Friday, January 26, 2007

Thoughts on December 2006 USENIX Login

I had the opportunity to "hang in the sky" (to use John Denver's phrase) again this week. While flying I read one of the best issues of USENIX ;login: I've seen. The December 2006 issue featured these noteworthy articles, most of which aren't online for everyone. USENIX members have the printed copy or can access the .pdf now. Nonmembers have to wait a year or attend the next USENIX conference, where free copies are provided.

  • My favorite article was The Underground Economy: Priceless by Team Cymru (.pdf available for free now). The article described the sorts of stolen material one can find circulating in the
    underground. It's a definite wake-up call for anyone who doesn't pay attention to that issue. Choice quotes include:

    Entire IRC networks--networks, not just single servers--are dedicated to the underground economy. There are 35 to 40 particularly active servers, all of which are easy to find. Furthermore, IRC isn't the only Internet vehicle they use. Other conduits include, but are not limited to, HTTP, Instant Messaging, and Peer-to-Peer (P2P)...

    This is the greatest failure of new technology--a rush to market, without consideration of the risks and a cost/benefit analysis. This is at the heart of the security problem. Certainly, that is not to say that industries should not capitalize on technological advances but, rather, that they should consider risk and threat mitigation strategies prior to bringing any product to market...

    The underground economy is fertile ground for the pursuit (and, we hope) prosecution of the miscreants. Most of the underground economy servers are public, advertised widely, and easy to find (standard IRC ports, very descriptive DNS RRs, etc.). There is absolutely no presumption of privacy in the underground economy; the channels aren't hidden, the channels have no keys, and the servers have no passwords. The clients in these channels are widely divergent. Think about what has just been shared:

    1. There is no need for specialized IRC clients.
    2. There is no need to rapidly track ever-changing DNS RRs and IPs.
    3. There is no need to pull apart every new permutation of malware.
    4. There is no need to hide, period.

  • Jan Göbel, Jens Hektor, and Thorsten Holz wrote Advanced Honeypot-Based Intrusion Detection, describing a combination of tools like Nepenthes, CWSandbox and local solutions.

  • In The Security of OpenBSD: Milk or Wine?, Andy Ozment and Stuart E. Schechter demonstrate that OpenBSD security has improved over time.

  • In White Worms Don't Work by Nicholas Weaver and Dan Ellis, the pair argue "good" worms don't work.

  • Michael B. Scher shares his legal expertise in On Doing "Being Reasonable".

  • In the New Security Paradigms Workshop (NSPW '06) conference write-up (.pdf, available for free now), I read this interesting summary:

    Panel: Control vs. Patrol: A New Paradigm for Network Monitoring

    Panelists: John McHugh, Dalhousie University; Fernando Carvalho-Rodrigues, NATO; David Townshed, University of New Brunswick

    The panelists debated the idea of an independent network-monitoring authority operating to ensure network integrity. The panelists contrast their concept of patrol versus more traditional discussions of network monitoring, which, in their perspective, are control- or ownership-oriented. The analogy driving the discussion was the role of highway patrols: Where a person drives in public spaces is their own business but that they were present is publicly accessible knowledge.

    Another summary read:

    Challenging the Anomaly Detection Paradigm (.pdf)

    Carrie Gates, CA Labs; Carol Taylor, University of Idaho

    This paper described weaknesses the authors perceived in the anomaly detection paradigm. The authors identified and questioned assumptions in three domains: the rarity and hostility of anomalies, problems in training data, and incorrect assumptions about operational requirements.

    In the first case, the authors argue that the assumptions made about the "normalcy" of data differ both since Denning's original studies and owing to changes in scope: Network data is more complex than system logs, and network data today is far more hostile than at the time of Denning's paper. In the second case, there are implicit assumptions about training data, such as the normalcy of a previous sample and the rarity of attacks that overlap this former case. Finally, the operational constraints were discussed in depth, with several commentators noting that the acceptable false-positive rate among the operational community is close to zero.
    (emphasis added)


Journals like ;login: are another great reason to be a USENIX member.

1 comment:

Adam said...

Thanks for the heads up, Richard. I found "The Underground Economy: Priceless" to be an interesting read as well. Just .04 cents for a compromised host is pretty scary. It gives you an idea of just how many owned hosts there must be out there. However, I guess other people's computer insecurity helps our job security, so it's not all bad.