Pascal Meunier Is Right About Virtualization

I love Pascal Meunier's post "Virtualization Is Successful Because Operating Systems Are Weak":

"It occurred to me that virtual machine monitors (VMMs) provide similar functionality to that of operating systems... What it looks like is that we have sinking boats, so we're putting them inside a bigger, more powerful boat, virtualization... I'm now not convinced that a virtualization solution + guest OS is significantly more secure or functional than just one well-designed OS could be, in theory... I believe that all the special things that a virtualization solution does for functionality and security, as well as the 'new' opportunities being researched, could be done as well by a trustworthy, properly designed OS."

Please read the whole post to see all of Pascal's points. I had similar thoughts on my mind when I wrote the following in my post "NSM vs Encrypted Traffic, Plus Virtualization":

"[R]eally nothing about virtualization is new. Once upon a time computers could only run one ..."

Verizon Study Continues to Demolish Myths

I just read "Patching Conundrum" by Verizon's Russ Cooper. Wow, keep going guys. As before, I recommend reading the whole post. Below are my favorite excerpts:

"Our data shows that in only 18% of cases in the hacking category (see Figure 11) did the attack have anything to do with a 'patchable' vulnerability. Further analysis in the study (Figure 12) showed that 90% of those attacks would have been prevented had patches been applied that were six months in age or older! Significantly, patching more frequently than monthly would have mitigated no additional cases. Given average current patching strategies, it would appear that strategies to patch faster are perhaps less important than strategies to apply patches more comprehensively..."

"To summarize the findings in our 'Control Effectiveness Study', companies who did a great job of patching (or AV updates) did not have statistically significantly less hacking or malicious code experience than companies who said they did an average ..."

Logging Web Traffic with Httpry

I don't need to tell anyone that a lot of interesting command-and-control traffic is sailing through our Web proxies right now. I encourage decent logging for anyone using Web proxies. Below are three example entries from a Squid access.log. This is "squid" format with entries for user-agent and referer tacked to the end. Incidentally here is a diff of my Squid configuration that shows how I set up Squid. r200a# diff /usr/local/etc/squid/squid.conf /usr/local/etc/squid/squid.conf.orig 632,633c632,633 --- > #acl our_networks src 192.168.1.0/24 192.168.2.0/24 > #http_access allow our_networks 936c936 --- > http_port 3128 1990,1992d1989 a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt "%{Referer}>h" "%{User-Agent}>h" 2022c2019 --- > access_log /usr/local/squid/logs/access.log squid 2216c2213 --- > # strip_query_terms on 3056d3052 If you worry I'm exposing this to the world, don't worry too much. I find the value of having ...
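Review bot: the left-hand "<" lines of every hunk (the author's own settings) are missing from this excerpt, so only the squid.conf.orig side survives; because the command is "diff squid.conf squid.conf.orig", the ">" lines shown are the stock defaults, not the changes, and the first field of the surviving logformat line (everything before "a %Ss/%03Hs") has been lost with them. Two points still follow from what is visible. First, the custom logformat records "%ru" (the full request URL) plus the Referer and User-Agent headers, and the 2216c2213 hunk alters the "# strip_query_terms on" default; if strip_query_terms ends up off, access.log will retain query strings, which routinely carry session identifiers and other sensitive values, so the log needs the same access restrictions as the data it reveals. Second, the 632,633c632,633 hunk touches the commented "acl our_networks" and "http_access allow our_networks" lines, so the resulting http_access rule set should be confirmed to allow only the intended source networks before the proxy is exposed.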

Sourcefire Best of Open Source Security Conference

Sourcefire is sponsoring a Best of Open Source Security (BOSS) conference 8-10 February in Las Vegas, NV, with the main activities happening on 9-10 February. Sourcefire is holding the event simultaneously with their annual users conference. I am on the committee evaluating speakers so I look forward to seeing what people want to present.

Verizon Business Report Speaks Volumes

This morning I attended a call discussing the new Verizon Business 2008 Data Breach Investigations Report. I'd like to quote the linked blog post and a previous article titled "I Was an Anti-MSS Zealot", both of which I recommend reading in their entirety. First I cite some background on the study:

"Verizon Business began an initiative in 2007 to identify a comprehensive set of metrics to record during each data compromise investigation. As a result of this effort, we pursued a post-mortem examination of over 500 security breach and data compromise engagements between 2004 and 2007 which provided us with the vast amount of factual evidence used to compile this study. This data covers 230 million compromised records. Amongst these are roughly one-quarter of all publicly disclosed data breaches in both 2006 and 2007, including three of the five largest data breaches ever reported. The Verizon Business 2008 Data Breach Investigations Report contains first-hand information on actual ..."

House of Representatives v China

Thanks to one of my colleagues for pointing out "Lawmaker says Chinese hacked Capitol computers":

By PETE YOST and LARA JAKES JORDAN – 3 hours ago

WASHINGTON (AP) — A congressman said Wednesday the FBI has found that four of his government computers have been hacked by sources working out of China. Rep. Frank Wolf, a Virginia Republican, said that similar incidents — also originating from China — have taken place on computers of other members of the House and at least one House committee. A spokesman for Wolf said the four computers in his office were being used by staff members working on human rights issues and that the hacking began in August 2006. Wolf is a longtime critic of the Chinese government's human rights record. The congressman suggested the problem probably goes further. "If it's been done in the House, don't you think that they're doing the same thing in the Senate?" he asked.

For a record of others hacked by China, see my earlier posts.

Publicity: BSD Associate Examinations

I was asked to mention that the following BSD Associate examinations will take place at these three events:

RMLL: Mont-de-Marsan, France, Jul 02, 2008
OpenKyiv 2008: Kiev, Ukraine, Aug 02, 2008
LinuxWorld: San Francisco, CA, Aug 06-07, 2008

From the BSDA description:

"The BSDA certification is designed to be an entry-level certification on BSD Unix systems administration. Testing candidates with a general Unix background, but less than six months of work experience as a BSD systems administrator (or who wish to obtain employment as a BSD systems administrator), will benefit most from this certification. Human resource departments should consider the successful BSDA certified applicant to be knowledgeable in the daily maintenance of existing BSD systems under the direction and supervision of a more senior administrator."