Tuesday, April 04, 2006

"Glitch wiki" or security hole to drive a train thru?

So, it is often reported that since the "bad guys" share technology information (such as exploits, bot access, malware, etc), the "good guys" should ramp up their sharing efforts as well. But companies' unwillingness to share data that might, under the circumstances, be considered sensitive is legendary – and understandable.

Thus, I was happy to see projects such as Splunk Base, which lets users upload logs that indicate problems (yes, security problems as well) and tag them with descriptive tags, so that other Base users can learn from their experience as described via tagged log samples. Just sharing logs is nowhere near as useful as sharing such experiences. Either way, this is a good initiative to watch.

Specifically, CNet says (http://news.com.com/Start-up+brings+glitch+wiki+to+IT+pros/2100-7346_3-6056530.html): "Instead, Splunk has designed its software and Splunk Base to allow system administrators to submit information themselves and then classify and search the collected information of their peers. "

Well, it brings out the standard question: if you start a community for marketing reasons (this one clearly fits that definition), how do you make sure it actually takes off and starts a life as a real community of dedicated users (sometimes ramping up to "raving fans" :-))? I was reading this book by Guy Kawasaki ("Selling the Dream") and it seems to have some answers... In any case, there is a difference between a real community and just a free platform for sharing, which might develop into a community, might get monetized or might just tank. We will see what happens to this one.

Security remains an issue as well. Passwords are not too uncommon in Unix and Apache logs (users mistype them in place of a username, and the failed login is logged with the password where the name should be). Other things to watch for include allowed email addresses, IP addresses of critical servers, access control rule information, types of security software used and maybe a few dozen other possible thingies... An intelligent sanitization algorithm seems very important!

My experience with Honeynet Project data tells me that sanitization is not as easy as some think. So, given that you have a serious issue – one that you might or might not want others to know about, and that might or might not contain sensitive data – do you want to post that data to an open forum hoping that a) someone will help you and/or b) your experience will help someone else? Just post your comments here.
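As an added illustration of the sanitization point above (example code written for this post's topic, not Splunk's or the author's), here is a small Python pass over constructed log lines: it pseudonymizes IP addresses consistently, redacts e-mail addresses, treats the sshd username field as a possible password, and then reports site-specific names that generic patterns cannot know about. The hostname "gw", the salt and all sample lines are assumed, constructed values.

```python
import hashlib
import re

# Constructed sample lines (not real data): an sshd failure where the user typed
# a password at the username prompt, an Apache access line carrying an e-mail
# address, and a firewall line naming an internal server.
SAMPLE_LOG = """\
Apr  4 10:12:01 gw sshd[2031]: Invalid user Hunter2! from 203.0.113.7
Apr  4 10:12:05 gw sshd[2031]: Failed password for invalid user Hunter2! from 203.0.113.7 port 4022 ssh2
203.0.113.7 - - [04/Apr/2006:10:13:00 +0000] "GET /reset?mail=alice@example.org HTTP/1.1" 200 512
Apr  4 10:14:00 gw kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 DPT=22
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# sshd logs whatever was typed at the login prompt as the "user"; treat it as a
# possible password and never keep it verbatim.
USER_FIELD = re.compile(r"(?i)((?:invalid |for )user )(\S+)")

def pseudonym(value, salt, width=8):
    """Keyed, stable replacement: same input -> same token, so readers can still
    correlate lines, but nobody without the salt can reverse it."""
    return hashlib.sha256(salt + value.encode()).hexdigest()[:width]

def sanitize_line(line, salt):
    line = EMAIL.sub("<email>", line)
    line = IPV4.sub(lambda m: "ip-" + pseudonym(m.group(0), salt), line)
    line = USER_FIELD.sub(lambda m: m.group(1) + "user-" + pseudonym(m.group(2), salt), line)
    return line

def sanitize(text, salt=b"per-upload-secret"):  # placeholder salt; use a fresh one per upload
    return "\n".join(sanitize_line(l, salt) for l in text.splitlines())

def residue(text, site_terms):
    """Generic patterns cannot know site-specific names (hostnames, products,
    rule names); report any that survived so the uploader sees what is left."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for term in site_terms:
            if re.search(r"\b%s\b" % re.escape(term), line):
                hits.append((n, term))
    return hits

if __name__ == "__main__":
    clean = sanitize(SAMPLE_LOG)
    print(clean)
    print("still present:", residue(clean, ["gw"]))
```

The leftover hostname is the point of the last function: the regex layer handles the obvious patterns, but what is sensitive for a given site has to be supplied by the site.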

Another fun thing is the "added intelligence" factor. It has to be better (make that "much better") than simply dumping the logs on a public HTML page and having good ole Google search them...

Dr Anton Chuvakin