Showing posts from January, 2014

Quick Thought on Internet Governance and Edward Snowden

I am neither an Internet governance expert nor am I personally consumed by the issue. However, I wanted to point out a possible rhetorical inconsistency involving the Internet governance debate and another hot topic, theft of secret documents by insiders, namely Edward Snowden. Let me set the stage. First, Internet governance. Too often the Internet governance debate is reduced to the following. One side is characterized as "multi-stakeholder," consisting of various nongovernmental parties with overlapping agendas, like ICANN, IANA, IETF, etc. This side is often referred to as "the West" (thanks to the US, Canada, Europe, etc. being on this side), and is considered a proponent of an "open" Internet. The other side aligns with state governments and made its presence felt at the monumental December 2012 ITU World Conference on International Telecommunications (WCIT) meeting. This side is often referred to as "the East" (thanks to Russia, China, t

Suricata 2.0beta2 as IPS on Ubuntu 12.04

Today I decided to install Suricata, the open source intrusion detection and prevention engine from the Open Information Security Foundation (OISF), as an IPS. I've been running Suricata in IDS mode through Security Onion on and off for several years, but I never tried Suricata as an IPS. I decided I wanted to run Suricata as a bridging IPS, such that it did not route traffic. In other words, I could place a Suricata IPS between, say, a router and a firewall, or between a router and a host, and neither endpoint would know the IPS was present. Looking at available documentation across the Web, I did not see specific mention of this exact configuration. It's entirely possible I missed something useful, but most people running Linux as a bridge weren't using Suricata. Those running Linux as a bridge sometimes enabled an IP address for the bridge, which is something I didn't want to do. (True bridges should be invisible to endpoints.) Of course, to administer the

What Does "One Hour" Mean for Incident Response?

Yesterday, 8 January 2014, was the 11th birthday of TaoSecurity Blog. Please check out my happy 10th birthday post if you want to know why I don't blog much! In brief: Twitter. I just read a story which I thought required more than 140 characters of attention: OMB revising data breach reporting requirements by Jason Miller. It says in part: GAO found OMB's requirement to submit information about data breaches to the DHS U.S. Computer Emergency Readiness Team (US-CERT) within an hour after discovering the breach is of little value... "Officials at agencies and US-CERT generally agreed that the current requirement that PII-related incidents be reported within one hour may be difficult to meet and may not provide US-CERT with the best information," auditors wrote. "Specifically, officials at the Army, FDIC, FRB, FRTIB, and SEC indicated that it was difficult to prepare a meaningful report on a PII incident to US-CERT within the one-hour time frame requir