $50 billion in other parts of the world," according to a statement by Andrew Odlyzko, quoted in a recent Economist survey (subscription required). Mr. Odlyzko wrote many papers debunking the myth of explosive Internet growth. My favorite professor at the JFK School of Government, Phil Zelikow, counseled his students that "words matter." In this case, the words that mattered were those in a 1998 Department of Commerce report, The Emerging Digital Economy (.pdf): "Traffic on the Internet has been doubling every 100 days." Looking at the citation for this statement, we find the source is a "December 1997 phone interview with John Osborn, JD Power and Associates." Most people blame WorldCom, including former CEO Bernie Ebbers. The...

New Spam?

Here's an email I received today. It reports I've been signed up for a mailing list and asks me to unsubscribe if I didn't sign up for the mailing list. Legitimate mailing lists tell you to ignore the message and do nothing if you didn't sign up. It looks like the mailing agent belongs to h24-71-223-11 , who I guessed was 24.71.223.11. That IP resolves to h24-71-223-11.cg.shawcable.net. That machine is offering a mail server on port 25: 220 pd2mi3so.prod.shaw.ca -- Server ESMTP (iPlanet Messaging Server 5.2 HotFix1.18 (built Jul 28 2003)) However, that mail server doesn't allow mail relay. I think the system which originated the email is (h0000864f50cd.ne.client2.attbi.com [ 24.62.13.114 ]). A message from Yahoo! Groups wouldn't originate from a home AT&T user. The mailer agent is interesting too -- "Synapse, which is a synchronous TCP/IP library for Delphi, Kylix, FreePascal, and C++ Builder," according to my friend John Ward. He also...

SB 1386 Impotent While CardCops Monitor for Your Card

Kevin Poulsen wrote another excellent article at SecurityFocus. He describes how no one has reported compromise of consumer credit card data in the four months since California's SB 1386, now enshrined in the state's civil code as 1798.29 and 1798.82-1798.84, was enacted. This is not unexpected. How can the authorities know who was compromised? It takes months to years for companies to make such discoveries on their own. The most interesting aspect of the article is the mention of CardCops.com, which "offers consumers a paid notification service, in which he'll [CardCops] warn his customers if he spots their information in the chat rooms and websites frequented by credit card thieves." I was skeptical, but the article claims "this month alone he [CardCops] traced stolen credit card information to breaches at five different online merchants, ranging from mid-sized businesses to modest mom-and-pop operations. When he contacted a sample of the exposed co...

The Dynamic Duo Discuss Digital Risk

I've been reading books and looking at product literature which discuss "security," "risk," "threat," and "vulnerability," each with a different definition. I don't think these terms are difficult to understand. I wrote the hopefully amusing vignette below to communicate my understanding of these terms. At least it won't bore you! Meanwhile, at the Hall of Justice... BATMAN: Robin, why the puzzled look? ROBIN: Sorry, Batman. B: Are my Bat Ears crooked again? R: No Batman. I've been reading some books and vendor marketing literature on security, and I'm confused by their definitions of risk, vulnerability, and threat. B: Oh, you've been researching to protect the Hall of Justice computer? Good for you. Tell me why you're confused. R: I see so many people calling "vulnerabilities" and "threats" the same thing. B: That's certainly not right. A vulnerability is a weakness in an asset w...

What is Extrusion Detection?

Yesterday, reading a brief article by Robert Moskowitz, I noticed the term "extrusion detection": "There's no sure way to track spying data that leaves your network. Perhaps the next big security tool will be outward-bound--extrusion-detection systems." Searching the Web, I found Moskowitz mentioned the term four years ago, in this 29 Nov 99 article: "What you need is a reversed IDT (intrusion-detection tool), and perhaps an EDT (extrusion-detection tool) that will perform automatic searches for your own metatags..." However, Frank Knobbe has him beat, according to this 5 Nov 99 post, discussing SEC investigations of insider trading: "...this sounds more like an Extrusion Detection than Intrusion... There are packages available that scan inbound and outbound emails for certain key words/key phrases, and dump these emails in a bucket where analysts (humans) can read, evaluate, and approve or deny them. I guess this raises the question if email sc...

Foundstone Publishes White Paper on Integrating Vulnerability Assessment with Incident Response

A few months back I wrote a paper for my employer, Foundstone, on how we used the Foundstone software product (previously called "Foundscan," now known as "Foundstone Enterprise") when doing incident response. We found that after collecting IR data (not before, as some advocate) we could determine if the remediation action we recommended would be worthwhile. It's no use discovering an intruder has gained access via an unpatched IIS vulnerability if the organization also runs unpatched versions of OpenSSH! This whitepaper describes how best to use vulnerability assessment products to assist incident response actions. I apologize for the small font -- Foundstone's marketing people love tiny letters...

Will Companies Let U Penn Collect Monitoring Data?

Thanks to the SANS Newsbites, I just read a fascinating article by Dan Verton at Computerworld. He reports that insurer AIG "will offer discounted insurance rates to customers that deploy security sensors being developed by the Cyber Incident Detection & Data Analysis Center." CIDDAC, which doesn't have a web site I could find, consists of AdminForce LLC, Air Products and Chemicals, the U.S. Department of Justice, the Electric Power Research Institute, General Motors Acceptance Corp., Harvey & Mortensen Attorneys at Law, Independence Blue Cross, Liberty Bell Bank, Lockheed Martin Corp., NetForensics Inc., the Pennsylvania State Attorney General's Office, Temple University, the University of Pennsylvania's Institute for Strategic Threat Analysis & Response, and the U.S. Attorney for the Eastern District of Pennsylvania. Again, from the article: "The goal is to deploy what CIDDAC calls Real-time Cyber Attack Detection Sensors, or RCAD...

Reliable Software Group Posts New Snort Code

Chris Kruegel wrote in focus-ids of a project called Alert Verification by William Robertson . According to the project description: "The verification component of the system is currently implemented as a set of NASL scripts mapped to Snort rules by CVE IDs. When a rule is triggered, the suspect packet and associated event data is queued for verification. A separate thread processes queued unverified alerts by running an associated NASL script against the target host to test for the presence or absence of the vulnerability corresponding to the detected attack. If the NASL script determines that the vulnerability does exist on the target host, the alert is marked as having been verified. If the NASL script determines that the vulnerability does not exist, the alert is marked as unverified. Finally, if no NASL script corresponding to the detected attack is found, the alert is marked as unverifiable. The alert is then released back to the Snort engine." I wonder how fast t...

Hacker History and Pictures

I found a site with two cool features. First, it offers a Hacker Pictures section showing famous people from the "scene" with short bios. Now you can see the "faces in front of the monitors." Second, there's a very up-to-date Hacker History page. The site, WBG Links , offers news and links as well.

Rudy Giuliani, White Hat?

Recently former NYC governor Rudy Giuliani announced a partnership with Ernst & Young to offer digital security consulting. This follows last year's alliance with Giuliani's own consulting practice. Here's the best part of the story: Competitors of the new enterprise greeted Mr. Giuliani into their midst warily. "What is he really bringing to the table as far as the security business part of it?" asked Chris Wysopal, the director of research and development for @stake, a company that also provides so-called white-hat hacking services. "I'm not too worried," he said. "When we say, `We talk business,' it isn't like going out to the golf course. It's showing real numbers, and having the data to back it up." So, Mr. Giuliani, could you comment on the BIND vulnerability that was exploited to threaten the root server system? "I could make a comment on the Cubs game tonight," he said with a laugh, speaking by p...

Hit By Credit Card Fraud Again

I just became a victim of credit card fraud for the second time in two years. My bank called to ask if I had made a purchase of approximately $59.97 to Proflowers.com today. I told them I had not, and they replied I was a victim of credit card fraud. I asked how they knew so quickly, since the amount was low and not exactly outside the realm of normal activity. The security rep said that charges to Proflowers.com were getting additional scrutiny. I called Proflowers.com but they would not give me any other details. I have two pieces of advice. First, watch those credit card statements closely! If you see something odd, report it immediately. Better yet, check your card status weekly or more regularly using your bank's online facilities. Second, set aside a single, low-ceiling credit card solely for online purchases. Use other cards for "bricks and mortar" purchases. That way, if my "b&m" card receives a fraudulent charge, I know it wasn't a result of on...

NetScreen Announces Deep Packet Inspection Firewalls

Trying to make Gartner's dreams come true, NetScreen announced new "deep inspection firewalls," prompting "Richard Stiennon, vice president of research at Gartner, Inc., [to say] 'because of the new worms, malicious code and cyber attacks that are now targeting application weaknesses and more applications and protocols are tunneling through firewalls, firewalls must provide a wider range of intrusion prevention capabilities along with advanced centralized management functionality.'" Only The Register reported the cost of running such a system on a real network: "Robert Ma, a Senior Director of Product Marketing and Management at NetScreen, explained that because Deep Inspection looks deeper into traffic there is a trade off which means users looking to maximise performance should still consider deploying separate IDP and firewall appliances. For example, NetScreen's low-end 5GT firewall runs at 75Mbps normally but at only 18Mbps with Deep...

New Security Organizations One Year After Attacks on Root Name Servers

A couple of new security organizations have been created in the last month. First, the US-CERT was announced last month. I see a lot of talk about "information sharing," but I'm not sure how that's different from what the CERT at Carnegie Mellon does. This article mentions how the National Cyber Security Division of the Department of Homeland Security is "taking the lead on a cybersituation awareness project that can conduct near-real-time analysis of incident data nationwide... The division is currently working with SRI International, Symantec and Computer Associates International Inc. to develop an automated capability that would enable data to be shared immediately with various private-sector-run Information Sharing and Analysis Centers. The research and development effort includes plans to build a nonproprietary system that would allow any organization in the nation, regardless of IT infrastructure, to feed data into the incident analysis system. 'We...

Dogs, Street Children and Hackers

Is that the name of the newest pop group? No, it's how Varujan Pambuccian, Romanian lawmaker and former programmer, describes his country in this article on Romanian hackers. I've tangled with these guys before, but it sounds like their country's officials are cracking down. From the story: "Computer crime flourished in Romania because the country lacked a cybercrime law until earlier this year, when it enacted what may be the world's harshest. The new law punishes convicts with up to 15 years in prison — more than twice the maximum for rape. Varujan Pambuccian, a lawmaker and former programmer, helped draft the new law after Romania's government realized the nation, which is racing to join the European Union by 2007, was getting a bad online reputation. 'We want a good name for our country,' he said. 'I'm very angry that Romania is so well-known for ugly things — for street dogs, street children and hackers.' Pambuccian said there ...

PBS Frontline Program on "Cyberwar"

This story summarizes a speech made by John Arquilla , co-director of the Center on Terrorism & Irregular Warfare at the Naval Postgraduate School in Monterey. Arquilla advocates building a "Corp of Hackers," saying "We have to re-examine that punitive approach to the hacking community, and try, instead, to turn it into something that can be useful, and perhaps even to reform some of these people away from their own illegal actions." I'd never heard of this guy, and was skeptical when the article stated "Arquilla... helped develop the offensive cyber weapons used by the U.S. military in Kosovo, in Afghanistan and in the Gulf War." Google led me to this PBS interview , where we learn Arquilla helped build the Joint Surveillance and Target Acquisition Radar System while working for Central Command during the first Gulf War. JSTARS isn't what I'd call an "offensive cyber weapon," at least as far as computers go. Still, this art...

Surveillance Cameras Invade Privacy, Provide Little Security

An article at MSNBC makes excellent points regarding the ineffectiveness of surveillance cameras in the United Kingdom. From the story: "Very little evidence shows that speed cams reduce road deaths or that CCTV deters crime. It's only on the rare occasion that CCTV helps police catch criminals... Instead, there's an overwhelming feeling that too often surveillance is used not to make the country safer but to monitor innocent people and, in the case of speed cams, raise much-needed tax revenues. 'There's this notion starting to build in countries around the world that maybe we've been conned -- that these security measures are smoke and mirrors,' says Simon Davies, director of London-based advocacy group Privacy International. 'People here are demanding a proper threat assessment.'" Did I hear the words "threat assessment"? Someone is thinking properly! So why did these cameras get deployed in the first place? "The techn...

ISS Announces "Proventia" Products

Internet Security Systems launched a new product line this week, called the Proventia "all-in-one protection product." From the press release: "Today Proventia unifies firewall, virtual private network (VPN), anti-virus, intrusion detection and prevention into one engine, under one management system, to protect at the network and the gateway. In the future, Proventia will add application protection, content filtering and anti-spam functionality to the unified engine to extend protection across servers, desktops and laptops. Proventia's simplified protection for every layer of business infrastructure eliminates the complexity associated with today's legacy security products and greatly reduces the total cost of ownership for security - making protection affordable for enterprises." ISS offers three Proventia products: Proventia A, an IDS appliance; Proventia G, an IPS appliance; and Proventia M, a "multi-function" appliance. I looked at the product demo si...

Review of Intrusion Detection Posted

Amazon.com just posted my five star review of Intrusion Detection. I read this book as background for my forthcoming The Tao of Network Security Monitoring and was pleasantly surprised. This isn't a book for practitioners looking to operate intrusion detection systems or interpret event data from systems. However, the book provides a nice historical backdrop on the problems that have existed for decades in computer security. From the review: "Three years ago, as a captain in the Air Force CERT, I didn't think I had time to read books on theory and definitions like Rebecca Bace's Intrusion Detection. If a book didn't show packet captures, I didn't need it! Fast forward to 2003, as I research intrusion detection history and re-discover Bace's contribution to the field. Now, I consider her book so important that I consider most of it mandatory preparation for my own book. If you've got the time for 'high level' monitoring concerns, check out ...

Microsoft Windows Security Guides

Clients often ask for resources on Windows security, like checklists or guides. The NSA guides are frequently cited, and apply to routers, SQL Server 2000 and Oracle 9i Database Server. The Center for Internet Security offers many free benchmark documents. After seeing this article I went to the source at microsoft.com. I found these resources: NT 4 Server Security Resources; Maintain Security with Windows 2000; and Maintain Security with Windows Server 2003. I'm trying to find a newsgroup which posts customer experiences installing new hotfixes and service packs. microsoft.public.security is one option, but I'm still looking.

Review of Incident Response, 2nd Ed Posted

Amazon.com just posted my five star review of Incident Response and Computer Forensics, 2nd Ed . From the review: "IRCF2E is one of the few books in print where the word 'forensics' deserves to be on the cover. Many prominent 'forensics' titles deliver nothing useful to practitioners. As was the case with the first edition, investigators can use IRCF2E in operational environments to do real work. This book lays much of the groundwork for doing cases. Watch for Real Digital Forensics to be published next year, which walks readers through case-based evidence to teach how to collect, interpret, and analyze host- and network-based evidence."

Marcus Ranum Rants Online and Offline

Marcus Ranum is one of the smartest security guys around. A few weeks ago he redesigned his web site in preparation for publication of his new book The Myth of Homeland Security . I hope to get a review copy. Marcus' comment in the latest edition of SANS Newsbites alerted me to his criticism of the so-called "computing monoculture" problem. He points out that the Computer & Communications Industry Association , which funded the "Cyber Insecurity" report ( .pdf ) that got Dan Geer fired, consists of "Sun Microsystems, Fujitsu, Nokia, Nortel Networks, Tantivy, Time Domain, Vion, AT&T, Verizon, NTT USA, Oracle, Intuit, Yahoo!, Sabre, and AOL." His insights are useful: "Computers, unlike biological organisms, can rapidly share immunity without having to actually be exposed to the pathogen in question. This is absolutely crucial to understand - it's quite possible that my machine may fix itself automatically so that a worm doesn...

Yen-Ming Chen's Blog

My friend Yen-Ming Chen sent me a link to his blog the other day. He's also a security consultant with Foundstone, and he updates his blog regularly.

Osiris File Integrity Checker

Has anyone tried Osiris , an open source file integrity management system for Windows and UNIX? I like the fact that it runs on Windows and there's a ports tree entry for FreeBSD. At some point I'll try it.

Paper on Windows Memory Forensics

Fellow co-author of Real Digital Forensics Curtis Rose wrote a whitepaper titled Windows Live Incident Response Volatile Data Collection: Non-Disruptive User & System Memory Forensic Acquisition . Curtis used these techniques when we performed analysis for our book, so check out his paper for a preview.

NIST Releases New Security Guidelines

FCW reports NIST has released five new security publications: SP 800-35, Guide to Information Technology Security Services; SP 800-36, Guide to Selecting Information Security Products; SP 800-42, Guideline on Network Security Testing; SP 800-50, Building an Information Technology Security Awareness and Training Program; and SP 800-64, Security Considerations in the Information System Development Life Cycle. Of these, the first two are probably of most interest to security vendors. Customers frequently have no idea what to buy or how to make decisions, so they turn to guides like these.

Gartner Warning Makes Sense

I've given Gartner grief for their "IDS is dead" message, but I just read a short document they produced on security reporting requirements: "On 9 October 2003, U.S. Homeland Security Secretary Tom Ridge stated that the U.S. government may require publicly traded companies to disclose details of their information security readiness to the Securities and Exchange Commission (SEC). The Department of Homeland Security plans to work with the SEC to develop requirements for the inclusion of security information in financial reporting; the U.S. Congress is preparing draft legislation with the same objective.... Boards of directors, CEOs and CFOs should assume that information security reporting will be required no later than the end of 2005 and assign responsibilities and establish reporting procedures. Chief information officers of public companies should assess their security reporting and metrics programs by the second half of 2004, to ensure their ability to is...

IDS Review Addresses Issues That Matter

Too many reviews of intrusion detection systems (IDS) focus on the pretty colors, blinking red lights, and other worthless aspects of popular products. A new review by Joel Snyder, David Newman and Rodney Thayer of five IDS products is a breath of fresh air. First, they have a clue: "Gartner's analysis, unfortunately, is based on a profound misunderstanding of what network IDSs are good for and who should use them. Many network managers, and the analysts at Gartner, have put network IDS in the same bucket as firewalls: a technology designed to protect network assets. But it doesn't go there. A network IDS is to the security analyst what a protocol analyzer is to a network manager: a tool to look into a network and understand what is going on, security-wise. Lumping network IDS and firewalls together, or even network IDS and intrusion-prevention systems (IPS) together, is no more appropriate than considering 100M bit/sec switches and protocol analyzers together." Se...

National Security Archive Online

My wife discovered George Washington University's National Security Archive. The Intelligence section is interesting as it contains a declassified copy of United States Signals Intelligence Directives, specifically USSID 18. From the description of the documents: "The version of USSID 18 currently in force was issued in July 1993 and 'prescribes policies and procedures and assigns responsibilities to ensure that the missions and functions of the United States SIGINT System (USSS) are conducted in a manner that safeguards the constitutional rights of U.S. persons.' Section 4 (Collection, pp. 2-6) specifies the circumstances under which U.S. SIGINT activities may intercept communications of or about U.S. persons, as well as the authorities of the Foreign Intelligence Surveillance Court, the Attorney General, and the Director of NSA to approve the collection of such information." When I was a lieutenant at the Air Intelligence Agency, we used USSIDs to s...

Comcast ISP Troubles

Connectivity to Taosecurity.com is intermittent due to Comcast network issues.

Understanding Legal Issues of Network Monitoring

While reading the recently published second edition of Incident Response and Computer Forensics , I noticed the legal material hadn't been updated. I visited the Electronic Privacy Information Center (EPIC) to get their take on legal restrictions on monitoring. Their USA PATRIOT Act page is extremely useful. To actually read the PATRIOT ACT, I suggest going to a .gov source like the Government Printing Office . Search for "public law 107-56" (PATRIOT was passed by the "107th Congress") and you'll find the law ( text or .pdf ). From the EPIC PATRIOT report , I found these extracts applicable to network security monitoring. First, EPIC discusses watching "headers": "Section 216 of the Act significantly expanded law enforcement authority to use trap and trace and pen register devices. Prior law relating to the use of such devices was written to apply to the telephone industry, therefore the language of the statute referred only to the col...

Information Security Education

After reading this dire Register.co.uk story on outsourcing IT jobs overseas, I checked out the NSA's National INFOSEC Education & Training Program . It lists 50 universities designated as Centers of Academic Excellence in Information Assurance Education. I noticed George Mason University (near my home) is listed, and offers a MS in Information Security and Assurance and a Ph.D. Concentration in Information Security and Assurance . I wonder what it would be like to take a course like STAT 789 - Advanced Topics in Statistics: Computer Intrusion Detection ? I'm interested in programs like this in the event I want to teach at the university level in 10 to 20 years.

A Lesson on Indications and Warning

I read a fascinating but scary Economist article titled Peril on the Sea . It presents classic examples of "indicators" that can be used to formulate intelligence "warnings" for decision-makers. ( Indications and warning is defined in the DOD Dictionary of Military and Associated Terms . Definitions are taken from the DOD Joint Electronic Library 's Joint Publication 1-02 [ .pdf ].) From the Economist article: "According to a new study ("Security in Maritime Transport: Risk Factors and Economic Impact" [ .pdf , overview ]) by Aegis Defence Services , a London defence and security consultancy, these attacks represent something altogether more sinister. The temporary hijacking of the Dewi Madrim was by terrorists learning to drive a ship, and the kidnapping (without any attempt to ransom the officers) was aimed at acquiring expertise to help the terrorists mount a maritime attack. In other words, attacks like that on the Dewi Madrim are the e...

Review of SQL Server Security Posted

Amazon.com just posted my five star review of SQL Server Security. As usual, the review appears first on my reviews page, but it should appear on the book page soon. From the review: "'SQL Server Security' (SSS) is a great security book, free of the bloat that affects both operating systems and many technical volumes. Weighing in at 322 pages, it's packed with the detail needed to securely deploy Microsoft SQL servers. Although many people contributed to the text, it doesn't suffer from internal redundancy. I highly recommend anyone operating SQL servers devour this book."

Beware the Beast

Securityfocus.com offers a fascinating story that combines hacking, spamming, identity theft, and financial fraud. According to Kevin Poulsen : "Dinh was the unhappy owner of $90,000 in "put" options that could have delivered a hefty payoff if Cisco Systems Inc. stock drooped below $15.00 a share-- but instead were close to expiring worthless. Rather than eat the loss, Dinh allegedly constructed an electronic shell game to offload the contracts on a innocent dupe. Dinh built a list of targets by posting innocuous queries as "Stanley Hirsch" to a public forum on the trading discussion site stockcharts.com, and noting the e-mail addresses of people who responded. The next day, using the alias "Tony T. Riechert," he spammed those addresses with an offer to participate in a beta test of a new stock charting tool. The "stock charting" tool turned out to be a Trojan horse called the "Beast," according to the government. An unsuspecting ...

Working as an Independent Contractor

While reading Network Computing , I found useful advice in the Career Coach column. If you want to be an independent contractor, how do you handle taxes, health insurance, and other services provided by traditional employers? NWC writer Lorna Garey suggests readers check the SOHO Resource Group , which was linked from Techies.com . Lorna writes: "The SOHO Resource Group, for example, which partners with Techies.com, will redirect your 1099 (self-employed/contractor) income into a personal Profit Center, converting the income to W-2 status. SOHO offers access to conventional corporate benefits such as medical and dental insurance and a 401(k) plan. The fee--4 percent of the first $60K in annual income--may be well worth the price for the benefits and time and aggravation saved." Several years ago I found the book From Serf to Surfer: Becoming a Network helpful. It's out of print, even though it's only three years old.

Sourcefire Redefines Intrusion Detection

This morning Marty Roesch, CTO and founder of Sourcefire , launched a new road show , sponsored by IBM, to describe his company's Real-time Network Awareness technology. Here are my notes on Marty's talk, which he began by noting that "Sourcefire is a security company," not just an IDS company. What follows are Marty's main points, regardless of whether I agree or not. Any personal commentary is specifically noted.

Company

As a company, Sourcefire is firing on all cylinders. After being founded in Mar 01, they shipped their first IDS appliance in Nov 01, their 100th in Aug 02, their 1000th in Jun 03, and will ship their 2000th shortly. Projecting forward, they could be the #3 IDS vendor in terms of shipped units by year's end. Marty estimates 100,000 installations of the open source version of Snort. Sourcefire received about $7.65 million in funding in Feb 02, and another $11 million in Feb 03. $8 million is cash in the bank. They were cash flo...

SRI Patent on "Hierarchical event monitoring and analysis"

I was doing research for my book "The Tao of Network Security Monitoring" and learned SRI was awarded a patent on 19 Nov 02 for "Hierarchical event monitoring and analysis." It's patent 6,484,203 and says: "A computer-automated method of hierarchical event monitoring and analysis within an enterprise network including deploying network monitors in the enterprise network, detecting, by the network monitors, suspicious network activity based on analysis of network traffic data selected from the following categories: {network packet data transfer commands, network packet data transfer errors, network packet data volume, network connection requests, network connection denials, error codes included in a network packet}, generating, by the monitors, reports of the suspicious activity, and automatically receiving and integrating the reports of suspicious activity, by one or more hierarchical monitors." I thought this was alarming until I started browsing...

New Wireless Access Point

Shortly I'll report on my experiences with a new 802.11b wireless access point. I bought a ZyAIR B-2000 Wireless LAN Gateway with 4-port Switch , based partly on the good review linked from Practically Networked . I like the product's serial port, support for syslog event reporting, and future support via firmware upgrade for Wi-Fi Protected Access . I use a WAP built by SMC, but I fear it may be failing. The wired LAN side hasn't worked properly for years, and now my wireless signal is degrading abnormally. A book I'm perusing suggests three vendors for wireless products: HyperLink Technologies , Signull Technologies , and TechnoLab Inc.

CERT Publishes Report on CSIRTs

The CERT just published a new document titled "State of the Practice of Computer Security Incident Response Teams" ( .pdf ). This is a massive 276-page document which should help define CSIRT roles in the security community. I seem to remember taking part in a study like this when I worked at the AFCERT. I remember doing phone interviews with CERT and having visitors interview me and my crews.

Link Between Viruses and Organized Crime?

This story explores possible links between viruses and organized crime. My buddy Mike Shema is quoted: "'That is definitely a legitimate concern,' said Michael Shema, a widely recognized expert on Internet security and author of two books on the hacker mentality. Shema said there is considerable evidence to support what otherwise would be romantic conspiracy theories about the connection of viruses to the world of organized crime.

Hacker High School Asks for Help

I received an email recently from Pete Herzog, Managing Director of the Institute for Security and Open Methodologies (ISECOM). I wrote about this group on 25 Aug . Pete is looking for assistance with his Hacker High School project. Pete writes: "HHS is a non-profit, grassroots program originally designed as an after-school computer club; however, with its 10 lesson workbooks, it can easily stand on its own as a small course, integrated into a course, or as a college study program for interested students. HHS exists as a learning tool for Security Awareness Training and actually has as much in common with hacking as depicted in movies as a man does to a mouse." Earlier Pete wrote me in response to my earlier story on ISECOM: "I just wanted to say we are not competing with SANS on any level. Maybe you knew us as Ideahamster- a name we changed because the volunteers requested it. The name is different but the roots are the same. We are a small group proactivel...

Earth Station Five Back Door

On 28 Aug I reported on Earth Station Five . I just read this post claiming a back door of sorts in ES5's peer-to-peer file sharing client. From the post: "There exists malicious code in ES5.exe's 'Search Service' packet handler. By sending packet 0Ch, sub-function 07h to the 'Search Service''s IP:Port, a remote attacker could delete any file the user is sharing. If the remote attacker uses "filenames" with a relative path in them (eg. '..\..\..\WINDOWS\NOTEPAD.EXE'), the remote attacker could also delete files in eg. the windows and windows\system32 folders, or any other folder on the same partition as any of the shared folders. IMPORTANT: This is not a bug! They intentionally added this code to ES5. . . There also exists a lot of other vulnerabilities in ES5 (eg. DoS attacks, buffer overflow bugs, and so on), but these all seem to be unintentional." If anyone knows more about this, please email me at blog at taosecurity do...

How Best to Keep Operating Systems Current?

I'm surprised at the lack of information on how to keep current patches on large-scale enterprise deployments of operating systems and applications. Most documentation targets single machines. I was happy to find the Infrastructures.org site, which is dedicated to "the standardized tooling needed for mass customization within IT." The site houses cfengine , "an autonomous agent and a middle to high level policy language for building expert systems which administrate and configure large computer networks." This looks promising but complicated to set up. In the medium term I'm looking at binary patches for my BSD operating systems, inspired by "An Automated Binary Security Update System for FreeBSD" ( .pdf ), posted at daemonology.net . While rebuilding from source works well, it's slow on older systems. I'm going to try building packages from source on fast systems that I can install elsewhere. Similar projects exist for OpenBSD an...

Building a Trusted Apple Operating System

At the IATF conference (see below) a member of the Secure Trusted Operating System Consortium spoke with Keith Jones and me. This group is trying to build a "trusted" operating system using the underlying Apple Darwin operating system. Being a BSD fan, I should give the OpenDarwin OS a try. The main obstacle appears to be limited hardware support , although I expect that to improve. Thankfully, on the software side there is a Darwin Ports project to keep the great BSD ports system working for this Apple project. The list of software is fairly small right now though.

IATF Forum Brings Government and Industry Together

Today I attended my first meeting of the Information Assurance Technical Framework (IATF) Forum. The IATF is organized by the National Security Agency (hi guys) to foster discussion among developers and users of digital security products. The Federal government is heavily represented. I attended as a security vendor with Foundstone. Today's meeting focused on Protection Profiles for intrusion detection systems . According to the Common Criteria , a Protection Profile (PP) is "an implementation independent statement of security requirements that is shown to address threats that exist in a specified environment." According to the NIST Computer Security Resource Center , the Common Criteria for IT Security Evaluation is "a Common Language to Express Common Needs." Unfortunately, many people at the IATF today noted that the IDS PP doesn't require a product to be able to detect intrusions! Products evaluated against the PPs are listed her...