This is Anton Chuvakin original blog (pre-Gartner) that I will now use to backup my Medium blog content (2023+)
Friday, April 28, 2006
On Pete's "Allow me to Defend Michal Zalewski"
Spire Security Viewpoint: Allow me to Defend Michal Zalewski: "Here's the interesting thing about Zalewski's approach: if it inspires a lot of 'shock and awe' in you, then you are nowhere near able to protect your environment in a reasonable manner."
TaoSecurity on Demonstrating vs Maintaining Compliance
Is it, really? I feel this is an important thing to think about, but I am not sure yet that it is indeed sad. You might think you are "doing OK" compliance-wise, but if you cannot prove it, you are in trouble...
Dumb Security Humor: "Security startup targets 0day problem"
Security startup targets 0day problem InfoWorld News 2006-04-28 By Robert McMillan, IDG News Service: "company developed software that scans network traffic for known exploits, called 0days"
Do Engineers Ever Lie?
Some fave examples are
4. "Our architecture is scalable."
5. "The code supports all the industry standards."
7. "We have an effective bug reporting database and system."
10. "This time we got it right."
Read on.
Do you Work for One of Those? Signs that Your Employer is Sinking!
Six Early Signs That a Company Could Be Headed for Failure - Los Angeles Times: "Here are six early warning signs of potential trouble:
• Not being focused on the core business: Straying from the business' main product or service is a common problem.
• A headstrong CEO: It takes a strong will to start and run a business, but that disposition can make it difficult for advisors to convince an entrepreneur or small-business owner that unwelcome changes are necessary.
• Conversion to a new computer system: Combining computer accounting and operations systems looks like a great idea on paper, and many companies make the change without a serious hitch.
• Lack of a timely cash-flow forecast. [...] Do all businesses understand that? No. The ones who stay in business do.
• Lack of clarity on the profitability of each customer and product. This is one of the first things a turnaround specialist will look at. A successful company will periodically analyze what's driving its cash flow. "
Thursday, April 27, 2006
Good or Evil: Make Your Pick!
a) this man hacked and stole, needs to go to jail now :-)
b) this man revealed a weakness and got persecuted unfairly
Category a) from the assclowns of "SC Mag" - "The U.S. Department of Justice (DOJ) announced yesterday that it charged a San Diego man for hacking into the University of Southern California’s student application system and accessing personal records."
Category b) from Emergent Chaos - "The clear message: Next time, don't tell. "
Who is right? We might never know...
Are you owned? Quite likely, actually :-)
- "Hackers Hack!' - Proclaims Famed Security Guru!"
- "Urgent News! Companies are Insecure!"
- "A New Worm Worms Around the Web. Doomsday Near..."
- "We are Not Winning the War Against Hackers!"
- "We are Winning the War Against Hackers!"
Here is one of a more subtle kind:
One-third of companies don't know if they've been hacked - IT Security News - SC Magazine US: "Research of 293 senior managers carried out by polling company YouGov, found 33 percent did not have any idea if their network had been breached. "
I remember when I wrote this paper that covered compromise discovery, folks contacted me and reported that most companies they've seen have a few boxes permanently owned by various parties...
Risk Exaggeration Summary from Bruce Schneier
Here is a fun and useful one from Bruce Schneier : "five different tendencies people have to exaggerate risks" i.e. "to believe that something is more risky than it actually is. "
- People exaggerate spectacular but rare risks and downplay common risks.
- People have trouble estimating risks for anything not exactly like their normal situation.
- Personified risks are perceived to be greater than anonymous risks.
- People underestimate risks they willingly take and overestimate risks in situations they can't control.
- People overestimate risks that are being talked about and remain an object of public scrutiny."
"Do dedicated security vendors have a future?"
This paper with the same name discusses just that and has some good points. Check out these quotes:
"McAfee proudly proclaims itself “the largest dedicated [IT] security company in the world”. Based on revenues this is a fair claim—it is some way ahead of closest rivals Check Point and Trend Micro for that crown. But is a dedicated security company really the best thing to be in 2006 and beyond?"
"If a crown was being awarded for “security revenues” then it might well go to Symantec, but it would be a close run thing with Cisco, currently the world's largest networking equipment vendor (it will be demoted to number two if the Lucent/Alcatel merger gets approved)."
"With giants like Cisco and Microsoft building security into their infrastructure and Symantec diversifying into storage and building security into its new offerings, will there be any place left for dedicated security vendors in the long term? ... There probably will be, providing they stay ahead of the game, i.e. keeping on top of emerging threats and coming up with innovative new products to counter them. "
"The revenue share of the IT security market going to dedicated vendors will decrease more and more with time."
This reminds me this old blog post.
Great Resource Site: "E-Evidence Information Center"
Tuesday, April 25, 2006
Speaking at USMA, West Point
So, tomorrow I am giving a guest lecture on log analysis and forensics at United States Military Academy at West Point. I'll post a follow-up telling everybody how it went.
I did speak at the FBI Academy back in 2002, during the Honeynet Project tour. It sure was fun!
UPDATE: slides posted.
Where's the real underground these days?
Dancho Danchev - Mind Streams of Information Security Knowledge!: Wild Wild Underground: "Where's the real underground these days, behind the shadows of the ShadowCrew, the revenge of the now, for-profit script kiddies, or in the slowly shaping real Mafia's online ambitions? "
Next for air travelers: Standing room only? - Technology - International Herald Tribune
Next for air travelers: Standing room only? - Technology - International Herald Tribune: "Airbus has been quietly pitching the standing-room-only option to Asian carriers, though none has agreed to it yet. Passengers in the standing section would be propped against a padded backboard, held in place with a harness, according to seating experts who have seen a proposal"
Happy vs Rich?
"NPR had a great segment over the weekend on the secret to happiness about this year’s most popular class at Harvard is Psych 1504, also known as “how to get happy.” Apparently the most popular class – until recently – was an economics class also known as “how to get rich.”"
What's that, a new trend? :-)
Monday, April 24, 2006
SIEM Market is a Failure... Now we Know Why!
"I have always regarded Security Event Management (SEM) as the most dysfunctional segment in the security industry."
"SEM vendors would always preach rapid response and attack prevention, even though they only examine log file entries written long after the attack has come and gone."
"It has just been a brain-dead market segment."
And, on the other hand, what is needed is a "good place to collect, filter, and manage audit logs of corporate activity."
In other words, log management with a brain (intelligence). Because "you wouldn't think of running your business without independent corporate auditing, you shouldn't think of running IT without auditing"!
Winning, Losing - Ah, Come on!
Network Security Blog: We're not winning the war against hackers: "The Register is running an article that called
Wednesday, April 19, 2006
Time to Start 2007 Security Predictions?
"CISSP is a self-perpetuating myth"
Well, to some extent the "self-perpetuating" part is true of any certification, but the "myth" part ... well, that's special to this case :-)
Tuesday, April 18, 2006
CISSP quote of the week or pick your poison
Quote One: "Also, the majority of attacks in the wild are well-known and easily detected and blocked."
Quote Two: "I'm going to go out on a limb here and say that the majority of real attacks in the wild are probably 0days or difficult to detect or block. The latest IE bug is, of course, both."
Hehe, which camp are you with? :-)
It Ain't Fair, Ya Know! :-)
Metricon 1.0 Call For Papers (CFP)
Emergent Chaos: Metricon 1.0 Call For Papers
Conceived by the SecurityMetrics.org team during RSA 2006 (with yours truly involved a bit as well...)
ISP Log Retention: Evil Incarnate or World Savior? :-)
ISP snooping gaining support CNET News.com: "Internet providers generally offer three reasons why they are skeptical of mandatory data retention:
- first, it is not clear who will be able to access records of someone's online behavior;
- second, it's not clear who will pay for the data warehouses to be constructed; and
- third, it's not clear that police are hindered by current law as long as they move swiftly in investigations. "
InformationWeek Security | 10 Infamous Moments In Security Research | April 17, 2006
InformationWeek Security 10 Infamous Moments In Security Research April 17, 2006: "10 Infamous Moments In Security Research "
Examples are:
1. SQL Slammer
...
6. Oracle PLSQL gateway
etc
On who is the inventor of the firewall
When was the last time you saw "Network World" get something right? :-)
Book review "Security Log Management: Identifying Patterns in the Chaos"
Yuck! The book starts from a hodge-podge of examples, which, if entertaining at times, doesn’t lead to any meaningful lessons and thus doesn’t deliver the value it could have produced. The same applies to the material selection for the book, which, as a result, suffers from a complete lack of logical structure. Even Ch 1 “Log Analysis: Overall Issues” barely touches on analyzing logs and clearly doesn’t cover any “overall issues.” Also, the authors have undoubtedly trademarked the concept of the random irrelevant picture or graph...
In addition, the book reveals many areas where authors are deeply befuddled. ESM chapter (‘Enterprise Security Management’) is one such example, where such confusion reigns supreme. They can talk about ‘ESM process’ and claim that ‘ESM is not a tool’ in one sentence and then describe ‘ESM tools’ in the next one. On top of that, if you are looking for some arcane security humor, try understanding their ROI calculation in the chapter (‘Cost of problem’ + ‘Cost of solution’ …)
One would think that they can get something as (relatively) simple as firewall reporting right (chapter 3). One would think that – and one would be wrong… The reader is still left with no answers to questions such as ‘what summaries, statistics and reports he/she should collect and how to do it.’
As far as style is concerned, the book carries unfortunate signs of being written by a group of authors who didn’t talk to each other much. Furthermore, what adds insult to injury is the truly excessive amount of quoted source code, which plainly doesn’t belong in the book, but on the website, CD, etc (were the editors asleep at the wheel?)
To conclude, the book does have some relationship to patterns and chaos: the patterns in your brain will immediately turn into chaos after you are done reading it, provided you would even finish it. My suggestion is to avoid this largely useless title and save the money for better books (such as Bejtlich’s or countless others).
Dr Anton Chuvakin, GCIA, GCIH, GCFA (http://www.chuvakin.org) is a recognized security expert and book author. A frequent conference speaker, he also represents the company at various security meetings and standards organizations. He is the author of the book "Security Warrior" and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and the upcoming "Hacker's Challenge 3". Anton has also published numerous papers on a broad range of security subjects, such as incident response, intrusion detection, honeypots and log analysis. In his spare time he maintains his security portal http://www.info-secure.org and two blogs.
Monday, April 17, 2006
Change or Die!?
Change or Die: "Meanwhile, the leaders of a company need 'a business strategy for continuous mental rejuvenation and new learning,' he says. Posit Science has a 'fifth-day strategy,' meaning that everyone spends one day a week working in a different discipline. Software engineers try their hand at marketing. Designers get involved in business functions. "
On Plasma Shields
Defense Tech: Stealth's Radioactive Secret: "Plasma aerodynamics offers tantalizing promises of improving aircraft performance. By producing a thin layer of charged particles around an aircraft you can change the behavior of the boundary layer, significantly reducing friction. The charged layer also absorbs radar, improving stealth."
and even this:
"The Russians seemed to be years ahead, even marketing a plasma stealth add-on device said to reduce radar returns by a factor of a hundred."
"Column or data sheet?"
But how do you tell one from the other? Challenge yourself to this "contest", by the Matasano gang:
Matasano Chargen » Our Peabody-Award-Winning Game Show:: "Column or data sheet? You be the judge."
Updated my Wikipedia Page!
On the Utility (Futility?) of HIPS?
Fwd: [Dailydave] RE: We have the enemy, and the enemy is... you: "Verdict [on HIPS]: Don't buy them! Don't spend the time and the energy to get them to work for your enterprise. There are several reasons for me to say this but I would like to first start offering you the alternative. Instead: Pay attention to what MSFT is doing!"
Others violently disagree...
Software Engineer - The Best Job Today?
The Standard - China's Business Newspaper: "Software engineers are said to have the best jobs in America, followed by college professors and administrators and then financial advisers."
On Security As Insurance
How about "security as insurance"? Just watch Pete Lindstrom flatten this one: Spire Security Viewpoint: Security <> Insurance: "Sure, insurance is useful. But the implication is that it is okay to do less preventive stuff. I think insurance needs to be treated as a last resort."
Saturday, April 15, 2006
On "Microsoft silently fixing security vulnerabilities"
[Dailydave] Microsoft silently fixes security vulnerabilities: "I also would like to point some interesting statistics: by browsing the list of MS security advisories released over the past 2 years, at least 75% of all vulnerabilities credit external security researchers for having discovered them. The remaining 25% are either anonymously reported vulnerabilities, or are discovered internally by Microsoft itself.
Do you guys believe that MS (a multi-billion dollar software company stating 'security is our priority number one') is only able to detect and publicly report less than 25% of the vulnerabilities in its products ?"
Ideas? Discussion?
Friday, April 14, 2006
On Security Innovation
Things I Like Security Incite: Analysis on Information Security: "Folks that 'think different' either from a technology or business model standpoint are cool."
On "Use a firewall, go to jail, and send Bill Gates too"
Use a firewall, go to jail, and send Bill Gates too The Register: "'If you have a home DSL router, or if you use the 'Internet Connection Sharing' feature of your favorite operating system product, you're in violation because these connection sharing technologies use NAT. Most operating system products (including every version of Windows introduced in the last five years, and virtually all versions of Linux) would also apparently be banned, because they support connection sharing via NAT.'"
Thursday, April 13, 2006
On DDoS and "non-root" attackers
Nowadays, it looks like it's becoming more common - check it out:
» Disturbing developments in DDoS attacks Threat Chaos ZDNet.com: "The hacker used a common mis-configuration in PHP scripts to take over Linux machines and use them for his army of zombies. "
Wednesday, April 12, 2006
"When a product is better than the company"
CipherTrust: When a product is better than the company: "But when it comes to buying products, our tests aren't enough. It's important to investigate all those peripheral aspects of the vendor before you sign a purchase order. I was reminded of that the hard way. "
That is why when you hear "you are buying a company, not just a product" you should treat it seriously and not as just marketing spin....
What Makes a Great Entrepreneur?
A VC: VC Cliché of the Week: "Here are the characteristics that I find most commonly in great entrepreneurs"
Compliance Trumps Malware!
InformationWeek IT Security Spending Compliance, Not Malware, Drives IT Budgets: Survey April 6, 2006: "Regulatory compliance and protecting intellectual property (IP) are among the top reasons driving demand for security products – not phishing, worms, spyware and hack attacks, according to a recent report. "
So, the old one of
#1 Malware
#2 Malware :-)
is replaced by
#1 Compliance
#2 IP protection
Great news!
The paper quotes a bunch of other fun factoids, such as this one: "Respondents expect to increase spending for endpoint security [in line with my 2006 predictions] an average of 32 percent during the next 12 months, with Symantec products garnering the strongest preference in this category. Strong authentication followed with an average expected spending increase of 27 percent, with RSA Security in the lead. "
Authentication growth is an interesting one as well. Is it the IAM/IDM crawling thru the backdoor of strong authentication? Sure looks like it...
Tuesday, April 11, 2006
"If you are soo cool, why aren't you..."
Matasano Chargen » You’re so cool, clarencenetworks.com, you’re so cool…: "What is the analytical process for determining whether or not a company is cool?"
Wednesday, April 05, 2006
BART and switch crashes: an unusual outlook
BAY AREA / BART to investigate computer work at rush hour / Troubleshooting crashed system, stranded 35,000: " technicians risked working on computers that control trains while the transit system was running, work that crashed BART's main computer, stalled 50 to 60 trains, and stranded 35,000 passengers for more than an hour at the peak of the Wednesday evening commute. " and "... the new program overloaded a router..."
On one hand, if computers crash during routine maintenance, one should not fear that someone will do it on purpose (there is no scare factor if you know it will happen anyway one day).
On the other hand, if the system causes damage by itself, giving it a nudge will cause much more disastrous results...?
On legally mandating "adequate encryption"
Consumer data security bill passes out of House committee: "Data encryption is the only technology specified in the bill, and adequate encryption could exempt a company from the need to notify victims. "
I always wonder whether ROT13 is "adequate encryption" based on the letter of the law.
Tuesday, April 04, 2006
Wiping is the Only Choice: "Microsoft Says Recovery from Malware Becoming Impossible"
"How much new information is created each year?"
Executive Summary: "How much new information is created each year?"
E.g. "Print, film, magnetic, and optical storage media produced about 5 exabytes of new information in 2002."
TaoSecurity on "Security Log Management" book
It is a pretty blatant waste of natural resources indeed :-)
My review will go up in a few days.
Cool site - "The Dashboard Spy"
And don't forget the new O'Reilly book on dashboards: "Information Dashboard Design: The Effective Visual Communication of Data" by Stephen Few.
"Drive-By Assessment" on "Skybox Security - Nice-to-have or Must-have?" by Security Incite
Drive-By: Skybox Security - Nice-to-have or Must-have? Security Incite: Analysis on Information Security: "Unfortunately Skybox comes up short here. It's not clear to me what problem is being solved, so I likely move on to the next site. "
"Glitch wiki" or security hole to drive a train thru?
Thus, I was happy to see such projects as Splunk Base, which lets users upload logs that indicate problems (yes, security problems as well) and tag them with descriptive tags, so that other Base users can learn from their experience as described via tagged log samples. Just sharing logs is nowhere near as useful as sharing such experiences. Either way, this is a good initiative to watch.
Specifically, CNet says (http://news.com.com/Start-up+brings+glitch+wiki+to+IT+pros/2100-7346_3-6056530.html): "Instead, Splunk has designed its software and Splunk Base to allow system administrators to submit information themselves and then classify and search the collected information of their peers. "
Well, it brings up the standard question: if you start a community for marketing reasons (this one clearly fits such a definition), how do you make sure it actually takes off and starts a life as a real community of dedicated users (sometimes ramping up to "raving fans" :-))? I was reading this book by Guy Kawasaki ("Selling the Dream") and it seems to have some answers... In any case, there is a difference between a real community and just a free platform for sharing, which might develop into a community, might get monetized or just might tank. We will see what happens to this one.
Security remains an issue as well. Passwords are not too uncommon in Unix and Apache logs (when users mistype them into the username field). Other things to watch for include allowed email addresses, IP addresses of critical servers, access control rule information, the types of security software in use and maybe a few dozen other possible thingies... An intelligent sanitization algorithm seems very important!
My experience with Honeynet Project data tells me that sanitization is not as easy as some think. So, given you have a serious issue – that you might or might not want others to know about, and that might or might not contain sensitive data, do you want to post that data to an open forum hoping that a) someone would help you and/or b) your experience will help someone else? Just post the comments here.
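One way to do the sanitization discussed above, as an added example (not code from this post or from Splunk): a pseudonymising pass that tokenises e-mail addresses, IPv4 addresses and the username recorded by failed sshd/Apache logins (where a mistyped password lands), mapping identical values to identical tokens so the shared lines still correlate. The sample log lines and the salt are constructed for the example.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Patterns for the value kinds the post lists: server addresses, e-mail
# addresses, and passwords that land in the username field of a failed login.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# sshd logs the rejected username verbatim ("Invalid user X from ...") and
# Apache basic auth logs "user X not found"; a mistyped password shows up there.
FAILED_USER_RE = re.compile(
    r"(?<=invalid user )\S+(?= from)|(?<=\buser )\S+(?= not found)", re.IGNORECASE
)


def pseudonym(kind: str, value: str, salt: str) -> str:
    """Deterministic placeholder: the same value always yields the same token,
    so lines can still be correlated after the value itself is gone. The salt
    (constructed here) stops the tokens from being a plain SHA-256 dictionary."""
    digest = hashlib.sha256(f"{salt}:{kind}:{value}".encode()).hexdigest()[:8]
    return f"<{kind}:{digest}>"


def sanitize_line(line: str, salt: str) -> Tuple[str, Dict[str, int]]:
    """Replace sensitive values in one log line; returns the cleaned line and a
    tally of what was replaced, so a reviewer can see what would have leaked."""
    counts = {"email": 0, "user": 0, "ip": 0}

    def make_repl(kind: str):
        def repl(match):
            counts[kind] += 1
            return pseudonym(kind, match.group(0), salt)
        return repl

    # Order matters: e-mails and failed-login usernames go before the generic
    # IPv4 pass, so a mistyped password that happens to look like an address is
    # still tagged as a leaked credential rather than as a host.
    line = EMAIL_RE.sub(make_repl("email"), line)
    line = FAILED_USER_RE.sub(make_repl("user"), line)
    line = IPV4_RE.sub(make_repl("ip"), line)
    return line, counts


def sanitize_lines(lines: List[str], salt: str = "constructed-salt") -> Tuple[List[str], Dict[str, int]]:
    totals = {"email": 0, "user": 0, "ip": 0}
    cleaned = []
    for raw in lines:
        clean, counts = sanitize_line(raw, salt)
        cleaned.append(clean)
        for kind, n in counts.items():
            totals[kind] += n
    return cleaned, totals


# Constructed sample lines (not real logs): an sshd failure where a password was
# typed at the login prompt, a legitimate login, an Apache auth failure from the
# same client, and a postfix rejection carrying an e-mail address.
SAMPLE_LINES = [
    "Apr 28 10:01:12 web1 sshd[4412]: Invalid user hunter2 from 203.0.113.7",
    "Apr 28 10:01:12 web1 sshd[4412]: Failed password for invalid user hunter2 from 203.0.113.7 port 51022 ssh2",
    "Apr 28 10:02:40 web1 sshd[4418]: Accepted password for alice from 192.0.2.10 port 51030 ssh2",
    "[Fri Apr 28 10:03:01 2006] [error] [client 203.0.113.7] user hunter2 not found: /admin",
    "Apr 28 10:05:09 mail1 postfix/smtpd[990]: reject: RCPT from unknown[198.51.100.4]: <bob@example.org>",
]

if __name__ == "__main__":
    out, totals = sanitize_lines(SAMPLE_LINES)
    for line in out:
        print(line)
    print("replaced:", totals)
```

Usernames from successful logins ("alice") are deliberately left alone here; a stricter sharing policy would tokenise every username the same way.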
Another fun thing is the "added intelligence" factor. It has to be better (make it "much better") than simply dumping the logs on the public HTML page and having good ole Google search them...
Monday, April 03, 2006
But Does it Support IPv6? :-)
Current Status of IPv6 Support for Networking Applications: "Syslog"
On "More data, more tools or more answers?"
More data, more tools or more answers?: "More data, more tools or more answers?" @ ITtoolbox
Check out a New CWE List, a Brother of CVE
CWE - CWE List: "The Common Weakness Enumeration (CWE), currently in a very preliminary form, is a list of software weaknesses, idiosyncrasies, faults, and flaws."
"The next steps are to adequately capture the specific effects, behaviors, exploit mechanisms, and implementation details in the CWE dictionary as well as to review and revise the presentation approaches that will best suit this information."