Friday, February 24, 2006

Again, on security vs compliance

Folks often argue whether "if you are in compliance [without specifying 'with what regulation'], it means you are secure" or "if you are secure, it means you are in compliance" or whether the first does not mean the second at all... I am picking up some signs that the perception (and in this case, "perception is reality"...) is shifting towards "security means compliance, compliance does not mean security."

The article below talks about FISMA compliance, where it seems that neither implies the other...

"The high grades could mean a lot of compliance, but not a lot of security. The low grades could mean that there's plenty of security in place, but it just wasn't verified on paper properly."

Since when is log retention evil?

Here is a funny one: UK government calls for longer log retention by the ISP and is labeled a villain as a result. So now saving logs is evil?

"ISPA said that the UK government had won the award for 'seeking EU wide data retention laws which will force ISPs and telcos to retain more data for longer without proper impact assessment'."

I see a lot of business for SIEM and log management vendors here...

On "Issues Discovering Compromised Machines"

Here is my older paper on discovering compromised systems; I just wanted to highlight it for my newer blog readers:

From "Issues Discovering Compromised Machines" by Anton Chuvakin - "One of the latest security books I read had a fascinating example in the preface. The authors, well-known and trustworthy experts in the field of security, made an outrageous [is it, really?] claim that most of the Fortune 2000 companies have already been penetrated by hackers (and have been in that state for years!). Hackers move in and out at will through the backdoors and other covert channels without the security personnel knowing or even suspecting it. Without being able to verify the validity of this, I decided to look at the problem of reliably discovering the compromised machines on corporate networks..." Read on.

A fun blog on Windows Incident Response

Here is a fun blog on incident response:

Windows Incident Response: "The Windows Incident Response Blog is dedicated to the myriad information surrounding (and inherent to) the topics of incident response and forensics on Windows systems."

On Debunking Consolidation in Security

Here is a fun bit from infamous Richard "The Death of the IDS" Stiennon. On his blog post on Debunking Consolidation he says "As long as there are new threats there will be no consolidation in the security space. In four years there will be *more* security companies. Although it would not surprise me at all if CA was out of the security market by the end of the decade."

I tend to agree. There will be consolidation of the existing security companies accompanied by a birth of many many new ones. As for CA - well - we'll see, but some indicators do point in this direction... After all, who else was called a seller of "worst of breed" security tools? :-)

Thursday, February 23, 2006

TaoSecurity on Tor

In an unrelated post, Richard Bejtlich stated on his blog that "Tor servers will have to run inline filters to police this sort of activity."

This issue troubled me for a while. Somebody smart :-) told me some time ago that Tor license and legal FAQ actually prohibits such monitoring and (?) filtering. Specifically, it says:

"Q: Should I snoop on the plaintext that exits through my Tor server?
A: No. You are technically capable of monitoring or logging plaintext that exits your node if you modify the Tor source code or install additional software to enable such snooping. However, Tor server operators in the U.S. can create legal and possibly even criminal liability for themselves under state or federal wiretap laws if they affirmatively monitor, log, or disclose Tor users' communications, while non-U.S. operators may be subject to similar laws. Do not examine the contents of anyone's communications without first talking to a lawyer."

My response was that the above goes against common sense, but I was told that law and common sense have nothing to do with each other...

Ideas? Discussion?

On "Operational Security Current Practices"

Here is an interesting doc that aims to summarize current ISP operational security practices. It even has a neat section on logging practices:

"2.7. Logging Considerations

Although logging is part of all the previous sections, it is important enough to be covered as a separate item. The main issues revolve around what gets logged, how long are logs kept and what mechanisms are used to secure the logged information while it is in transit and while it is stored."

The weird part is that the document advocates "exception logging" rather than full audit logging of network connections. Is that because those ISPs usually have huge network pipes? Or are there some legal requirements not to have discoverable data on connectivity?

Is "Gartner like a mainframe in 1979"?

Here is a fun quote on Gartner:

Between the Lines: "'Gartner is like a mainframe in 1979. Ripe for deconstruction.' So says Redmonk analyst James Governor in his post about transparency and the analyst business."

Agreed? Do you still like what they say [sometimes]? Even though it is highly fashionable to slam Gartner as a bunch of 'you-know-whos' :-), I [with some fear] admit that I often like how they organize the information.

Whether you love or hate your position in the famous Magic Quadrant, this information organization and presentation tool is pretty brilliant!

Security innovation vs adult supervision

As a part of my job, I look at many (most?) emerging security companies in various sub-spaces of a broad security market. Recently, I was talking to my friend about some of the newly-hot intellectual property (IP) theft protection vendors (heh, you know who you are). And he mentioned something interesting: "Yes, some might be 'hot', but most operate without 'adult supervision'?" That's a neat metaphor, right here!

What he likely meant is that they are not connected to the real problems people ... :
  1. ... suffer from right now
  2. ... are willing to pay for solving
  3. ... will trust those vendors to solve

So, check your latest security startup for matching the above criteria. If you miss one, congrats - you operate without adult supervision! :-)

Wednesday, February 22, 2006

On reliable vs secure software

Just a blog-worthy thought from the RSA presentation of Crispin Cowan from Novell/Immunix:

"Reliable software does what it is supposed to do. Secure software does what it is supposed to do, and nothing else."

Nicholas Carr's Blog on "Large Software" = "Failed Software"

Here is a fun debate item: does "Large Software" equal "Failed Software"? Here is what this guy, Carr (the father of "IT doesn't matter", for those who don't know), proclaims in his blog, Rough Type - Nicholas Carr's Blog: Down the drain: "... you should always create software to solve the day-to-day problems faced by the actual users, not to meet big abstract organizational challenges. Solve enough little problems, and the big ones take care of themselves."

On the other hand, many software vendors say: "... but shooting elephants is sooo much more fun than swatting flies and squeezing rodents in their holes."

Discussion anyone?

Tuesday, February 21, 2006

(IN)SECURE Magazine #5 is Out (Some Time Ago)

(IN)SECURE Magazine Issue #5 is out! Here is a brief summary:
  • Web application firewalls primer
  • Threat analysis using log data
  • Looking back at computer security in 2005
  • Writing an enterprise handheld security policy
  • Digital Rights Management
  • Revenge of the Web mob
  • Hardening Windows Server 2003 platforms made easy
  • Filtering spam server-side

The article by Kevin Schmidt on "Threat analysis using log data" is my favorite!

Megamiles per kiloyear?

Do you measure the speed of your car in miles per hour or megamiles per kiloyear? Which one seems to make more sense (please, don't say "it's the latter" :-))?

Here is a fun bit from Bruce Schneier's latest Crypto-Gram newsletter from February 15, 2006: "Counterpane monitored something like 100 billion network events, world-wide, in 2005."

Think about it: "100 billion per year." How HUGE is that? Well, not huge at all. It's just a bit less than 3200 events per second.

Any commercial SIM product, such as netForensics, likely handles a volume like this for each of its large customers...

Monday, February 20, 2006

Final notes on RSA 2006 show

As I posted before, I just came back from the RSA 2006 security conference in San Jose, CA. I read some fun feedback about the show from other security bloggers (and posted some of it already here and here); here is my longer entry on what I saw there.

As many other RSA observers agreed, under each tree you now see a NAC. Many folks who were anti-worm a year ago (Mirage, ForeScout, Nevis, etc.) are now NAC solutions. 802.1X, agents, switch blocking and other things are all over the place. It seems that the NAC train is about to leave the station. Adjacent to NAC were the supposedly emerging "LAN security" vendors, such as ConSentry. They all claim to be "NAC+" and additionally guard against internal threats and malware.

Application security, in all shapes and forms, is heating up quickly. Even Cisco showed some secure web gateway device; other vendors related to app security, database security (and information leak prevention) were well represented. The Gartner preso directly spoke about needing to centralize application logs and events in 2006.

Network anomaly detection is, surprisingly, taking off, after decades (!) of unsuccessful research. ISS OEM of Arbor and other vendors' offerings attest to that. Also, I saw a number of secure messaging players; their space doesn't seem to be very hot, but, still, I would guess they were second only to NAC in numbers.

Invasion of the Computer Snatchers

Here is a very fun paper on bots, botnets, their owners and victims. Three quotes from Invasion of the Computer Snatchers follow:

About one botnet owner: "The young hacker doesn't have much sympathy for his victims. 'All those people in my botnet, right, if I don't use them, they're just gonna eventually get caught up in someone else's net, so it might as well be mine,' 0x80 says. 'I mean, most of these people I infect are so stupid they really ain't got no business being on [the Internet] in the first place.'"

About the victim: "He eventually opted to buy a new PC rather than spend the time and money to repair the infected one. 'It just made more sense for me to get a new $300 Dell that came with a free monitor that was better than the one I had,' he says."

About one botnet fighter: "When Norris called the company with the bad news, its poorly trained network administrator had no idea how to respond. 'I call this guy up and say, "Hey, you've got 10,000 infected computers on your network that are attacking me," and this guy is basically, like, "Well, what do you want me to do about it?"'"

UPDATE as of 02/21/2006: through image metadata leakage, some folks actually identified the small town and a possible place where the "botmaster" lives. Check out this discussion for more details. The lesson? Watch the metadata when posting documents online! It applies not only to DOCs and PDFs, but also to pretty much all common image formats!
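As an added illustration of that metadata lesson (example code written for this page, not from the original post or the linked discussion): a small Python check that walks a JPEG's marker segments, lists the EXIF IFD0 tags it carries, flags a GPS sub-IFD as a location leak, and strips all APPn/COM segments before a file is published. The sample JPEG is constructed inline rather than taken from a real photo, and the segment walker is deliberately simplified (it assumes no fill bytes or standalone markers before SOS).

```python
import struct

# IFD0 tag numbers from the Exif spec; 0x8825 is the pointer to the GPS sub-IFD.
EXIF_TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime", 0x8825: "GPSInfo"}

def _segments(data):
    """Yield (marker, start, end) for each marker segment up to and including SOS.
    Simplified walker: assumes no fill bytes or standalone markers before SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xDA:                      # SOS: image data follows, no more metadata
            yield marker, pos, len(data)
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # includes the 2 length bytes
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def exif_tags(data):
    """Return the names of IFD0 tags in the APP1/Exif segment (empty set if none)."""
    for marker, start, end in _segments(data):
        if marker != 0xE1 or data[start + 4:start + 10] != b"Exif\x00\x00":
            continue
        tiff = data[start + 10:end]             # TIFF header: byte order, 42, IFD0 offset
        bo = "<" if tiff[:2] == b"II" else ">"
        ifd0 = struct.unpack(bo + "I", tiff[4:8])[0]
        count = struct.unpack(bo + "H", tiff[ifd0:ifd0 + 2])[0]
        found = set()
        for i in range(count):                  # each IFD entry is 12 bytes: tag, type, count, value
            tag = struct.unpack(bo + "H", tiff[ifd0 + 2 + 12 * i:ifd0 + 4 + 12 * i])[0]
            found.add(EXIF_TAG_NAMES.get(tag, "0x%04X" % tag))
        return found
    return set()

def has_location(data):
    """True if the file carries a GPS sub-IFD, i.e. a likely location leak."""
    return "GPSInfo" in exif_tags(data)

def strip_metadata(data):
    """Copy of the JPEG with every APPn (0xE0-0xEF) and COM (0xFE) segment removed."""
    out = bytearray(b"\xff\xd8")
    for marker, start, end in _segments(data):
        if 0xE0 <= marker <= 0xEF or marker == 0xFE:
            continue
        out += data[start:end]
    return bytes(out)

def build_sample_jpeg():
    """Constructed sample (not a real photo): Exif with a Make tag and a GPS sub-IFD, plus a COM."""
    ifd0 = struct.pack("<H", 2)
    ifd0 += struct.pack("<HHI", 0x010F, 2, 4) + b"Cam\x00"   # Make, ASCII, value stored inline
    ifd0 += struct.pack("<HHII", 0x8825, 4, 1, 38)             # GPSInfo -> GPS IFD at TIFF offset 38
    ifd0 += struct.pack("<I", 0)                               # no next IFD
    gps = struct.pack("<H", 1) + struct.pack("<HHI", 0x0001, 2, 2) + b"N\x00\x00\x00" + struct.pack("<I", 0)
    exif = b"Exif\x00\x00" + b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    com = b"\xff\xfe" + struct.pack(">H", 2 + 5) + b"hello"
    sos = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34" + b"\xff\xd9"
    return b"\xff\xd8" + app1 + com + sos

if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("tags before:", sorted(exif_tags(sample)), "location leak:", has_location(sample))
    print("tags after: ", sorted(exif_tags(strip_metadata(sample))))
```

Run it against your own JPEGs by reading the file bytes into `exif_tags` and `strip_metadata`; other image formats (PNG text chunks, TIFF, RAW) need their own parsers, which is the point of the update above.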

Microsoft Frowns on iDefense Hacking Challenge

Wow, that is pretty funky indeed! It also confirms that wormable holes in MS products are becoming few and far between, just as many predicted.

Microsoft Frowns on iDefense Hacking Challenge (Yahoo! News): "Security intelligence outfit iDefense Labs is offering a $10,000 reward to any hacker who finds a worm hole in Microsoft's products, but the software maker isn't exactly thrilled by the gambit."

From Security Curve Weblog - My mysterious disappearance and RSA aught six

Very nice summary of the RSA 2006 show. Agreed 100%.

Security Curve Weblog: My mysterious disappearance and RSA aught six: "So was it worth it? Absolutely. But not because of the keynotes, the workshops, or the expo floor."

Friday, February 17, 2006

The Roaring 20's of security?

Here is a fun paper summarizing this year's RSA conference (The Roaring 20's of security?, CNET). Despite some pessimistic - but likely truthful - comments, it ends on a positive note: "Security is a constantly changing beast so there will certainly be an entirely new crew next year and lots of Champagne flowing back in good old San Francisco."

Also see this comment after the paper about what DID come after the 20s - "The Great Depression." Specifically, the reader says: "There are many, many companies who are about to be useless, just like the article says. In a decade, security will be a non-issue as big vendors catch up and actually write software in a secure way from the IDEA up."

I am actually preparing a longer blog post on that very subject... And, as a preview, the answer is "no, security will never be 'done'" even if secure coding practices become more widespread (and they won't).

Wednesday, February 15, 2006

"Security Warrior" book status

I just learned that my book "Security Warrior" has sold 14,333 copies so far. Awesome! A second edition will likely be coming in the future (in other words, I do not know when).

Friday, February 10, 2006

On Forrester's spyware evaluation

Forrester's spyware evaluation: "Forrester is of the opinion that the standalone anti-spyware vendors, such as Webroot, Sunbelt, Tenebril and Aluria, must move beyond spyware protection to the larger areas of malicious code, including virus protection, or else they will 'either become acquisition targets or fade into obscurity.' That's Forrester's opinion, not mine. But let me know what you think: Can standalone anti-spyware firms not just survive, but thrive?"

I'd side with Forrester on this one - it might take some time and the standalone folks might still do better, but the anti-virus vendors will catch up and eat their lunch. Anybody to argue? Anybody wanna bet?

Google Information Security Catastrophe

Good Morning Silicon Valley: New from Google Labs: Google Information Security Catastrophe: "That's a compelling feature for those of us who use multiple computers, but one that works only if you agree to allow Google to store your hard drive index locally on its servers."

You've got to be pretty insane to do that :-) Enough said.

Wednesday, February 08, 2006

A poll on inline network intrusion prevention systems

Here is a fun poll that I want people to answer: Inline Network Intrusion Prevention poll: "What is the worst thing your inline Network Intrusion Prevention system can do?"

Treat this as a puzzle right now; I will explain why I am asking it when I get a semblance of a representative set (maybe 50-100 votes).

Search by SSN anybody?

How can folks still talk about privacy when such sites are out there: Current & Most Comprehensive Background Check and Address Search: "Includes Criminal Report, Lawsuits, Judgments, Liens, Bankruptcies, Property Ownership, 30 Year Address History, Relatives & Associates, Neighbors, Licenses, Marriage records, and more."

I especially liked their "search by SSN" technology :-)

Security Curve Weblog: Apple Dunkin' and 0days

That's a funny one on Mac security:

Security Curve Weblog: Apple Dunkin': "Awesome! So, there's a 0day that's still out there that lets hackers have full control of my Mac? Thanks, Apple - I think I'm starting to 'think differently' now..."

So, how does one think different? I think it is pretty certain that the same line applies elsewhere:
  • "here's a 0day that's still out there that lets hackers have full control of my ..." Windows PC
  • "here's a 0day that's still out there that lets hackers have full control of my ..." Linux system
  • "here's a 0day that's still out there that lets hackers have full control of my ..." *BSD system
  • "here's a 0day that's still out there that lets hackers have full control of my ..." Solaris system

A list of "four most common Unix security mistakes"

I love those "security mistakes" papers (I've written a few myself) and here is a fun one specifically on Unix. "The four most common Unix security mistakes" by Paul Murphy covers "four worst security strategies affecting Unix deployment in business and government."

Here they are:

#1: Using Windows to administer Unix
#2: Abandoning minimalism for convenience
#3: Failing to practice preventative management
#4: Focusing where the risk isn't

In the discussion following the article some folks criticize #1 for being "platform zealotry". I tend to think that even though Windows workstations and laptops used for Unix administration can be secured, they rarely are, and that makes the mistake valid in the real world.

Monday, February 06, 2006

Presentation Zen - Contrasts in presentation style: Yoda vs. Darth Vader

If you do a lot of PowerPoint presentations, you have to read this one: Presentation Zen: "Contrasts in presentation style: Yoda vs. Darth Vader". It pains me to say so, but I did step to the dark side more than once...

I especially like this one (see the full example for details):

> ...
> You can destroy the Emperor ..
- It is your destiny!
> ...

*Everybody* involved with log analysis should read this one!

*Everybody* (and I do mean everybody) involved with log analysis, log management or SIM (SEM, SIEM) should read this thread on firewall-wizards mailing list.

This is yet another message by Marcus Ranum that should be looked at!

It's a bit hard to follow since it started from an unrelated subject of firewall appliance selection, but it got to a rare depth of log analysis discussion, with Marcus Ranum leading the pack.

On "The Art of Schmoozing"

Now that I am preparing to head out for the RSA show, I was scanning through some resources on networking (the "other" networking, not the packets and headers type, but the human one). I came across this super-fun and useful piece on schmoozing by Guy Kawasaki (the author of a couple of good books on evangelism, vision and projecting them, such as "Selling the Dream").

It starts with this interesting quote: "It's not what you know or who you know, but who knows you" by Susan RoAne. So, enjoy The Art of Schmoozing!

Sunday, February 05, 2006

My Information Security Public Appearances

I just updated the page with my past and future security presentations and conference appearances. In brief, I will be speaking at SANS, CSI and FIRST this year, with other shows likely coming too.

If you want to attend one of my presentations on various security topics, ranging from log analysis to security metrics, check out the schedule.

Saturday, February 04, 2006

On selling security

FUD? ROI? ALE? ROSI? There are many approaches to "selling security" to management that are practiced [with various degrees of success!] by security professionals.

This piece summarizes and discusses some of them nicely. Check it out here.

All things being equal, it is sad to know that "having experienced a catastrophic security failure" still facilitates security adoption much better than other things.

CME-24 "Rampage"?

Recent weeks brought one interesting development in security standards. Earlier this year, MITRE announced the Common Malware Enumeration (CME) standard. It is somewhat analogous to CVE for vulnerability names.

Despite the painful problems with the amazing multitude of virus and worm names, CME initially didn't enjoy wide recognition. However, the recent worm outbreak brought it to light, and the name CME-24 was used in some press and advisories instead of Kapser, Nyxem, KillAV, Tearec, W32.Blackmail and the other names the antivirus vendors use for the same piece of malware.

You can get more info on CME at

This is a significant development which will increase the importance of standards in information security. The worm itself will likely end up being a non-event, but the fact that many sources referred to it as "CME-24" sure has long-term consequences.

Wednesday, February 01, 2006

Slashdot vs MS Security: A Deathmatch :-)

Here is a very fun and insightful interview that Microsoft's VP of Security Mike Nash gave to Slashdot, of all places. It is somewhat long, but definitely a must-read.

For example, here is one bit that relates to Microsoft's views on security in 2006. MS Security VP Mike Nash replies to this question: "given that security is a major topic on IT managers' minds these days with security flaws and patches practically making front page news of some publications, what do you feel is going to be the main focus for security in 2006 for yourself and the industry as a whole?"

Read the answer at the above link!

2006 Predictions Follow-up - I

So, as most of my readers hopefully still remember :-), I posted my security predictions for 2006 some time ago. How are they doing, so far? :-)

Here is one bit that talks about how much endpoint security will grow: Enterprise Systems, "The Shape of Endpoint Security to Come" - "Will 2006 be the year of endpoint security? A number of network-access-control approaches are finally coming to fruition."

Are they? The year is still young ...

Dr Anton Chuvakin