Wednesday, April 30, 2008

On Travel and Airlines

Inspired by this, of course.

So, I am sitting here in San Jose Airport even though I am supposed to be flying to Hartford, CT to speak at OWASP. Why am I sitting here? Well, 'cause the NWA plane got a flat tire (literally: I actually noticed the flat while "deplaning") and the nearest replacement tire is in San Francisco. A three hour delay -> missed connection -> missing my conference presentation (which sucks hard!).

I do travel a lot (especially lately), but I am still amazed when smart people follow the logic of "weather delay + wet luggage = airline sucks." Admittedly, I have had fun travel stories (here and overall here), but I never bitch about airlines. I guess I am funny that way. To top it off, I like US Airways (gasp!), which definitely makes me a weirdo among the "high-travel cognoscenti" :-)

What is the reason for this "phenomenon"? Here it is: I am used to expecting A LOT from an airline and, so far, I have always gotten it. ALWAYS! Specifically, I expect "not dying at the hands of the airline that is transporting me." That means A LOT to me, it really does :-) And, so far, it has worked marvelously!

So, anything else is an awesome perk! For example, I was flying United (with which I don't have any Elite status) from JFK to SFO. Right after my attempt to stand by for an earlier flight failed and I was about to stick my wireless card in and do some work, the gate agent called my name. I approached the gate thinking they had bumped me or taken away my coveted exit row seat. On the contrary, the gate agent said "Mr Chuvakin, would you mind if we upgrade you?" - "No, not at all." So I got my comfy United p.s. business class seat and a good breakfast (as well as some sleep)...

Some would say that I have "lowered my expectations", but I beg to differ: I do expect a lot. And I get it, which is, some say, a key to [travel] happiness :-)

Finally, apologies to my OWASP CT chapter audience: sorry, next time!


Friday, April 25, 2008

Thursday, April 24, 2008

PCI Is "Made Easy" -> Hilarity Ensues

Note the "humor" tag on this post!

Read in the recommended order:
  1. Mike R lashes out at security marketing message "PCI Made Easy"
  2. "The victim" of said lashing makes good fun of Mike R (especially read the comments, where an idea to rename the webcast into "PCI Compliance Made Easy, But Not Too Easy As To Avoid Becoming Linkbait For Mike Rothman" is floated...)
  3. Mike R responds by professing his love of "baloney" (and salami) and then pans with "No vendor can [make it easy] because security is neither easy, simple or affordable."
All in good fun :-)

Log Haiku #3

Enemies are approaching
Logs can help!
Deleted? Oh, life is pity...

Wednesday, April 23, 2008

Full Presentation "Six Mistakes of Log Management" Released

As you know, I release my presentations on Slideshare when I get tired of them :-)

The time for releasing my famous "Six Mistakes of Log Management" has come:

Dancho on Security Industry and Media

Dancho Danchev makes this astute observation about the coverage of security by the media:
"You know it's a slow news week when you come across :
1. Articles stating that malware increased 450% during the last quarter - of course it's supposed to increase given the automated polymorphism they've achieved thereby having anti virus vendors spend more money on infrastructure to analyze it" + 9 more items.

It would be funny .. if it weren't sad :-)

Log Haiku #2

Here is my Log Haiku #2:

"Something mysterious transpires
Where? How?
Log analysis or bust!"

Some Burning Logging Questions - Answered!

I was wandering down a street and somebody came out and confronted me with these logging questions :-) So I answered them - now I am posting them here since they might be useful for my readers.

Q1: For those companies that have successfully implemented enterprise-wide logging, what were the big nasty surprises that they encountered?

A1: Here are a few:

  • political boundaries within the organization: "these are our logs, and you are not getting them"
  • privacy laws: some logs cannot be collected in some countries; some cannot cross the border, some cannot be seen by some people, etc. This is true mostly in the EU, less so in the US.
  • legal blocks: work with legal before deploying any org-wide log management; legal might try to prevent certain data from ever being created (for fear of being legally discovered later)
  • log volume: underestimating log volume is common and pretty nasty
  • related to the last one: vendors being "optimistic" about their tool scalability
  • time synchronization (of course!), specifically, lack thereof.

Q2: For those companies that have successfully implemented enterprise-wide logging, what was their implementation approach?

A2: Typically, 2-3 vendor PoC or pilot first. Then with the chosen vendor: phased approach based on location + type of log source (e.g. firewalls, then routers, then OS, then proxies, etc) + network topology (e.g. DMZ, then internal) + log source criticality (e.g. critical servers first; the rest next). This might be handy to look at.

Q3: What kind of storage requirements have been experienced by those organizations who have successfully implemented enterprise-wide logging?

A3: Massive? :-)

Here is a simple example. PCI DSS is a bit more aggressive than NERC since it mandates 1 year of log retention vs NERC's 90 days. So, one year's worth of logs from a single (one!!!) busy firewall is: 365 days x 24 hours x 3600 seconds x 100 log messages per second x 200 bytes per message on average (e.g. valid for PIX and ASA devices) = 588 gigabytes per year of raw, uncompressed log data (assuming 10x compression, you'd get about 60GB of compressed log data per year).

Store it in an RDBMS? Multiply it by 2-3. Have an index? Add about 30%.

The bottom line is: the terabyte is the unit to measure logs in.
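Carrying the sizing arithmetic above through in code, as an added example that is not part of the original post: it extends the one-firewall PCI DSS figure to several log sources and both retention periods mentioned (PCI DSS 1 year, NERC 90 days), and applies the compression, RDBMS and index adjustments from the answer. The proxy and domain-controller rates are constructed sample values; only the 100 msg/s x 200 byte firewall comes from the post.

```python
"""Log retention sizing estimator (added example, not from the original post).

Carries the post's one-busy-firewall PCI DSS calculation through for several
log sources and both retention periods mentioned, then applies the storage
adjustments the post gives for compression, RDBMS storage and indexing.
Event rates and message sizes other than the post's own 100 msg/s x 200 byte
firewall are constructed sample values.
"""
from dataclasses import dataclass

SECONDS_PER_DAY = 24 * 3600
GIB = 1024 ** 3
TIB = 1024 ** 4

# Retention periods named in the post, in days.
RETENTION_DAYS = {"PCI DSS": 365, "NERC": 90}


@dataclass(frozen=True)
class LogSource:
    name: str
    eps: float       # average messages (events) per second
    avg_bytes: int   # average raw message size in bytes


def raw_bytes(source: LogSource, days: int) -> int:
    """Uncompressed raw log volume of one source over `days` of retention."""
    return int(days * SECONDS_PER_DAY * source.eps * source.avg_bytes)


def stored_bytes(raw: int, *, compression_ratio: float = 1.0,
                 rdbms_factor: float = 1.0, index_overhead: float = 0.0) -> int:
    """Apply the post's storage adjustments to a raw byte count.

    compression_ratio: 10.0 models the post's "10x compression" assumption.
    rdbms_factor: 2.0-3.0 when the logs live in an RDBMS ("multiply by 2-3").
    index_overhead: fraction added for an index, 0.30 for "about 30%".
    """
    if compression_ratio <= 0 or rdbms_factor <= 0 or index_overhead < 0:
        raise ValueError("adjustment factors must be positive")
    return int(raw / compression_ratio * rdbms_factor * (1.0 + index_overhead))


def human(n_bytes: int) -> str:
    """Render a byte count in GiB, or TiB once it crosses the terabyte line."""
    if n_bytes >= TIB:
        return f"{n_bytes / TIB:.2f} TiB"
    return f"{n_bytes / GIB:.1f} GiB"


def estimate(sources, regime: str, **adjustments) -> dict:
    """Per-source and total raw/stored volume for one retention regime."""
    days = RETENTION_DAYS[regime]
    per_source = {s.name: raw_bytes(s, days) for s in sources}
    raw_total = sum(per_source.values())
    return {
        "regime": regime,
        "days": days,
        "per_source_raw": per_source,
        "raw_total": raw_total,
        "stored_total": stored_bytes(raw_total, **adjustments),
    }


# The post's worked case plus a constructed small estate around it.
SAMPLE_SOURCES = [
    LogSource("busy firewall (post's example)", eps=100, avg_bytes=200),
    LogSource("proxy (constructed)", eps=40, avg_bytes=350),
    LogSource("domain controller (constructed)", eps=25, avg_bytes=600),
]

if __name__ == "__main__":
    fw_raw = raw_bytes(SAMPLE_SOURCES[0], RETENTION_DAYS["PCI DSS"])
    print("Post's case, raw, 1 year:", human(fw_raw))
    print("  same, 10x compressed:", human(stored_bytes(fw_raw, compression_ratio=10)))
    print("  same, raw in an RDBMS (x2.5) with an index (+30%):",
          human(stored_bytes(fw_raw, rdbms_factor=2.5, index_overhead=0.30)))
    for regime in RETENTION_DAYS:
        est = estimate(SAMPLE_SOURCES, regime, compression_ratio=10)
        print(f"{regime} ({est['days']} days), 3 sources: raw "
              f"{human(est['raw_total'])}, 10x compressed "
              f"{human(est['stored_total'])}")
```

Running it shows the single-firewall year landing just under 600 GiB raw and crossing into terabytes once the RDBMS and index multipliers are applied.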

Q4: At the organizations that have successfully implemented enterprise-wide logging, how did logging impact network and system performance?

A4: Too broad a question, so here are a few pointers:

  • logging affects performance much more on some types of systems compared to other types: most painful examples are databases where some people (can't find a link...sorry) report performance loss of up to 40% if logging all SELECT statements and other data retrieval commands (you need to log selectively on these); in other cases (e.g. web servers) there is no performance loss and logging is "always on"
  • log collection: agents impact system performance (long post on this subject): a little when they run (everybody knows this) and A LOT when they crash (few people think about it - agent software memory leaks are not uncommon); unlike agents, remote agentless log collection barely affects system performance (unless you have one of the few esoteric cases)
  • log transfer and network performance: look for compressed (logs compress really well), TCP-based transfers; syslogging over UDP uncompressed has a chance of doing a pipe saturation DoS on your network. Yes, people say "use a dedicated LAN," but this is definitely wishful thinking for many. Also, raw UDP syslog in large quantities over WAN = insanity :-)

Q5: What were some successful strategies for obtaining buy-in from system owners and operators in regards to turning logging on?

A5: OK, also too broad a question, but here are some pointers:

  • provide them a useful service based on their logs (e.g. performance measurement, availability monitoring, compromise detection :-), or other security metrics, etc)
  • help them with their compliance mandates (e.g. create reports that they can show to the auditors that "bug" them)
  • give them tools to better solve their problems (e.g. allow access to a log management tool so that they can investigate issues better, search the logs, check on their users, etc)

Q6: How did the organizations that have successfully implemented enterprise-wide logging deal with unusual devices (=log sources) that have no log management vendor support?

A6: They were in massive pain - if they chose the wrong log management vendor. You need to look for vendors that have "universal log source support" with NO requirement for custom rules or custom collector/connector/agent development. Some vendors have generic text log collectors that can grab and analyze unknown logs. Typically this is done via some form of text indexing that works across all logs, including those from unknown, vertical, esoteric or custom-developed log sources.

Hope it was useful!

Tuesday, April 22, 2008

Log Haiku #1

So, I am sitting in a hotel in - seriously! - Nampa, ID preparing for tomorrow's Idaho ISSA conference where I will teach a short class on "Log Forensics" and then present my fave "Six Mistakes of Log Management." And this whole ID thing made me a bit philosophical and so I dug out my old log haikus that were created for a first iteration of my book on logs (every chapter was supposed to start with a weirdly funny haiku on logs...).

I figured since these are not going to be used for the book, I will just post them here, one a day.

But I am warning you!!! These are bad haiku indeed. :-) Here comes #1:

What is a log? A secret

Let’s crack it now!

Resist it will furiously

From Apathy to Enlightenment: On A Log!

So, I was talking to this small log management vendor the other day and he confided to me that his product faces fierce competition in his target market (which is, important to note, small to medium companies with 10-100 systems): and this competition is apathy.

More specifically, his prospects either just blow him off by saying "pah, who needs this logging crap" or they profess their undying love of all things logging - and then still don't buy his product (which is priced, shall we say, "to go" :-))

Admittedly, these are the companies that form the core of today's botnets (thru sheer idiocy - and a generous helping of resource/skill shortage!) and enable RBN to deliver high-quality malicious services to criminal enterprises worldwide, which is no mean feat. Still, if you happen to have thoughts along the line of "who needs logs?" or "ah, logging? it will come later!", you really deserve a nice fat check from RBN and other malicious "hacking" syndicates since it is extremely likely that your overall attitude towards security is just as misguided (Did I just invent a metric called "logging as a litmus test of security program maturity"? :-))

But how to move from such ... what was before the Stone Age? ... Sharpened Stick Age? to modernity? Most companies go thru the following stages in regards to their logging:

  1. Deep log ignorance: "Logs? What are those?"
  2. Shallow log ignorance: "Later...later...later... #37 on the TODO list."
  3. Log collection: "We gather and store dead log data...cold."
  4. Log searching: "We will dig into the pile when we have to ... hopefully never!"
  5. Log analysis and reporting: "We know our logs - and what they mean"

(also see my post "Natural Flow of Log Management" for some specifics)

Of course, compliance (PCI DSS and others) helps move people from 1. and 2. to 3., but - here comes the punchline! - people often get stuck at 3. or 4. and never progress to the Logging Enlightenment of 5.

Yes, PCI DSS and other regulations mandate not just log collection, not just dead cold log storage, but also log review (daily, in the case of PCI DSS Requirement 10), but "review" happens to be the item that gets overlooked all too often.


I think the reason is that log analysis is still too hard and still not automated enough for an average organization. Yes, I did see some corporations that built their own log analysis systems that - surprise! - exceeded the best available from the vendors [at the time]. However, a typical company IT department would not have a Ph.D. poring thru text mining research papers in order to improve their home-grown log analysis AI. They expect the vendors to eat the logs, chew on them for a bit - and then spit out the answers.

Are we there yet? No, but we will be!!



Hannaford vs TJX

Fun comparison here: "TJMaxx was not PCI compliant, and Hannaford was. Big deal, you say, we all know about compliance! It’s the “Gentleman’s C.” Absolutely. But Hannaford cared enough to make the effort, at least, and get in line with some basic good security practices."

Read on.

Monday, April 21, 2008

Fun Log-reading

Now, some of you are on the verge of saying "Anton! Stop reading (and posting links) - start writing already..."

I will, I will :-)

But for now, here is some fun log-related stuff, in one enjoyable pile:

More on "Enterprise-Class" (or Enterprise-Quality)

Mike R makes what I consider to be an absurd claim here: "... How can Barracuda sell an anti-spam gateway for $3000 and other vendors sell a similar product for $50,000? Is the other product 15 times better? Of course not. But the enterprise customers in an early market can afford $50K per box, so that's what you charge them."

Honestly, I am not sure about the anti-spam gateways, they might all be the same indeed (and so Mike might actually be right about that specific type of product...), but I can tell you that in log management the answer is "Yes, it is that much better in features that actually make it 'enterprise'" - see this five-part treatise on that very subject by our enlightened System Engineer Dimitri McKay.

You can get Sawmill for $0, you can get whatever other product for $5k - or you can get LogLogic. The difference in what you will get will be about the same as the price factor!

All this debate is BTW inspired by this RSA-related piece.

On Geekonomics

I am sitting in a hotel here in San Antonio, TX (I presented at TRISC 2008 today - it sure was fun!) reading "Geekonomics" (can't work - I have a bit of a flu), provided by my friends from Addison-Wesley.

And you know what? The darn thing is turning me into a software liability advocate (like Bruce Schneier) - I really need to resist that ... :-)

Seriously, I just read another 10 pages and I am already thinking "Some say that if we have software liability, we will lose open source... this is kinda bad ... but such is life" :-(

Somebody please save me from this train of thought :-)

Friday, April 18, 2008

Fun Reading on Security - 1

Instead of my usual "blogging frenzy" machine gun blast of short posts, I will just combine them into my new blog series "Fun Reading on Security." Here is an issue #1, dated April 18, 2008.

  1. Gunnar Peterson has a "must-read" post on security innovation (and lack thereof), where he attributes said "lack" to lack of accountability. Read it and think! If you are tired of people mentioning "RSA", beware, his post does it too... Fun quote: "What is genuinely strange to me is that every other area in computers improves and yet security stagnates. "
  2. Rich Mogull hits us with "Inconvenient Lack of Truth" post which states that "we'll never be able to fix our security problems until we start truthfully sharing breach information" - do read it.
  3. Andy IT Guy falls in love with GRC here ("I think that it does a pretty good job of summing up what a solid program consists of."). Indeed, he brings GRC up as an example of stepping beyond boxes, ports and hexdumps into the great unknown...
  4. Bruce Schneier makes a prediction here: "RSA Conference Will Shrink Like a Punctured Balloon." He also makes a valid but sad observation: "The problem is that most of the people attending the RSA Conference can't understand what the products do or why they should buy them." He then pontificates how people want "secure stuff" and not "security." Do read it! Also check out these comments about his article.
  5. Rebecca Herold continues her fun series on PCI DSS and logging here. Her third part is about using logs to detect attempts to exploit web application vulnerabilities.
  6. Ken Belva disagrees with Bruce about the mindset of the security professional. He thinks that "criminal vs a good guy" is too limiting a view for security ("Reducing the security mindset to “an attacker, an adversary or a criminal” is to limit the paradigm of security to one general class of security roles: namely, the auditor.") Read it.
  7. InformationWeek quotes a survey that mobile banking will grow 10x in the next 3 years. To me this sounds like: finally, mobile malware!
  8. Finally, Alan Shimel unveils his "Shimel's theory of security company relativity or why there are so damn many security companies" which is an absolute must-read. I mean it (part 1, part 2). Fun quote: "The overwhelming majority of companies at RSA are stuck at a revenue level of somewhere between 5 and 20 million dollars." What will happen to all of them? Read his Part 2.

Tuesday, April 15, 2008

More RSA - Video Interview

Here is a set of video interviews from RSA Bloggers Meet-Up. My part starts at 1:24 minutes. Feel free to watch, if you are into that sort of thing :-)

RSA 2008 Summary and Reflections

So, The Show of 'em All, RSA, has come and gone. Now that everybody has recovered from hangovers and information overflow, it is time for ... you know ... deep thoughts and stuff :-)

Before we begin, go read my RSA Impressions (Part 1,2,3,4). Next, read what others said about RSA 2008 (via my feed). Then reflect on past RSA shows (2006, 2007).

Ready now?

First, what was the theme? I personally couldn't pick any (unlike in the past). The candidates were GRC (yuck!), DLP (mmmmm), IAM (huh?).

What did I see too much of? Even though their numbers have shrunk, I still saw too many stupid NAC vendors there (Lockdown, here we come!). One of my friends joked that there were more "GRC vendors" than NAC vendors, but both were in low enough numbers to make a trend. As far as loud noises from 2007 go, "identity-driven this or that for security" was still very visible.

Overblown messages? "Information-centricity." It was cool and new when Hoff said it (hi Chris, it was fun to finally meet you!). But when it trickled to keynotes of some "trailing edge" exec, it became boring and stale. And, no, "information centricity" still leaves people to worry about "A" (availability) first (see this discussion)

What is also bizarre is that people still start log management companies. I saw a couple of new ones - ama

What didn't I see enough of? VOIP security. Somehow this previously hot trend is quiet. Also, I saw a lot of web application security vendors, but I think that is still not enough as this is an area with a raging fire, not just "some hotness." Also, I expected to see more vendors messaging on (and, actually, helping with!) fraud. Dan Geer's Verdasys kinda mentioned that, but pretty much in passing. Is fraud handled outside of security (and thus outside of RSA)? I am not sure.

What didn't I see at all? I didn't see much "market consolidation" - no huge deals, no vendors of note "taken out", etc. Still a huge number of security companies around ... One of the speakers said that nowadays "no single security pure-play is expected to change the world", but it sure seems like many will try...hard! Along the same line, Mike R said that such shows are 18-24 months ahead of what "normal" people deploy. This might explain the VOIP and other missing items.

As I said before, "consumerization" of IT - i.e. IT infrastructure, servers, laptops, storage, services, computing resources, applications, etc provisioned outside of IT departments was an elephant in the room. It is not simply "unmanaged IT" or "consumer-grade IT for business", it is the whole "not-IT-department IT" phenomenon. Yes, via mashups it even includes "non-IT application development" (read this fun 451Group report on that). Security implications of this are nothing short of ginormous.

In light of this, I liked how one presenter said this: "we lost the desktop" - meaning "1/3 is managed by users, 1/3 is unmanaged and 1/3 is 0wned."  Sad but true... Dave Aitel used to joke how in the future banks will have to "re-compromise / re-0wn" your PC so some temporary security can be established for you to transact business with them. Are such horrifying times upon us already? :-)

Finally, a parade of fun quotes about this year's RSA from my fellow bloggers.

  • Rich Mogull: "And this year’s theme at RSA is… Nothing. Nada. Zip."
  • Mike Rothman: "RSA show messaging [...] is probably 18-24 months ahead of most practitioners"
  • Mitchell Ashley: "Security Industry Missing Ride On The Cloud"
  • Rob Newby: "In a way I'm glad there was no theme. It means that I was right about the market not going anywhere. Maybe security will have a chance to catch up with the marketing now, and then the compliance will get nicely rounded too, and everyone will stop complaining about it. I doubt it though."
  • Richard "IDS is dead" Stiennon: "Every RSA show is different. Every year there is a buzz. It takes two or three days of walking the show floor, hearing vendor pitches [...] to identify that buzz."
  • Michael Dahn: "This year, everyone is talking about two things at RSA: risk and regulatory compliance. "

See ya at RSA 2009!?


Wow! Stratfor on Cyberwar

Wow! Stratfor publishes this piece which starts with "This is the first in a series of analyses on the emergence of cyberspace as battlespace" and then they even go as far as "in addition to being a revolutionary medium of communication, the Internet also offers a devastating means of waging war."


Thursday, April 10, 2008

RSA Impressions 4: Three Fun Meetings

Now, yesterday was one hectic RSA day - I am only blogging about it now on the train to RSA. I barely managed to attend one session. I had meetings and other fun stuff happening all day. I figured I'd highlight three of them as they might be interesting to my readers.

First, I am proud to say that I was invited to Microsoft lunch for security bloggers. We definitely had some fun discussion on both blogging and security there and all sensed definite interest from the MS side. At times, though, it felt like talking to "spooks": information goes in, happy smile comes out :-) Other bloggers commented on that too.

Second, CEE logging standard work lives on. We had an informal meeting with people from MITRE, Microsoft, OpenGroup (home of OpenXDAS), Burton as well as relevant vendors and others involved (some people were sadly MIA though...). We did discuss - not too violently! - what to do next and what approach to take in regards to taxonomy (the most hotly debated part of CEE).

Finally, last by time but clearly FIRST by importance, 2nd Annual (?) RSA Security Bloggers Meet-up. OMG, this WAS an event of the century (at least until the next one, that is :-)) Not much more to say, I am still recovering :-) But if you are blogging on security - BE THERE next year!

BTW,  what is the overwhelming RSA theme this year? I think Rich is right, it is what he says.

Wednesday, April 09, 2008

RSA Impressions - 3: CTO Panel

First, a desperate call to other security bloggers: is anybody attending this panel (BUS202)? It is FUN, but I have to run for a meeting in, like, 10 minutes.

Most trends discussed so far are kinda well-known (SaaS, in-the-cloud this and that, security of infrastructure-> security of data and now of "interaction", server, desktop and storage virtualization, etc), but "IT consumerization" is a huge f*ing elephant in the room. "Security in the age of 'IT by users', not 'IT by IT'" is indeed darn scary! I guess it would be the "New Wild West" :-)

I am also happy that somebody brought up 'everything that needs to be invented is already invented in security' and then dispelled this ugly and idiotic myth.

Another fun one mentioned is a change from "security of bad/good" to "security of a flowing risk scale." It sounds deceptively simple, but it is actually pretty profound: as opinions about, say, data criticality for the business change, so does the risk/impact of said data loss. Not "loss of router = bad", but "loss of this data today = 3 of 10 'badness'."

I was also darn happy to hear that panelists accepted that our security defenses are not prepared for "unknowns" and that "attackers lead - security follows." Also, it is neat that somebody also mentioned that "Security is an art!" today.

A lot of fun security implications of "virtualization in the cloud" (like the Amazon service) were mentioned as well: think 'your "own little IT" outside the company for $5 and all the security team will see is web traffic.'

Sorry, I have to break my "transmission" and run to that meeting ...

Tuesday, April 08, 2008

RSA Impressions - 2: Compliance "Megatrends"

So, one more impression for today: I am sitting at BUS107 panel session titled "Compliance Megatrends: The Future of Information Security" and there is actually some interesting discussion going on. Here is my account of this session:

  • One person said that 'a common theme recently is that "those breached were compliant"' (meaning TJX and Hannaford). I question: is this really so? I think the truth is everybody, compliant or not, is 0wned, not that "those compliant are 0wned"
  • All panelists predicted that governments (US and European) will be influencing security more in the near future: more laws, more regulation, more enforcement (and that governments will do more to secure their own systems)
  • One person proclaimed that 'law enforcement model of security (detect->respond) doesn't work anymore', but said nothing about what comes next, instead, etc. I just hate empty posturing like that ... but wait! There is more from the posturing department: one more panel member said 'we need to not buy software products unless "absolutely secure".'  Hellooooo, is anybody home? :-)
  • ISO27001 is hot. Really? A lot of people in the audience seemed to like ISO27001. So, is it enough to predict its takeoff in the US? Somehow I am still skeptical ...
  • GRC was mentioned... in passing.  Everybody heard about it - and nobody cared. One person said "GRC... hmmm... so, how do you know you have it?'  :-)
  • One more person said that "plausible deniability [about security] is dead" - companies cannot pretend that information security doesn't exist anymore ... Again, no matter how much we want this to be the case, is this really true? I think many smaller companies are kinda still in the same bin?
  • A bizarro opinion on PCI DSS was voiced by one panel member: she said that she dislikes PCI since it is "too prescriptive" and it got turned into a mindless checklist (losing the original intent of improving security). She also disliked that PCI compliance evaluation is bad: based on a "dumb" control checklist, not on measuring effectiveness of "meaningful controls." I think this is true to some extent; but I'd hate to blame it on PCI DSS standard itself.
  • Finally, the panel's take on "What will happen in 5 years?" Their predictions: catastrophic events ("Estonia-like" - eeeeh, you mean somebody is fined $1642?), 'integrity of data' attacks which are "exceptionally scary" (data loss -> data change!), growth in data volume (huge!) with a total lack of means to control it, increased dependency on the Internet - without a corresponding increase in security, SaaS and Web 2.0 will change security and so will virtualization (now, that's original :-))

So, it was all good fun!

RSA Impressions - 1

Here is some bizarre observation: many security vendors here at RSA try to sell security by saying "latest survey shows that 67% of companies are missing the control X. Oh horror! - Buy X from us NOOOOOW" and very few sell security as "latest survey shows that 67% of companies have suffered the loss of $X via Y. Oh horror! - Buy Z from us to stop Y NOW"

So what if a control X is missing? Really? Why the f people need to care? Richard said it well here too.

And the reason there is more of the former (add missing control) and less of the latter (stop loss) is that they themselves don't know whether what they sell will decrease the loss ... It does suck, doesn't it!

And then you meet somebody honest who sells incident response tools :-) And it has been proven that good incident response tools and practices decrease incident loss. Easy, huh?

Heading to RSA ... Hurray!

I am writing this sitting on Caltrain from San Jose to San Francisco, heading to RSA, armed with my "hitlist" of people to meet and companies to check. Also wielding my Mogull (and Mike R)-induced pessimism and my evil sense of humor.

While I am here on a train, I also wanted to highlight something interesting about PCI and log management (and log management systems). Rebecca Herold correctly takes me to task (here and here) for missing the difference between "PCI-compliant log management" (which is a concept - and it obviously does exist) and "PCI-compliant log management system" (which is an actual physical box or a set of boxes with software - and it doesn't exist since PCI DSS doesn't "rate" the compliance of logging systems).


If you decided to deploy log management technologies and tools in order to satisfy PCI DSS requirements, you are doing "PCI log management" and there is no issue with that. If you happen to be in possession of a "PCI compliant log management system", I would like to see that :-)

Rebecca also correctly cringed at my loose usage of the word "certify." I have to disclose that I used it not in the formal "C&A" sense, but just to mean "rate" or "indicate the level of" compliance. Given that I am often the one to fight for the correct usages of terms in our area, I think I need to be more careful in the future. For example, I like to use the word "evidence" only in the context of forensics and legal process, not just as "evidence for making a conclusion." And don't even get me started on "threat" and "vulnerability" :-)

Monday, April 07, 2008

What? You Are Releasing Untested Malware?

... What are you, some kind of amateur? :-)

Dancho Danchev reminds people how modern malware is tested here. A quote: "And when a popular piece of malware known as Shark introduced a built-in VirusTotal submission to verify the low detecting rate of the newly generated server, something really had to change - like it did."

So, imagine a malicious "clone" of VirusTotal that is launched by an enterprising criminal to provide "a valuable service" of malware testing to a cybercrime community? :-) : "A small fee for testing please. What, you are releasing an untested malware? Phooo... What are you, some kind of amateur? :-)"

Dancho then predicts: "One thing's for sure - malware will start getting benchmarked against each and every antivirus solution and firewall before the campaign gets launched, in a much more efficient and Q&A structured approach than it is for the time being."

Please tell me that if this happens, it won't be the final nail in the "legacy"/"blacklist-only" AV coffin?

Is This How Security Will Be Improved?

"Davidson Cos. Sued for Negligence in Data Breach: Lawsuit confirms that companies can be held liable for failing to provide adequate security" (source)

"A Billings, Mont., law firm has filed a class-action lawsuit in federal court against Davidson Companies, claiming the company was negligent when it allowed a hacker to penetrate its systems, resulting in a data security breach and the exposure of some 226,000 customer records, according to a report."

This will be immensely fun to watch! So, for those companies that didn't start paying enough attention to security after viruses, then worms, then SOX, then PCI DSS, then bots, then data loss, then data theft, how about the threat of a nice cold lawsuit? Will it be enough to make them pay attention?

Well, we will see soon :-)

To Those Heading Down to RSA ...

Rich Mogull unleashed the following fun piece on RSA trends and predictions. Go read it! Rich tells us to be on the lookout for the following madly abused trends and concepts:
  • Virtualization security
  • "GRC"
  • Security in the cloud
  • "Data leakage that is not DLP"
I am actually not at RSA today (just finishing some writing here), but I will head up there tomorrow. Watch this blog as I will be ... how do they say it? :-) ... "live-blogging" from the Moscone Center tomorrow and Wednesday. All my RSA posts will be tagged RSA. After all, if I am press this time, I will blog the *ell out of the event! :-)

Friday, April 04, 2008

See Ya at RSA!

A final post for today: RSA 2008 Conference starts on Monday, see you all there.

If anybody wants to meet, drop me an email to anton at (I will get it on my mobile device)

Here is something interesting I would like to propose: let's meet to roam the vendor expo hall and make fun of the vendors there :-) Some people there will make you ROFL or even ROFLMAO: once I had somebody try to explain why logs are important to me (was not too convincing, BTW) , another time I received a speech on what PCI DPS (!) is. There is also a high chance of spotting a hippo there (i.e. a vendor who misspelled HIPAA in their materials), which is always fun too.

Rebecca Herold on PCI and Logging

Rebecca Herold is doing some fun - if a bit lightweight - writing on PCI and logging. She also touches on using logs to deal with insiders. My ego is telling me to be upset since she doesn't mention either a "PCI Compliance" book (free chapter on logging for PCI is here) or any of my other related writing, but I will survive it :-)

However, she makes one snafu that makes me cringe (and also think negative thoughts :-) about this whole thing): she mentions a "PCI-compliant log management system." This is clearly an absurd concept: PCI DSS does not certify a log management system as "PCI-compliant." She also quotes others a bit too much for my taste...

In any case, check it out here.

Thursday, April 03, 2008

TCP Syslog =/= Reliable?

Usually, people associate UDP-based log transfer with being "unreliable" and TCP with being "reliable." Rainier here raises a few interesting issues (not the least of which is TCP buffering) that question the reliability of TCP syslog.

Is there a need for a "more reliable" TCP with application-level ACKs? Maybe ... but not in the world where UDP syslog is still king.
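Rainier's buffering point is easy to see with a few lines of socket code. The following is an added example, not code from the post or from any syslog implementation: a receiver that accepts a few lines and then dies, paired with a sender that counts a line as delivered either when sendall() returns (plain TCP syslog) or only after an application-level "ACK" line comes back (a constructed ACK protocol assumed here, not any standard).

```python
# Added example, not from the post: a successful TCP sendall() is not delivery;
# only an application-level ACK tells the sender what the receiver accepted.
# Localhost only, constructed syslog lines; the receiver reads a few lines
# and then closes, as a crashed or restarted log server would.
import itertools
import socket
import threading

def run_receiver(limit, ack):
    """Accept one client, consume `limit` lines (ACKing each if asked), then close."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    got = []
    def serve():
        conn, _ = srv.accept()
        for line in itertools.islice(conn.makefile("rb"), limit):
            got.append(line.rstrip(b"\n"))
            if ack:
                conn.sendall(b"ACK\n")
        conn.close()  # whatever is still in flight or buffered is lost here
        srv.close()
    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    return srv.getsockname()[1], got, worker

def send_lines(port, messages, expect_ack):
    """Return how many lines the sender believes were delivered."""
    sock = socket.create_connection(("127.0.0.1", port))
    reader = sock.makefile("rb")
    ok = 0
    for msg in messages:
        try:
            sock.sendall(msg + b"\n")  # plain TCP syslog trusts this alone
            if expect_ack and reader.readline() != b"ACK\n":
                break
        except OSError:  # the RST/EPIPE shows up only after more was "sent"
            break
        ok += 1
    sock.close()
    return ok

def demo(n=100, limit=3):
    # returns {"plain": (believed, received), "with_ack": (believed, received)}
    msgs = [b"<13>Apr  3 12:00:00 host app: constructed line %d" % i for i in range(n)]
    result = {}
    for ack in (False, True):
        port, got, worker = run_receiver(limit, ack)
        believed = send_lines(port, msgs, expect_ack=ack)
        worker.join(5)
        result["with_ack" if ack else "plain"] = (believed, len(got))
    return result
```

With the plain sender, far more lines are "sent" than the receiver ever stored; with ACKs, the two counts agree and the sender knows exactly which lines to retransmit.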

On "Network, Database, and System Log Data Management: The What, Why, and How"

I wrote this fairly basic paper on logs, check it out: "Network, Database, and System Log Data Management: The What, Why, and How"

"This article discusses the importance of implementing a uniform and scalable log management platform for network and storage systems across your organization to address security, compliance and operational issues."

Marcus Ranum on Cybercrime

Fun treatise on cybercrime from MJR.

"... it's an incredibly attractive enterprise. "

"The final point I'd like to make on cybercrime is that the current set of problems show us nothing about how bad it can possibly get."

Campaign to Ban Sharks with Lasers!

"Charities and academics are calling for autonomous killer robots to be banned -- even though they don't exist. What other sci-fi weapons should be proactively eliminated? Vote, or submit your own."

$50 > life. WHYYYYYYY?

If you flipped thru my slides from the CSO Summit, you noticed slide #4 with a picture of a seatbelt. Why is it there?

That is why. This post really tied together (for me) everything that happens in security today; its essence is this quote:

"The state of Victoria in Australia made wearing safety belts compulsory in 1970. This is now almost universal practice. I don't know the exact statistics but a study done in South Africa found that more people used safety belts after it was made illegal to not use them than when it was left up to the driver.

The conclusion really is that people are more likely to obey a rule because it is law than because it may just save their life."

and even

"I have seen a lot of complaints about PCI and SOX etc etc in the same way that people complain about "self protection" laws like safety belt laws."

If you see anything weird in today's "compliance-heavy" security industry, it is probably explained by this phenomenon.

Fun Read: Security + HR = ?

Fun read: "Four good reasons for Security to talk to HR" on why security and HR should work together (and what happens if they don't)

Reemergence of "Security as Insurance"

Some fun thoughts on how a "security as insurance" model might work. No mention of ROI (which is great!)

Security of "Rogue" or "Shadow" IT?

Here is a fun question: who is in charge of the security of IT products and services sold directly to users (bypassing IT)?

Now, your first reaction is likely "Nobody, just ban it!" or "Let its users strangle themselves," but I think the reality is more complicated. This post raises some of the alarms about "shadow IT:"

"Both tools [iPhone and Google Apps] were marketed directly to the appeal of the end-user and made every effort to create a tool (or set of tools) which could be brought into the business environment by an end-user with as little effort as possible."

"Corporate IT is left fighting the new battle - unknown/untested/unvalidated technologies being marketed at their user base and making its way into the corporate environment. What can IT do? Nothing, as far as I can tell."

"Let's be honest with ourselves. Corporate IT has a big problem. This problem will likely get bigger, and more menacing as more things are marketed to "get around IT bottlenecks". It all goes back to the image IT has of stifling business and imposing harsh guidelines which don't enable businesses properly."

Just something to think about...

Upcoming Speaking in Austin, TX

FYI, I will speak about "The 7 Mistakes of Security Log Analysis" at TRISC 2008 in Austin, TX. If you live in the area, do come by. It is on April 21st at 4:15PM.

My Presentation from Russian CSO Summit 2008


It is pretty subjective, for sure, but that is what I think.

The Real "Security 2.0"?

Yes! YES! Y-E-S! You guessed right - a blogging frenzy; I am baaack from my vacation/speaking in first cold then warm places and I have a "backblog" of fun items.

First is "Why Hacking Changed" from The Hacker Webzine. Please read it; and see thru all the drama.

Some quotes:

"Old school hacking is dead, network hacking is dead, firewalls are useless and AV software is a mere redundant software package that underlines your frustration and ignorance about contemporary hacking."

"If you can define hacking today, it no longer means telnetting into servers or blowing whistles, but exploiting the application layer. With the application layer, I also mean the scripting language beneath it, since it interacts with the applications that it's running and share memory, and thereby the hardware it's running on."


"We can even prove that we can own your network with only seven characters typed into your query string: 1' OR 1=1 is far more dangerous than any shellcode I've ever seen in my life."

"What works today works also tomorrow. And what will work in two or 5 years from now is software and application hacking."

Wednesday, April 02, 2008

Windows Log Collection Poll Analysis

Now, my latest poll ("What tools do you use for Windows Event Log Collection and Analysis") was pretty popular (157 responses) and controversial as well; let's analyze it. The results are here and below as well.


So, what catches your eye first? Despite the fact that I was trying hard to list most of the tools that collect Windows logs known to humankind (and certainly, I thought I included ALL of the popular ones), response 'Other' is #1 by popularity. Now, the 'Other' option had a write-in field that is not visible online, but accessible to the poll owner (i.e. me). What dark and mysterious tool hides in there under the guise of 'Other'? Well, this is where the controversy lies: out of 37 people who chose 'Other', 15 wrote in 'sp1unk.' Now, given that the Windows version was released only a couple of days before my poll, I refuse to believe that.

Second, as one can guess, using the Snare agent for converting Windows event logs into syslog is the next most popular (after 'Other'). This is definitely what I expected. Snare is a safe choice that everybody knows (but it is an agent).

Third, 'voting "no"' (i.e. 'We don't collect Windows logs centrally') is next; in fact, it is not statistically different from the previous choice, Snare. This reflects the sad reality of Windows logging: people just do not collect them and then, when needed, they desperately try to reach for the logs stored on each server (and, obviously, often do not find them there). Will Windows 2008 (which does have its own WS-based log centralization system) change that? Probably!

Fourth, despite the fact that everybody hates agents, remote Windows collectors, such as ProjectLASSO, are less popular. In fact, most people who use a remote collector, use a commercial (WMI- or RPC-based) remote collector from their SIEM or log management vendor.

Fifth, OSSEC rises above the crowd of other remaining tools. This is definitely an interesting discovery as well.

Finally, on a somewhat humorous note, if one combines "We don't collect Windows logs centrally", "We ignore Windows logs" and "We are waiting for Windows to support syslog natively", the total reaches 35% and exceeds any other option, including 'Other', Snare, etc.

So, this poll reflects a sad state of affairs with Windows logging; let's hope that W2k8 will change that...


Criminal Enterprises, Inc

Wow, this is one of the most fun pieces of spam I received (no, I don't read all my spam :-) - this one just evaded the filter...)

Yes, I know it is in Russian; here is what it says (roughly):

'We offer "abuse-resistant" hosting; [it is clarified that this means: "we ignore ALL complaints about abuse from police, banks, etc"(!)].
Phishing and Child p0rn are NOT OK; the rest (spam, warez, etc) are fine.
Virtual or dedicated servers.
24 hr support via ICQ/email.
Daily backups.
Server location: Estonia (!), Hong Kong.

Free 3 days (for testing).'

Wow! Obviously, I've heard stories about such businesses, but this is my first-hand encounter.

Monthly Blog Round-Up - March 2008

I saw this idea of a monthly blog round-up and I liked it. In general, blogs are a bit "stateless" and a lot of good content gets lost since many people, sadly, only pay attention to what they see today.

So, here is my next monthly "Security Warrior" blog round-up of top 5 popular posts and topics.

  1. This month my logging polls are super-hot: specifically Logging Poll #6 "Which Logs Do You LOOK At?" Analysis leads the Top5. Do people look at logs? Which ones? Check out the poll analysis.
  2. Somewhat predictably, PCI compliance is still all the rage. So, just like last month, MUST-DO Logging for PCI? post was propelled to a place in my Top5 popular posts list. It discusses the fact that there is no "easy list" of what you MUST do to comply.
  3. Also predictably, next up are again my Top11 logging lists:  Top 11 Reasons to Collect and Preserve Computer Logs and  Top 11 Reasons to Look at Your Logs (the third list, Top 11 Reasons to Secure and Protect Your Logs, was not quite that popular - I long argued that, sadly, few people care about log security yet). A new one was also added to the list: Top 11 Reasons to Analyze Your Logs.
  4. Surprisingly, my little impression from a CSO Summit (where I gave a keynote) made it to Top5: Data Theft "Russian-Style" Is your data stolen?  Bad! Is it sold for $5 by the street vendors in Moscow? Super-bad!
  5. Also surprisingly, one of my comments on a recent breach ("On Hannaford Brothers Breach and PCI") is in Top5. Newer comments are here.

See you in April!


"It Was an Insider!" = "Sorry, We Are Idiots!"

Hannaford breach the work of an insider? I think whoever made this one up was thinking like this:

We are PCI compliant, we pretend to have good security, etc ->
we suffer a huge embarrassing data loss ->
how can we still justify our past efforts as worthwhile and "effective" (even though reality just proved they were not) ->
let's invent a factor that is known to bypass many of the existing defenses ->
what is this factor? ->
Yes! Insider! It was an insider! ->
We KNOW it :-)

(Mike R doubts it too here)

Some of the stories on this get downright idiotic, like this: "

Tuesday, April 01, 2008

Top 11 Reasons to Hate Logs

You thought I am done with my Top 11 lists? Nah... here is one more, which actually is designed to bite you in the ass on a certain date. So, "Top 11 Reasons to HATE Logs ... With a Passion."

  1. Read any logs lately? Got bored in 5 minutes - or survived for the whopping 10? Congrats, you score a point! But logs are still boooooooooooooooooooooooooooooring.
  2. One log, two logs, 10 logs.... 1,000,000,000 logs: rabbits and hamsters cannot match the speed with which logs multiply. Don't you just hate that?
  3. You keep hearing people refer to "log data." Then you run 'tail /var/log/messages' and see text in pidgin English. Where is my data? Hate it!
  4. "Real hackers don't get logged": thus logs are seen as useless - and hated by some "hard core" security pros!
  5. If people lie to you, you hate it. Logs do lie too (see 'false positives') - and they are hated too.
  6. 'Transport error 202 message repeated 3456 times.' Niiiiice. Now go fix that! Fix what? Ah, hate the log obscurity!
  7. Why are there 47 different ways to log that "connection from A to B was established OK?" Or 21 ways to say "user logged in OK?" No, really? Why? Who can I kill to stop this insanity?
  8. You MUST do XYZ with logs for compliance. Or you are going to jail, buddy! No, sorry, we can't tell you what XYZ is. Maybe in 7 years; for now, just store everything.
  9. 'Critical error: process completed successfully'  and 'Operation successfully failed' engender deep and lasting hatred of logs in most people. They just do ...
  10. The book called "Ugliest Logs Ever!" is a fat tome, covering every log source from a Linux system all the way to databases and CRM. Bad logs are popular! Bad logs are all the rage among the programmers! Bad logs are here to stay. Bad logs that mean nothing power the log hatred.
  11. "Logs: can't live with them, can't live without them" :-) Hate them we might for different reasons, but we still must collect, protect, review, and analyze them ...

Happy September 1st! :-)


Dr Anton Chuvakin