What was the most fun security book you've read in the last few years? For me and many others it was the "Hacker's Challenge" and its sequel, "Hacker's Challenge 2."
As my fellow co-author Tony Bradley writes in his blog: "I particularly enjoyed the Hacker's Challenge books though. Rather than just conveying facts and information, the Hacker's Challenge books teach through short story scenarios that provide details about bizarre occurrences and provide evidence to let the reader try to conduct their own incident response or forensic investigation and determine what has been exploited or compromised. The second half of the book then provide solutions for each of the challenges, explaining in detail how the main character of the story was able to piece the clues together to get to the bottom of the mystery. "
I totally agree! And so my excitement was pretty boundless when I was invited to be part of the "Hacker's Challenge 3" author team. So, the time has come to unleash a sample challenge on the world. Enjoy Hacker's Challenge 3 Challenge: A Cup of Chai!
This is Anton Chuvakin's original blog (pre-Gartner), which I will now use to back up my Medium blog content (2023+).
Tuesday, March 28, 2006
On "Windows Security Logging and Other Esoterica"
Here is another useful resource related to logging and system auditing and it comes straight from Microsoft: "Windows Security Logging and Other Esoterica: Thoughts from the Windows auditing team"
Adventures at RSA 2006
Here is a weirdly fun picture; check it and see whether you would "get it" - http://raffy.ch/blog/?p=45
More data, more tools or more answers?
Here is a fun one (don't half of my posts start from this phrase... :-))
This post discusses what do IT people need: more data, better data or what?
BlogicBlog: View from the trenches: Quoted, but misunderstood: What's Missing from Production System Troubleshooting: "I do not ask for more data, I ask that the data format currently being used is reviewed to see whether it is actually useful for troubleshooting/monitoring and that concerned effort is made to change the format where it proves not to be useful."
Let's do a bit of analysis and thinking on this one. What do they need - just pick one:
1. More data
2. Better formatted data
3. More tools to mangle the data
4. More answers to their issues-of-the-moment
Now, please show me a person that would not pick #4 :-)
Thus, I think the focus should be on more intelligence and giving answers, not tools (or, tools that give answers! :-)) Better formatted data is certainly useful and will facilitate the quest for answers...
Thursday, March 23, 2006
On "Log Management and Analysis" as a market
Here is a fun bit for those interested in log analysis.
James Governor from the analyst firm RedMonk has this fun bit on the log management and analysis markets. He convincingly states that "log Management and Analysis as a market in its own right." Here are the quotes: "Where does compliance meet log management and analysis? In reporting. Its all about reporting. How do you get IT talking to the business? Provide reports in a language they understand - like Sarbanes-Oxley..."
Wednesday, March 22, 2006
Logblog: Log Guru Joins LogLogic…
Logblog: Log Guru Joins LogLogic…: "We continue to grow our world-class team, today announcing that Anton Chuvakin joins us as director, product management"
It definitely feels nice to be called a "guru," but that is not the whole story :-) LogLogic is an awesome place to work and the team here is truly world-class.
Thursday, March 16, 2006
An audit logging standard? Well, who knows it might happen this time...
Here is an interesting piece from Computerworld written by Oracle CSO Mary Ann Davidson. She indicates that NIST is taking charge of defining a common audit log standard. Can it actually happen? Maybe, if NIST can leverage the US government's purchasing power and demand support for such a standard from vendors. I would not say that the chance is very high, but, unlike failed standard projects like IDMEF and CIEL, this one seems to have the right players in place...
"Making the case for an audit standard" : "Having a common logging and auditing standard promotes the public good. "
A side note - best travel site ever
I've been booking some travel for myself lately, and thus this bit. Can you imagine an innovative travel site? Yes, a travel site so addictive that you just go and search it :-) OK, maybe not that addictive... If you find it hard to believe, go check out www.kayak.com. The AJAX interface does wonders for your online travel planning...
Warning: outbursts of "Expedia-hate" are possible as a result :-)
On latest advanced in phishing
One of the ways to save yourself from falling victim to a phishing attack is to make sure that a) SSL is there and b) the actual organization running the site is the one that owns the SSL cert.
Guess what? This is no longer sufficient - enter SSL phishing with similar cert owner name.
Security Fix - Brian Krebs on Computer and Internet Security - (washingtonpost.com): "The phishing site [...] is protected by a Secure Sockets Layer (SSL) encryption certificate issued by a division of the credit reporting bureau Equifax that is now part of a company called Geotrust."
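The check in the post above ("SSL is there, and the cert owner is the real organization") is only as strong as the comparison you make. The Python below is an added example, not code from this blog or from the Krebs article: it takes two certificate dicts constructed in the shape that `ssl.SSLSocket.getpeercert()` returns (one for a fictional bank, one for a look-alike organization with its own valid cert; all names are made up) and contrasts a "does the org name look like the bank" check, which both certs pass, with an exact check against a pin table of hostname, organization and issuer that you verified out of band. The `PINS` table and the hostnames are assumptions for the example.

```python
"""Verify who owns a TLS certificate, not merely that one is present.
Added example; the certificate dicts below are constructed in the shape
ssl.SSLSocket.getpeercert() returns and all names are fictional."""

# Constructed: what getpeercert() would give for the real bank's certificate.
LEGIT_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Bank N.A."),),
                (("commonName", "www.examplebank.example"),)),
    "issuer": ((("organizationName", "Example Trust CA"),),),
    "subjectAltName": (("DNS", "www.examplebank.example"),
                       ("DNS", "examplebank.example")),
}

# Constructed: a certificate legitimately issued to a look-alike organization
# that controls a look-alike hostname (the situation the post describes).
LOOKALIKE_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Bank Online Services"),),
                (("commonName", "www.examplebank-secure.example"),)),
    "issuer": ((("organizationName", "Some Other CA"),),),
    "subjectAltName": (("DNS", "www.examplebank-secure.example"),),
}


def subject_field(cert, field, section="subject"):
    """Read one attribute (e.g. organizationName) out of the getpeercert()
    tuple-of-tuples for the 'subject' or 'issuer' section."""
    for rdn in cert.get(section, ()):
        for key, value in rdn:
            if key == field:
                return value
    return None


def hostname_in_cert(cert, hostname):
    """True if hostname is covered by a DNS subjectAltName entry, either an
    exact match or a single leftmost wildcard label (*.example.test)."""
    host = hostname.lower()
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name.startswith("*."):
            if host.split(".", 1)[1:] == [name[2:]]:
                return True
        elif name == host:
            return True
    return False


def naive_owner_check(cert, expected_org):
    """The check the post calls no longer sufficient: 'the org name looks like
    the bank'. A substring comparison is satisfied by a look-alike name."""
    org = subject_field(cert, "organizationName") or ""
    return expected_org.lower() in org.lower()


# Constructed pin table (assumption for the example): for each hostname you
# expect to talk to, the exact subject org and issuer org verified out of band.
PINS = {
    "www.examplebank.example": ("Example Bank N.A.", "Example Trust CA"),
}


def pinned_owner_check(cert, hostname, pins=PINS):
    """Exact, pinned comparison: the hostname must be one you know, the cert
    must be valid for that hostname, and subject org plus issuer org must equal
    the pinned values. Look-alike names and unknown hosts fail."""
    if hostname not in pins:
        return False
    org, issuer = pins[hostname]
    return (hostname_in_cert(cert, hostname)
            and subject_field(cert, "organizationName") == org
            and subject_field(cert, "organizationName", "issuer") == issuer)


if __name__ == "__main__":
    for cert, host in ((LEGIT_CERT, "www.examplebank.example"),
                       (LOOKALIKE_CERT, "www.examplebank-secure.example")):
        print(host, "naive:", naive_owner_check(cert, "Example Bank"),
              "pinned:", pinned_owner_check(cert, host))
```

Run it and the look-alike cert passes the naive check but fails the pinned one, which is the whole point: "there is a cert and the name is similar" is not the same as "this is the organization I meant to talk to".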
On "vanishing privacy"
How about you? Would you wear a "life-recorder" if there were studies showing that it reduces the risk of some future violent crime? I guess for some the answer will depend on how the data is handled: for purely local data there is not much risk of a privacy violation, but, at the same time, your personal risks will not be mitigated as effectively (if the device is destroyed during the crime).
I suspect, given the massive storage requirements, it's a task for Google :-) And if they deploy world-wide WiFi (which I still doubt...), they can use it to stream video from "life-recorders" to a central location... ah, life in 2025 :-)
Bruce Schneier: Your vanishing privacy: "The typical person uses 500 cell phone minutes a month; that translates to 5 gigabytes a year to save it all. My iPod can store 12 times that data. A 'life recorder' you can wear on your lapel that constantly records is still a few generations off: 200 gigabytes/year for audio and 700 gigabytes/year for video. It'll be sold as a security device, so that no one can attack you without being recorded. When that happens, will not wearing a life recorder be used as evidence that someone is up to no good, just as prosecutors today use the fact that someone left his cell phone at home as evidence that he didn't want to be tracked?"
A fun consequence of RFID growth - extreme paranoia
Looks like there would be some correlation between broader RFID adoption and attendance at psychiatric hospitals. Here is a fun bit of RFID paranoia on [fake] "RFID chips" in US bills that allow satellite tracking. But it goes further from there:
Urban Legends Reference Pages: Business (Cache Point): "Some students have not picked up their new ID cards through the re-carding project, which ends today, because of a rumor that there is a locator chip inside the IDs so Purdue can track their whereabouts."
So, how far will this go? Will folks be afraid of having anything (hey, in a few years it might have an RFID chip?) If not, where does it stop? Let's see:
- fear of cell-phones
- fear of WiFi access
- fear of WAP/wireless access
- fear of anything small and expensive (it might have a built-in RFID)
- fear of IDs (they will soon have RFIDs)
What else? :-) What is the solution, really?
Wednesday, March 15, 2006
[Warning: Philosophical] Life and change :-)
So, how does it feel to leave something that you were deeply involved with for years and years? OK, I am talking about a job here :-) About one hour ago I left the office of my previous employer of 4 years, 1 month and 3 weeks (sorry, no day count :-)); and left to never come back.
I am a major fan of summaries in the end of everything :-), thus I will be preparing a longer summary blog post. For now, I will just give a heads-up to those in the Bay Area: see you soon :-) And yes, I am positive that my next job will be even more fun than the previous one (and, FYI, the previous was pretty durn fun :-))...
Tuesday, March 14, 2006
What is "IT Dark Matter"?
Here is a fun definition of "IT Dark Matter" (i.e. log files and other supporting information generated by computers, etc.) - Erik Swan » Blog Archive » IT dark matter: "IT Dark Matter does exist and it vastly outmasses the visible part of our datacenters."
Monday, March 13, 2006
Poll on "What do you do with system logs?"
I want to "annoy" my readership with another poll, on logs this time. It promises to be a fun one.
What do you do with system logs?: "The poll on 'What do you do with system logs?' aims at establishing 'best practices' for system, network and security log storage and analysis. "
Friday, March 10, 2006
Some fun notes on logs from my SANS presentation
So, as most of you know, a while ago [March 1] I did this fun presentation on "Baselining Logs and Audit Trails for Security" at SANS 2006. Besides the obvious benefit of going to a warm place (Orlando, FL) from colder New Jersey, it had some other interesting results.
I got a great audience response and a bunch of fun questions on how to best create log baselines and draw actionable conclusions automatically (or, at least, semi-automatically), which is what the presentation was largely about.
Also, a lot of people complained that while the step from ignoring logs and letting them rot to storing them diligently is a hard one for many companies, the next step from collecting to automated ['cause most folks don't have time for any other kind!] intelligent analysis is way harder and will probably not be undertaken unless smart analysis tools are provided.
Companies might go and build a syslog server, maybe add Kiwi for Windows logs, but most will stop short of implementing analytics on the logs...
The second thought that resulted from the presentation was that log collection and analysis for security is truly the most universal security problem. You think viruses are what everyone fears? Guess what, those running a Linux network do not. Spyware? Same answer. Spam? Those who use IM and internal-only mail are largely immune (or you can call on the phone :-)).
At the same time, everybody is drowning in logs, which can tell them a lot about their environment and security posture, if and only if they are analyzed!
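The post above talks about building log baselines and drawing conclusions from them automatically. As an added example (not from the SANS presentation or from this blog), here is a minimal baseline in Python: it learns per-host, per-program message templates from a historical window of syslog-style lines, then flags templates in a new window that were never seen during the baseline period or whose count spikes past a ratio of their baseline count. The log lines, hostnames, IP addresses and the ratio threshold are all constructed for the example.

```python
"""Log baselining: learn what is 'normal' from a historical window of log
lines, then flag deviations in a new window. Added example; the log lines
below are constructed, not taken from any real system."""
import re
from collections import Counter

# Syslog-style line: timestamp, host, program[pid]: message.
LINE_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) (?P<prog>[\w./-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Constructed baseline window: a quiet day on one host.
BASELINE = [
    "Mar 10 08:00:01 web1 sshd[101]: Accepted password for alice from 10.0.0.5 port 5001 ssh2",
    "Mar 10 08:05:12 web1 sshd[102]: Accepted password for bob from 10.0.0.6 port 5002 ssh2",
    "Mar 10 08:07:30 web1 sshd[103]: Failed password for bob from 10.0.0.6 port 5003 ssh2",
    "Mar 10 09:00:00 web1 CRON[200]: (root) CMD (/usr/bin/logrotate)",
    "Mar 10 10:00:00 web1 CRON[201]: (root) CMD (/usr/bin/logrotate)",
]

# Constructed new window: a burst of failed logins from an outside address
# and an account creation that never appeared in the baseline.
NEW = [
    "Mar 11 08:01:00 web1 sshd[301]: Accepted password for alice from 10.0.0.5 port 5101 ssh2",
    "Mar 11 08:02:00 web1 sshd[302]: Failed password for bob from 198.51.100.7 port 40001 ssh2",
    "Mar 11 08:02:01 web1 sshd[303]: Failed password for bob from 198.51.100.7 port 40002 ssh2",
    "Mar 11 08:02:02 web1 sshd[304]: Failed password for bob from 198.51.100.7 port 40003 ssh2",
    "Mar 11 08:02:03 web1 sshd[305]: Failed password for bob from 198.51.100.7 port 40004 ssh2",
    "Mar 11 08:10:00 web1 useradd[310]: new user: name=svc, UID=1005, GID=1005, home=/home/svc, shell=/bin/sh",
    "Mar 11 09:00:00 web1 CRON[400]: (root) CMD (/usr/bin/logrotate)",
]


def normalize(msg):
    """Reduce a message to a template: IP addresses and bare numbers become
    placeholders so that ports, PIDs and source addresses do not create a
    distinct key per line. Usernames are kept on purpose."""
    msg = re.sub(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", "<ip>", msg)
    msg = re.sub(r"\b\d+\b", "<n>", msg)
    return msg


def parse(lines):
    """Yield (host, prog, template) keys for lines that match LINE_RE."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield (m["host"], m["prog"], normalize(m["msg"]))


def build_baseline(lines):
    """Count how often each (host, prog, template) occurred in the baseline window."""
    return Counter(parse(lines))


def compare(baseline, new_lines, ratio=3.0):
    """Return findings for a new window, each as (kind, key, count, baseline_count):
    'new'   - the template never occurred in the baseline
    'spike' - it occurred at least `ratio` times more often than in the baseline
    """
    current = Counter(parse(new_lines))
    findings = []
    for key, count in current.items():
        base = baseline.get(key, 0)
        if base == 0:
            findings.append(("new", key, count, base))
        elif count >= ratio * base:
            findings.append(("spike", key, count, base))
    return sorted(findings)


if __name__ == "__main__":
    for kind, (host, prog, template), count, base in compare(build_baseline(BASELINE), NEW):
        print(f"{kind:5} {host} {prog}: {template!r} ({count} now vs {base} in baseline)")
```

With these inputs the comparison reports the `useradd` event as new and the `sshd` failed-password template as a spike (4 now versus 1 in the baseline); the successful logins and the cron job stay quiet because they match what the baseline already knew.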
Thursday, March 09, 2006
On "Meta-Yes/No" pattern
For those who are into NLP, here is a fun [relatively] novel pattern to try: the Meta Yes/No pattern. The detailed paper on the mechanics of this baby is here. For those needing a technical definition, this pattern is one of the "belief change" patterns, originating in Michael Hall's neurosemantics. For those needing a more emotional description, it rocks :-)
From Google/Writely to paranoid fantasies... or not?
So, is this guy full of ... paranoia, or is he onto something?
» Write no more? Threat Chaos ZDNet.com: "I would hate to be working on a spy thriller novel with lots of mentions of terrorists on Writely when Google's legal defenses finally break down. "
Book review of Ed Skoudis "Counter Hack Reloaded"
Now, when I picked Ed Skoudis’s second edition of “Counterhack” – titled “Counterhack Reloaded” – my expectations were set on “high” :) Since I read the first edition, I was happy to find the “what’s new” section.
The book is structured similarly to the previous one with new material on wireless, Windows 2003, “Google hacking”, exploitation frameworks, new rootkits, ADS and a fun data theft scenario, to top it off. Pretty much all the things that came into relevance after the book came out in 2001 are added. In fact, when I was reviewing the first book I asked for “more web attacks, novel application hacking and wireless stuff” and it looks like Ed delivered!
Just like the previous edition, it is a very well written infosec book! It has all the components of a great book: logical presentation style, broad material coverage from concepts to command line switches, Ed's characteristic humor, and, of course, plenty of details on attacks and defenses. Years of teaching at SANS show, and even the esoteric subjects are explained with uncanny clarity.
"Counterhack Reloaded", just as its predecessor, starts from networking, Unix/Linux and Windows primers. The book then presents a typical attack sequence (from recon to maintaining access) and goes into detail on all its stages. A distinctive feature of the book is that the security tool descriptions are presented not as "man page rephrases" - a senseless stream of options and parameters - but instead woven into the fabric of the attack flow, thus making it much more interesting and fun to read. My favorites are the chapters on covering the tracks and maintaining access and the scenarios at the end.
The book is still focused more on the attack side, while containing tips on protecting against and blocking the various described attacks. Overall, the book is a very useful addition to any security book library, even if you already have the first edition. The only criticism - which is highly likely specific to me - is that the book seems more useful for beginners than for seasoned pros. The latter will still find it useful, but more cutting edge stuff would be better (yeah, I am talking about virtual machines here... hint-hint).
My poll on log storage
If you feel like responding to another poll, here is a fun one on log file storage: What do you do with your system and network logs?
Again, I will likely summarize and review the results in a later post.
Looks like I have another blog here :-)
It turned out that, as a book author, I am eligible to sign up for "Amazon Connect", which provides a blogging platform. I guess I will have to find time to fill three blogs :-)
Wednesday, March 08, 2006
On ideal jobs
Here is a fun bit from Penelope Trunk's newsletter on jobs, called "Brazen Careerist" (subscribe at brazencareerist-on@penelopetrunk.com)
Does your job satisfy these criteria?
Quote from the newsletter: "Here's what I would ask for in a job, and it's the same thing I looked for in a spouse:
- Fair
- Fun
- Mind-expanding
- Interesting
- Consistent with my values
- Leaves space for the other parts of my life "
Tuesday, March 07, 2006
On hacking contests and local vulns
Now, what makes you think that your OS does not have local vulnerabilities (defined here as those that require authenticated access either physically at the keyboard or remotely via whatever remote interactive connection)? No, really?
Modern Linux distros ship with literally thousands of apps, and so do OS X (and other BSDs). Do you really think that all those [often third-party] apps were coded following the latest secure coding guidelines and then audited by secure coding experts? Hah! :-)
Winner mocks OS X hacking contest CNET News.com: "Participants were given local client access to the target computer and invited to try their luck.
Within hours of going live, the 'rm-my-mac' competition was over."
Also: "Mac OS X is easy pickings for bug finders. That said, it doesn't have the market share to really interest most serious bug finders," Gwerdna added. "
And I totally agree with this post by the Matasano folks: "but this isn't about how talented they [the attackers who got in] are, or a statement on the security of OS X. This is really a testament to how blindly arrogant people can be about touting the security of an operating system."
Indeed, we live in the world where perception=reality. So, has security of Mac OS X suffered a serious blow? No, not at all. But has the perception of Mac OS security suffered? Yes, most certainly. Then see the above equation :-)
Monday, March 06, 2006
On security scandals
For those who wish to watch a great fun scandal unfold in a security realm, check out this one: mysterious MARA (http://www.mobileav.org/) vs anti-virus companies.
Here is an excerpt from a pretty exciting ZDnet article summarizing some [real or made-up, who can really tell] "facts" about the case.
Standoff over PC-to-mobile jumping code Tech News on ZDNet: "MARA researchers said that some antivirus companies had attempted to 'bully' the code out of them, while the antivirus companies say they aren't prepared to comply with the conditions that MARA wants to impose on them before they get access to the code for Crossover."
In any case, for open sharing of malware samples head out to "Offensive Computing"
On connecting to others' wireless network
Here is a fun bit on wireless connection"theft"; it looks like its becoming more socially acceptable (I guess kinda like music piracy :-) already is). In fact, my shocking moment in that area came when I was having lunch in NYC with a couple of security folks (of non-hacker origins, mind you) and we needed Internet access to check something we discussed. One whipped out his laptop and exclaimed "Well, its the 21st century - you know what to do, just use your neighbor wireless" and proceeded to connect to somebody's wireless network :-)
Hey Neighbor, Stop Piggybacking on My Wireless: "'Piggybacking, the usually unauthorized tapping into someone else's wireless Internet connection, is no longer the exclusive domain of pilfering computer geeks or shady hackers cruising for unguarded networks. Ordinarily upstanding people are tapping in. "
On the other hand, it's kinda hard to qualify something as a crime if Windows XP does it by default :-)
Sunday, March 05, 2006
On "Citibank under fraud attack"
It is indeed amazing why this is not getting more attention.
Boing Boing: Citibank under fraud attack, customers locked out of accounts: "Also, it seems this incident is receiving little media attention, which begs the question: for each massive security breach we do hear about at Citibank or other large financial institutions, how many more occur without our awareness? "
And yes, a good question indeed. I suspect the answer will be "many"....
More and more on security consolidation
Here are some fun quotes on security consolidation. My recent post kind of explains how these debates fit into a bigger picture of whether security will ever "get done" ...
Infosecurity Magazine in article called "Game Over?": ".'I don't see why security is any different from any other industry. The day will come when we have maybe one or two or three significant players in the space,' says Liberty Mutual CISO Scott Blake. 'That's the nature of capitalism.' "
chargen 19/udp: Self-interested Rambling on Consolidation: "So I'm conflicted: on the one hand, the consolidation meme seems to have legs (it seems like it should be harder to bring an IPS to market now than in 2000 --- though given the margins you can command with one, maybe that's a silly thought). On the other hand, the factoid about the thundering herd of security companies seems artificial too. "
Will security ever "get done"?
Here is a fun piece that I wrote recently, based on some stuff I read in the security media. I was planning to publish it elsewhere, but this place is as good as any other :-)
Will security ever get done?
by Anton Chuvakin
Here is a fun thing to think about: with security, will we ever really be "done"? Before you, my esteemed security colleague, emphatically scream "NO!", let us consider this - admittedly philosophical - problem in depth. There is also a related question that we will try to answer en route to the above more general pursuit: will security become so boring that only boring people will do it (something akin to physical security guards)? In addition, we will touch on another "messy question," the one of "security consolidation", that generated some attention lately (see, for example, this, this or this, where some pundits and pundit wannabes spout about it...)
Before we hear some pro and con arguments, let’s stop and think for a second: what security are we talking about? Network security? Software security? IT security? Data security? Or, information security in general? I would prefer to have this question answered for the broader information security realm.
So, why do some folks think that the "security problem" will be solved in the future?
Why do others violently disagree?
In addition, some folks aggressively attack the pro arguments instead of coming up with their own cons. Specifically they claim:
Certainly, there will be consolidation in the security market, and defenses will get embedded in both operating systems and network gear, eliminating some of the standalone network and system defense solutions. It is also likely that some types of bugs will be eliminated, if not by the good will of developers then by changes in the commonly used programming languages.
But, on the other hand, the explosive combination of the march of ever-more-critical new connectivity technologies with the presence of dedicated evildoers will, in my opinion, guarantee that information security will remain relevant, vital and fun for years to come! Security technology innovation will not dry up any time soon.
Dr Anton Chuvakin, GCIA, GCIH, GCFA is a recognized security expert and book author. A frequent conference speaker, he also participates in various security industry initiatives and standard organizations. He is an author of a book "Security Warrior" and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and the upcoming "Hacker's Challenge 3". He also published numerous papers on a broad range of security subjects. In his spare time he maintains his security portal http://www.info-secure.org and two blogs.
Will security ever get done?
by Anton Chuvakin
Here is a fun thing to think about: with security, will we ever really be “done”? Before you, my esteemed security colleague, emphatically scream “NO!” let us consider this – admittedly philosophical – problem in depth. There is also a related question that we will try to answer en route to the above, more general pursuit: will security become so boring that only boring people will do it (something akin to physical security guards)? In addition, we will touch on another “messy question,” the one of “security consolidation,” that generated some attention lately (see, for example, this, this or this, where some pundits and pundit wannabes spout about it…)
Before we hear some pro and con arguments, let’s stop and think for a second: what security are we talking about? Network security? Software security? IT security? Data security? Or, information security in general? I would prefer to have this question answered for the broader information security realm.
So, why do some folks think that the “security problem” will be solved in the future?
- OS and application vendors will improve the security of their wares and gear so that security problems will not gather as much attention as now
- Network infrastructure vendors will “embed” security in their offerings and thus address a wide range of current “top shelf” security problems, such as worms, overall reducing the importance of security
- Similarly, large security companies will combine all sorts of defenses into largely automated “security bundles” and will “protect everybody” with them
- As new technologies develop, people will learn from the mistakes that plague us now and will start doing things right from scratch (e.g. IPv6 vs IPv4 situation)
- In particular, new software projects will “build security in” and thus will not provide such a huge attack surface as do the current “crapware” products
- IT users, both home and the enterprise kind, will finally be educated and thus will avoid the most costly security mistakes, such as running untrusted code (OK, this one is just a tad too naïve to be mentioned here, if not for the sake of completeness)
Why do others violently disagree?
- New technologies that use the Internet and whatever other future networks will come out, some say at an increasing pace, and thus result in a dramatic increase in the number of “things to steal, break and abuse”
- Overall increased connectivity will also enable new attacks and open new exposures, thus requiring novel, creative solutions
- In general, new threats will always be there because there is no shortage of people who are smart, creative and evil all at once
- Increased reliance on IT systems will strengthen the resolve of cyber-criminals and all sorts of other bad guys to “go cyber” instead of committing “normal” crimes (“…since that is where the money is”)
- New uses of old technologies – networked fridge anyone? – will also open holes and exposure in the areas where none mattered before (SCADA security is one fine example)
- Economics always favors fast product delivery and thus lowers the quality of released current and future software; even though it might be devoid of obvious and easily found flaws, it will still be exploitable
- Increased regulatory pressure will sometimes create the need for new uses of existing security technologies, or even motivate people to create entirely new security technologies (scalable log retention for compliance comes to mind)
In addition, some folks aggressively attack the pro arguments instead of coming up with their own cons. Specifically, they claim:
- OS and other infrastructure vendors will always lag behind, since, by the very nature of being large established companies, they cannot respond to the “fast lane” rate of threat change
- IT users will not learn and in fact will become worse, since the overall population is getting dumber (note that I am not sure I agree with this one…)
- Software developers will also not learn from the mistakes and, in fact, will repeat them, since economics seems to favor bad software quality
Certainly, there will be consolidation in the security market, and defenses will get embedded in both operating systems and network gear, eliminating some of the standalone network and system defense solutions. It is also likely that some types of bugs will be eliminated, if not by the good will of developers, then by changes in the commonly used programming languages.
But, on the other hand, the explosive combination of the march of ever-more-critical new connectivity technologies with the presence of dedicated evildoers will, in my opinion, guarantee that information security will remain relevant, vital and fun for years to come! Security technology innovation will not dry up any time soon.
Dr Anton Chuvakin, GCIA, GCIH, GCFA is a recognized security expert and book author. A frequent conference speaker, he also participates in various security industry initiatives and standard organizations. He is an author of a book "Security Warrior" and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and the upcoming "Hacker's Challenge 3". He also published numerous papers on a broad range of security subjects. In his spare time he maintains his security portal http://www.info-secure.org and two blogs.
Friday, March 03, 2006
Israeli Software Company Faces U.S. Probe - Forbes.com
OMG, do those guys even know that it is an open-source technology!!!
Israeli Software Company Faces U.S. Probe - Forbes.com: "objected forcefully to permitting any foreign company to acquire some sensitive Sourcefire technology for preventing hacker break-ins [i.e. Snort - this is my comment] and monitoring data traffic"
Duh! Internet Search Still Needs Improvement...
I posted a few times on a couple of pretty bad surprises while using Google. Looks like other folks picked it up too. Here is a fun post from a VC:
A VC: In Search of a Better Algorithm: "Why am I telling you all this? Because as great an experience as searching the Internet is on Yahoo!, Google, Microsoft, or Ask, Internet search is still a very primitive technology. "
And he asks another reeeeeally good question:
"Will Google, Yahoo!, Microsoft, Ask and others continue to invest in improving text search or move their efforts to searching other forms of media?"
On Limitations of Web Content Filtering (BoingBoing banned in UAE, Qatar, elsewhere)
OMG, that is one of the worst things that a security company might do (apart from letting an attack through, of course ...)
BoingBoing banned in UAE, Qatar, elsewhere: "At fault in most of these cases is a US-based censorware company called Secure Computing, which makes a web-rating product called SmartFilter. But SmartFilter isn't very smart. Secure Computing classifies any site with any nudity -- even Michelangelo's David appearing on a single page out of thousands -- as a 'nudity' site, which means that customers who block 'nudity' can't get through. "
"Why is SmartFilter content to deliver a product with a 99.5 percent false-positive rate? Because it has promised its customers that it will stop their users from seeing nudity (fat chance -- it's a dead certainty that Smart Filter has failed to class innumerable sites containing nudity), and punishing 24,875 nudity-free posts to get at 125 that contain mild or "art" nudity is fine by them."
Technically, that is not exactly a "false-positive rate" (the number they quote is the share of blocked posts that contain no nudity at all), but rather a major product design flaw (rating a whole site on the basis of a handful of pages) mixed with some management decision stupidity... BoingBoing even started a resource guide on that very subject.
TaoSecurity on Jericho Forum-inspired Silliness
Richard Bejtlich brought up this funny (well, maybe it even scales up to "not-even-funny" :-)) in his blog post TaoSecurity: Gartner vs Jericho : "Ken Douglas, technology director of BP, told the UK Technology Innovation & Growth Forum in London on Monday that 18,000 of BP's 85,000 laptops now connect straight to the Internet even when they're in the office.
Are they serious? Is this some sort of Darwin-esque test? If your laptop is tough enough to survive on its own, you'll love working for BP. If your laptop isn't tough enough, well... we can't kill your laptop, so you'll just provide more headaches for the help desk. "
Somebody submit them to StupidSecurity.com, please! How can anybody who associates himself with the security profession forget about defense-in-depth?
On a related note, I did blog about their take on "de-perimeterization" before and concluded that the main value of such a forum is a "chance for CXOs to expense trips to exotic locations" where such forums meet... :-)
On Litigation-quality Log Data
The subject of "court-admissibility" and "litigation-quality" of computer records, such as log data, is long known to be controversial and ambiguous. And it is well known that only an actual court case can reliably establish the admissibility of a specific piece of evidence. Here is some fun discussion on whether only raw (i.e. not further processed) logs, or also tokenized (parsed and stored in a database) logs, may be used.
Raffy’s Computer Security Blog » Log Management Article - My Comments: "On the same topic of litigation quality data, the author suggests that a copy of the logs is saved in the original, raw format while analysis is done on the other copy. I don’t agree with this. I know, in this matter my opinion does not really count and nobody is really interested in it, but I will have some proof soon that this is not required. I am not a lawyer, so I will not even try to explain the rationale behind allowing the processing of the original logs and still maintaining litigation quality data. "
Here is a pointer that might shed some light on this subject: "Computer Records and the Federal Rules of Evidence". It summarizes three challenges to the admissibility of log data. Namely:
"Challenges to the authenticity of computer records often take one of three forms.
First, parties may challenge the authenticity of both computer-generated and computer-stored records by questioning whether the records were altered, manipulated, or damaged after they were created.
Second, parties may question the authenticity of computer-generated records by challenging the reliability of the computer program that generated the records.
Third, parties may challenge the authenticity of computer-stored records by questioning the identity of their author."
To me ("I am not a lawyer, etc") it seems that Raffy is right: database storage by itself should not endanger admissibility, in general. But if your parsing rules for stuffing records into a database are buggy (i.e. invoking the above reliability challenge!) - ah, now we are talking perverse fun and lawyer fees! :-)
Another person chimes in. Cfrln » Blog Archive » fact and fiction about chain of evidence: "The real admissibility problem is if the court can’t be satisfied that the output hasn’t been intentionally altered to hide the truth, or if there’s uncertainty about how the output of a message actually ties to real activity. Any potential for crackers or malicious insiders to intercept messages in their path from original action, through various programs, across the network, via direct filesystem access, etc. is an issue. Any lack of transparency or change control on any of the programs involved in handling log processing is also a problem."
This bit also points in the same direction: the database by itself does not seem to be a problem, but fuzzy, unreliable and insecure code used to stuff it might be...
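To make the above concrete, here is an added example (my own illustration, not code from any of the posts quoted above or from any log management product) of how one might keep both sides of this argument happy: the raw lines are archived unchanged and linked with a hash chain (so the "altered after creation" challenge can be answered by re-verifying the chain), every parsed record carries the sequence number and hash of the raw line it came from, and a separate audit step reassembles each parsed record and compares it to its raw origin (so a parser bug of the kind that invokes the "reliability of the program" challenge shows up as a mismatch rather than going unnoticed). The sshd log lines, the regex and the parser version string are constructed for this demo. None of this makes logs admissible by itself; it only gives you something to show when the questions above get asked.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed sample syslog/sshd lines for the demo (not real data).
SAMPLE_LOG = """\
Mar  2 10:15:01 web1 sshd[2123]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Mar  2 10:15:09 web1 sshd[2130]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Mar  2 10:15:10 web1 sshd[2130]: Connection closed by 203.0.113.7 port 40122 [preauth]
"""

# Hypothetical parsing rule: classic syslog header followed by the free-text message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w/.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
PARSER_VERSION = "syslog-regex-1"   # recorded with each row so the parser can be identified later

GENESIS = "0" * 64


@dataclass
class RawEntry:
    seq: int        # position in the archive
    line: str       # the raw line, stored unchanged
    line_hash: str  # sha256 of the raw line
    chain: str      # sha256(previous chain value + line_hash): tamper-evident chain


def archive_raw(text: str) -> list:
    """Store raw lines unchanged and link them with a hash chain."""
    entries, prev = [], GENESIS
    for seq, line in enumerate(text.splitlines()):
        lh = hashlib.sha256(line.encode()).hexdigest()
        prev = hashlib.sha256((prev + lh).encode()).hexdigest()
        entries.append(RawEntry(seq, line, lh, prev))
    return entries


def verify_chain(entries: list) -> bool:
    """Recompute every hash; any edited, dropped or inserted line breaks the chain."""
    prev = GENESIS
    for e in entries:
        lh = hashlib.sha256(e.line.encode()).hexdigest()
        prev = hashlib.sha256((prev + lh).encode()).hexdigest()
        if lh != e.line_hash or prev != e.chain:
            return False
    return True


def parse_entry(e: RawEntry) -> dict:
    """Turn one raw line into a structured record that still points at its raw origin."""
    rec = {"raw_seq": e.seq, "raw_hash": e.line_hash, "parser": PARSER_VERSION}
    m = SYSLOG_RE.match(e.line)
    if m is None:
        # Never silently drop: an unparsed line is still evidence, keep it verbatim.
        rec["parse_error"] = True
        rec["raw_line"] = e.line
        return rec
    rec.update(m.groupdict())
    return rec


def parse_all(entries: list) -> list:
    return [parse_entry(e) for e in entries]


def audit_parsed(records: list, entries: list) -> list:
    """Reliability check for the parser: each record must reference an existing raw line
    with a matching hash, and its fields must reassemble to exactly that line.
    Returns the raw sequence numbers of records that fail."""
    by_seq = {e.seq: e for e in entries}
    bad = []
    for r in records:
        e = by_seq.get(r["raw_seq"])
        if e is None or e.line_hash != r["raw_hash"]:
            bad.append(r["raw_seq"])
            continue
        if r.get("parse_error"):
            continue
        rebuilt = f'{r["ts"]} {r["host"]} {r["prog"]}[{r["pid"]}]: {r["msg"]}'
        if rebuilt != e.line:
            bad.append(r["raw_seq"])
    return bad


if __name__ == "__main__":
    raw = archive_raw(SAMPLE_LOG)
    rows = parse_all(raw)
    print("chain ok:", verify_chain(raw), "audit failures:", audit_parsed(rows, raw))
```

The design choice worth noting is that the parsed rows are disposable: if the parser turns out to be buggy, you re-run a fixed parser over the same raw archive and re-audit, and the chain value of the last raw entry is the one thing you need to have recorded out-of-band (printed, mailed, written down) at capture time for the "not altered afterwards" argument to hold.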
Thursday, March 02, 2006
Just how much fun is log analysis? Yeah, that much fun.
I missed the SANS panel on log analysis this week (I presented the next day, also on logs...), but here is a fun account that anybody involved with logs should read. A quote: "If I’d said you could pull together around 200 people excited about log management to a 9.30pm panel discussion (on a Sunday night), you’d probably have thought I was mad. Well, that’s just what happened at SANS in Orlando this past Sunday."
A Confusion of "IT Search Engine vs. Log Consolidator"
Here is a great post that casts some "much needed" :-) confusion onto the space of computer log analysis:
Cfrln » Blog Archive » IT Search Engine vs. Log Consolidator - what’s the difference?: "But they simply do not provide the easy, instantaneous search of everything on your network."
So if some "log consolidator" or SIEM product starts doing searches really well, then the above argument becomes completely empty...
Wired News on Space Weapons
Wired News on Space Weapons "'This massively costly program under way today is not really about defense,' he said. 'The true purpose of this arms program is to control and dominate space. And whoever controls space will control the Earth.'"
So, again, how is it a bad thing?
Wednesday, March 01, 2006
Guy Kawasaki on GBAT [humor]
No description will do it any justice - just read it - Bona tempora volvantur--by Guy Kawasaki: GBAT: Score High and Cry and cry (eh, I mean, laugh!)
"Information Security" magazine in decline?
As I mentioned some time ago in my other blog post on security magazines and journals, I am trying to read every publication related to information security (no, please don't think that I have too much time :-)), even though some of them provide mostly humorous relief while illustrating that both stupidity and ignorance abound in the security industry...
However, "Information Security" magazine was always one of my favorites due to its relatively balanced and error-free coverage as well as fun topics. Compared to such assclowns as "SC Magazine" , they were light-years ahead.
When I picked up a Feb 2006 issue at RSA this year, I was shocked. The product reviews are usually the first to go if a publication is sinking. Infosec Mag's reviews used to be OK, if not even good (for example, check out Ed's and Mike's awesome IPS bakeoff). What do we find in their Feb issue?
What is the best IDS for 2006 (from both host- and network-based)? Snort? ISS? NFR? Dragon? Intruvert? Noooo, it's CA eTrust! Bua-ha-ha-haaaa :-)
If you want more "information" that is firmly in the domain of "security humor", check out the whole list here.
You guys should bring Andy Briney back! Right now!
On Spire Security Viewpoint - Anti-vuln Research
Ah, Pete Lindstrom goes at it again in his post: Spire Security Viewpoint: So Generic (and Wrong) It Hurts: "And here's the thing: we think we can control the threat environment even when we can't, and we aren't preparing anyone for attacks, even though they are as likely today as they would be if we never disclosed another vulnerability again."
So, is vulnerability research evil? Yes? No? Check out his post...
On "Cross Platform Security Analysis"
Here is one more of my older security papers, that I wanted to highlight: "Cross Platform Security Analysis"
On CISSP... again.
David Bianco says in his Infosec Potpourri: I'm finally caving in... post: "It seems to me as though I've detected a bit of a pattern, though: the more comfortable a person is working with technical matters, the less likely they are to respect the CISSP."
Apart from CISSP jokes, the perspective I like is that it is a cert for followers, not leaders. Check out what I said in the comments to his post.
Are there certs for leaders? I dunno, but this ain't it :-)
One more reason for anti-CISSP frenzy is that it is billed as a cert for technical people, but it doesn't test any of the tech skills....