Monday, April 30, 2007

Think *ACCIDENTAL* Leak Prevention

The other day there was some [as usual] fierce debate on leak prevention products on dailydave (started with this).

Here is a useful bit of insight that emerged from this discussion: if you think of such products as ACCIDENTAL leak prevention defenses, you will likely get over the intense desire to claim that "they are all hopelessly broken by design." This idea was inspired by this post , which said: "There is no doubt that these systems are evadable [...] Inadvertent data leakage is a different story [and can be managed effectively]."

Indeed, insider data theft is a MUCH more complicated problem than packet sniffing can ever be, but - you know what? - much more data "leaves the house" due to incompetence than malice, so these products are actually useful ... At the same time, if you think "buy a box - stop a dedicated insider from stealing your valuable data," you definitely need your head examined by a certified veterinarian :-)

Friday, April 27, 2007

Fun Congress Testimony

I kinda liked this one: "Testifying before the House Committee on Homeland Security, high-profile experts said [...] -Daniel Geer, principal of Geer Risk Services LLC, said Congress should invest in the development of security metrics, training of security professionals, and greater surveillance of data."

Can't agree more! A few months ago, I posted this controversial blurb about access vs access+ audit where I suggested that all access to anything should be if not audited then potentially "auditable." And now it seems like a US Congress-level issue, thanks to esteemed Dr Geer :-)

Protected but Owned: My Little Investigation

Finally, I had a chance to write up my adventures with the owned system that I mentioned here. Check out my write-up here. It is about my investigation of a desktop protected by various security software, but 0wned nonetheless. And to those paranoids who are dying to ask the question "Was this your own system?" I can give a resounding "NO!" :-)

UPDATE: want to get the goodies I mentioned in the paper? Email me!

A Few Notes on SANS Log Management Summit 2007

I have not posted my full notes from SANS Log Management Summit 2007 yet, but I wanted to highlight this post from David Bianco, which contains some insightful Summit observations.

Monday, April 23, 2007

At SANS Log Management Summit 2007

As most of you probably know :-), I am now at SANS Log Management Summit 2007. So far, it's been fun! I will post more notes later, but so far one thing has struck me as weird: many of the end user speakers list some of the problems with logging as "unresolved" or "challenges," while the vendors have had them solved for many years. Why such a disconnect?

Wednesday, April 18, 2007

The Original Anti-Virus Test Paper is Here!

The anti-malware saga started in Let's Play a Fun Game Here ... A Scary Game, continued in Answer to My Antivirus Mystery Question and a "Fun" Story, and was then further discussed in More on Anti-virus and Anti-malware; what was then criticized in the myth of meaningful informal anti-malware tests finally comes to an end. I was allowed to publish the actual paper: get the paper [PDF] here.

Just to top this discussion off, here is a quote from the VirusTotal guys themselves (this): "Generally speaking, even though it may seem obvious, we must state that all anti-malware products have detection problems due to the tremendous proliferation and diversification of malware nowadays." Amen to that!

Finally, Common Event Expression (CEE) is Out!!!

After long months of undercover work, CEE is ready to be presented to the world. Keep in mind, you read it here first!

Below is an excerpt from a brochure, to be published at MITRE's site any day now. I do think that the world is ready for another battle for the establishment of a logging standard, after a long string of miserable failures.

"Common Event Expression (CEE™): A standard log language for event interoperability in electronic systems.

CEE standardizes the way computer events are described, logged, and exchanged. By utilizing a common language and syntax, CEE takes the guesswork out of even the most menial of event- or log-related tasks. Tasks including log correlation and aggregation, enterprise-wide log management, auditing, and incident handling which once required expensive, specialized analysts or equipment can now be performed more efficiently and produce better results.

Why CEE?

If multiple systems observe the same occurrence, it should be expected that their description of that event is identical. When combined with relevant event details (time, source, destination), a computer should be able to immediately determine whether two or more logs, data logs, audit logs, alerts, alarms, or audit trails refer to the same event. In order to make this happen, there needs to be a scalable, well-defined way to express events."

I will post more stuff as well as the link to the brochure, when it is available. Next: four areas of log standardization, recommended by CEE. Stand by!
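Here is what that "scalable, well-defined way to express events" buys you in practice, as an added example that is not from the CEE brochure or from MITRE: two constructed records of the same denied connection, one in a firewall's format and one in a host agent's, are mapped onto a hypothetical common schema (a stand-in for CEE, whose actual syntax is not given here) so that a program can decide that they describe one occurrence and that a third record does not.

```python
import re
from datetime import datetime, timezone

# Constructed sample records (not real device output): one denied connection
# as reported by a firewall and by the target host, plus a different connection.
FIREWALL_LINE = "Apr 17 2007 10:15:02 fw1 DENY TCP 10.1.2.3:51234 -> 192.0.2.10:445"
HOST_LINE = "2007-04-17T10:15:03Z host7 conn blocked src=10.1.2.3 dst=192.0.2.10 dport=445 proto=tcp"
OTHER_LINE = "Apr 17 2007 10:15:09 fw1 DENY TCP 10.1.2.3:51240 -> 192.0.2.11:445"

FW_RE = re.compile(
    r"^(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (\S+) (ALLOW|DENY) (\w+) "
    r"([\d.]+):(\d+) -> ([\d.]+):(\d+)$")
HOST_RE = re.compile(
    r"^(\S+) (\S+) conn (allowed|blocked) src=([\d.]+) dst=([\d.]+) "
    r"dport=(\d+) proto=(\w+)$")

def _event(ts, fmt, reporter, action, proto, src, dst, dport):
    # Hypothetical common schema standing in for CEE: one vocabulary for every source.
    return {"time": datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc),
            "reporter": reporter, "action": action, "proto": proto.lower(),
            "src": src, "dst": dst, "dport": int(dport)}

def parse_firewall(line):
    """Map the firewall's own syntax onto the common fields (None if no match)."""
    m = FW_RE.match(line)
    return m and _event(m.group(1), "%b %d %Y %H:%M:%S", m.group(2),
                        "allow" if m.group(3) == "ALLOW" else "deny",
                        m.group(4), m.group(5), m.group(7), m.group(8))

def parse_host(line):
    """Map the host agent's syntax onto the same common fields."""
    m = HOST_RE.match(line)
    return m and _event(m.group(1), "%Y-%m-%dT%H:%M:%SZ", m.group(2),
                        "allow" if m.group(3) == "allowed" else "deny",
                        m.group(7), m.group(4), m.group(5), m.group(6))

def normalize(line):
    """Try each known format; callers never deal with raw syntax again."""
    event = parse_firewall(line) or parse_host(line)
    if not event:
        raise ValueError("unknown log format: " + line)
    return event

def same_event(a, b, window_seconds=2):
    """One occurrence: identical normalized details, timestamps within clock skew."""
    return (all(a[k] == b[k] for k in ("action", "proto", "src", "dst", "dport"))
            and abs((a["time"] - b["time"]).total_seconds()) <= window_seconds)

def correlate(lines):
    """Collapse heterogeneous records into the distinct occurrences they describe."""
    distinct = []
    for ev in map(normalize, lines):
        if not any(same_event(ev, seen) for seen in distinct):
            distinct.append(ev)
    return distinct
```

Note that the match deliberately ignores the reporter and the source port, which the host agent never records; the clock-skew window is the kind of detail a real standard has to pin down.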

Tuesday, April 17, 2007

Security by Obscurity vs Security with Obscurity ...

I read this paper here called "Security and Obscurity." It was presented to me as "controversial"; I tried really hard to find the controversy, but failed to do so :-) I think it states the obvious: security BY obscurity sucks; security WITH obscurity works wonders ...

Wednesday, April 11, 2007

Diversity for Security vs Uniformity for Compliance

Remember the old security monoculture paper by Dan Geer? It concluded that "corporations and governments should diversify their computing environments to better ensure survivability in the event of widespread failures in common operating systems and applications."

This fun blog post contrasts such security requirements with compliance requirements (specifically, PCI DSS). It turns out that "there is a direct correlation between platform and application diversity and the cost and effort associated with achieving and maintaining compliance with the PCI Data Security Standard [as well as other regulations]. "

So, it boils down to who is scarier: a worm or an auditor? :-) A tough one indeed!

Are You Compliant?! - With What? - Answer The Question, You Idiot!!!

Looks like compliance frenzy is near the crescendo. Today I saw people ask a question on how to achieve "general" compliance. Not FISMA, HIPAA, PCI DSS, SOX, GLBA, CA1386, Basel, ISO17799, ITIL or COBIT - noooooo. They wanted "general" compliance ... Does it exist? Do pink elephants? :-)

Tuesday, April 10, 2007

Fun Survey on Logs and Log Management

Check out this SANS and LogLogic survey on log management. While a little "marketing-ish", the survey is interesting and you can even win a Wii (if you are into that sort of thing :-))

Sunday, April 08, 2007

Not a Word About Great Minds Thinking :-)

In his ComputerWorld piece Michael Farnum says: "So what is your reasoning behind capturing logs?" I was pretty impressed that he covers pretty much the same issues I listed in my somewhat humorous "Top 11 Reasons to Collect and Preserve Computer Logs." Indeed, he mentions "trying to see what is going on with your network", "captur[ing] the logs for forensic purposes", "get[ting] an auditor off my back", etc.

More on Anti-virus and Anti-malware

So, when I posted this blurb on anti-virus missing malware, I didn't mean to whip people into a frenzy. I really didn't - I just wanted to express my genuine shock about how poorly the tools, built for blasting away the threats of the 90s, fare against the threats of the 00s. In fact, I myself naively thought that a typical AV tool would catch 60-80% of serious in-the-wild malware today. Some of my readers were surprised by the numbers and some were not, stating that it matches their experience as well. Many probably choose to stick to the "my anti-virus is fine, go away!" illusion.

It is also bizarre how some people chose to interpret my blog post as biased: "i saw where this was going early on (the original question was obviously loaded)." I would like to assure them that while I did state my initial question in a somewhat emotional manner, this was not due to any inherent bias I might have had, but due to my deep surprise. I myself hate people saying things like "today was a hot day -> obviously global warming is here" :-), but in this case what matters is not "statistical significance", "sample selection bias" or "test-bed integrity", but the fact that if you deploy anti-virus on your systems and run it according to the "directions on the label", your system will soon "change hands" :-) This doesn't point to any global emerging trend, but just to a fact observed by the author of the study (which, BTW, I just read, not conducted myself...)

I later learned that a major analyst firm, that will remain nameless for now, proclaimed in their recent piece: "By 2009, anti-virus as we know it will be dead, succeeded by a new generation of protection technologies, and many of today's anti-virus vendors will be extinct."

Some folks have asked me a sensible question: what is the alternative? At this point in time, the alternative for most people is fairly unpleasant: you are going to get 0wned :-) Go update your incident response (IR) plans and sharpen your IR skills. Learn to detect 0wned systems.

Over the long term, I am willing to bet on some fancy "whitelisting" approach (e.g. this) or novel heuristics (e.g. here) or something else (e.g. here), which is still being forged in secret underground labs of some nameless security start-up :-)

Overall, it seems that "classic" (e.g. "blacklisting") anti-virus technology does indeed work as stated by its purveyors. It is just that modern malware no longer does ...


A Must Read for Security Vendors

Mike says: "That reality says if you don't sell stuff, you can't keep the lights on, and there is only so much rope [that is ROPE, not HOPE, folks :-)] an investor is going to give you." And then also:

"It really is amazing how many [security] companies persist in basically a state of permanent hibernation." Having lived through this, I can totally relate ...

Indeed, being the last to jump off the "Titanic" is noble (and might save your life, after all), but then again it might make mincemeat of you if you get sucked under the propellers :-(

Closure on Security vs Security: We Like to Break [Stupid?] Rules!

If you remember, I set up this poll on which security measures are most commonly violated by security professionals. Here are the results so far:

Have you, a security professional, ever willingly circumvented a security measure?

Surfed to a blocked site, bypassing a content filter (22%)

Violated whatever physical security measure (18%)

Used a web-based email against the policy (16%)

Sent a document to home address against the policy (16%)

Used IM or IRC against the policy (14%)

Other - please comment on the blog (7%)

I NEVER did anything of that sort (3%)

So, what is there to conclude? Security people are people too. And, as I said in the past, security issues are here not because of a bad TCP/IP stack or buggy Windows; they are here because people are, well, people.

Think about it (but not for too long - your head might spin ... :-)): if you need to do your job (i.e. security) and a security measure (which you might or might not think of as "stupid" beforehand) stands between you and you doing your job, would you break it? I suspect that my little unscientific survey answers it: "hell yeah!" :-)

Now, can you blame your users for doing the same? I dunno :-)

More on Encryption Rights and Wrongs

A perfect companion for my paper on "Five mistakes of data encryption"

Wednesday, April 04, 2007

Are You Invited to a Pachyderm Picnic? :-)

It has been a while since a security book has prevented me from having a full night's sleep. "Hacker's Challenge 3" was the last one I remember, but today it happened again. In fact, this book did more than that: it kept me from sleeping on a 6AM flight (!)

I haven't finished reading it yet, but a mystical force :-) compels me to write a pre-review. Here it is: Andrew Jaquith's "Security Metrics" book rulez!

Apart from awesome content (more on this later, of course) and uber-superb :-) style, the book just flows. To top it off, I have tremendous respect for people who can say the words "pachyderm picnic" and not smile :-) I have a sense that I am invited to it ...

I also think that the remnants of the "Evil ROSI Empire" (e.g. this) as well as the "Heresiarchs of Risk Management" will finally be put to a painful and well-deserved death by this book ...

On Packet Logging and ... ehhh... Log Logging

Here is a weird one: what does capturing packets have to do with log management? While some people can spend hours debating whether something like an SNMP trap is, in fact, a log, few would consider PCAP files to be logs.

However, look at this recent PR piece from Sourcefire, which introduces daemonlogger, a tool to efficiently capture packets (kind of tcpdump on steroids): the piece mentions "logs" and "logging" (and even log management) way too many times.

What's up with that? Is logging cool again? :-) Or is somebody at Sourcefire thinking about logs? They do need to diversify, ya know...

Meet Me @ SANS San Diego Tomorrow

If you are at SANS 2007 in San Diego, feel free to show up at one of my two presentations: Lunch-n-Learn on "Build vs Buy vs Outsource Log Management" (at 12:30PM) or "NIST 800-92 Log Management Guide in the Real World" (at 7PM)

Monday, April 02, 2007

Top 11 Reasons to Collect and Preserve Computer Logs

I've been wanting to create those for a loooooong time and finally - here they are (you can guess I've been on a long flight :-)). Some are admittedly tongue-in-cheek, but useful nonetheless. So, enjoy Anton's "Top 11 Reasons to Collect and Preserve Computer Logs", presented in no particular order:

  1. Before anything else, do you deal with credit cards? Patient info? Are you a government org under FISMA? A financial org? You have to keep'em - stop reading further.
  2. What if there is a law or a regulation that requires you to retain logs - and you don't know about it yet? Does the word "compliance" ring a bell?
  3. An auditor comes and asks for logs. Do you want to respond "Eh, what do you mean?"?
  4. A system starts crashing and keeps doing so. Where is the answer? Oops, it was in the logs - you just didn't retain them ...
  5. Somebody posts a piece of your future quarterly report online. Did John Smith do it? How? If not him, who did? Let's see who touched this document - got logs?
  6. Malware is rampant on your network. Where did it come from? Who is spreading it? Just check the logs - but only if you have them saved.
  7. Your boss comes and says 'I emailed you this and you ignored it!!' - 'No, you didn't!!!' Who is right? Only email logs can tell!
  8. Network is slow; somebody is hogging the bandwidth. Let's catch the bastard! Is your firewall logging? Keep the info at least until you can investigate.
  9. Somebody added a table to your database. Maybe he did something else too - no change control forms were filed. Got database log management? How else would you know?
  10. Disk space is cheap; tape is cheaper still. Save a log! Got SAN or NAS? Save a few of them!
  11. If you plan to throw away a log record, think - are you 100% sure you won't need it, ever? Exactly! :-) Keep it.

Have more? Feel free to suggest your own reasons below!

Coming soon: "Top 11 Reasons to Look at Your Logs"


Sunday, April 01, 2007

Answer to My Antivirus Mystery Question and a "Fun" Story

Remember my blog post about testing the captured malware binaries via VirusTotal? What I asked there was this:

"So, let's suppose somebody who is involved with incident response at a typical US public University has collected a few recent malware samples from the compromised machines and then submitted all the samples to VirusTotal for scanning with pretty much ALL current anti-virus and anti-virus-like products.

What do you think the average detection rate (i.e. a malware sample was identified as "something bad") was?"

I wanted to hold off for a bit more but something happened.

First, let me give you the answer: it is 33%. In other words, an average detection rate of malware from these "solutions" was 33% with maximum at 50% and minimum at 2% (!). Keep this number in mind, that shiny anti-virus product you just bought might be protecting you from just 2% of currently active and common malware (not some esoteric and custom uber-haxor stuff)!

So, I have to conclude what many security "punditoids" were blabbing about for years: "mainstream" anti-virus is finally DEAD. Running it can be considered a weak excuse for defense-in-depth, but in about the same sense as wearing an extra shirt provides "another security layer" in a gun fight...

Second, what prompted my post at this time was that I had an ugly and very personal encounter with one such owned box. Here is my account of the story, with some details changed to protect the innocent, who was smart enough to call me for help.

What we have here is a fully patched Windows XP SP2 system (with automatic updates set to daily), running:

a) freshly updated and functioning Symantec Anti-Virus Corporate Edition version 10.X, configured with all protections, including spyware/adware

b) freshly updated Windows Defender version 1.X (set for daily updates and scans), also configured with all protections, and

c) ZoneAlarm free edition version 6.X with well-tuned outbound rules and, obviously, nothing allowed inbound.

The system was also hardened by removing a lot of the Microsoft protocols such as NetBIOS (just in case), killing many of the running services and configuring Internet Explorer (which was, I suspect, the weakest link still) to limit most of the "risky" stuff such as ActiveX, etc.

One sad day the user of the above system noticed a series of outbound connection attempts reported by ZoneAlarm. Being somewhat paranoid, the user tried to click "Deny" on a ZoneAlarm pop-up, but this button was grayed out (uh-oh...). The next thing this IT-savvy user did was to Google the name of the executable that tried to connect ("uvcx.exe") and discovered this (another uh-oh!), at which point he yanked the eth cable right out of the box - whack! :-) - and then shut down the system.

When I arrived at the incident site, the system was still turned off, so I booted it to investigate ...

To be continued.


Dr Anton Chuvakin