Friday, June 29, 2007

Anton Security Tip of the Day #11: But These Are OUR Logs!

Following the new "tradition" of posting a security tip of the week (mentioned here; SANS jumped in as well), I decided to follow along and join the initiative. One of the bloggers called it "paying it forward" to the community.

So, Anton Security Tip of the Day #11: But These Are OUR Logs!

A common and unfortunate situation that occurs when dealing with logs is not technical, but political: not being able to get the logs you need due to political, cultural, egotistic, or other "corporate" reasons. In this tip we will try to present a few situations and solutions for those trying to wrangle logs from whatever hostile (or ambivalent, which is sometimes worse!) entity exists at their organization, and thus to break the siloed approach to log management.

So, here is the situation: a desktop system starts "behaving strangely" (as evidenced by network IDS logs, which are controlled by the security team) and security wants to take a peek at the system logs to determine how it was 0wned or infected (no centralized log collection takes place). However, the security team does not have administrator-level (or, sometimes, any) access to all the desktops needed to grab security logs from a Windows PC: only the desktop division of the IT department does. And they refuse! Why?

  • what if the security team finds that the intrusion happened due to our negligence?
  • what if "they" find something else wrong while looking for logs?
  • what if they crash the system and leave "us" holding the bag?
  • why should they mess with "our" systems? We are perfectly capable of taking care of it ourselves! (not! :-))
  • <fill whatever reasons you've heard!>

What can you - the security analyst or manager - do?

  • leverage your existing relationships and get the logs "informally" (obviously, doesn't scale ...)
  • remind them of the company security policy (hopefully, written by you to support such cases!)
  • [UPDATED] ask your internal auditors for help
  • use whatever desktop logs you can get a hold of (example: client anti-virus logs; other security agent)
  • report them to senior management (yours or theirs; or, if you report to the same boss, both yours and theirs)

As a side note, database administrators (DBAs) are even more famously resistant to providing log data.

Overall, the tips above might help; however, to resolve such control issues once and for all, the smart organization must deploy log management tools across the entire organization and then provide limited access to the logs to all the stakeholders on an "as needed" basis ...

Also, I am tagging all the tips on my feed. Here is the link: All Security Tips of the Day.

Then: Pigs, Now: Sand Beat the Sharks :-)

Then pigs beat sharks as a higher risk, and now sand does it: a quote from Bruce Schneier:

"At the beach, sand is more deadly than sharks: 'Since 1985, at least 20 children and young adults in the United States have died in beach or backyard sand submersions.'"

The article that he quotes is called - not surprisingly - "Sand More Deadly Than Sharks at Beach" ...

And some of us think we understand risk :-)

Some Security Humor to Start Off the Day

"For years, file transfer protocol has been the standard for file transfer security. While FTP still offers the gold standard in security over the Internet [...]"

Thx to Andy, ITGuy for pointing this out. I haven't laughed that hard for days ...

Thursday, June 28, 2007

He-He, Privacy :-)

Dancho Danchev reports:

"POSTACRIME.COM is a free service for anyone to upload photo or video content of burglary, theft, vandalism, or other criminal acts that have been caught on camera for the purpose of identification by the public."

Things like this further strengthen my impression that the old definition of privacy ("the right to be left alone") is about to die ...

On Travel

I am hereby starting a new Blogger label ("travel") to entertain my readers with all the travel stories that happen to me as I fly around on security business. I think the pool of stories has reached a critical mass and I just have to share them.

Some "bizarro" travel things (mostly air travel) that happened to me recently:

- plane "downgrades" where a few dozen passengers are left out
- a trip where all passengers are moved around in minibuses instead of planes (United)
- food in Economy, but not in First (!) (USAirways)
- airport "security" stories (including a classic - "nearly empty 3.4 oz toothpaste")
- service so bad that it crosses horrible into funny and then into ... I dunno where? :-)
- delay because "the plane needs to be brought from the hangar" (USAirways, 6/2007)
- delay because the plane "is too hot and needs to be cooled" (USAirways, 6/2007)

Feel free to add or link to your own.

UPDATE: a great :-( list of air travel horror stories is here (from here). Basically, the conclusion is "if you landed on or near time, be grateful to the deity of your choice" :-)

Wednesday, June 27, 2007

A Fun Bit on Risk Management from NetApp

Here is a fun bit on risk management (and risk perception) from NetApp. Definitely worth a read.

HIPAA Growing Teeth?

HIPAA Growing Teeth? Or so some say: "An audit of Atlanta's Piedmont Hospital that was initiated by the U.S. Department of Health and Human Services in March is raising concerns in the health care industry about the prospect of more enforcement actions related to the data security requirements of the federal HIPAA legislation."

Again, another "let's see" response is appropriate.

Google, Privacy and Stuff Like That

I dunno, it took me a while to say something about this whole Google vs Privacy Intl debacle.

First, I actually learned about it from (see this thread), where the author takes a pretty extreme (IMHO) view, siding with Privacy Intl.

I commented thus: 'This looks to me like an opportunity to SCREAM: “You have no privacy, GET OVER IT.” So they collect and analyze data on us - great. So? :-) Yes, one can create nightmarish “New 1984” scenarios, but then again you are much more likely to get something useful out of it. My conclusion on this: overoveroverblown concerns. It reminds me of the recent blooper by some guy who said “blogs are the evil guys’ tool.”'

On the other hand, if "Privacy Intl is bought by Microsoft" is indeed the official position of Google, then I guess we are all screwed, since saying stuff like this without any proof sounds pretty freaking evil ...

Still, I somehow believe (and I am willing to admit that I was somehow brainwashed into doing this) that stuff like this is more "real Google." (a quote: 'should the German federal government fail to drop its controversial draft bill on the monitoring of telecommunications and Internet traffic, Google has threatened to shut down its e-mail service Google Mail in Germany. [...] These plans were "a severe blow to privacy," Peter Fleischer, the man globally in charge of protecting Google user data')

Overall, my take on this is "we'll see" - I have a sneaking suspicion that privacy will be redefined in the coming years and what was once private will be freely shared. And this is how this conundrum will be solved ...

UPDATE: and after stuff like this people still think Google sux at privacy. Maybe Privacy Intl is indeed bought by MS folks.... (a quote: "Are you using Windows Vista? Then you might as well know that the licensed operating system installed on your machine is harvesting a healthy volume of information for Microsoft. In this context, a program such as the Windows Genuine Advantage is the last of your concerns. In fact, in excess of 20 Windows Vista features and services are hard at work collecting and transmitting your personal data to the Redmond company.")

Another Vanity Post: A Fun Interview With Me on Log Forensics

Here is an audio interview that I gave while at CONFidence 2007 earlier this year (my presentation).

Another Presentation: Updated Six Mistakes of Log Management

My updated "Six Mistakes of Log Management" TEASER presentation is here. Enjoy!

BTW, I will be giving a similar one tomorrow at GFIRST 2007.

CVSS v2 is Out

By now everyone knows it, but CVSS v2 is out. What is not known by everyone is the sheer volume of debates, discussions and arguments that took place on the CVSS SIG list over the last few months. All this hides behind an innocuous line: "CVSS v2 represents the culmination of CVSS-SIG efforts to test, correct, and improve CVSS." No shit! :-) The SIG went thru countless revisions and discussions, which did make the final CVSS v2 a solid vulnerability scoring standard.

Overall, CVSS rocks since it brings much needed "quantitativeness" to the vulnerability space and helps kill the fuzzy "low/medium/high" that indeed means something different to everyone ...

UPDATE: CVSS SIG team (including yours truly :-)) is listed here, if you are curious.

A Bit More on Database Logging

While I still cannot republish a full database logging paper mentioned here (but I can email it if you ask), I have another related article on database logging published in "IT Defense" magazine (this one is admittedly a bit less technical). Check it out here.

Overall, I was pretty shocked that a huge number of people have requested the original paper. Database log management seems close to taking off and then taking its place alongside firewall, IDS and server logs.

Discounted Passes for IT Security World 2007 Anyone?

Just as I did with CSI, feel free to use these 50% discount passes for IT Security World 2007 (which I got as a speaker). A link to the conference program is here [PDF].

"If registering by email:
Please email MIS Customer Services ( and include the following information, in addition to the colleague’s full contact information:
Conference name
Discount %
Speaker’s full name and company
Registration code: ITS07/SDIS"

If you need help getting the discount, feel free to contact me.

Monday, June 25, 2007

LogLogic is Hiring

Think "logs are fun"? Come over and talk to us:

"LogLogic is hiring and we'd love to have you in to meet with our Hiring Managers & VPs. Join us on Wednesday, June 27th from 5-8pm; LogLogic, Inc., 110 Rose Orchard Way, Suite 200, San Jose, CA 95134

Refreshments will be served. Bring your resume or paste your resume into an email with “Position – YOUR NAME” in the subject line to:"

The list of positions is here, but come anyway :-)

Funky Security Cartoon

"Reprinted" from "Dancho Danchev - Mind Streams of Information Security Knowledge"

BTW, this is another cartoon from the same source.

Back to Work, Back to Blogging

This is the first time I am apologizing for lack of blogging ... sure feels funny :-)

So, I was away speaking at FIRST 2007 and then having a (yes!) vacation in the same area. FIRST was a great event this year; I liked it much more than the last. I had a huge crowd for my "Logs in Incident Response" tutorial.

Fun blog posts are in the pipeline - stand by.

BTW, isn't the Mediterranean supposed to be warm year round? :-)

Monday, June 11, 2007

If a tree falls in the forest and nobody notices ... :-)

One NAC vendor dies, how many to go? :-) Sorry, can't resist....

What sucks about stories like this is that the impact of this "acquisition"/failure is really negligible.

So, my dear security vendor friends and colleagues [including myself :-)], think really-really hard: if YOUR company dies, will anybody notice?!

Friday, June 08, 2007

Finally, Breach Payback Time

"HarborOne Credit Union in Brockton, Mass., has sent The TJX Companies Inc. an invoice for $590,000 for what the financial institution says it incurred in actual costs and reputational damage as a result of the data compromise disclosed by the retailer in January."

Niiiiiice! Now if only PCI DSS would work its magic and slap them on the other cheek :-)


By contrasting CEE with XDAS, Raffy clearly makes the point that CEE is needed.

Yes, SDEE, CEF, IDMEF, XDAS, BEEP, CIDF, CBE exist (some existed). But they have very little impact on the world! CEE will make an impact!

On LASSO and Windows Logging

So, here is the paper that I was involved in on Project LASSO.

"One of the recent open source solutions that enables a critical part of log management is Project LASSO, a Windows-based open source software designed to collect Windows event logs, including custom application logs [AC - that go into Event Log], and provide for the central collection and transport of Windows log data via TCP syslog to any syslog-NG compatible log receivers. Before Project LASSO, incorporating Windows server and workstation logs in an overall log management process was extremely onerous."

The main thing that puzzles me about Project LASSO is that many people still don't know that "agentless"/remote Windows event log collection is actually easy and free (with LASSO). I continue to come across folks who are stuck in the 90s and think that "Windows logging = agents." No!!! Nooo!! Noooooo! :-)

On remote log injection attacks

A fun paper on remote log injection attacks from Daniel Cid (of OSSEC fame): "the goal of this document is to show some of the most common problems with log injections that we need to be aware of when developing programs that parse log messages."

I am preparing more fun stuff on attacking log analysis ... stand by ... book tickets to Vegas (hint-hint) :-)
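The parsing problem the paper talks about is easiest to see in code, so here is an added example (mine, not from Daniel Cid's paper or OSSEC): a line-oriented syslog parser beside a naive log writer and a hardened one, with a constructed "user" field carrying an embedded newline to show why the writer must neutralise control characters before a field reaches the log.

```python
import re

# Added example, not from Daniel Cid's paper: a line-oriented syslog parser
# (the kind of program the paper is about) beside a naive and a hardened log
# writer, showing why a field copied verbatim into a log line is a problem.

# Constructed sample: a "user" field that came straight from untrusted input
# and carries an embedded newline followed by a forged-looking record.
SAMPLE_USER = "bob\nJun  8 10:00:01 host sshd[202]: Accepted password for admin"

# Classic BSD syslog line: "Mon DD hh:mm:ss host prog[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


def format_naive(user):
    """Vulnerable writer: interpolates the field without neutralising
    control characters, so a newline in it starts a second physical line."""
    return f"Jun  8 10:00:00 host sshd[201]: Failed password for {user}"


def sanitize_field(value):
    """Hardened writer helper: escape backslash, CR, LF and every other
    ASCII control character as \\xNN, so the record stays on one line and
    an analyst can still recover the original bytes."""
    out = []
    for ch in value:
        code = ord(ch)
        if ch == "\\":
            out.append("\\\\")
        elif code < 0x20 or code == 0x7F:
            out.append(f"\\x{code:02x}")
        else:
            out.append(ch)
    return "".join(out)


def format_safe(user):
    return (f"Jun  8 10:00:00 host sshd[201]: Failed password for "
            f"{sanitize_field(user)}")


def parse_records(text):
    """Line-oriented parser, as most log tools are: one record per line,
    unparseable lines are dropped. Returns a list of field dicts."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def count_accepted(records):
    """What a detection rule keyed on 'Accepted password' would count."""
    return sum(1 for r in records if r["msg"].startswith("Accepted password"))
```

With the naive writer the parser sees two records and a login-success rule fires once for an event that never happened; with the hardened writer it sees one record whose message visibly contains `\x0a`, which is itself worth alerting on.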

OWASP Top10 2007

It's been a few days, but OWASP Top10 2007 is out.

I am still thinking about the logging implications of these. For now, it will suffice to say that web logs do have the info useful for (at least) investigating the incidents which involve exploitation of some Top10 flaws.

Wednesday, June 06, 2007

Recommended Windows Audit Logging Policy

Here is a great post from Randy Smith on a preferred Windows logging policy. This is indeed a very common question we face: what logging to enable (my guide on what logging to enable to assist with PCI compliance is coming soon).

So, here is the essence of what Randy says (but do read the whole post):

"System Events - S/F
Policy Change - S/F
Account Management - S/F
Privilege Use - Disabled
Logon/Logoff - S/F"

('S' is a success audit and 'F' is failure audit)

It is indeed true that, even though it sounds important, "privilege use" logging will cause a flood of noise which will be pretty darn hard to map to something relevant in the real world ... What can you say, it's the Windows logging world :-)

What Users Hate About Security Vendor Sales Presos

What Users Hate About Security Vendor Sales Presentations

"They're the things that make you want to get up and walk out of a vendor's security sales presentation. The claims, the cliches, the mindless drivel [AC - my favorite :-)]. They make you want to scream, "Shut UP!""

New Face of Privacy

In her ever-insightful post called "Raunchy old photos will be part of the revolution", Penelope Trunk says: "The whole idea of our lives being available for public display is actually pretty cool. Think about it. If the world already knows what we do in our spare time and we are all able to be completely open about our interests, thoughts and ideas without fear of retribution or not being hired then we can bring our whole being to work everyday."

While some privacy fans will scream in horror, I think this is the new face of privacy for the times to come. As I mentioned before, I think hiding is overrated :-)

You Sir! Step Away From That RSS Reader!!

"The relentless influx of emails, cellphone calls, [A.C. - RSS feeds] and instant messages received by modern workers can reduce their IQ by more than smoking marijuana, suggests UK research."

"... Alarmingly, the average IQ was reduced by 10 points - double the amount seen in studies involving cannabis users."

No comment really :-) Just remember you read it on the blog :-)

UPDATE: just saw this from Dave Piscitello which is closely related: "This trend [AC - waning attention spans] is very disturbing. We appear to be devolving into a "just tell me what I need to know RIGHT NOW, how to do this RIGHT NOW, keep it brief I'm too busy to care WHY" society. Fewer and fewer IT professionals are learning architectural and other *big picture* networking and security principles, and rely instead on technology to solve the problem. This attitude is not isolated to Internet technology; in fact it's a pandemic. "

Tuesday, June 05, 2007

PCI Might Become Law in CA As Well?

Wow, is this (and this) a trend or what? CA is also looking at "PCI"-like law.

"The legislation would also require merchants to use so-called strong encryption routines and access controls while storing or transmitting other types of data, such as card numbers and the names of account holders."

Well, hopefully they mandate logging and log management as well :-)

So, all this "security as a law" makes some people (MJR?) uneasy. Why? Here are the reasons I've heard:

  • People will fall to the lure of "checkbox security" and only adopt the bare minimum
  • Law will be abused (see DMCA)
  • Legal Depts will determine what security measures are "necessary"

However, I don't think that this stuff is necessarily all that bad, and the above points are debatable at best. I see the world becoming more secure overall as a result of such regulation (in any case, it seems more compelling than fake ROI studies as a driver for security adoption ...)

UPDATE: this blurb shows some of the reasons folks hate "legalized security." It even equates future security with "lawyer-driven regulatory compliance-centric checkbox." Further in the piece it covers some of the reasons why it is not so bad (which I happen to agree with). This might be premature ("Information security as a whole moves from a poorly defined, immeasurable cost center to a clearly specified, predictable compliance function."), but it seems like overall progress.

My Presentation: Interop Moscow Keynote on Security Trends

Here is my recent keynote presentation on security trends from Interop Moscow (sorry, teaser version only - I plan to give it again some time).

Overall, it was a fun event to attend and my first ever presentation in Russian :-)

Nobody Is That Dumb ... Oh, Wait! - II

I have not done a post themed "Nobody Is That Dumb ... Oh, Wait!" for a while, but now I found a perfect opportunity (highlighted also here).

The paper starts on this silly note: "When employees fire up their company-issued mobile devices at home or at the airport, they often use the technology [AC - oh, horror! they actually dare to "use the technology"] for both business and personal pursuits like blogging. According to one industry expert, it's a very dangerous trend."

Further, this assclown says: '"Many people blog from work and mobile platforms and that's very bad," he said. "Blogs are one of the bad guys' tools."'

Wow, really!? :-) Yup!

More On PCI DSS Adopted As A Law

"This week Minnesota trumped Texas in being the first state to make PCI compliance a law."

Monday, June 04, 2007

Some Fun Stuff About Windows Event Logs

It also has this neat, but a little confusing, distinction:

"Auditing is indispensable for security-related monitoring of any server-based application, from e-mail servers to databases to Web servers. In today's security-conscious environments, a reliable audit trail is a valuable forensic tool and often a legal requirement for certain industries. For example, regulations such as Sarbanes-Oxley and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) require audit trails for certain systems, applications, and data. The Windows Server™ 2003 operating system provides features that let you enable a wide range of applications to make use of auditing functionality.

Auditing is, in many ways, similar to the well-known Windows® event logs. Despite the apparent similarity, there are important differences between auditing and event logs.

First, the APIs used for generating audits are new for Windows Server 2003 and are entirely separate from the APIs used for event logging.

Second, from a security standpoint, audit logs are uniquely suitable to tasks requiring tight control over who can generate and read the logs."

ROI, FUD, Selling Security and Relevance

This whole thing started with MJR podcast #2 called "Codependence", continued by the squeals here :-) and then culminated by a thoughtful post here followed by just-as-thoughtful comments.

One of them says: "Security may never be a clear vision to mgmt beyond compliance, negligence, and regulations [AC: kinda compliance as well ...]" and further "if there is no benefit to the company other than as an insurance role, there is really not much hope beyond a CYA approach."

Well, so? :-) That is actually a lot! If security is made mandatory, all this ROI hoopla will subside. FUD will be gone. Other good things will happen (and some bad), but I would really not consider that scenario to be that bad at all ...

Pilotless Police Drones?

Future to come?

"Merseyside police are using the "spy drone", fitted with CCTV cameras, mainly for tackling anti-social behaviour and public disorder."

... with a cool picture and all.

Still, to be truly scary and futuristic, this needs an AI flying it, not a remote police officer ...

Fun Log Management Survey

Check out this fun log management survey by SANS and LogLogic. As usual, analysis is proven to be a bigger challenge compared to collection, storage, etc. Hasn't it been like that since 1986?

Dr Anton Chuvakin