Tuesday, January 31, 2006

Paranoia of Wikipedia?

Here is a fun argument that Richard Bejtlich brings to point Wikipedia flaws: "I would personally never use Wikipedia as a resource for any serious research. I might use it as a starting point, but why should I trust what it says? Am I going to go back through the editing history and note that 195.89.26.53 made a change that looks suspicious, but 216.192.4.32 seems more reliable? That is ridiculous."

Do you agree? Are there enough mechanisms in Wikipedia to assure the overall high level of content accuracy?

I see two scenarios for inaccurate content: a) obscure pieces that nobody bothered to check and b) articles where bigots in large numbers beat back the forces of reason (due to their smaller numbers)

How to name a paper - advice from PR folks

Here is fun bit on PR. If you are thinking of writing a paper, but are not quite sure how to name it, check out those suggestions from a PR course:

  1. "New Way to ______________ That Has Never Failed
  2. A Part-timer's Tactics for a Full-Timer’s __________
  3. A Quiz: Test Your _____________ Smarts
  4. Cash in on _______________ Trends
  5. Chasing the Right ______________
  6. Cool Tools for Today’s ______________
  7. Common Errors That Kill ______________
  8. Discover the 7 Essential Elements That Guarantee _____
  9. Finding the ______________ That is Uniquely You
  10. Good News for ______________"

Admittedly, this is partly humorous, but then again I do see papers named like this, and I am guilty of writing security papers on mistakes (for example, this, this and this)

Friday, January 27, 2006

BBC NEWS | Technology | Why Google in China makes sense

Finally somebody is talking sense rather than screeching and howling: BBC NEWS | Technology | Why Google in China makes sense: "Forgive me if I refuse to go along with the knee-jerk consensus on this one."

Google sucks (sorry, can't resist)

This is the first time it happens to me, so I am shocked.

I forgot the URL for this security company called "Elemental Security", so I typed it into Google, expectin it being the first hit, like it always happens.

And - oh horror: the company site is not even on the first page of hits!!!

It was something like #37 and the URL is "http://www.elementalsecurity.com"

Is it the beginning of an end for Google?

Squidoo Lenses

Sometimes you see something online and its kinda fun to play with and you kinda feel that its useful, but you are not quite sure how and for what ... here is the latest example: Squidoo.

So, anybody can go there and create what they call a "lens", a portal or a dashboard with various views, such as RSS, link lists or something else. The resulting concoction will be visible to others and, I guess, serve as a useful resource. They also give you a bookmarklet (similar to the one used by del.icio.us) to drop link to the lens from other papers. So, the result is kind of del.icio.us on steroids.

So, check out mine on the subject of - no surprises here - information security: Squidoo : Lenses : Anton Chuvakin Security Info

IPsec dead by 2008, says who? Gartner, that's who! :-)

Techworld.com - IPsec dead by 2008, says Gartner: "The IPsec protocol that has served remote access so well for the last decade is now in its death throes, Gartner has prophesised."

My #1 question about this is: if true, how it affects IPv6? IPv6, as we all know, includes IPSec as an inherent piece, which simply cannot be removed.

I suspect they mean "IPSec as a way for user remote access over IPv4 networks is dead", which it well might be...

MP3s – The Big Security Risk In 2006

This "MP3s: The Big Security Risk In 2006" is a classic example of reaching for a "high hanging fruit."

As a current stage, it clearly belong in the "security humor" category :-)

"NAC" sales to soar 1,100%

Its no surprise that I predicted that "endpoint security" (check this for a nice and clear definition of what it is) - of which "NAC" is often considered to be the main part nowadays - will grow faster than other areas of the infosec market in 2006. Here is some evidence to back up this prediction:

Security Market Wrap: NAC sales soar 1,100%: "There are three main components in most NAC solutions: clients, enforcement, and backend. Infonetics’ report focuses on the enforcement market, including network integrated NAC enforcement devices, NAC enforcement appliances, and SSL VPNs for NAC enforcement. “By far the largest portion of NAC enforcement revenue between now and 2008 comes from network-integrated enforcement devices, but the biggest change is in NAC enforcement appliances, whose share of the market nearly triples between 2005 and 2008,” "

Why is "Network Access/Admission Control" technologies are set to grow? Until recently, the endpoint security was pretty much equal to an anti-virus software (later bolstered by a personal firewall) and now "NAC" (here used to mean a generic technology, not any vendor's implementation) came into the picture as a way to control who can connect to a network by making - with wildly different intelligence - a decision based on the endpoint security posture as well as other properties. While some folks question the future of "NAC" (and others defend it) it seems like the problem is there, this is a solution that fits and there is industry momentum behind so growth is likely. And, yes, its complexity is one reason why it might not take off as fast as they say ...

Security humor - "bastion" of security

Here is a quote by Gartner that firmly falls into the domain of "security humor": "A new set of critical vulnerabilities shows that Oracle can no longer be considered a bastion of security."

So, again, what was that time when it was considered to be that? Folks at security cons boasted about having dozens of Oracle 0days as far back as last year and likely earlier. I remember seeing one presentation on Oracle security, where the speaker ended the presentation with "Don't ask stupid questions, if you annoy me - remember: I have a stash of Oracle 0days handy" :-)

Use anti-virus - get a virus!

"A staggering 98% of respondents said they used antivirus software of which nearly 84% still suffered a virus attack in the last 12-months period. "

Is anybody surprised about stats like this? Anybody?

Thursday, January 26, 2006

"500000 (?) PCs infected by a porn worm - doomsday near"

Why is that every time people predict such things ...

Half-million PCs infected by porn worm - IT Security News - SC Magazine US: "'If the worm keeps this pace, Friday the 3rd of February might be nasty – that's when the destructive payload is programmed to strike for the first time,'"


... nothing happens?

Wednesday, January 25, 2006

Math Will Rock Your World and Whose Else's?

I got this link from [securitymetrics] mailing list and enjoyed reading the paper, thus it is reposted here.

Math Will Rock Your World: "From fledglings like Inform to tech powerhouses such as IBM (), companies are hitching mathematics to business in ways that would have seemed fanciful even a few years ago... From a business point of view, they're just begging to be analyzed. But even with the most powerful computers and abundant, cheap storage, companies can't sort out their swelling oceans of data, much less build businesses on them, without enlisting skilled mathematicians and computer scientists."

So, how does the above relate to this, pray tell me? :-)

Tuesday, January 24, 2006

X.25 Security Nightmares

I was reading the HITB 2005 conference materials and came across this awesome preso on X.25 security in 2005. Here is the outline from the site:

"x.25 Security - The presentation focuses on X.25 security issues, positioned in present day context and problems. The main intention is to bring personal and professional know-how, background and X.25 penetration testing experiences to the auditorium, with real-life case studies"

My summary: OMG! :-) There is a whole world out there, that many [security] people never even hear about. I did read some materials on that before, but this is by far the most clear, detailed and modern information source.

So, whenever a "con-sultant" does some silly "nmapping around" and then claims to have performed a pentest, think that likely somewhere in the shadows somebody from a remote country is snickering while owning the network thru X.25 ...

As far as other resources are concerned, I also liked this paper from (!) 1988 on X.25 security issues.

Friday, January 20, 2006

How to get a job with a pen-testing team? :-)

For a quality bit of security humor, go to SecuriTeam Blogs - "How to get a job with pen-testing team." ROFL.

Some "security" certification are not hands on. Big news! :-)

Finally somebody said it straight and backed it with numbers: "... the low votes for CompTIA, (ISC)2 and ISACA certifications are compelling proof that these certifications should not be relied upon for people with hands-on security responsibilities"

How's that not obvious? Haven't we all met CISSPs who only used computers to the extent allowed by AOL email? :-)

Thursday, January 19, 2006

Security: as it Was Six Years Ago ...

I totally agree with this insightful conclusion from this year's SANS Top 20 (http://www.sans.org/top20); there is no better way to summarize it than quote line from Alan Paller:

"The bottom line is that security has been set back nearly six years in the past 18 months. Six years ago attackers targeted operating systems and the operating system vendors didn't do automated patching... Now the attackers are targeting popular applications, and the vendors of those applications do not do automated patching."

But, it is not only about automated patching, by far! Security mistakes of the early operating system software, such as the venerable Windows NT IIS flaws, Windows MSRPC flaws, lack of authentication in Windows 95/98, Solaris and Linux RPC and FTPD holes and other egregious fauls of the bygone days, are about to come back in force as Oracle, Peoplesoft and other common networked business apps.

And, considering that most every app is networked nowadays, the risks are higher. The only mitigating factor is that there is much more diversity in the application world compared to the OS world. There is a dozen of major OS variants in use today (and we all know which one is by far the most common :-) at least on the desktop), but numbers of actively used applications are in high thousands. Thus, Dan Geer's monoculture argument[PDF] works in our favor.

However, while it will make world a bit more secure, it might make an individual application user a bit less secure due to less attention being paid to secure your particular app. Thus, if you happen to be owned through an obscure "third party" application, you have nowhere else to blame but your software vendor ...

Wednesday, January 18, 2006

It makes you "secure"? From what?

Not that I spent time perusing old mailing list postings :-), but I've been meaning to blog about it for quite some time.

Here is a fun quote on Windows security that I wanted to highlight: "XP SP2 solved the problem with people getting owned every time they connected their computer to the Internet. But it didn't solve the problem of people getting owned every time they used an application on their computer."

Think about it... SP2 made Windows more secure, but you didn't think (I hope!) that you scrapped your anti-virus because of it. At this stage, the "if I can get to you over the network, you are toast" has [somewhat] faded into history (unless you run applications, that is :-)), but "if I can run anything on your box, you are toast" still rings true.

Tuesday, January 17, 2006

PGP Corporation CTO on Insider Threats and CSI "survey"

Here is another curious bit on insider (aka "internal") attacks vs external attacks.

PGP Corporation - Library - CTO Corner - Insider Threats: "For example, the 2005 CSI/FBI Computer Crime and Security Survey tells us that 80% of respondents reported security incidents involving insider abuse in 2004 (up from 64% in 2003). Sounds bad, doesn't it? But if you think about it, this is precisely what you'd see if there were an improvement in perimeter defenses. There would a higher proportion of insider attacks. (I also note that the actual rate of estimated insider problems hasn't changed since the dot-com days.)"

So, we are pretty much assured that the percentage of "insider attacks" will grow in the coming years without really growing in number (and possibly even shrinking, just slower than "external threats"). In addition, limitations in reporting (and even measuring) such attacks will skew the numbers significantly in whatever direction.

On the other hand, I just mailed my copy of CSI 2006 survey. OMG! No wonder this "most quoted survey" produce near-random results with such high reliability :-) Several terms and questions were so poorly defined that giving any semblance of "correct" answer is next to impossible.

Monday, January 16, 2006

Searching for info online is so 20th century...

So I grew to like this Watson tool even more! It often brings up items with truly uncanny accuracy.

I was writing my book chapter on log mining the other day and forgot to
mention some obscure reference on mining system performance logs that I've seen a long time ago. Lo and behold, it shows up in Watson's sidebar like magic!

Their FAQ explains (http://www.intellext.com/watson2_faq.html) "How relevant are Watson’s search results" and I can attest that they are. You can refine them further by adding a keyword to their automated search results. Like I add the word "logs" and all the data on baselines gets filtered with it. Pretty cool!

Cell phone user might be liable for fraudulent charges... pretty horrible!

This Slashdot post definitely sends some shivers down the spine: "When Sarah Drummond got back from Israel, she found a cell phone bill for more than $12,000. She contacted her cell phone provider to let them know that someone had stolen her phone, but they weren't interested in helping her and told her she'd have to pay (!)..."

Obviously, we do not have all the facts, but, if true, it sounds really really horrible. I have a sneaking suspicion that her credit card company won't help her to cancel the charges in this case (if automatic bill paymemt was enabled).

In general, it sure looks like consumers of products enjoy much more protections than consumers of services in this country. You can always bring the gadget back to, say, Walmart (or even a food item back to a supermarket, in many cases), but how do you bring "back" you cell phone usage? A plumber services? Or a wedding photographer services, in the most extreme case?

Any advice? What are the protections available under such circumstances? BBB? Consumer Affairs? Complaints.com? Litigation? I think I am sliding away from the original subject, but let's look at the bigger picture here - how do you protect yourself from fraudulent or incompetent service providers, that either allow fradud to happen or commit fraud themselves?

Windows XP Gets Independent Security Certification

Notice something funny in this one:

MS representative says: "... we've secured our products"

Critics of Common Criteria certification say: Windows XP Gets Independent Security Certification: "... the ratings are not a true reflection of the secure nature of a product in general purpose situations because it does not take every general-purpose situation into account."

Sunday, January 15, 2006

Bruce Schneier on Wikipedia accuracy

An astute observarion on the accuracy of information in Wikipedia:

Wired News quoting Bruce Schneier : "Similarly, Wikipedia's veracity problems are not a result of anonymous authors adding fabrications to entries. They're an inherent property of an information system with distributed accountability. People think of Wikipedia as an encyclopedia, but it's not. We all trust Britannica entries to be correct because we know the reputation of that company, and by extension its editors and writers. On the other hand, we all should know that Wikipedia will contain a small amount of false information because no particular person is accountable for accuracy -- and that would be true even if you could mouse over each sentence and see the name of the person who wrote it."

Security is stupid!

This is based on a quote I've seen on a securitymetrics mailing list, that I belong to.
Somebody reported that "an average Windows box takes about $1K/year in security-related costs including all of the add-on software, maintenance, rebuilds, etc."

Upon hearing this the person asked the obvious question: "why they don't just buy a new one[computer] every 6 months and not bother... selling the used ones of course generates additional income as well."

And he never gets a [sensible] answer! Doesn't seeing stuff like this makes you lose all faith in the humankind? :-) Or at least in the IT part of it?

I've also heard that some folks buy new computers when the old ones becomes too slow from too much spyware (can't find the source right now). Good idea, considering the above? :-)

Wednesday, January 11, 2006

Women of Influence - CSO Magazine - January 2006

When I saw this one (Women of Influence in Security - CSO Magazine - January 2006), I somehow recalled an old discussion that sparked on one of the mailing lists upon seeing some similar past nomination: but can they write exploits? And, further, is there more women CSOs or women who code good overflows?

Yeah, I finally found that old post from 2003, enjoy: http://www.immunitysec.com/pipermail/dailydave/2003-September.txt

Five mistakes of vulnerability management - Computerworld

Here is my fun paper that just got published: Five mistakes of vulnerability management - Computerworld

"Vulnerability management is viewed by some as an esoteric security management activity. Others see it as a simple process that needs to be done with Microsoft Corp.'s monthly patch update. Yet another group considers it a marketing buzzword made up by vendors.

This article will look at common mistakes that organizations make on the path to achieving vulnerability management perfection, both in process and technology areas."

OK, here is a shot at my security predictions for 2006

So, I am finally done reading other people's security predictions. A lot of silly stuff, I must admit! And a lot of truly obvious things, which largely fall into a bin of "threats will still be there" :-)

Here is my own shot at information security predictions for 2006. I decided to stay on the safe side and minimize embarassment next year, so I am keeping the more controversial stuff to myself...

Note the numbers in brackets; these are (probability of happening, ease of making the prediction). The scale is from 1 to 5, which 5 marking the highest probability and the highest ease of prediction. I am stealing this idea from Thomas Ptacek's blog post, but making it more quantitative.

1. Viruses, worms, bots and spyware will remain the main concern; malware commercialization will continue and thus propel more money-making technologies such as spyware (5,5)
2. Data/IP theft and especially ID theft will continue and increase in both severity and occurrence (5,5)
3. At least one major 0-day compromise story will surface, maybe with Oracle software (5,4)
4. Application-level vulnerabilities will grow, service-level ones – shrink (5,4)
5. Client (web, mail, chat, etc) attacks will rise and server attacks will fall somewhat (4,5)
6. Major wireless and mobile threats will not come (4,3)
7. Endpoint security solutions and NAC-like technologies will experience sharper increase in adoption than other security tools (3,4)
8. Finally, I predict that just as one cannot predict the threats of tomorrow today, one still won’t be able to do in 2006 :-) (5,5)

blog.ncircle.com: More proof Microsoft doesn't respect you

blog.ncircle.com: More proof Microsoft doesn't respect you: "What's more important - the rule of law, or human rights? "

Ok, so it does not. What's new here? :-)

And, BTW, in many cases its "the law", thank you very much.

Tuesday, January 10, 2006

Sacred Cow Dung: A Functional View of Social Networking - Highlighting the Challenges Moving Forward

Here is a fun (and somewhat academic) article for those who like LinkedIn (www.linkedin.com), Orkut (www.orkut.com), Ryze and other "social networking" sites. Lots of people signed up and now, as I've read, many feel like they came to a party and now just wait for it to start :-) I can attest to my own LinkedIn experience that it feels like fun, but you are not quite sure why you are there, just like the above description indicates.

Sacred Cow Dung: A Functional View of Social Networking - Highlighting the Challenges Moving Forward: "A Functional View of Social Networking"

My review for "Spies Among Us"

I just posted my review for Ira Winkler "Spies Among Us"; here it is:

"Fun and enlightening read - reviewed January 9, 2006 by Anton Chuvakin (NJ, USA) - See all my reviews

Ira Winkler's "Spies Among Us" finally cleared my head on the subject of ... oooh, so horrible ... " cyberterrorism." Intuitively, when you read about "cyberterrorism" you instantly think "what a load of bull", but the amount of press and "research" that you see coming about it, makes one wonder. As a result, I was somewhat confused about the subject. Until now! Ira's book finally cleared it: at this stage, "cyberterrorism" is positively, absolutely, 100% "bull product." Here is why: computer failures are an accepted thing. "Everybody knows" that computers "are flaky", and might crash at any time, taking your work (or a billion-dollar Martian probe :-)) with them. Thus, computers do a pretty good job damaging themselves and things around them, and, thus, people will not be terrified if it happens due to malicious actions by whatever cyber-terrorists. Now, the above obviously doesn't cancel the use of computers and the Internet by the terrorists, but this is not what is commonly understood as "cyberterror."

So, the book is fun! The book starts from "espionage concepts" and continues on to case studies (the most fun part!) and countermeasures parts. "Spies among us" also highlight some commonly overlooked truths in the security arena, such as that users' errors are more damaging, in aggregate, than all the malevolence of all the spies in the world. Acts of God, not "hackers", run a close second. Also, the section on countermeasures really stresses the point that many a sophisticated attack was ruined by the simplest countermeasures, applied deliberately and consistently.

Among other things, I loved the insider profiling bit, where the profile of the hardest working employee matches that of a "typical industrial spy." I also liked his country by country espionage coverage, such as how are Russian spies different from Chinese spies :-) Overall, while the book clearly aims at a non-technical audience, even seasoned security professionals will benefit (or at least will have fun reading it), if not from the information, but from reliving Ira's experiences ("Can your organization be penetrated THIS way?"). Everybody related to security (and many who are not) should get the book!

Dr Anton Chuvakin, GCIA, GCIH, GCFA is a recognized security expert and book author. In his current role as a Security Strategist with netForensics, a security information management company, he is involved with defining future features and conducting security research. A frequent conference speaker, he also represents the company at various security meetings and standard organizations. He is an author of a book "Security Warrior" and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and the upcoming "Hacker's Challenge 3". Anton also published numerous papers on a broad range of security subjects. In his spare time he maintains his security portal at info-secure.org and two blogs."

Monday, January 09, 2006

A roundtrip to Mars in one day?

Even though it sounds like a spoof, its a fun read: A roundtrip to Mars in one day? Emerging Technology Trends ZDNet.com: "According to ideas developed in the 1950s, it should be possible to build an 'hyperspace' engine allowing a spacecraft to reach Mars in 3 hours."

Wednesday, January 04, 2006

Wikipedia on me :-)

So, someone created an article in Wikipedia about me... Here is what it says:

Anton Chuvakin - Wikipedia, the free encyclopedia: "Anton Chuvakin is a computer security specialist, currently a Security Strategist with netForensics, a U.S. Security Information Management company. A physicist by education (M.S. Moscow State University, Ph.D. Stony Brook University), he is an author of many publications and invited talks on computer and network security and a co-author of 'Security Warrior' (ISBN 0596005458) published in 2004 by O'Reilly."

So does it mean I am officially famous now? :-) Wikipedia also has a page that lists notable computer security specialists, with folks like Bruce Schneier, Dan Farmer, Dan Geer and now yours truly.

Dr Anton Chuvakin