Saturday, September 27, 2003

Review of Investigative Data Mining for Security and Criminal Detection Posted

Amazon.com just posted my four star review of Investigative Data Mining for Security and Criminal Detection. From the review:

"I read 'Investigative Data Mining for Security and Criminal Detection' (IDM) after attending the 2003 Recent Advances in Intrusion Detection (RAID) conference. Researchers at RAID mentioned "self-organizing maps," "neural networks," "machine learning," and other unfamiliar topics. Mena's book helped me understand these subjects in the context of performing data mining. If you steer clear of the author's discussion of intrusion detection in chapter 10, you'll find IDM enlightening and a little scary."

Data mining is a hot topic. Slashdot discussed neural networks recently, which can be used for data mining.

Tuesday, September 23, 2003

Five Years Ago Today...

Five years ago today I left the information warfare planning directorate at the Air Intelligence Agency and joined the Air Force Computer Emergency Response Team at then-Kelly Air Force Base in San Antonio, Texas. Back then we were part of the Air Force Information Warfare Center, tasked with monitoring all of the intrusion detection systems deployed inside border routers at Air Force installations. I was a new captain and had voluntarily attended some UNIX training after work hours while deployed to RAF Molesworth in late 1997.

Just yesterday I was asked how to get into the computer security field. Here's how I did it. I looked at the AFCERT's manning roster for the network security monitoring teams and put myself on the schedule. Wherever I saw an opening -- usually between 2 and 10 pm or 10 pm and 6 am -- I added my name. I sat next to people who seemed to understand the alerts they were analyzing and asked a lot of questions. Six months later I was in charge of the real-time NSM team, and a year later I was in charge of all NSM operations. I wrote my first white paper in late 1999 and spoke at my first SANS conference on 25 Mar 00. Currently I'm writing Real Digital Forensics and The Tao of Network Security Monitoring, both to be published in 2004.

What is BitTorrent?

Whenever new software appears, like the latest Knoppix (3.3 appeared yesterday), I read at Slashdot that "BitTorrent" links are available. I decided to investigate this and found myself at the BitTorrent web site. Like the pages of most developers, it's cryptic, and it's not immediately apparent how to use the software.

This Wiki page was more helpful, clueing me in to the fact that BitTorrent is a peer-to-peer file-sharing system. O'Reilly wrote about this too. I installed the BitTorrent client at degreez and tried it out with the files listed at BitTorrent Files for Slashdot Effect Victims.

I clicked on the Red Hat 9 Binary ISOs link, which points to http://f.scarywater.net/redhat9.torrent. This brought my BitTorrent client up. It prompted me for a location to save the file I would download via BitTorrent, so I selected a directory. Next, I could see the BitTorrent client work its magic.

I plan to experiment with this. I initially tried to retrieve Knoppix 3.3 via BitTorrent, but eventually downloaded it via a fast overseas mirror over HTTP. Update: Here's another example of using BitTorrent -- Slackware 9.1. Linuxtorrents provides several links. Here's a script to run bittorrent in the background on UNIX. There's a great FAQ.

Try Tenable Security's NeVO before 30 Sep 03!

I downloaded the demo version of Tenable Security's NeVO today. I was unable to get it to work on Red Hat Linux 7.3 but I did install it successfully on FreeBSD 4.8 RELEASE. NeVO is a passive vulnerability scanner. It sits and watches your network for services and protocols which could be exploited by an intruder. It doesn't actively check for vulnerabilities like an assessment product might do. This is similar to Sourcefire's RNA or "Real-time Network Awareness" concept.

Below is an example of NeVO's output. It's in the .nsr format produced by the active vulnerability assessment tool Nessus, written by Tenable employee Renaud Deraison. For example:

10.1.1.1|27201/tcp|8518|INFO|The remote host is using a version of Portable OpenSSH which may allow an attacker to determine if an account exists or not by a timing analysis.;Solution : Upgrade to OpenSSH-portable 3.6.1p2 or newer;CVE : CAN-2003-0190
10.1.1.1|27201/tcp|8501|INFO|The remote host is running a SSH server :;SSH-2.0-OpenSSH_3.5p1
10.1.1.1|27201/tcp|8528|REPORT|The remote host is running a version of OpenSSH which is vulnerable to a flaw in the buffer handling functions which may possibly leading to command execution.;Solution : Upgrade to OpenSSH 3.7 or newer
10.1.1.2|443/tcp|
10.2.0.3|161/udp|4582|INFO|The remote host is running an SNMPv1 agent. Having such an agent open to outside access may be used to compromise sensitive information. Certain SNMP agents may be vulnerable to root compromise attacks.
10.2.0.3|161/udp|4500|INFO|The remote host is running an SNMPv1 server that uses a well-known community string - public;Solution : This signature was obtained through direct sniffing of the network, so if possible, migrating systems to SNMP v3 would be more secure. For non-local attacks though, your community string is easily guessed and should be changed to something more random.
10.2.0.123|0/tcp|1|INFO|The remote host OS could not be recognized. Its fingerprint is : 64437:255:1371:1:0:1:1:48
10.2.0.123|0/tcp|8502|INFO|The remote host is running a SSH client: SSH-2.0-PuTTY-Release-0.53b

Notice how NeVO detected SSH running on a port other than 22 TCP -- in this case, 27201 TCP. Service identification on non-standard ports is something I've been interested in finding. (For active service identification on non-standard ports, try AMAP.) NeVO data can be imported into Nessus for easier reading, or imported into a spreadsheet.
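As an added example (not Tenable's or Nessus's code), here is a small parser for records in the layout shown above: host|port/proto|plugin_id|severity|text, with the text field carrying the description, a "Solution : ..." clause and a "CVE : ..." clause separated by semicolons. Once the records are structured, the "SSH on a port other than 22" observation becomes a query rather than something to spot by eye, and the truncated record in the sample is surfaced instead of silently dropped. The expected-port table and the banner patterns are my assumptions; the sample data is constructed from the output above.

```python
"""Parse NeVO/Nessus-style .nsr records and flag services on non-standard ports.

Added example, not Tenable's or Nessus's code. It assumes the field layout
visible in the sample output above: host|port/proto|plugin_id|severity|text,
where the text field packs the description, "Solution : ..." and "CVE : ..."
separated by semicolons. Truncated records are reported, not silently dropped.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the NeVO output above; the truncated fourth
# line is kept deliberately to exercise the malformed-record path.
SAMPLE_NSR = """\
10.1.1.1|27201/tcp|8518|INFO|The remote host is using a version of Portable OpenSSH which may allow an attacker to determine if an account exists or not by a timing analysis.;Solution : Upgrade to OpenSSH-portable 3.6.1p2 or newer;CVE : CAN-2003-0190
10.1.1.1|27201/tcp|8501|INFO|The remote host is running a SSH server :;SSH-2.0-OpenSSH_3.5p1
10.1.1.1|27201/tcp|8528|REPORT|The remote host is running a version of OpenSSH which is vulnerable to a flaw in the buffer handling functions;Solution : Upgrade to OpenSSH 3.7 or newer
10.1.1.2|443/tcp|
10.2.0.3|161/udp|4500|INFO|The remote host is running an SNMPv1 server that uses a well-known community string - public;Solution : Migrate to SNMP v3 where possible
10.2.0.123|0/tcp|8502|INFO|The remote host is running a SSH client: SSH-2.0-PuTTY-Release-0.53b
"""

# Registered ports for the services we recognise from banner text (assumption).
EXPECTED_PORTS = {"ssh": 22, "snmp": 161}

# Banner phrases identifying a *server*; client observations (which NeVO
# reports against port 0) do not match these and are left alone.
SERVICE_PATTERNS = [
    ("ssh", re.compile(r"\bSSH server\b", re.I)),
    ("snmp", re.compile(r"\bSNMPv\d (agent|server)\b", re.I)),
]

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)$")


@dataclass
class NsrRecord:
    host: str
    port: int
    proto: str
    plugin_id: int
    severity: str
    description: str
    solution: Optional[str]
    cve: Optional[str]


def parse_nsr_line(line: str) -> NsrRecord:
    """Parse one record; raise ValueError for anything not matching the layout."""
    parts = line.split("|", 4)  # the free-text field may itself contain '|'
    if len(parts) < 5:
        raise ValueError(f"truncated record: {line!r}")
    host, portspec, plugin, severity, text = parts
    m = PORT_RE.match(portspec)
    if not m or not plugin.isdigit():
        raise ValueError(f"bad port or plugin id: {line!r}")
    description, solution, cve = [], None, None
    for chunk in text.split(";"):
        chunk = chunk.strip()
        if chunk.startswith("Solution :"):
            solution = chunk[len("Solution :"):].strip()
        elif chunk.startswith("CVE :"):
            cve = chunk[len("CVE :"):].strip()
        elif chunk:
            description.append(chunk)
    return NsrRecord(host, int(m.group(1)), m.group(2), int(plugin), severity,
                     "; ".join(description), solution, cve)


def parse_nsr(text: str) -> Tuple[List[NsrRecord], List[str]]:
    """Return (parsed records, raw lines that could not be parsed)."""
    records, malformed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            records.append(parse_nsr_line(line))
        except ValueError:
            malformed.append(line)
    return records, malformed


def identify_service(rec: NsrRecord) -> Optional[str]:
    for name, pattern in SERVICE_PATTERNS:
        if pattern.search(rec.description):
            return name
    return None


def nonstandard_port_services(records) -> List[Tuple[str, int, str, str]]:
    """Servers whose banner names a protocol but whose port is not the registered one."""
    seen: Dict[Tuple[str, int, str], str] = {}
    for rec in records:
        service = identify_service(rec)
        if service and rec.port != 0 and rec.port != EXPECTED_PORTS[service]:
            seen[(rec.host, rec.port, rec.proto)] = service
    return sorted((h, p, pr, s) for (h, p, pr), s in seen.items())


def actionable_findings(records) -> List[NsrRecord]:
    """Records worth a ticket: severity REPORT, or anything carrying a CVE id."""
    return [r for r in records if r.severity == "REPORT" or r.cve is not None]


if __name__ == "__main__":
    recs, bad = parse_nsr(SAMPLE_NSR)
    for host, port, proto, svc in nonstandard_port_services(recs):
        print(f"{svc} on {host}:{port}/{proto} (expected {EXPECTED_PORTS[svc]})")
    for r in actionable_findings(recs):
        print(f"{r.host}:{r.port}/{r.proto} plugin {r.plugin_id} cve={r.cve} fix={r.solution}")
    print(f"{len(bad)} malformed record(s) skipped: {bad}")
```

Run against the constructed sample, the only non-standard-port hit is the SSH server on 10.1.1.1:27201/tcp; the PuTTY client record on port 0 is ignored, and the truncated `10.1.1.2|443/tcp|` line is returned in the malformed list so an analyst knows the feed was incomplete.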

This is a great idea. At the very least it could be used to supplement active vulnerability assessment products. Sometimes active VA crashes hosts with weak TCP/IP stacks or other vulnerable services. Passive VA works by observing parties access those stacks or services. It's a great way to collect security data in sensitive environments where no one trusts active VA products. I would argue that hosts should be robust enough to withstand scanning, but it helps to have another option available. This demo version of NeVO expires 1 Oct 03.

Monday, September 22, 2003

Cell Phone Spam

Some overzealous activist for legalizing marijuana sent a spam text message to my cell phone last week. Someone named "Alison", claiming to be from the ACLU, sent a URL to an advocacy site. I won't publish the URL to deny her the publicity she seeks. The phone number from which the spam was allegedly sent shared the same area code and first three digits.

Suggestion for Patching Windows Dial-Up Users

Larry Seltzer makes a great recommendation for Microsoft to assist its Windows dial-up users:

"One way to make things easier for dial-up users, and even broadband users in many cases, would be to issue periodic update CDs. Imagine a disc with all of the updates on it and a program, it could even be written in Windows Script Host, to check a system for which updates need to be installed, apply them in the correct order and even reboot in between. Such a program would not be hard to write.

Microsoft could charge a trivial amount for the discs but it would be better just to give them away and encourage users to pass the discs around when they were done. At that point you'd still need to check Windows Update for recent additions, but it's unlikely you'd have an unbearably long download time...

I recently put this suggestion to Microsoft and their response basically avoided the whole issue. Why wouldn't the company want to offer such a CD, assuming that's the motivation behind their stonewalling?"

"Snort not backdoored, Sourcefire not compromised"

I'm not going to cite the source of the rumors which prompted this story, since I don't want to give publicity to those seeking it for its own sake. Rather, I thought it important to post in its entirety a recent message Marty Roesch of Sourcefire sent to the snort-users mailing list. By the way, sign up for one of Marty's seminars, coming to a city near you. I'll see him in DC on 7 Oct. Now for Marty's post:

Date: Sun, 21 Sep 2003 20:44:11 -0400
From: Martin Roesch
To: full-disclosure@xxxxxxxxxxxxxxxx
Subject: [Snort-users] Snort not backdoored, Sourcefire not compromised

--------------------------------------------------------------------------------

It's come to my attention that some group is claiming to have broken into a Sourcefire server and backdoored the Snort source code. First things first: there is no backdoor in Snort, nor has there ever been. Everyone can relax.

A shell server got compromised well over a year ago, but what these guys aren't telling you is that the network that it was on was not only logically separate from the rest of the sourcefire.com domain, it was also physically removed from it too (by about 23 miles, approximately the distance from the Sourcefire office to my basement). Yes, that's right, they busted into a shell server that was maintained on a physically separate network in my basement. That particular machine was maintained as a shell server for various people to log into so that we can have a sacrificial box to use to chat on IRC without having to worry about our real network getting compromised, and it has served its purpose well.

While we do try to keep that system from suffering break-ins, we also realize that many IRC clients aren't exactly the most secure pieces of code in the world and sometimes there are problems in server code as well (like apache and sshd), so we put together servers like that one so that we can interact with people while minimizing the risks to the company's networks and servers. I thought this was fairly standard practice for many security companies, maybe I'm wrong.

If you're wondering "how do you know the code isn't backdoored?", since we know that that server is an "at risk" server we're not in the habit of checking code into CVS from there. If that's not good enough for you, Snort has been through three code audits since March (one Sourcefire internal, two third-party external) and there are most definitively no backdoors in the code, nor were there any.

Hope that clears things up.

BTW, the sample code that they put into their little screed was nothing more than an update of the 'stick' program from 2001, not really anything to get worked up about.

-Marty


--
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Enterprise-class Intrusion detection built on Snort
roesch@sourcefire.com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

Thursday, September 18, 2003

Reviews of TCP/IP Analysis and Troubleshooting Toolkit, Real 802.11 Security, and Network Performance Toolkit Posted

Amazon.com recently posted three new reviews. From the four star review of TCP/IP Analysis and Troubleshooting Toolkit, whose author provides videos of trace analysis:

"As a network security monitoring analyst, I like to read network troubleshooting books. They help me understand protocols I see on the wire, usually using case studies that are far more exciting than reading dry Request For Comment (RFC) documents. "TCP/IP Analysis and Troubleshooting Toolkit" (TAATT) isn't a "tool" book like Wiley's "Network Performance Open Source Toolkit." Rather, TAATT tries to explain the operations of many popular protocols. It does a fairly good job, and deserves a look."

From the five star review of Real 802.11 Security: Wi-Fi Protected Access and 802.11i:

"I was somewhat hesitant to read "Real 802.11 Security" (R8S) as it seemed to offer too much theory and background on wireless security. I prefer "getting to the point" and telling me what works and what doesn't. R8S changed my mind. The book's lively style helped me survive fairly heavy discussion of cryptography and implementation of security protocols. The authors' remarkable clarity and insights reminded me of Ross Anderson's "Security Engineering," a book I respect highly. I finished R8S with a better idea of the future of wireless security and how to secure existing wireless deployments."

You can visit the authors' university site here.

From the five star review of Network Performance Toolkit: Using Open Source Testing Tools:

"I don't have a lot to say about "Network Performance Open Source Toolkit" (NPOST), other than I think it's excellent. We need more tool-oriented books to teach admins how to do real work on their networks. NPOST delivers chapter after chapter of practical, hands-on material applicable to the networking shop in any organization."

If you're wondering why I don't post more negative reviews these days, remember that I almost exclusively limit myself to books appearing on my reading list. If I post a negative review, it's because a book to which I dedicated time ended up burning me!

Tuesday, September 16, 2003

Project to Customize Windows

We need more projects like XPlite. This is a system to "modularize" Windows components to facilitate their removal and reinstallation, if necessary. Windows would be much easier to secure if we could install the absolute minimum number of packages to support our applications. This is why I like the FreeBSD ports system. I install a base FreeBSD OS, and load the ports tree. Within the ports tree, I add whatever I need, and the ports system only adds what's necessary to support that application. Brilliant? Perhaps -- but that's FreeBSD, and also a few Linux variants (Debian and Gentoo). :)

Verisign -- "The Value of Trust"?

I can't believe the stunt Verisign is pulling now. The screen shot says it all. Essentially, all nonexistent domain names are resolving to 64.94.110.11, which itself resolves to sitefinder-idn.verisign.com. I learned about this issue through the NANOG (North American Network Operators Group), Slashdot, this article, and Verisign's "notification". The talk I've seen involves sitefinder.verisign.com, but that resolves to 12.158.80.10 for me. I even queried an authoritative domain name server for 64.94.110.11 (ns1.pnap.net, which handles the 94.64.in-addr.arpa domain). Some have said ISPs are already null-routing 64.94.110.11.

I think this post makes a good case for review of Verisign's actions. This is not how an administrator for the two most important generic top level domains should act!
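A quick way for an operator to confirm what the post describes, written here as an added example (not from the post, NANOG or Verisign): resolve a few random labels that cannot plausibly be registered under a TLD. If they do not resolve, the zone behaves normally; if they resolve at all, the zone carries a wildcard; and if every answer is the 64.94.110.11 address named above, the check reports that specific sinkhole. The resolver is a parameter so the logic can be exercised offline, and the last function shows the filtering step a local resolver can apply, which is the same idea as the null-routing the post mentions.

```python
"""Check whether a TLD answers nonexistent names with a catch-all (wildcard) record.

Added example, not from the original post, NANOG or Verisign. It probes a few
random labels that cannot plausibly be registered; if they resolve at all the
zone has a wildcard, and if they all land on a known redirect address (the
64.94.110.11 from the post) the result is reported as that sinkhole. The
resolver is injected so the logic can run offline in tests.
"""
import secrets
import socket
from typing import Callable, Iterable, Optional

# Address the post observed for every nonexistent .com name.
SITEFINDER_ADDR = "64.94.110.11"

Resolver = Callable[[str], Optional[str]]


def system_resolver(name: str) -> Optional[str]:
    """A record for name via the OS resolver, or None when the lookup fails (NXDOMAIN etc.)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def random_probe_name(tld: str) -> str:
    """A label of 24 random hex characters under the TLD; a real registration is implausible."""
    return f"{secrets.token_hex(12)}.{tld}"


def classify_tld(tld: str, resolver: Resolver = system_resolver,
                 sinkholes: Iterable[str] = (SITEFINDER_ADDR,), probes: int = 3) -> str:
    """Return 'nxdomain' (normal), 'sinkhole' (all probes hit a known redirect) or 'wildcard'."""
    answers = {resolver(random_probe_name(tld)) for _ in range(probes)}
    answers.discard(None)
    if not answers:
        return "nxdomain"
    if answers <= set(sinkholes):
        return "sinkhole"
    return "wildcard"  # names resolve, but not (only) to a known redirect address


def filter_sinkhole_answer(answer: Optional[str],
                           sinkholes: Iterable[str] = (SITEFINDER_ADDR,)) -> Optional[str]:
    """What a local resolver can hand back to clients: treat a redirect address as NXDOMAIN."""
    return None if answer in set(sinkholes) else answer


if __name__ == "__main__":
    # Live check against the system resolver; results depend on the zones at run time.
    for tld in ("com", "net", "org"):
        print(tld, classify_tld(tld))
```

The probes deliberately use long random labels rather than a fixed "doesnotexist" name, because a fixed name can be registered by someone after the fact and turn a wildcard check into a false positive.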

Thoughts on OpenSSH Vulnerability

If you've read this blog for a while you'll notice I try not to regurgitate the day's headlines. If my brain is my RAM, this blog is my hard drive -- a place I'd like to keep stories archived. So, rather than restate the OpenSSH issues (it doesn't take much, does it?), I'd like to record this thought. How should organizations posture themselves against threats to core infrastructure? Since OpenSSH is the recommended means to administer all sorts of devices, its importance approaches that of BGP, DNS, and similar services.

We're familiar with the plan -> prevent -> detect -> respond model. We form and practice plans and policies to guide our organizations. We prevent exploitation of vulnerabilities with security strategies like defense-in-depth, access control, least privilege, segmentation, and vulnerability management via proactive assessment and patching. We should perform detection via network security monitoring -- collecting, validating, and escalating event, session, full content, and statistical data. We respond to policy violations and intrusions (unlawful, unacceptable, or unauthorized use of our resources) via containment and mitigation. Is there anything else we can do when a threat to core infrastructure like OpenSSH arises?

Where possible, I think it would be helpful to have redundant systems to perform those critical services. Note that redundant does not mean "identical." Why have an extra Microsoft IIS server ready to replace the one just hacked by an intruder? It's much better to have an Apache server ready to go. (I'd argue it's better to have Apache be the primary and another solution as the back-up.) For DNS, pair BIND and djbdns. For email, run sendmail and postfix.

Where does this leave OpenSSH? Well, today I tried lsh. I had no problem installing it since it lives in the FreeBSD ports tree. While lsh may not be as well-scrutinized or tested as OpenSSH, it's not the vulnerable OpenSSH service waiting to be exploited. How could this be used in a production environment?

  1. You suspect OpenSSH may be vulnerable. You're running OpenSSH on port 22 TCP (a bad idea in my book -- why not run it somewhere else?) and the lsh daemon on port 222 TCP. Port 222 isn't allowed remotely, while 22 is.

  2. You make two quick changes to your firewall rules: Disable port 22 TCP inbound and allow port 222 TCP inbound. This quickly removes outsider access to vulnerable services.

  3. You administer critical systems using lsh (which can be accessed using standard OpenSSH clients) and patch cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 vulnerable OpenSSH services.

  4. Once done, disable port 222 TCP access and reinstate port 22 TCP.

The same approach could apply to other services, with modifications. This can be implemented on the client side too. Replace Internet Explorer (30+ unpatched holes and counting) with Mozilla Firebird.

When I was a Boy Scout, my Scoutmaster always asked one question whenever I planned a camping trip or hike: "What's plan B?" Not having alternatives was unacceptable. The security community has got to start devising plan Bs, because people rely on our services and expect them to work.

Monday, September 15, 2003

Good Samaritan Saves Bank's Behind

A good Samaritan who buys computers from eBay saved the Bank of Montreal's behind. According to this story:

"Geoff Ellis, a 26-year-old masters student living in North York, purchased the computers last week from Ecosys Canada Inc., a computer asset-management firm in Mississauga. He paid $400 each for two powerful IBM Netfinity servers that would have cost about $5,000 new.

Ellis buys, fixes up and then resells used computer equipment on eBay.com. He had posted the two machines on the popular online auction site for six hours before he noticed, after turning one of them on, that it contained an operating system that let him access file folders from the bank without needing a password.

He immediately removed the items from the Web site, he said."

I bought a handful of servers from eBay a couple months ago. I have since installed new operating systems on each one, but maybe I should have checked to see what was left behind by the previous owners? Market pressure won't change an organization's behavior when it comes to disposing of computers, but perhaps regulation and inspection would make a difference.

RAID News Posted

Scroll a few pages down and you'll see I posted my thoughts on last week's RAID conference in Pittsburgh. Enjoy!

Sunday, September 14, 2003

Installing a Free X Server on Windows XP

I needed to export X sessions to my Windows XP laptop, so I turned to Cygwin/XFree86. In less than 10 minutes I had an xterm from a FreeBSD machine appear on my Windows XP desktop. Here's how I did it.

  1. Download and execute Cygwin setup. The Cygwin/XFree86 User's Guide gives plenty of hand-holding if you need it. I selected all of the XFree86 packages plus OpenSSH. You'll see why OpenSSH was included shortly.

  2. Once Cygwin has finished installing, start a Cygwin shell, typically via 'C:\cygwin\cygwin.bat'.

  3. Within the Cygwin shell, start the X server via 'sh /usr/X11R6/bin/startxwin.sh' as shown below. You'll see an xterm appear.

  4. Within the xterm, allow the remote host to connect via X by executing '/usr/X11R6/bin/xhost 10.1.1.1', where 10.1.1.1 is the IP address of the remote host.

  5. Now use SSH to connect to the remote UNIX system. For example, 'ssh -l username -X 10.1.1.1'. Using the '-X' switch enables X forwarding, if it's not already specified in the SSH configuration file.

  6. Once connected to the remote UNIX system, send back an xterm by simply executing 'xterm'.

I also sent 'xeyes' back to my system to show the sorts of graphical information that can be transmitted. It's as simple as that! All of the X traffic is sent via the encrypted SSH link, so you don't have to worry about exposing that information to the Internet.

If you're wondering how to upgrade the Cygwin packages already installed, this thread makes it clear that you only need to rerun the Cygwin setup.exe program.

Thursday, September 11, 2003

Happenings at TruSecure

This Register story gave details on a good virus prevalence report (available in their whitepaper library). It describes TruSecure's assessments of important viruses of the past few years. I also saw Marcus Ranum wrote a paper on false positives while he was an "independent consultant." I then read this press release saying TruSecure hired Marcus as "Senior Scientist" on 19 Aug. Good luck Marcus!

Way to Go Mike Fratto

Congratulations to Mike Fratto of Network Computing magazine for speaking the truth about the intrusion detection vs. intrusion prevention debate in two articles. First, from Inside NIP Hype ("NIP" meaning "Network Intrusion Prevention"):

"NIP is not a replacement for firewalls and won't be in the foreseeable future. Why? The fundamental problem is false positives -- the potential to block legitimate traffic. Before you can prevent attacks, you have to detect them, but NIP systems rely on intrusion detection, which is hardly an exact science. A properly configured firewall will allow in only the traffic you want, and you can bet the farm on that. We need to feel this same confidence in IDSs before we can believe in NIP systems, but IDS vendors have employed lots of talented brain cells trying to raise detection accuracy, and they're nowhere close to 100 percent." (emphasis added)


Exactly! How is a firewall doing intrusion detection any better than a non-firewall doing intrusion detection?


Mike continues to raise the clue bar with these insights from NIP Attacks in the Bud:


"Network Associates doesn't let users see what constitutes a signature. When we asked about this, the company said it didn't want to help people develop evasion techniques. The Exploit Alert Detail dialog on the Alert Viewer reveals text matches for a given alert, but that one match could be a subset of all possible matches.

Given time, we could have puzzled out most of the signatures via exhaustive searches, so we think Network Associates is just being difficult. In comparison, NetScreen opens signatures for review and editing--an approach we prefer.

The lack of signature information quickly became frustrating, and it complicated troubleshooting when a match was based on a protocol anomaly because there wasn't enough information to know why a match occurred. We had to send packet traces to Network Associates to determine why an SNMP packet was being detected as a NetBIOS issue. It took a few days, but the company resolved the problem and provided an update to the signatures. Signature updates are automated, but you need to buy a support contract to get them." (emphasis added)


This is exactly the problem with many commercial IDS tools. If an analyst can't independently assess why the IDS generated an alert, she will not trust it and will disregard its warnings. Unfortunately, NWC still gave the NAI product its recommendation.
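Here is what the transparency Mike asked for looks like in practice, as an added example written for this post; it is not code from the original post, from Network Computing, or from any of the vendors named above. The Snort-like rule syntax is a subset chosen for the illustration, and the packets and the four-byte signature are constructed (the SNMP payload is hand-built, not a validated encoding). A content-only rule fires on an SNMP packet that happens to carry the same bytes; the port-constrained version of the same rule does not, and the verdict shows which clause decided it, so the analyst can diagnose the false positive herself instead of shipping packet traces to the vendor:

```python
"""
Transparent signature matching: every verdict carries the rule text, each
clause's outcome, and the offset and bytes of the content match.
Added illustration, not Snort or vendor code; rule syntax is a Snort-like
subset, packets and the "NetBIOS" signature bytes are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "udp" or "tcp"
    src_port: int
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    content: bytes                               # bytes that must occur in the payload
    proto: Optional[str] = None                  # None: any protocol
    dst_ports: Optional[FrozenSet[int]] = None   # None: any destination port

    def text(self) -> str:
        """Render the rule in a Snort-like form, the way an open signature is shown."""
        proto = self.proto or "ip"
        ports = "any" if self.dst_ports is None else ",".join(str(p) for p in sorted(self.dst_ports))
        return (f'alert {proto} any any -> any {ports} '
                f'(msg:"{self.msg}"; content:"|{self.content.hex(" ")}|"; sid:{self.sid};)')


@dataclass(frozen=True)
class Verdict:
    sid: int
    fired: bool
    rule_text: str
    clauses: Tuple[Tuple[str, bool], ...]   # (clause name, passed) in evaluation order
    offset: int                             # payload offset of the content match, -1 if none
    matched: bytes                          # bytes that matched, b"" if none


def evaluate(rule: Rule, pkt: Packet) -> Verdict:
    """Evaluate every clause (no short-circuit) so the verdict shows which one failed."""
    clauses = []
    if rule.proto is not None:
        clauses.append(("proto", pkt.proto == rule.proto))
    if rule.dst_ports is not None:
        clauses.append(("dst_port", pkt.dst_port in rule.dst_ports))
    offset = pkt.payload.find(rule.content)
    clauses.append(("content", offset >= 0))
    fired = all(ok for _, ok in clauses)
    return Verdict(rule.sid, fired, rule.text(), tuple(clauses), offset,
                   rule.content if offset >= 0 else b"")


def explain(v: Verdict, pkt: Packet) -> str:
    """Alert detail an analyst can check: the rule, each clause, the matched bytes in context."""
    lines = [f"sid {v.sid}: {'ALERT' if v.fired else 'no alert'} on {pkt.proto}/{pkt.dst_port}",
             f"  rule: {v.rule_text}"]
    for name, ok in v.clauses:
        lines.append(f"  {name:<9}{'pass' if ok else 'FAIL'}")
    if v.offset >= 0:
        lo, hi = max(0, v.offset - 4), v.offset + len(v.matched) + 4
        lines.append(f"  content matched at offset {v.offset}: "
                     f"{pkt.payload[lo:hi].hex(' ')} (match = {v.matched.hex(' ')})")
    return "\n".join(lines)


# Constructed traffic: a NetBIOS name query to udp/137, and an SNMP GetRequest to
# udp/161 whose hand-built payload happens to contain the same four bytes.
NBNS_QUERY = (b"\x8b\x2c" + b"\x01\x10\x00\x01\x00\x00\x00\x00\x00\x00"
              + b"\x20" + b"CK" + b"A" * 30 + b"\x00\x00\x20\x00\x01")
SNMP_GET = (b"\x30\x1b\x02\x01\x00\x04\x06public\xa0\x0e\x02\x04"
            + b"\x01\x10\x00\x01" + b"\x02\x01\x00\x02\x01\x00\x30\x00")
PACKETS: Dict[str, Packet] = {
    "netbios_query": Packet("udp", 137, 137, NBNS_QUERY),
    "snmp_get": Packet("udp", 50123, 161, SNMP_GET),
}

# Two versions of the same hypothetical signature: content only, and content
# constrained to the NetBIOS ports.
RULES = [
    Rule(1000001, "NetBIOS name query (content only)", b"\x01\x10\x00\x01"),
    Rule(1000002, "NetBIOS name query (port-constrained)", b"\x01\x10\x00\x01",
         proto="udp", dst_ports=frozenset({137, 138, 139, 445})),
]


def run_demo() -> Dict[Tuple[int, str], Verdict]:
    """Evaluate every rule against every packet; keyed by (sid, packet name)."""
    return {(rule.sid, name): evaluate(rule, pkt)
            for name, pkt in PACKETS.items() for rule in RULES}


if __name__ == "__main__":
    for (sid, name), verdict in run_demo().items():
        print(f"[{name}]")
        print(explain(verdict, PACKETS[name]))
```

Running it prints, for each packet and rule, the rule text and a pass/FAIL line per clause; the SNMP packet under the port-constrained rule shows `dst_port FAIL` with the content match still reported at its offset, which is exactly the information NWC had to wait days for.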


Incidentally, if you read the article in paper or .pdf, check out Mike's new hair-do. Holy flowing mane, Batman! I wish I could manage that. :)

Wednesday, September 10, 2003

RAID Conference Concludes

Today I drove home from the 6th annual Recent Advances in Intrusion Detection (RAID) conference held at Carnegie Mellon University. The picture at left shows the nearby University of Pittsburgh's magnificent Cathedral of Learning, which is just about the coolest name for a building I can imagine. (It reminds me of Kwai Chang Caine's answer to a question on what he does: "I work, eat, learn.")


This was my first RAID conference, and I took several pages of notes on what IDS researchers are doing. The conference began with a presentation by Richard Clarke. Some of his more interesting points included:


  • He confirmed US DoD networks have indeed suffered worms and/or viruses on "classified networks." He also stated "one ugly fact... every network I know of has been penetrated -- recently and regularly," with the exceptions being one or two classified government networks. However, he "[hasn't] seen cyberterrorism yet," although he has seen "nation states doing reconnaissance" against each other and thinks the recent DNS attacks may have been nation state activities. I asked him about structured threats like organized crime, and Clarke replied he's more worried about nation states performing targeted attacks.

  • He claimed the northeast blackout, which seems to have started in Ohio, was "remarkably similar" to tests done by DoD red teams. Ohio power workers claim their displays reported normal status while the system failed. DoD red teams take similar approaches. A cybersecurity taskforce is now part of the blackout investigation. Two days before the blackout, power companies (through the North American Electric Reliability Council (NERC)) adopted new security guidelines. Others are issuing warnings.

  • Clarke believes if the US Congress or EU tries to legislate security, "it won't work." Government will destroy the Internet if it tries to take it over to protect "critical infrastructure." His reference to Terminator 3 was apt: "People need machines. People take critical infrastructure for granted until it fails. Machines fail when subjected to malicious code."

  • Answering a question on poor code, he said "why is their software so shitty... because they can" [sell lousy software]. He believes big companies should band together to create a software assurance standard along the lines of the Underwriters Laboratory. He recommends the creation of a "patch management center" which offers testing of new patches to prevent redundant testing on vanilla systems throughout industry. Clarke is researching security standards for the Business Roundtable and has found 27 thus far -- too many!

  • Clarke shared stories about ELIGIBLE RECEIVER, an exercise in 1997 to test information infrastructure, particularly in the Pentagon. Although the exercise was scheduled for a week, Clarke claimed that by Tuesday the National Military Command Center was compromised and the exercise was stopped early on Wednesday. As a consequence, then US Deputy Secretary of Defense John Hamre told every military service to deploy intrusion detection systems (IDS), which was one of the reasons we saw a huge surge in sensor installations in the AFCERT around that time.

  • Whereas the problem with IDS used to be not enough data on intrusions, now the mindset involves "dumping alerts into databases." In 2002 Clarke said the Internal Revenue Service and Veterans Administration decided to pool their IDS data and mine it for trends.

  • Clarke named three IDS weaknesses: (1) insiders, who according to an upcoming Secret Service survey are causing a "vast number" of American companies to lose money; (2) virtual private networks, which provided a vector for a "business-to-business" customer of Bank of America to infect it with the Slammer worm; and (3) wireless, where IDS coverage is lacking.

  • He's counted 127 companies which sell IDS products, with lots of venture capital still available for security. Unfortunately, CIOs think the IDS vs. Intrusion Prevention System (IPS) debate is "silly." Furthermore, CIOs are questioning their security spending, saying "no matter what I do, I'm still owned." Why spend more money if nothing works? Clarke believes the future lies with "self-healing networks" which function regardless of compromise.



Richard Stiennon of Gartner, formerly a consultant at PriceWaterhouseCoopers, spoke as well. He was a nice enough guy but I don't think his arguments hold water, and I wasn't impressed to hear that he disabled his own laptop by installing a spyware cleaner! Here are some of his main points, either printed on his slides or spoken:


  • "Gateways and firewalls are finally plugging the holes... we are winning the arms race with hackers... the IDS is at the end of life." He "recommends delaying large investments in IDS and event management, piloting application defense and network IPS products, and locking down access control."

  • His vision of "defense in depth" includes: firewalls -> vulnerability assessment or management -> network intrusion prevention (separate from the firewall) -> host intrusion prevention -> antivirus -> security management. This vision is based on conclusions gained from "talking to users," since he doesn't have a product test lab!

  • A "deep packet (or stream) inspection firewall assembles (normalizes) packets and inspects them for compliance with a set of rules." "Rule classes" could include "attack signature, protocol anomaly, behavior, antivirus, or custom content inspection."

  • Stiennon claimed that IDS offers "mountains of data, hours of labor, heaps of alerts, false positives [and] IR nightmares," while the "security nirvana" of IPS will "drop protocol attacks, block known attacks, [and spend] less time tracking down what happened."

  • He named Cisco (who bought Okena), ISS, Enterasys, NFR, Symantec, Intrusion, Tripwire, Lancope, and Arbor Networks within the IDS market, and Tipping Point, NetScreen (via purchasing OneSecure), and Network Associates (via purchasing Intruvert and Entercept) as IPS vendors. He noted Tipping Point complained to Gartner it wasn't "getting its message out," and I found that the company declined (.pdf) an award nomination in the IDS category from Network Computing Magazine. That's staying on message!

  • Beyond IDS and IPS, Stiennon offered interesting insights into the strengths of content switching vendors F5, Radware, Cisco, and Blue Coat, which already does content inspection. The other vendors only need to add more security content inspection to their products to cause headaches for more traditional security vendors. On the application defense side, Stiennon mentioned Netcontinuum, Teros, Sanctum, KaVaDo, Ingrian, and Array Networks.

  • Vendors offering security event management products include GuardedNet, ArcSight, E-Security, Intellitactics, and NetForensics, the most inaptly named security company I know.

  • I asked him where the "magic" comes from that makes modern firewalls perform the intrusion detection functions he says are failing. His answer was not satisfactory. Earlier he talked of Checkpoint adding INSPECT code for Snort signatures into the firewall's kernel.



Once the invited guests were done, the conference turned to papers. Some of the researchers I met were unhappy that many of the papers weren't "science" or "research," but "engineering" and "applied research." They preferred to see papers with little or no practical application. This was a new concept to me. Apparently the downturn in the tech economy has left most commercial research labs, particularly IBM Research, doing less "pure research" and more "solutions to problems."


  • One of the most interesting talks was by Philip Chan of Florida Institute of Technology, titled "An Analysis of the 1999 DARPA/Lincoln Laboratory Evaluation Data for Network Anomaly Detection" (.pdf). He criticized the 1999 DARPA Intrusion Detection Evaluation Data Set. Apparently getting access to data to run through their algorithms and code is a huge problem. Dr. Chan analyzed the popular IDEVAL data to show its weaknesses and proposed some solutions.

  • Vern Paxson participated in a panel discussion on worm/virus propagation and asked "doesn't anyone read the literature?" In other words, why isn't malicious code worse? He mentioned permutation scanning, flash worms, metaserver worms, topological worms, and contagion worms as subjects for worry. He wondered if botnets were built because spammers pay for them, and pointed to a paper to be published at Worm 2003 called "Access for Sale" by S. Schecter and M. Smith.

  • Arno Wagner of the DDoSVaX project spoke about using NetFlow records for analyzing malicious code. (Incidentally, I finally found an open source NetFlow collector in the FreeBSD net ports tree -- fprobe! I've tried it with EHNT (also in the tree) and will fire up flow-tools next.)

  • The presenter of "Characterizing the Performance of Network Intrusion Detection Sensors" (.pdf) was absolutely hammered by the attendees. He was attacked for his methodology and results, particularly that the NICs he used to test Snort performance may have been the real bottleneck. Since he used a TAP to collect data, I asked if he combined streams. He said he ran Snort against only one output. Since most real-world deployments care about both sides of the conversation, his choice wasn't realistic.

  • The paper "Using Decision Trees to Improve Signature-based Intrusion Detection" (.ps) introduced me to Snort NG, which claims better performance than Snort 2.0 using the Snort 1.x code as a base.

  • After the talks I spoke with Brian Hernacki of Symantec, who told me about ManHunt's ability to work with a switch to change the SPAN port it monitors. This idea of sampling traffic is a great one.
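One thing flow records are good for, and the kind of analysis the DDoSVaX talk was about, is spotting a sweep without any payload at all. The following is an added example written for this post, not DDoSVaX, fprobe or flow-tools code; the CSV layout is assumed rather than fprobe's or flow-tools' own export format, and every flow record in it is constructed. It groups flows by (source, protocol, destination port) and flags sources that touch many distinct hosts with one- or two-packet flows, the shape a scanning worm leaves behind in NetFlow:

```python
"""
Flow-based sweep detection over NetFlow-style records.
Added illustration for this post, not DDoSVaX/fprobe/flow-tools code.
The CSV layout is assumed (not any tool's real export format) and all
records below are constructed.
"""
import csv
from collections import defaultdict
from dataclasses import dataclass
from io import StringIO
from typing import Dict, Iterable, List

# Constructed baseline: web browsing, one SMTP session, one DNS lookup and its reply.
NORMAL_FLOWS = """\
start,srcaddr,dstaddr,proto,srcport,dstport,packets,octets
1063210000,10.0.7.3,198.51.100.20,6,49152,80,42,31870
1063210003,10.0.7.3,198.51.100.21,6,49153,80,17,9042
1063210005,10.0.7.3,198.51.100.20,6,49154,80,55,60211
1063210010,10.0.7.3,203.0.113.8,6,49155,443,31,22790
1063210012,10.0.5.17,198.51.100.5,6,49200,25,9,1412
1063210015,10.0.9.9,10.0.0.2,17,53000,53,1,71
1063210015,10.0.0.2,10.0.9.9,17,53,53000,1,120
"""


def sweep_flows(src: str, proto: int, dport: int, packets: int, octets: int, n: int,
                start: int = 1063210020) -> List[str]:
    """Constructed sweep: one small flow from src to each of n hosts in 192.0.2.0/24."""
    return [f"{start + i},{src},192.0.2.{i + 1},{proto},{40000 + i},{dport},{packets},{octets}"
            for i in range(n)]


def build_sample() -> str:
    """Baseline traffic plus two constructed sweeps, as one CSV export."""
    lines = NORMAL_FLOWS.rstrip("\n").split("\n")
    lines += sweep_flows("10.0.5.17", 6, 135, 1, 48, 40)     # lone SYNs to tcp/135 across a /24
    lines += sweep_flows("10.0.9.9", 17, 1434, 1, 404, 25)   # single datagrams to udp/1434
    return "\n".join(lines) + "\n"


def parse_flows(text: str) -> List[Dict]:
    """Parse the CSV export into dicts with integer counters."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        for k in ("start", "proto", "srcport", "dstport", "packets", "octets"):
            row[k] = int(row[k])
        rows.append(row)
    return rows


@dataclass(frozen=True)
class Finding:
    srcaddr: str
    proto: int
    dstport: int
    targets: int          # distinct destination hosts on this port
    flows: int
    tiny_fraction: float  # share of flows carrying <= 2 packets


def detect_sweeps(records: Iterable[Dict], min_targets: int = 8,
                  min_tiny_fraction: float = 0.8) -> List[Finding]:
    """Flag (src, proto, dstport) keys that reach many hosts with mostly tiny flows.

    A single host talking to a few servers with long flows (the web client above)
    never trips this; a sweep does, even though each of its flows is unremarkable.
    """
    stats = defaultdict(lambda: {"dsts": set(), "flows": 0, "tiny": 0})
    for r in records:
        s = stats[(r["srcaddr"], r["proto"], r["dstport"])]
        s["dsts"].add(r["dstaddr"])
        s["flows"] += 1
        if r["packets"] <= 2:
            s["tiny"] += 1
    findings = []
    for (src, proto, dport), s in stats.items():
        tiny_fraction = s["tiny"] / s["flows"]
        if len(s["dsts"]) >= min_targets and tiny_fraction >= min_tiny_fraction:
            findings.append(Finding(src, proto, dport, len(s["dsts"]), s["flows"], tiny_fraction))
    return sorted(findings, key=lambda f: (-f.targets, f.srcaddr))


if __name__ == "__main__":
    for f in detect_sweeps(parse_flows(build_sample())):
        print(f"{f.srcaddr} -> {f.targets} hosts on {f.proto}/{f.dstport}: "
              f"{f.flows} flows, {f.tiny_fraction:.0%} with <= 2 packets")
```

The thresholds are per-site tuning knobs: raise `min_targets` on a network whose monitoring hosts legitimately poll whole subnets, and remember that the DNS request/reply pair shows why keying on destination port matters, since a busy resolver client would otherwise look like a "sweep" of one host.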


Well, that's my RAID wrap-up. I don't intend to return again, but I do plan to check the future programs and read the papers that interest me.

Update: 5th Anniversary of "FloodNet"

Five years ago today Wired reported on FloodNet. It was an attempt by a group called the Electronic Disturbance Theater to overwhelm Web sites, among them the Pentagon. It's significant because, according to the Wired article, the Pentagon took countermeasures:

"Participants in the FloodNet protest needed only to load the FloodNet Web page. The page contained a Java applet configured to request and load the three target Web sites every three seconds. The Electronic Disturbance Theater estimated that up to 10,000 people took part in the demonstration, delivering 600,000 hits to each of the three Web sites per minute.

The automated rapid-fire requests are designed to overwhelm the target Web sites so they cannot be viewed by their intended audience, known as a 'denial of service' attack.

The Pentagon's Web-site support team apparently struck back with a Java applet of its own. That applet sensed requests from the FloodNet servers, and loaded -- and reloaded -- an empty browser window on the attacker's desktop. The move forced the protesters to reboot their computers."

Sunday, September 07, 2003

Anton Chuvakin submitted a post alerting me to an article by Gartner gadflies John Pescatore, Richard Stiennon, and Anthony Allan. From the article:


"You should continue to detect intrusions. However, you shouldn't invest in stand-alone, network-based intrusion detection systems (IDSs)... by 2006, most enterprises will perform intrusion detection as part of firewall processing with next-generation firewalls... There have been enough advances in algorithms and high-speed network security processors to enable next-generation firewalls to perform network intrusion detection and blocking at all layers of the protocol stack. Mature products will ship in 2005... Purchase security management products - see "CIO Update: Gartner's IT Security Management Magic Quadrant Lacks a Leader," - to perform IDS alarm data reduction and correlation to firewall and vulnerability assessment logs, or outsource IDS monitoring to managed security service providers... Gartner has published a new report that includes material on intrusion detection and prevention, "Securing the Enterprise: The Latest Strategies and Technologies for Building a Safe Architecture."


My advocacy of Network Security Monitoring makes me agree that "stand-alone" NIDS aren't sufficient. However, Gartner's logic makes no sense. Essentially they are saying firewalls shipping in 2005 or 2006 will be sufficiently advanced to perform the IDS detection functions of today. In 2 or 3 years IDS will also have advanced, so what's the difference? The bottom line is Gartner continues to make waves in order to sell their pricey reports to scared CIOs facing regulatory and customer pressure.

Saturday, September 06, 2003

Slides on NSM Webcasts Posted

I recorded a second webcast on network security monitoring for SearchSecurity.com. This webcast focuses on tools to implement NSM, namely tcpdump, argus, snort, and trafd/trafshow. I talk about their use and capabilities. You can view it here. I posted the slides here. Previously I recorded a webcast on NSM theory with my friend Bamm Visscher, lead author of Sguil. You can view it here or here and read answers to questions submitted by listeners. A SearchSecurity editor commented on our talk as well. The slides for that Dec 02 webcast are here.

IT Security Hottest Job

Challenger, Gray & Christmas named "IT Security" the "hottest" job for 2003 and 2004, according to this EarthWeb.com article. From the story:


"The post of chief privacy officer just got the nod for the highest-paying hot job, bringing in an average salary of $122,360. An IT manager or security manager came in ninth on the list of high-paying hot jobs with an average salary of $91,470.

Security is simply hot this year. The security industry came in second, just behind preventative health care, for the hottest industry of this year and next.

Security and IT managers are earning salaries of more than $91,000, according to the report. And a survey of top corporate information systems security executives for Fortune 500 companies found that the average overall compensation level was $237,000."


$237,000? What are those guys doing to justify that sort of salary? Running vulnerable Windows boxes? :)