I'd like to briefly record a few thoughts on the AusCERT conference.
- Andrea Barisani gave a great talk on the rsync1.it.gentoo.org compromise of December 2003. He emphasized that preventing incidents is nice, but security monitoring and awareness are absolutely critical. I need to try his Tenshi log monitoring tool.
- Greg Castle introduced his Whitetrash whitelisting Web redirector for Squid. I think his approach is very innovative and I plan to try Whitetrash with my lab Squid proxy. Mike showed how Google Mobile could avoid some URL inspectors, with URLs like http://google.com/gwt/n?u=http:%3a%2f%2fslashdot.org.
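One way a whitelisting proxy can see through a redirector URL like the one above is to decode embedded query values and check every host they point at, not just the outer one. This is an added Python example, not code from the talk or from Whitetrash; the whitelist entries and function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample: the redirector-style URL quoted in the talk notes.
SAMPLE_URL = "http://google.com/gwt/n?u=http:%3a%2f%2fslashdot.org"

# Hypothetical proxy whitelist; the entries are illustrative only.
WHITELIST = {"google.com"}

# Lenient host extractor for values that look like URLs. It tolerates the
# sloppy "http:://host" form, because a filter must be at least as forgiving
# as the gateway that will actually follow the embedded link.
_EMBEDDED_URL = re.compile(r"^\s*(https?:)[:/\\]*([^/?#\s:\\]+)", re.I)

def fully_decode(value, rounds=3):
    """Percent-decode until stable, so %253a (double encoding) unwraps too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def reachable_hosts(url):
    """Return every hostname a request for `url` may ultimately reach.

    The outer host is always included. Each query value that, after
    decoding, looks like an http(s) URL contributes its host as well,
    recursively, so a redirector or translation gateway cannot hide the
    real destination behind an encoded parameter.
    """
    hosts = set()
    parts = urlsplit(url)
    if parts.hostname:
        hosts.add(parts.hostname.lower())
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = fully_decode(value)
        m = _EMBEDDED_URL.match(decoded)
        if m:
            # Normalise to a clean "scheme//host..." form before re-parsing.
            inner = m.group(1).lower() + "//" + decoded[m.start(2):]
            hosts |= reachable_hosts(inner)
    return hosts

def allowed(url, whitelist=WHITELIST):
    """Permit the request only if every reachable host is whitelisted."""
    return reachable_hosts(url) <= {h.lower() for h in whitelist}
```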
- Mike Newton from Stanford explained his Argus infrastructure, which collects 35 GB of data per day; he reduces that with bzip2 to 11 GB per day and then to 3 GB per day with custom filtering. He keeps 30 days online in raw format, then compresses and stores 400 days. He watches 5 class B networks with 45,000 hosts. Based on his analysis Stanford is segmenting itself into 300 zones using virtual firewalls (?). He said that one of the important reasons to monitor with Argus is to avoid having to disclose incident details, because Argus data can show that compromise of sensitive data was unlikely or did not occur.
- John McHugh (formerly of CERT) gave a great talk on network situational awareness using SiLK, right after my talk. I need to try some of the tools at the Network Situational Awareness group at CERT. I had dinner with John and I hope to do a guest lecture at some point at his school.
- Cristine Hoepers from the Brazil CERT spoke on spam research using open proxy honeypots. Her talk reminded me that I should consider honeypots as a way to collect threat information in locations where monitoring production traffic is sensitive. If I monitor only the honeypot, I can limit privacy complaints about seeing other people's traffic.