Saturday, July 09, 2005

What Does Your ISP Block?

The only low cost broadband provider in my neighborhood is Comcast. I determined this evening that they block ports 135-139 and 445 TCP inbound and outbound. What ports does your ISP block? I am seriously considering getting a T-1 from Speakeasy.

Friday, July 08, 2005

Request for Comments on NSA IAM and NSA IEM

Does anyone have experience with NSA's Infosec Assessment Methodology and Infosec Evaluation Methodology? Through my local ISSA chapter, I've signed up to take courses on both programs for a combined price less than that offered for the IAM alone at another venue. Being a consultant in the DC metro area, I believe I am going to hear NSA IAM and IEM mentioned more frequently. Any thoughts?

TaoSecurity Podcast

I've been considering launching an audio supplement to this blog called the TaoSecurity Podcast. I have more than a dozen "show elements" that I could mix and match every two weeks or so, discussing digital security, incident response, network forensics, FreeBSD, and other subjects carried here.

Would anyone be interested in such a program? If so, please leave a comment. Also, what would you want me to cover, and how often? Thank you.

Cool Site Unfortunately Miscategorizes Threats

While chatting with Aaron Higbee of the SecureMe Blog yesterday, he mentioned a cool new site: Threats and Countermeasures. A majority of the contributors are Foundstone consultants, and parent company McAfee is paying the bills.

Anyone who's been reading my blog for a while knows of my linguistic crusade involving words in the standard risk equation, with risk being a product of threat, vulnerability, and asset value. (See Risk, Threat, and Vulnerability 101, OCTAVE Properly Distinguishes Between Threats and Vulnerabilities, SANS Confuses Threats with Vulnerabilities, and The Dynamic Duo Discuss Digital Risk.)

How does the Threats and Countermeasures site match proper definitions? At left is a screen shot of the site's main knowledge base menu. I don't see the word threat being used correctly here. "Default network appliance passwords" aren't threats; those are vulnerabilities. "Running unnecessary services" is a vulnerability, as is "weak security around scripting extensions."

Perusing T&C, I don't see threat used properly. Most of the content described as "threats" really consists of attacks. The Cross Site Scripting page is a good example. All of the content listed under "Threats" consists of attacks or exploits. The content under "Attacks" appears to be specific examples of the material listed under "Threats".

So what is going on here? Obviously the guys who put together Threats and Countermeasures are security experts. Besides their knowledge base, the site offers an impressive collection of blogs that I recommend reading.

I think part of the problem is the warped view of threats promulgated by T&C owner Foundstone. It all began with the announcement of their so-called Threat Correlation Module for the Foundstone "Enterprise Risk Solution" suite. Back in late 2003 when this announcement was made (and I was working for Foundstone), marketing folks realized the terms "vulnerability" and "vulnerability management" were no longer a way to differentiate a company in the market. Vulnerability management was becoming commoditized, so companies began pushing the terms "risk" (e.g., "Enterprise Risk Solution") and "threat."

I was initially interested in being part of Foundstone's new Threat Intelligence team, supporting the Threat Correlation Module. I thought this would be a cool opportunity to deploy honeynets, interact with the "underground," and collect intelligence on the parties that conduct attacks. Instead I was told I would monitor disclosure sites -- BugTraq and the like -- and populate Foundstone's database with that information. At one point I was told that a "hole in OpenSSH" is a "threat," when clearly that is a vulnerability. Shortly after I realized Foundstone's view of "threat" was a new way to market vulnerability data, I left the company.

This is not to say that Foundstone's product is bad. On the contrary, I think it is very powerful. The idea of correlating new vulnerability information against a database of enterprise assets, and measuring the risk to an organization, is excellent. It's just too bad the product and concept are misnamed.

While it is difficult to misuse the term risk (risk being defined as the probability of suffering harm or loss), it is too easy to misuse "threat." As a reminder, a vulnerability is a weakness in an asset which could lead to exploitation. A threat is a party with the capabilities and intentions to exploit a vulnerability in an asset.

With few exceptions, no security vendors deal with threats. There are only two ways to gather information on threats: passive interaction or active interaction. Passive interaction means watching threats as they conduct reconnaissance, exploit targets, and pillage assets. Active interaction means communicating with the threats themselves, through email, voice, and other means.

Two organizations I know that deal with threats in an unclassified environment include The Honeynet Project and iDEFENSE. The former mainly learns about threats by watching them compromise honeynets, while the latter pursues and communicates with threats. Managed security monitoring providers who look for more than worms can also be considered threat-aware; examples include NetSec and LURHQ.

I guess the "threat" concept is just too sexy for most security vendors to avoid. Even people who should know better, like Bruce Schneier, misuse the terms threat and vulnerability. (See my review of Beyond Fear; it's the second on that page.) Although I will probably be seen as stepping on the toes of smart security people, I will not stop pointing out when those important terms are misused.

Thursday, July 07, 2005

My Criteria for Good Technical Books

I was recently asked if I would review an upcoming book. In my reply, I listed four criteria I use when making my review evaluations.

  1. Accuracy. If a book contains several large or numerous small technical errors, I will lower my rating. I may stop reading entirely if I lose confidence in the author's capacity to deliver reliable information. This is a problem if I am reading a book outside my core expertise.

  2. Originality. I really dislike reading books that cover material already published elsewhere. I do not mind some repetition if the result makes sense, but in most cases authors should just start covering new material. For example, I would prefer a new book on network attack and defense to avoid explaining TCP/IP. Authors: if a book explaining your introductory material already exists, cite that title and present your new material in your book. Brian Carrier's book is a great example of how to make me happy. He doesn't bother explaining security; he sets up the reader with citations and then starts explaining file systems. Awesome.

  3. Candor. I cannot stand books that claim to cover one topic and then completely fail to do so. I must name names here to make my point: Scene of the Cybercrime: Computer Forensics Handbook spends over 540 pages on generic security issues before finishing with two chapters on what can only loosely be called forensics. Check the Table of Contents to see what I mean. That book pales in comparison with Incident Response, 2nd Ed.

  4. Lack of implementation details. I like to hear good security theory and techniques. However, if the author doesn't tell me how to implement this advice, I question why he or she bothered to mention it. I do not demand examples of every scenario. For example, I become suspicious when I read a chapter titled "securing servers," but never see a single invocation of command line syntax. Some reviewers of my latest book want me to address networking configuration outside of Cisco-land. I don't have the time, expertise, or equipment to cover Juniper, Foundry, and so on, but my Cisco examples should make the point clear.

What makes you like a technical book? My favorite ten books of the past ten years are listed at Bookpool, and those ten meet my criteria.

Trying Microsoft Update and MBSA 2.0

Today while updating my Windows 2000 laptop I had the opportunity to try two new Microsoft programs. The first is the new Microsoft Update, more of a one-stop-shop for Windows patches. The second is version 2.0 of Microsoft Baseline Security Analyzer. Computerworld has some coverage, but here was my experience.

When I started Windows Update, I saw the following screen.



I decided to follow the "Upgrade" recommendation. After running Microsoft Update, I got these results.



You can see that Microsoft Office updates and updates for other Microsoft programs are available. I think the new interface works well.

Once I downloaded and installed all of the updates, I turned to the new MBSA 2.0. It doesn't look that much different, so the improvements are under the hood.



I got my results following the scan of the single laptop.



I don't necessarily agree with the "severe risk" assessment. I think MBSA complained because it found a FAT partition I use to share data between Windows 2000 and FreeBSD on the same laptop. MBSA prefers using NTFS.

In any case, MBSA did not report any security vulnerabilities. It was good to see Microsoft Update apparently retrieving the right updates and MBSA confirming it.

ICMP Attacks Against TCP Revisited

Slashdot alerted me to a KernelTrap article about Fernando Gont at the recent OpenBSD hackathon. I mentioned Gont's work in April. The Slashdot post has some surprisingly good commentary, like this historical perspective and this summary.

Three aspects of the KernelTrap story bother me. First, Cisco sounds like it is more interested in patenting a fix for the problem, and less interested in getting the problem fixed in a timely manner. Second, the disclosure process sounds broken, with Gont now preferring to avoid dealing with vendors entirely. Third, it sounds like one of Cisco's employees needs a real attitude adjustment:

"'They blamed me for submitting my work,' Fernando said in exasperation. 'One of Cisco's managers of PSIRT said I was cooperating with terrorists, because a terrorist could have gotten the information in the paper I wrote!'"

Sorry, terrorists attack planes, buildings, and (tragically in Spain and now the UK) trains and subway systems. They do not use ICMP to degrade TCP connections.