Posts

DC BSDCon 2009 Call for Papers Open

I was pleased to hear from Jason Dixon, who told me that he is organizing DC BSDCon 2009 on 4 and 5 February 2009 at the Washington Marriott Wardman Park. This is right before ShmooCon 2009 and has been coordinated with that group. DC BSDCon has a call for papers open until 1 December, with selections announced on 15 December. I will probably submit a presentation. I will not attend ShmooCon this year. I've decided the logistics are too much of a hassle. There are a few talks on Friday evening, a full day on Saturday, and a few talks on Sunday. The commute to DC takes me about 1 3/4 hours each way, using public transportation, so I spend more time travelling than I do in talks Friday or Sunday. Sunday morning's activities conflict with church. Saturday I try to give my wife a break from our two kids. Spending a weekend on what are essentially "work activities" isn't worth it.

Vulnerabilities and Exploits Are Mindless

Jofny's comment on my post Unify Against Threats asked the following: So, Richard, I'm curious which security people - who are decision makers at a business level - are focusing on vulnerabilities and not threats? If there are people like that, they really need to be fired. This comment was on my mind when I read the story FBI: US Business and Government are Targets of Cyber Theft in the latest SANS NewsBites: Assistant Director in charge of the US FBI's Cyber Division Shawn Henry said that US government and businesses face a "significant threat" of cyber attacks from a number of countries around the world. Henry did not name the countries, but suggested that there are about two dozen that have developed cyber attack capabilities with the intent of using those capabilities against the US. The countries are reportedly interested in stealing data from targets in the US. Henry said businesses and government agencies should focus on shoring up their systems' se...

Unify Against Threats

At my keynote at the 2008 SANS Forensics and IR Summit I emphasized the need for a change in thinking among security practitioners. Too often security and IT groups have trouble relating to other stakeholders in an organization because we focus on vulnerabilities. Vulnerabilities are inherently technical, and they mean nothing to others who might also care about security risks, like human resources, physical security, audit staff, legal staff, management, business intelligence, and others. I used the following slide to make my point: My point is that security people should stop framing our problems in terms of vulnerabilities or exploits when speaking with anyone outside our sphere of influence. Rather, we should talk in terms of threats. This focuses on the who and not the what or how. This requires a different mindset and a different data set. The business should create a strategy for dealing with threats, not with vulnerabilities or exploits. Notice I said "busines...

Trying Secunia Vulnerability Scanning

One feature which most Unix systems possess, and that most Windows systems lack, is a native means to manage non-base applications. If I install packages through apt-get or a similar mechanism on Ubuntu, the package manager notifies me when an update is needed and it's easy for me to install them. Windows does not natively offer this function, so third party solutions must be installed. I had heard about Secunia's vulnerability scanning offerings, but I had never tried them. I decided to try the online version (free for anyone) and then the personal version on a home laptop I hadn't booted recently. You can see the results for the online scanner below. All that was needed was a JRE install to get these results. The online scanner noticed I was running an older version of Firefox, and I needed to apply recent Microsoft patches. The fact that it checked Adobe Flash and Acrobat Reader was important, since those are popular exploit vectors. Next I tried the personal ver...

Review of OSSEC HIDS Guide Posted

Amazon.com just posted my five star review of OSSEC HIDS Guide. From the review: I'm surprised no one has offered serious commentary on the only book dedicated to OSSEC, an incredible open source host-based intrusion detection system. I first tried OSSEC in early 2007 and wrote in my blog: "OSSEC is really amazing in the sense that you can install it and immediately it starts parsing system logs for interesting activity." Stephen Northcutt of SANS quotes this post in his foreword to the book on p xxv. Once you start using OSSEC, especially with the WebUI, you'll become a log addict. OSSEC HIDS Guide (OHG) is your ticket to taking OSSEC to the next level, even though a basic installation will make you stronger and smarter. I'm not kidding about the log addict part. I find myself obsessively hitting the refresh button on my browser when viewing the OSSEC WebUI, even though it refreshes itself. Sad.

Comment on New Amazon Reviewer Ranking System

I just happened to notice a change to my Amazon.com reviews page. If you look at the image on the left, you'll see two numbers: "New Reviewer Rank: 481" and "Classic Reviewer Rank: 434". I found the following explanation: You may have noticed that we've recently changed the way top reviewers are ranked. As we've grown our selection at Amazon over the years, more and more customers have come to share their experiences with a wide variety of products. We want our top reviewer rankings to reflect the best of our growing body of customer reviewers, so we've changed the way our rankings work. Here's what's different: Review helpfulness plays a larger part in determining rank. Writing thousands of reviews that customers don't find helpful won't move a reviewer up in the standings. The more recently a review is written, the greater its impact on rank. This way, as new customers share their experiences with Amazon's ever-widening selec...

Security Event Correlation: Looking Back, Part 3

I'm back with another look at security event correlation. This time it's a June 2008 review of SIEM technology by Greg Shipley titled SIEM tools come up short. The majority of the article talks about non-correlation issues, but I found this section relevant to my ongoing analysis: "Correlation" has long been the buzzword used around event reduction, and all of the products we tested contained a correlation engine of some sort. The engines vary in complexity, but they all allow for basic comparisons: if the engine sees A and also sees B or C, then it will go do X. Otherwise, file the event away in storage and move onto the next. We'd love to see someone attack the event reduction challenge with something creative like Bayesian filtering, but for now correlation-based event reduction appears to be the de facto standard... Ok, that sounds like "correlation" to me. Let's see an example. For example, one of the use cases we tackled was the monitoring...
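The "sees A and also sees B or C, then do X, otherwise file it away" engine that Shipley describes is simple enough to show in a few dozen lines. The following is an added example written for this page, not code from the post, from Shipley's review, or from any SIEM product. It keys correlation on a source address, applies a time window (Shipley's description does not mention one; the window is an assumption, since without it a stale A would match forever), and returns the alerts alongside the events that were merely stored. The event types, addresses and timestamps are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int      # epoch seconds
    src: str     # correlation key, here a source IP
    kind: str    # normalised event type produced by the log parser


@dataclass(frozen=True)
class Rule:
    name: str
    trigger: str          # "A": the event that arms the rule
    any_of: frozenset     # "B or C": any of these completes the rule
    window: int           # seconds allowed between A and B/C (assumed, see lead-in)
    action: str           # "X": what the engine does when the rule completes


def correlate(events, rules):
    """Run rules over events in time order.

    Returns (alerts, archived): alerts is a list of (action, src, ts) fired
    when A was followed by B or C from the same src inside the window;
    archived holds every event that did not complete a rule, i.e. the
    "file it away in storage and move on" path.
    """
    alerts = []
    archived = []
    # pending[rule.name][src] -> timestamp of the most recent trigger A
    pending = defaultdict(dict)

    for ev in sorted(events, key=lambda e: e.ts):
        completed = False
        for rule in rules:
            if ev.kind == rule.trigger:
                # Arm (or re-arm) the rule for this source; A itself is stored.
                pending[rule.name][ev.src] = ev.ts
            elif ev.kind in rule.any_of:
                t_a = pending[rule.name].get(ev.src)
                if t_a is not None and ev.ts - t_a <= rule.window:
                    alerts.append((rule.action, ev.src, ev.ts))
                    del pending[rule.name][ev.src]   # one alert per armed A
                    completed = True
        if not completed:
            archived.append(ev)
    return alerts, archived


# Constructed sample input: repeated SSH failures followed by a success or a
# sudo session from the same address is the A -> (B or C) pattern.
SAMPLE_EVENTS = [
    Event(100, "10.0.0.5", "ssh_auth_failed"),
    Event(130, "10.0.0.5", "ssh_auth_failed"),
    Event(160, "10.0.0.5", "ssh_auth_success"),   # B within 300s of A -> fires
    Event(200, "10.0.0.9", "ssh_auth_failed"),
    Event(900, "10.0.0.9", "sudo_session"),        # C, but 700s after A -> stored
    Event(300, "10.0.0.7", "sudo_session"),        # C with no prior A -> stored
]

RULES = [
    Rule(
        name="failed_logins_then_access",
        trigger="ssh_auth_failed",
        any_of=frozenset({"ssh_auth_success", "sudo_session"}),
        window=300,
        action="open_incident",
    ),
]


def run_sample():
    return correlate(SAMPLE_EVENTS, RULES)


if __name__ == "__main__":
    alerts, archived = run_sample()
    print("alerts:", alerts)
    print("archived:", len(archived), "events")
```

Note what this engine cannot do: it has no notion of how unusual A or B is for a given host, so every match is equally loud and every non-match is silently filed. That is the gap Shipley is pointing at when he wishes for something like Bayesian filtering instead of fixed if-A-and-(B-or-C) rules.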