Posts

Showing posts from July, 2006

Notes for TCP/IP Weapons School Students

This note is intended for students in my TCP/IP Weapons School class at USENIX Security 2006. These are the tools that will be discussed. Remember, this is a class on TCP/IP -- tools are not the primary focus. However, I needed something to generate interesting traffic: Nemesis, Arping, Arpdig, Arpwatch, Arp-sk, the Dsniff suite, Ettercap, Yersinia, Fragroute, Sing, Gnetcat, Packit, Gont attacks, and ICMPshell. The traces we will analyze are available at www.taosecurity.com/taosecurity_tws_v1_traces.zip. You will need to have Ethereal, Wireshark, or a similar protocol analyzer installed to review the traces. Tcpdump might be somewhat limited for this class but you can at least inspect packets with it.

Network Security Operations: LA Edition: 6-7 Sep 06, Glendale, CA

Thanks to the Information Systems Security Association (ISSA) Los Angeles chapter, TaoSecurity is pleased to present an exclusive two-day class: Network Security Operations: LA Edition. NSO:LA will be held 6-7 September 2006, in Glendale, CA. Topics for this hands-on, technical class include: Network Security Monitoring (case studies, theory, network access options, statistical data, session data, full content data, and hybrid data); Network Incident Response (theory, preparation for network IR, detecting and investigating intrusions, and first response); and Network Forensics (case studies, theory, collecting/preserving/analyzing/presenting network traffic as evidence). Students that bring a laptop running the free VMware Server product will receive a custom-built virtual machine to run hands-on labs. Registration fees: by Monday 21 August, non-ISSA member $1395, ISSA member $1255 (10% off); after Monday 21 August, non-ISSA member $1595, ISSA member $1435 (10% off). To register for ...

SPI Dynamics JavaScript Scanner

Ok, this is a little weird. Thanks to SecurityMonkey I just tried the SPI Dynamics JavaScript Scanner. From that page: Imagine visiting a blog on a social site like MySpace.com or checking your email on a portal like Yahoo's Webmail. While you are reading the Web page JavaScript code is downloaded and executed by your Web browser. It scans your entire home network, detects and determines your Linksys router model number, and then sends commands to the router to turn on wireless networking and turn off all encryption. Now imagine that this happens to 1 million people across the United States in less than 24 hours. This scenario is no longer one of fiction. I recommend reading the white paper (.pdf). I tried out the proof of concept on Windows 2000 as a non-admin user running the latest Firefox. Here's what I got. Now all three hosts exist, but due to known issues none are correctly detected. Still, this is a cool idea. Note that I ran the page while using a Web proxy, s...

Anyone Going to DoD Cybercrime?

Is anyone going to the DoD Cybercrime conference in St. Louis, MO, 21-26 January 2007? I didn't think so. St. Louis, in January? What happened to Palm Harbor, FL? I spoke there in 2005 and 2006. I have friends living near Palm Harbor, but none in St. Louis. They're also one of the few conferences (RSA comes to mind) that pays no expenses for speakers; they even charge for attendance! At least RSA picks up the conference fee. I don't think I'll be going to DoD Cybercrime this year. I think a sign that other people are staying away is the extension of the Call for Papers to 7 Aug 06.

Tenable and Nessus Blog Launched

You might want to check out Ron Gula's new Tenable Network Security and Nessus Blog. I just added it to my Bloglines collection, which has increased to over 140 feeds. I love being able to let Bloglines check these sites for news.

Slow Time with FreeBSD 6.1 guest on VMware Server 1.0.0 build-28343

I was prepared to release a new FreeBSD 6.1-based Sguil virtual machine today, but I ran into an old problem. The VMware Server Release Notes say "Full support for 32-bit and 64-bit FreeBSD 6.0 as guest operating systems." I expected that meant the timing problems that had forced me to use FreeBSD 5.x were no longer a problem with FreeBSD 6.x. Well, today I built a FreeBSD 6.1 guest VM on a Windows XP SP2 host running VMware Server 1.0.0 build-28343. It turns out the guest OS runs at about half speed. I am apparently not the only person with this problem; a #snort-gui regular mentioned running ntpdate every 3 seconds (!!) to mitigate this problem. I posted this VMware forum question to see if anyone responds with similar experiences. If you are running FreeBSD 6.x on VMware Server, how are you handling time problems?

Review of Counter Hack Reloaded Posted

Amazon.com's loss is your gain. I just tried to submit the following for my 200th technical Amazon.com review. I read Counter Hack Reloaded by Ed Skoudis and Tom Liston. I tried to submit the review to Amazon.com, but they refused since I already reviewed Counter Hack. Man, that bugs me. The second edition could have been garbage, and no one who reviewed the first edition could say so! I'm not going to create a fake account simply to review the book again. I was able to review the third edition of Anti-Hacker Toolkit without any trouble. As you might expect, I loved Counter Hack Reloaded. It would get five stars if Amazon.com would let me say so. "Still the best single technical introductory volume for security pros": I read and reviewed the first edition of Counter Hack (CH) almost five years ago, and I put that book on my list of top 10 books of the last 10 years. Counter Hack Reloaded (CHL) is an excellent update to the original book, and it remains the single be...

The Face of Another Threat

Kim Zetter wrote a great piece for Wired called Confessions of a Cybermule. It's the story of a criminal who converted stolen credit card numbers into actual cards, then withdrew money at ATMs. In the words of the article: They are the mules of electronic fraud, filling a vital role at the intersection of the virtual and the real: converting stolen account information into cold, hard cash. That's a central challenge for digital criminals. The criminal, who in the story uses the nick John Dillinger, started out converting credit cards into cash this way: Dillinger got several stolen credit-card numbers and spent two months traveling California with a partner, buying high-end laptops and reselling them. He'd never had disposable income, and got a rush from entering a store with a credit card stamped with someone else's account and walking out with expensive products. Later Dillinger created fake cards for use at ATMs: [A] spammer collected hundreds of account numbers,...

Another Sign C&A is Really Broken

I just read an exceptionally interesting post at the ClearNet Security Blog. It explains the Certification and Accreditation (C&A) process implemented by the US Department of Veterans Affairs. Yes, those are the same guys who lost that laptop with my Air Force records. Consider this blog excerpt: Right about this time the second bomb shell went off.... The guy up front promptly says that all test results we collect are to be given to the VA. This makes sense as it is their computers and they are entitled to our analyzed results right? Wrong! The guy corrects himself and says that the results are not to be analyzed by the auditors but by VA personnel. Hmm...so at this point I am not touching a computer nor am I analyzing the results for risk or what is wrong. Something seems very broken about this process at this point. Please read the whole post for the entire story. I hope CNS continues to share their experiences.

Run Your Own Server Podcast

Adam Glenn from Run Your Own Server interviewed me last week. You can listen to the audio here. I like the very NPR-like conclusion to the show. An interview with another site should be posted shortly, and I have a few more on the way.

The State of the Security Book Market

At left is the juggernaut of the security book market -- Hacking Exposed. I mention this book because it came up in a discussion I had with someone in the publishing community today. She reported that the state of the security book market is somewhat weak. She worried that Hacking Exposed (published in late 1999) might have created a "bubble" in the security book market, and the bubble is now deflating. I interpreted her comment to mean that publishers have flooded bookshelves with too many security books over the last 7 years. Publishers were chasing readership figures that were inflated by false expectations caused by Hacking Exposed. Over the last 6 or 7 years I've read and reviewed almost exactly 200 technical titles, the majority of which are security books. That's a huge number, with at least half of those books being titles I thought would be good to read. You can begin to imagine the number of titles I've missed when I tell you that I concent...

No PCI Express NICs in PCI Express Graphics Slots?

I own a Shuttle SB81P that has a 32 bit 33 MHz PCI slot, and a 16x PCI Express slot. Earlier I asked if anyone was using the Intel PRO/1000 PT Dual Port Server Adapter, since I wanted to use that NIC in the PCI Express slot. It turns out that I cannot use that NIC in my Shuttle. I got a sense that it might not work when I noticed the Shuttle documentation called the 16x slot a "PCI Express Graphics (PEG)" slot. I inserted the 4x NIC into the 16x slot, but I could never get the Shuttle to recognize it. I even followed helpful advice from this VMware thread pointing me to Intel's ibautil.exe, which is a DOS utility that probes for Intel cards (among other tasks). It didn't see the PCI Express NIC. I eventually took the NIC to my friend Hank at NetWitness, and we put the NIC into the PCI Express slot of a Dell 850 server. I booted the server with a FreeBSD 6.1 install CD, and then started a shell. Sure enough, FreeBSD detected em0 and em1 -- two new Intel Pr...

Keith Jones Podcast on Real Digital Forensics

Keith Jones was interviewed about our book Real Digital Forensics. The site conducting the interview is Let's Talk Computers. You can reach the audio in Real Audio or Windows Media format here. You can tell this interviewer has been around the block. He actually broadcasts on real AM and FM radio. The whole interview is about 13 minutes long and very informative.

I Just Joined USENIX

I'm speaking at the USENIX Security conference next week, delivering two days from one of my training classes. I've been teaching at USENIX for two years, beginning with USENIX Security 2004. When attending USENIX conferences I always get a few free copies of ;login: magazine. I've written about this magazine before. One of the best aspects of it is the conference proceedings section. It's a great way to read summaries of academic papers on security and system administration topics. Because I'm working on submitting an application to pursue a PhD in computer security, I decided I needed to get serious about what's happening in the academic side of security. (By the way, I've started a NSM Research blog to capture thoughts and links to papers as I progress. I don't suggest reading it, since it's mainly for me. Anything worthwhile I will publish here. I detest keeping bookmarks, so blogging makes more sense.) One way to get serious ab...

Review of Anti-Hacker Toolkit, 3rd Ed Posted

What is that? It can't be a new Amazon.com book review, can it? It's true, I'm working through my reading list before my wish list gets any longer. It's been over two months since my last review, but I plan to post reviews again throughout 2006. My 199th technical Amazon.com review covers Osborne's Anti-Hacker Toolkit, 3rd Ed. I'm friends with a few of the people who have worked on the editions of this book over the years, primarily Mike Shema and Keith Jones. Keith is no longer working on the book, but Mike is actively involved. From my four-star review: I reviewed the first edition "Anti-Hacker Tool Kit" (AHT:1E) in August 2002, and the second edition (AHT:2E) in June 2004. AHT:3E was published in February 2006. I continue to like AHT, because it addresses many of the tools an operational security professional should know how to use. I'll point out the differences between AHT:2E and AHT:3E, then offer some suggestions for AHT:4...

Updated FreeBSD Forensics

This morning I was reading the third edition of Anti-Hacker Toolkit. I realized no one had updated the section "Vnode: Transforming a Regular File into a Device on FreeBSD." Keith Jones wrote that section four years ago when he co-authored the first edition of AHT. That part of AHT shows how to mount a hard drive image as a file, such that the hard drive image can be examined in a forensically safe manner. If you follow the advice in the book and try to vnconfig, you get this error: orr:/home/richard$ vnconfig ERROR: vnconfig(8) has been discontinued Please use mdconfig(8). Fair enough. Let's see what we need to do to use mdconfig. I used the jbr_bank/forensic_duplication/JBRWWW.dd.gz hard drive image from Real Digital Forensics by Keith Jones, Curt Rose, and myself. If you want that image or any other files from the book, you'll need the DVD that ships with it. After gunzipping the archive, I used mdconfig to create a vnode. orr:/nsm/rdf$ sudo mdconfi...

ISSA-NoVA Summer Social

The ISSA-NoVA Summer Social will be held Thursday 17 August 2006 at the American Tap Room, 1811 Library St., Reston Town Center, in Reston, VA. There is no speaker, just a chance for members to chat for a few hours. I will probably be there but I have not yet RSVP'd. Last year I talked with Transzorp most of the meeting, but he's in CA working for Google now. If you're going, please reply here.

Participating in e-Symposium Wednesday

I was asked to participate in an ISSA e-Symposium titled Emerging Threats and Response. Readers of this blog will guess I may have a field day with this one. I'm part of a round table called Migration to IP: Convergence or Collision? For those of you with extra coin, registration costs £50 / €75 / $90. Wow, I might be in the wrong business! Has anyone heard of these talks before? Update: As pointed out in the comments, it's free for ISSA members to register.

NYCBSDCon 28-29 October 2006

I'm not having any luck with schedules and BSD conferences this year. I missed the third BSDCan and I'm going to miss the second NYCBSDCon on 28-29 October in Davis Auditorium, Columbia University, New York City. This will undoubtedly be a great conference, since NYCBUG is hosting it. Remember, they built the Portrequest.org site based on a suggestion I made. Awesome.

Blogger Now Offers RSS and Atom

I just realized that Blogger provides native RSS and Atom feeds. Previously only Atom was provided. For consolidation purposes I plan to cancel the 2rss.com and Feedburner RSS feeds soon, so please switch your RSS readers to the Blogger RSS feeds. (I may not be able to cancel the 2rss.com feed since it looks like an automatic set-up.) Thank you.

Help Freshports

Do you use Dan Langille's Freshports site to track FreeBSD ports? Dan is asking for donations to help buy hardware for the site. I just sent $25 USD. Will you help? Thank you.

SANS Log Management Summit

Last week I paid for and attended the SANS Log Management Summit. I'd like to share a few thoughts about what I saw. First, I think Alan Paller did a great job as host. He kept the presentations moving and unflinchingly kept to his schedule. Talks started at 8 am, period. I thought his "yellow card" system for questions worked very well. (If you wanted to ask a question, you wrote it on a yellow card. SANS staff collected the cards then handed them to the speaker or Alan, who answered the question.) The system prevented the "speeches" one usually sees in large crowds with open microphones. Alan started the conference by presenting his "faces of cybercrime" presentation, based on his testimony (.pdf) in late 2005. He reminded the audience of the advice to learn hacking given by soon-to-be-executed Bali bomber Imam Samudra. Alan claimed at least one organized crime group has moved two hackers to Africa and forced them to compromise targets...

NoVA Sec Founded

Inspired by Matasano's ChiSec, I decided to start NoVA Sec. Here's the deal. We find a place to meet, we pick a time, and we talk security tech. I do not want to hear the terms CISSP, FISMA, DITSCAP, C&A, or any related subjects. If you are a security type in the northern Virginia area -- and you perform operational security work -- we want to meet you. If you read, write, audit, or enforce regulations, you won't like this group. I am working on finding a location. I would like to hold our first meeting in August. If you have any suggestions, please post them as comments to this post at the NoVA Sec Blog. Thank you.

Call for Def Con Dunk Tank Volunteers

I am not attending Black Hat or Def Con this year. However, Russ Rogers asked me to spread the word on the following event: Defcon will once again be running the Defcon Dunktank as a fund raiser for the fine folks at the EFF (www.eff.org). This email is a call for volunteers that are willing to sit in the dunktank for 30 minutes and let random attendees attempt to dunk them. The money is for a good cause, the water is nice and cool in the hot desert, and you'll be richer and sexier simply for volunteering your time! Please let me know if you would be willing to sit in the tank. I need to put together a schedule, so if you have a specific time slot you'd like, please let me know that as well. It would be most useful if you can provide multiple slots so I have some room to work. Please pass this email to everyone you can possibly think of. I'd like to get as many speakers, hackers, and others to sit in the tank at some point during Defcon. And the water is likely to be mu...

Building an Internet Server with FreeBSD 6

I received a review copy of Bryan Hong's new book Building an Internet Server with FreeBSD 6. This is the first book I've received from Lulu Press. I am surprised by the physical quality of this book. It looks just as good as any softcover book you might find at a store, and you can purchase it through Amazon.com or other sellers. Based on the page count and form factor, I estimate it cost Bryan about $6.45 per copy to publish the book (181 pages, 100 copies). I am not sure what it might cost to get the book listed at Lulu or Amazon, and I am not sure if Bryan ships every book himself. Services like Lulu are a great idea if you don't want to publish with a formal publisher. I personally enjoy working with Addison-Wesley. Why? AW's production team is top-notch. I think every book I publish is formatted and printed in just the right manner. They convert my lousy PowerPoint scribblings into real artwork. They know how to lay out the pages properly. The text...

IT-Harvest Launches IT Security Database

I read on Richard Stiennon's blog that his new company IT-Harvest has launched its Knowledge Base, with "830 security vendors, 1,600 security products, and 2,200 security people in the data base." The company plans to charge access to the database but offer its research for free. I look forward to seeing the fruits of this work.

New Bejtlich.net Layout

I used the latest version of the "andreas01" design by Andreas Viklund to design Bejtlich.net. I used an older version of this CSS design for TaoSecurity.com, so I will probably upgrade when I have time. I have to say I had no real trouble using CSS, unlike Mr. Dvorak. Needless to say my two sites are much simpler than his, and I would dare say far less gaudy! Thanks to Royce for mentioning the HTML Validator Extension -- I plan to use it to fix warnings and any errors.

Breaking News: UBS Intruder Guilty

Keith Jones just emailed me saying Roger Duronio, the UBS intruder, was convicted of one count of Securities Fraud and one count of Fraud and Related Activity In Connection with Computers. He was found not guilty of two counts of Mail Fraud. Congratulations Keith! Update: Here's the newest Information Week article by Sharon Gaudin.

Israeli Incident Response Report

Incident responders from Beyond Security published an interesting report (.pdf) explaining their involvement in a recent defacement of an Israeli Web site. I read the report but was surprised to not see any mention of shutting down access to the Web site upon discovering the intrusion. There was no question of compromise -- the image above shows what happened to the Web site. Consider the following excerpt from the report. [T]he web site in question was defaced by Team Evil and action had to be taken immediately. There was no time to perform a full forensic investigation. What the attacked organization required was a real-time forensic analysis of the attack in order to contain damage and respond accordingly, with the following operational goals in mind: 1. Stop the continuing damage being inflicted as soon as possible by kicking out the attackers who were damaging the site while analysis was done. 2. Prevent further access from the attackers. 3. Determine what hole the atta...

ISSA NoVA Meeting Thursday

This Thursday is the next ISSA NoVA meeting. It will be held at the Microsoft Technology Center in Reston, VA. The social hour starts at 1730 and the meeting starts at 1830. A government civilian is the speaker. :) RSVP by noon today.

Redesigned TaoSecurity Web Site

I was so motivated by my TaoSecurity Blog redesign that I decided to revamp TaoSecurity.com too. I used a template from Open Source Web Design created by Andreas Viklund. Now that the site is up I will spend some time fixing the problems found by the validator. When I have some free time I will work on Bejtlich.net next. Remember, I am a security guy -- not a Webmaster.

New TaoSecurity Layout

I've decided to try a new layout and enable Title and Links explicitly in the posts. Over the past year or more I've received multiple messages about feed issues and so on, so maybe this will help.

HD Moore Continues to Rock

What do you get when you combine creativity, deep technical and programming knowledge, and the ability to rapidly execute? The answer is HD Moore. Bamm (Sguil author) and I had the good fortune to have lunch with HD in 2001 in San Antonio, and he made quite an impression on us. Thanks to this Offensive Computing post, I just learned of HD's new Malware Search Engine. You can read this eWeek interview for motivations behind the project. All of the code will fit into three browser panes. Read this page for examples of how to use it. I wonder if some ignorant policy maker will see this site as a problem and try to shut it down? Browserfun is still operational and July will end soon.

OpenPacket.org Update

I just posted news on OpenPacket.org at the OpenPacket Blog. I made an initial announcement about OpenPacket last year. In short, this project is going nowhere unless I get some help with development or financing, due to my lack of Web development skill and time. I appreciate any comments you might post on the OpenPacket Blog. Update: Please visit the OpenPacket Blog for fresh updates. I created devel and users mailing lists, and two people have already volunteered development help. Wow!

How Do You Fit Into the Security Community?

I've spent some time beefing up my Bloglines feeds. As I look for people with ideas that could be useful, I'm reminded of the vast differences among those who would all presumably claim to be "security professionals." I am acutely aware of these differences when I visit security conferences, and I wrote about this phenomenon after attending USENIX 2003, Black Hat 2003, and SANS NIAL 2003 within a span of 30 days. At the risk of being attacked for promoting stereotypes or hurting feelings, I decided to share a few thoughts on this subject. What group describes you? Academics: This group consists of undergraduates, graduates, PhD candidates, and faculty. They tend to frequent USENIX conferences where they will be talking about the latest security protocol. They have ties to government organizations because that is the source of grant money. They write papers, mostly speak in front of other academics, and take deep looks at improving security technologies in for...

Beta Test Argus 3.0 and Tcpreplay 3.0

If you're a packet monkey like me, you probably use tools like Argus and Tcpreplay. Carter Bullard is preparing to release Argus 3.0 soon, which includes a lot of community feedback. You can try the latest release candidates here. I helped testing by providing access to a box running FreeBSD 6.1 amd64. Similarly, Aaron Turner just released a new beta version of Tcpreplay. I ran into a problem with Tcpedit on FreeBSD 6.1 i386 when running 'make'. Try downloading and testing these beta versions and provide feedback to the authors. Thank you!

One Thought on State Department Incidents

I have absolutely no special knowledge of this event. All I know I've learned from stories like this. The following caught my eye: The department also temporarily disabled a technology known as secure sockets layer, used to transmit encrypted information over the Internet. Hackers can exploit weaknesses in this technology to break into computers, and they can use the same technology to transmit stolen information covertly off a victim's network. Many diplomats were unable to access their online bank accounts using government computers because most financial institutions require the security technology to be turned on. Cooper said the department has since fixed that problem. So DoS (heh, pun intended) disabled outbound HTTPS? It sounds to me like the intruders used a HTTPS covert channel (not so covert, actually) to communicate with their victims. I think we are getting to the point where encrypted outbound HTTP will have to terminate on a proxy server that permits inspect...

Speaking at Net Optics Think Tank on 26 September

Almost exactly one year after my last appearance, I will be speaking at the next Net Optics Think Tank on 26 September 2006 in Fairfax, VA. I haven't figured out exactly what I will be covering yet. I might talk about some material from my TCP/IP Weapons School class and how it relates to recent incidents like the Freenode event. It looks like I will be speaking during lunch from 1215 to 1315.

More Notes from TechnoSecurity 2006

I found another page of notes I took at Techno Security 2006. These were from Marcus Ranum's talk, and I listen to Marcus. He observed that small vendors tend to sell products designed for sophisticated users, because large companies tend to sell products for unsophisticated users. Which market is bigger? The unsophisticates vastly outnumber the sophisticates. Therefore, start-ups usually chase a very small market and tend to be weak. Marcus said "security ROI is dead" and "legislation has made security a cost." He predicted "we will be competing with legal for money (or working for them) in the next five to ten years." To hammer the point Marcus then said "there never was a security ROI." Amen. For a way forward, Marcus offered two paths. Path A sees multi-level security rising from the ashes. Marcus claimed this is not likely, although papers like The Path to Multi-Level Security in Red Hat Enterprise Linux (.pdf) might beg to...

Comments on SANS CDX Briefing

One of the benefits of paying for this week's SANS Log Management Summit was attending a briefing last week on the latest Cyber Defense Exercise conducted by the NSA. SANS organized a panel with a USAFA cadet, a USNA midshipman, a USMA-grad Army 2LT, and several NSA or ex-NSA representatives, along with their boss, Tony Sager. Although I've known of CDX for several years, this was my first real insight to how these exercises are conducted. The NSA organizer, or "white cell leader," is Bruce Rogers. He explained that competitions can be conducted either as capture-the-flag style events or purely defensive affairs. CDX is purely defensive. When I asked Mr. Rogers if he had spoken to any organizers of other cyber competitions, like those of Def Con or ShmooCon, he said no. Mr. Rogers has 20 white controllers overseeing the exercise, which includes 6 targets (the six defending teams -- USAFA, USNA, USMA, USMMA, AFIT, and NPS). The attackers are split into two gr...

Three Pre-Reviews

Three generous publishers sent me three books to review this week. The first is Apress' Pro Nagios 2.0 by James Turnbull. This is the second book on Nagios on my reading list. I plan to deploy Nagios on my test network to gain a better understanding of how it works. I will use both books and compare and contrast them once I've finished each. The second book is O'Reilly's IPv6 Essentials, 2nd Ed by Silvia Hagen. I did not read the first edition, because by the time I gained interest in IPv6 newer books were published. For example, I really liked Apress' Running IPv6 and O'Reilly's IPv6 Network Administration. I plan to deploy an IPv6 testbed soon, so I will use this new book to help that project. I'll compare the new book to the two older texts. I'm hesitant to mention this last book, because I don't plan to read it. (I only review books that I read.) I don't plan to read Syngress' Dictionary of Information Security by ...

2006 CSI-FBI Study Confirms Insider Threat Post

Earlier this week I said Of Course Insiders Cause Fewer Security Incidents. I'm taking heat over at Matasano, but I've got some fresh facts to back me up, after getting a pointer from this Dark Reading story. In short, the 2006 CSI-FBI study is now available, and it confirms my proposition. The study shows there is a new significance for the number "80%". Check out this chart from page 13. If you add up the two left columns, it shows that a clear majority of survey respondents -- 61% -- believe that "none" or 20% or less of their losses come from insiders. In other words, for the clear majority of survey respondents, 80% or more of their losses come from external threats. Why is this? Apparently it's caused by the number one cause of dollar losses -- "virus contamination." "Unauthorized access to information" is a fairly close second, compared to the positions of the other dollar losses. It's interesting that "s...

TCP/IP Weapons School Will Rock

Are you attending TCP/IP Weapons School at USENIX Security 2006 in Vancouver on 31 July and 1 August 2006? If yes, these are the topics I will cover. Hardware and Network Design: Bridges; Hubs; Switches; Routers; Duplex and Domains; Layer-X Switches; Middleboxes; Local Area Networks; xANs, VPNs, and WLANs; VLANs. Layer 1: What is Layer 1?; Ethernet; Raw Ethernet (Nemesis); UTP; Ethernet over UTP; Fiber Optics; Ethernet over Fiber Optics; Ethernet Emulation over FireWire; IP over FireWire; IP over Wireless; Layer 1 Attack: Rogue Access Point. Layer 2: What is Layer 2?; Ethernet Revisited; Revisiting What is Layer 2?; Test Network Layout; Packet Delivery on the LAN; Ethernet Interfaces; ARP Basics; ARP Request/Reply; ARP Cache; Arping; Arpdig; Arpwatch; Dynamic Trunking Protocol; Layer 2 Attacks: Test LAN Reference, Changing MAC Addresses, MAC Flooding (Macof), ARP Denial of Service (Arp-sk), Port Stealing (Ettercap), Layer 2 Man-In-The-Middle (Ettercap), Dynamic Trunking Protocol Attack (Yersinia). Layer 3: What is Layer 3?; Inter...

Of Course Insiders Cause Fewer Security Incidents

Today's SANS NewsBites points to this eWeek article, which in turn summarizes this Computer Associates press release. It claims "more than 84% [of survey respondents] experienced a security incident over the past 12 months and that the number of breaches continues to rise." The SANS editor piqued my interest with this comment: "(Honan): It is interesting to note that this survey highlights the external threat is becoming more prevalent than the internal one." (emphasis added) "Becoming more prevalent?" This is Mr. Honan's answer to this part of the CA story: "Of the organizations which experienced a security breach, 38% suffered an internal breach of security." That means 62% experienced an external breach, or perhaps less if one could not determine the source of the breach. I highlight "becoming more prevalent" because it indicates the speaker (like countless others) fell for the "80% myth," which is a statemen...

Control-Compliant vs Field-Assessed Security

Last month's ISSA-NoVA meeting featured Dennis Heretick, CISO of the US Department of Justice. Mr. Heretick seemed like a sincere, devoted government employee, so I hope no one interprets the following remarks as a personal attack. Instead, I'd like to comment on the security mindset prevalent in the US government. Mr. Heretick's talk sharpened my thoughts on this matter. Imagine a football (American-style) team that wants to measure their success during a particular season. Team management decides to measure the height and weight of each player. They time how fast the player runs the 40 yard dash. They note the college from which each player graduated. They collect many other statistics as well, then spend time debating which ones best indicate how successful the football team is. Should the center weigh over 300 pounds? Should the wide receivers have a shoe size of 11 or greater? Should players from the north-west be on the starting line-up? All of this seem...