Tuesday, October 31, 2006

On Windows Event Logs

This post is devoted to the masters of complexity from Redmond :-)

Basically , "there are 7 events associated with object access auditing in Windows." The blog post by Eric Fitzgerald sheds some light on on Windows object access event logs.

The most curious thing is the part where the complexity of the audit is explained. The quite is:

'You might ask, “Well, Eric, why don’t you just get rid of all that junk and just log an event that says what Word did?”.

Good question. As I mentioned in my post on “Trustworthiness in Audit Records” [which I will blog about soon :-) - AC], the only practical way to do that would be to instrument Word for audit, and then the audit trail would be exactly as reliable as the user using Word, because if Word can write to the audit trail, and Word is running in the user’s context, then the user can write to the audit trail.'

Did you get it?

On Disclosure ... Not

Here is a bizzaredly misguided coverage of this whole Christopher Soghoian boarding pass affair. Guess what he did wrong? He just didn't disclose it right!

Indeed, security industry needs such advice. The message is clear: next time, if you happen to come across (or create) a tool to fake boarding passes, don't post it online. Just use it!

On Intrusion Detection

OK, OK, stop the squealing already :-) I WILL blog about this whole NIDS/NIPS hoopla  (or broo-ha-ha?) started by this exciting (as it often is) dailydave thread.

First, a quick question: do you have 0wned boxes on your network? Puleeease don't say 'no' cause I'd know that you would be lying :-) Now that you accepted that fact that some boxes on your network are 0wned by intruders, do you want to detect it? Yeah? If so, you need intrusion detection. Notice I didn't say IDS or NIDS, I am just saying that it is pretty darn obvious that people need to detect intrusions somehow and thus they need something that does "intrusion detection."

Similarly, it'd be nice (but completely unrealistic ... ) that such intrusions would be prevented from occuring in the first place. If you want to try to attempt to take a crack at that :-), you'd wish you had intrusion prevention, which is obviously a good idea, in principle.

Thus, if somebody tell you that you "do not need to detect intrusions", he is quite likely an idiot.

However, what the above paragraphs has to do with lil black boxes called NIPSes and NIDSes? Absolutely nothing, it pains me to say so. And that is where the "offensive computing experts" (thanks for the offensive term, Richard! :-() are at least partially correct in stating that IDS does not really give you a much needed ability to detect intrusions. Further, as Richard put it, at best it gives you a "hint that something bad might be happening." Thus, you can go buy a STGYAHTSBMHH and not an IDS. And there is always a classic IDS use case called "a system that you can go to after shit hits the fan to see if any pieces stuck to it" (ASTYCGTASHTFTSIAPSTI, yuck...) :-)

Most of the other points made in the ensuing mayhem - errr, discussion - are actually derivaties from the above. Yes, a signature-based "IDS" can sometimes detect intrusion attempts made with old exploits. Yes, anomaly detection works ... when it does. Etc, etc. However, the main point remains the same: you need intrusion detection, you just can't buy it in the store.

Technorati tags: , ,

Thursday, October 26, 2006

On Meeting Me ...

Just a brief note, if some of my esteemed reader would like to meet me in-person, I would be doing a panel at the 451 Group event on Oct 31, 2006 in Boston.

Next: CSI 33rd in Orlando, Nov 5-9, 2006.

BTW, my event schedule is also posted here.

Perimeter Is ...

In this fun blurb "Stiennon sends a love note to Check Point" (the actual love note is here), Mike makes a very, very interesting side point.

"The perimeter is consolidating around secure accelerated access."

As most of you know, I've been picking on the "de-perimeterization" folks (such as Jericho Forum) for promoting the claim that "perimeter is disappearing." I've long argued that perimeter is not going away, it just tightens and moves closer to data. In other words, it changes, but doesn't vanish. And, the above line is one of the best darn summaries of how it changes.

So, if you are in perimeter security, you should be involved in "secure, accelerated access," which, BTW, applies to both outbound access to the web and inbound access to public or extranet sites...

And We Will Fix It Soon, Won't We?

Raffy posted a nice summary of some of the recent discussions we've been involved lately. One interesting point was that when talking about log standards, "people are intermixing a lot of different topics." Specifically:

"a) Log format (syntax)
b) Event transport
c) Event classification (also called taxonomy, categorization, grammar)
d) Logging recommendations (what events specific devices should report AND what fields they should contain as a minimum [which some peple call 'scope of what to log']"

And, there are a few promising efforts underway to address that... fun stuff indeed.

Wednesday, October 25, 2006

And How Do YOU Know?

"There are very few true zero day attacks."

Come, one, Rich? How do YOU know? Given that we know (and you yourself state) that there very few ways to prevent, block or even detect it ... What might be more true is that an average security-sloppy enterprise has more to fear and more to lose from "stale" attacks; however, it is NOT the same as to say that there are few 0days out there.

I am stunned when folks make those claims. BTW, check out this list that Pete Lindstrom maintains on public exposures of 0day attacks. But how many were used and are not on his (or anybody's) list? Ominous silence is the answer :-)

More on Future Virtualization

As you, my esteemed reader, have certainly guessed by now, I am sitting at a meeting and so have a chance to catch up on blogging :-)

Here comes another one! Virtualization has long fascinated me, both as a new technology, a security challenge and just an overall fun thing...

So this blurb from NetApp team has a few other interesting things. "Going forward, VMware offers even more interesting visions: rapid provisioning of new applications, transparent migration, virtual data centers that provide DR protection for multiple physical data centers. But that's not what I see people excited about today. Today's excitement comes entirely from how much you save when you reduce servers by a factor of 5 or 10 or even 20."

To conclude, I am sooo envious about this team of friends that I have that have been busy for a few years (!) spending DHS money trying to find a true "break-out" from VMware... Are they close to the Holy Grail? They might be, but they are not talking :-)

On NW "Top 10 security companies to watch"

While NetworkWorld folks made major contributions to world dumbness in the last, this latest list break away from this alarming trend; it actually looks interesting.

So, NW "Top 10 security companies to watch" has companies in email security, malware protection (no kidding!), data encryption, authentication, mobile device security, intrusion (Mmmmm, exploit) prevention, etc.

So far, I can't quite get my hands around the list and create some meta-knowledge based on it (i.e. say something smart) :-) Make your own conclusions ...

Experts vs "Fresh-Look" Outsiders in Security and Beyond

A very fun article by Rich Mogul touches upon the subject of "entrenched" expert view vs a "fresh" outside view. The outsider view advantage is an intensely tempting, popular and easy-to-acquire-while-hard-to-shake IDIOCY (!). Rich further points out that ...

"In security if you think:
  • You’ve invented a new, unbreakable encryption algorythm
  • You just created a new, unbreakable defense against 0day attacks
  • You perfected any single tool, at any layer, that can stop any attack, of any kind
  • You built something to eliminate the insider threat
  • You can take a couple classes and defend a large enterprise
  • You have designed unbreakable DRM
You’re wrong."

Amen to that! :-)

On Mass Extinction in Security

So, a CEO of a standalone security vendor proclaims that standalone security products (and thus vendors) are dead. I wonder does it make him a zomby or a walking-dead? Ross Brown further states: "I see the same thing [extinction] coming in securityland for the 850 standalone companies out there in the next 3-5 years."

As I mentioned before, this is likely not entirely true. Yes, the current landscape will change and many vendors will fail or get acquired, but I suspect enough of the new ones will be created as new threats as well as other IT and risk needs arise. Read this old piece where I explain why I think that it will be the case.

On "No Harm - No Foul" Insanity

TechDirt reported this a few days ago: "Back in April, a judge ruled that Wells Fargo should not be penalized for a data breach because there was no evidence that those who acquired the data had done anything criminal with it."

So, let's try this for size, folks :-)

a. I borrowed your car when you were away (by picking the lock) and then returned undamaged. I also put the gas in. No car theft here, right?

b. I came to a store and took a TV without paying for it. I just watched a show and returned it. No crime, right?

I did think that the trend is to sync the online world with the offline, but it appears that this ruling goes in the opposite direction...

On Pete's "Top Ten Security Myths"

I loved Pete's "Top Ten Security Myths", even though a few look pretty dumb to me (I suspect they might be explained in the body of the preso. Pete, any chance of seeing it?)

Specifically, "Program x is more secure than program y" sounds pretty silly. Admittedly, the environment and the user/implementer have a more dramatic effect on the overal security than the secure code quality (if that is Pete's spin, that I'd buy it), but surely OpenSSH has more secure (due to more security audits and code review) than say, MS IIS 2.0 code base...

Also, "You can't get ROI from security," come on? When was the last time your firewall paid you some cash? :-) Can you tell me which brand is that so I can get of'em...

So, here is the list, stolen from Pete's blog:

  1. "Security through obscurity is a bad idea.
  2. Strong passwords are strong.
  3. Altruistic bugfinding is beneficial.
  4. You can't quantify risk.
  5. You can't get ROI from security.
  6. Security is about process, not product.
  7. SSNs are secret.
  8. Program x is more secure than program y.
  9. Stand up to your boss and "just say no."
  10. Security is failing."

On Security Analogies

This thought seems pretty much stolen from my brain :-)

Indeed, I can second that "(bad) security analogies are a pet peeve of mine" too. I made fun of them repeatedly on my blog.

And here is a really cool way to short-circuit this, proposed by the Risk Mgt blog:

"Security is like an analogy. It only works up until the point that someone considers an angle or aspect that you haven’t previously considered and accounted for."

This is soooo cool indeed!

On Jericho Forum, Again

I admit that I used to think (e.g. this or this here) that a Jericho Forum is a scam, but it looks like there are some smart folks there.

This post reveals some of the thinking that goes on in there.

I would like to draw your attention to this conundrum: people like the idea of "self-defending data", but hate DRM. A new cool security company idea? I hope my VC friends are reading this :-) I am thinking of writing a short paper on that very subject ...

Marketing Folks Discover Mr FUD :-)

This blog post from a marketing blog has some interesting thoughts on marketing using fear, using an example of North Korea. Fun quote:

'What is North Korea’s Core Purpose: To keep the current regime in power.

How might its Marketing Department make this happen?

Let's start with a unique value proposition (UVP). What differentiates North Korea from its competitors (Iran, the Taliban, Hezbollah, etc.), each vying for its spot in the world marketplace and doing everything possible to maintain power?

Without products, services, money to invest or a charming personality, if I were offering advice I would recommend fear. North Korea is a scary place and not much else. So, our UVP for North Korea is:

"We guarantee that our promise to change the world is unlike any other. Buy now or pay us later."'

But do read on.

Is That ALL it Went For?

BT Buys Counterpane For £21.3m

Less than the total of VC cash put in? How miserable is that?

Friday, October 20, 2006

More on the "Evils" of ISP Log Data Retention

This is yet another article that predicts legislation on ISP data retention. One fun question covered therein is log data preservation vs log data retention...

And, as I said before, I personally think that there is nothing wrong with that... but then again, I don't run an ISP for a living :-)

Thursday, October 19, 2006

On "Top 10 Security Trends" of Bruce Schneier aka "On Obvious"

So, everybody is talking about Bruce Schneier's HITB talk where he unveiled his "Top 10 Security Trends," but you know what? It is truly underwhelming! Mr Crypto fell into the pit of "re-rambling" on the obvious. Examples are:

"Information is more valuable than ever." Duh.
"Networks are critical infrastructure." Double-duh.
"Complexity is your enemy. " Yeah, and...?
"Regulations will drive security audits. " Triple-duh.

Come on! All those points are deeply obvious to anybody watching the security industry. So, here is the challenge to make it more fun: name ONE item from the list which is not only not painfully obvious, but also likely wrong...

And the winner is: "Worms are more sophisticated than ever." Many observers point to a decline of a good ole worm, not to its "increasing sophistication."

Finally, here is a simple but scientific test :-) to check whether you are stating the obvious and thus wasting peoples' time and unnecessarily increasing entropy in the Universe, thus possibly bringing its decline closer :-). Formulate the opposite statement and check whether it sounds truly idiotic. No? You are safe from "stating the obvious disease." Yes? Sorry, try next time :-)


"Information [today] is LESS valuable than ever." Yep, dumb indeed.

The rest is left as an exercise for the reader...

So, What IS Hot?

Yeah... I know I am late with this, but it is still fun... Knowing that I am following the security market developments religiously, a friend just asked me "what's hot in security now?" He was looking to escape a certain dying SIM vendor (you can easily guess which vendor it was, BTW...) So I thought "Ok, what IS hot now?"

Well, NAC is hot for sure. It is steaming hot, and I suspect will start to cool down a bit next year. But NAC is not "novel-hot" since folks have been talking about it for at least 2 years. It is "deploy-it-hot!." NAC leads to all things "endpoint security" as well.

Believe it or not, but I think that log management is hot. Is that my head or my vendor hat speaking? ;-) The main reason I think it is hot is that people are being forced to log more, but, in general, lack tools to deal with the results. Whoever can creatively solve it (hint-hint) will rule the world (well, maybe :-))

And, BTW, here is what DarkReading folks consider hot. Their list is:

  • Browser Anonymizers
  • Core Security's Impact
  • Voltage Security's Identity-Based Encryption
  • Blue Lane's Virtual Patches
  • Lockdown Networks' NAC Enforcer
  • Secure Code-Scanning Tools

    So, NAC, yeah...Core Impact is certainly cool, but is it hot? I dunno; it is still a bit of an esoteric niche tool, even if useful and cool. Further, I would opine that secure code scanning tools are NOT hot. Many people still ignore them and pretend they don't exist :-) And please someone explain how is "virtual patch" not a regular NIPS? Didn't ISS call their NIPS "virtual patching" a good number of years ago...? Identity-based encryption is way cool, no doubt. But I'd wait for broader deployment of such technologies before I consider it hot. After all, even Gartner has a list of "cool" vendors, which is often different from the list of hot technologies climbing the famous hype curve....

    Here is what Matasano folks consider hot.

  • Static Code Analysis

  • Passive Scanning

  • Identity Based Encryption

  • Assessment Accelerator [for Dynamic Code Assessment]

  • 802.11x VLAN Assignment

  • Black Box Vulnerability Testing

    On a related note, "What is hot?" question invokes the related "what is NOT?" question. Now I realize that by providing such list you can offend people. So? I don't think that a smart person should be offended by such label, since the primary reason why something becomes "not hot" is by entering the mainstream, where you can potentially earn more money (and have fun in the process as well). In light of this, I think that standalone anti-spyware has recently entered the "NOT list;" NIDS is certainly a major "NOT" even though I still think that inventing a "better NIDS" is not futile (and of course that intrusion detection is important!) So I will start tracking the "NOT list" from now on.

  • Wednesday, October 18, 2006

    On "18 mistakes that kill startups"

    Very cool list of startup mistakes; many (painfully many, I'd say) apply to some of the security startups I've seen.

    Some fun examples are:

    #3 Marginal Niche – choosing an obscure niche to avoid competition might be fatal
    #6 Hiring Bad Programmers - most of the e-commerce business in the 90s died because of bad programmers
    #10 Having No Specific User in Mind – sometimes startups assume that somewhere there must be someone interested in their product. Somewhere…
    #18 A Half-Hearted Effort – the lack of commitment towards the startup is not that rare ...

    Tuesday, October 17, 2006

    On Competitive Differentiation

    This paper has some enlightening info on innovation and competitive differentiation. Specifically, it covers three ways one can achieve competitive differentiation

    "1. Operational Excellence aka Cost Leadership
    Provide middle-of-the-market products at the best price and the least hassle.

    2. Product Leadership
    Provide the best product, period. Continue to innovate year after year.

    3. Customer Intimacy
    Provide unique solutions to customers by virtue of intimate knowledge of their needs. "

    So, which one is your company doing? :-)

    Monday, October 16, 2006

    Hot Vendor on Vendor Action :-)

    Bua-ha-ha-ha-haaaa! I am NOT the only one seeing this: TK from nCircle just reported this as well...

    Monday, October 02, 2006

    OMG, I Love this Piece: "19 Year Old Diebold Technician Wins U.S. Presidency"

    This is SO funny.

    Here is a quote: '... President-elect Pustule said he "has always been kind of interested in politics because of my job", a service technician and junior programmer at Diebold, Inc., the primary manufacturer of electronic voting machines in the United States. Tamper-proof Diebold electronic voting machines have figured prominently in recent U.S. elections, particularly those elections in which outsider candidates sharing a political affiliation with Diebold executives have won by bafflingly wide margins.'

    'The fact that the totals exceed 100% has been attributed by a Diebold spokesman to "a special kind of rounding".'

    Dr Anton Chuvakin