Sunday, October 24, 2004
A lot of the issue centers on intent, something that a court often has to determine. It's what Mr. Kabay's article is trying to avoid having to do.
If we could write laws using his logic, you'd need a license and a government monitor to cut your steak. Why? Because a major portion of all murders are committed with knives, of course! They must be controlled now!!
The use of "Quod erat demonstrandum" at the end of his article is also a bit offensive. He uses it to signal that he's proved his point and it's justifiable to pass out the pitchforks and torches and head towards the castle.
A friend (hi Steve!) has a much better one: Ita bardus plector.
Saturday, October 23, 2004
Because of this, today I'm venting about "firewalls" and "security".
"Firewall" is a term which has been hijacked by companies selling everything from NAT boxes to add-on software to content filtering appliances for e-mail. (Yes, it's the old Layer 3/4 vs. Layer 7 argument vent again!) A proper firewall involves a bastion host (hardware, software and services stripped to the bare minimum needed to function and then configured to run in a specific manner) running very specific services which provide the maximum possible control over the protocols and services that your users (via management) cannot live without.
As a general rule of thumb for deciding how to handle a request for a protocol:
- disallow the protocol
- if you can't disallow it, proxy it (Layer 7) with a dedicated proxy to control the protocol's options and heavily log the protocol's use (who, what, where, when, how long)
- if you can't do that, proxy it (Layer 7) with a generic proxy to limit the source/destination IPs and the directions in which requests can be made, and log as much as possible
- if you can't do that, reconsider disallowing the protocol
- if you can't do that, consider using a many-to-one NAT box (yeah, a LinkSys box) and log as much as possible
- if you can't do that, reconsider disallowing the protocol
- if you can't do that, (as a last resort) use a packet filter (Layer 3/4) to limit source/destination IPs/ports and log as much as possible
That last method is the most dangerous. It's a horrible (but widely used) practice. If you used it for your web traffic, all an attacker would have to do to map your network would be to source his scans from port 80 and scan for ports greater than 1023 (hint: MS boxes listen on a LOT of ports above 1023). Yes, it's an oversimplification and there are many mitigating factors. There are also factors that worsen the situation (such as OSes or firewall programs that "leak").
You should seriously consider NOT using any Layer 3/4 filtering product that uses "packet inspection" and "state inspection" and claims the product will "provide the same capabilities as Layer 7 proxying". If it were the same, it wouldn't need all of the hype.
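To make the source-port problem concrete, here is an added example (not code from this post) that models the stateless "allow source port 80 back in to high ports" rule beside a filter that tracks connections, and runs both over constructed packets.

```python
"""Why the 'last resort' rule above is dangerous: a stateless Layer 3/4 filter
that admits 'web replies' by source port alone, beside one that tracks
connections. Added example with constructed packets; not code from the post."""
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport syn ack", defaults=(False, False))
INSIDE = "10."                         # constructed internal address prefix

def stateless_filter(pkt):
    """Let insiders reach port 80, and let anything with source port 80 back
    in to an unprivileged port. A reply and a fresh SYN that merely uses 80
    as its source port look identical to this rule."""
    if pkt.src.startswith(INSIDE) and pkt.dport == 80:
        return "ACCEPT"
    if pkt.dst.startswith(INSIDE) and pkt.sport == 80 and pkt.dport > 1023:
        return "ACCEPT"
    return "DROP"

class StatefulFilter:
    """Only packets belonging to a connection opened from inside pass;
    an unsolicited SYN is dropped whatever its source port."""
    def __init__(self):
        self.conns = set()
    def check(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.syn and not pkt.ack:          # new connection attempt
            if pkt.src.startswith(INSIDE) and pkt.dport == 80:
                self.conns.add(fwd)
                return "ACCEPT"
            return "DROP"
        return "ACCEPT" if fwd in self.conns or rev in self.conns else "DROP"

# Constructed traffic: a genuine web session, then a probe of an internal
# port that sets its source port to 80 so it resembles a web reply.
TRAFFIC = [
    Packet("10.0.0.5", 40000, "203.0.113.9", 80, syn=True),
    Packet("203.0.113.9", 80, "10.0.0.5", 40000, syn=True, ack=True),
    Packet("198.51.100.7", 80, "10.0.0.5", 3389, syn=True),
]

def compare(traffic):
    """Decisions of both filters, in order, for the same packet list."""
    sf = StatefulFilter()
    return [stateless_filter(p) for p in traffic], [sf.check(p) for p in traffic]
```

The stateless filter accepts all three packets, including the probe; the connection-tracking filter accepts the real session and drops the probe.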
This practice (or the lack of it) is part of what's behind the new laws that are coming out. Businesses perverted the risk model (risk = threat x vulnerability) by adding in a financial vector (risk = threat x vulnerability x asset cost) and applied it to information security, failing to recognize the difference between a business risk and a security risk. This is why laws such as GLB, Sarbox, FISMA, California's SB 1386 and the like come into being. It is government stepping in and reinforcing the difference between the two types of risk.
Some say that the function of the federal government is to provide those functions that local or state government cannot or will not. In this case, it's probably going to prove true. Because a company is willing to treat a security risk as a business risk, just to maintain a profit, it puts everyone even remotely associated with that company in danger. Thus, the need for federal legislatures to "step in".
Currently the laws are very generic, requiring that a program or role exist within a company. Insurance companies are helping somewhat, giving discounts to subscribers who "meet or beat" the insurer's standards. However, if the majority of corporate practices do not change (the laws are currently gentle encouragement), we will see dictated standards, practices, and inspections.
Food poisoning is serious enough to require periodic inspections and licensing. The federal, state, and local laws make it very difficult (and expensive) to open a restaurant and run it at a profit. However, the risk is that a few dozen people get sick for a few days. Consider that exposure of medical, financial, or legal data sources have the capability of instantly screwing up hundreds of thousands of people's lives for years at a time. Then think about how surprised you're going to be when laws are enacted which allow (and require) independent or government inspection of your books, your policies and your practices. (Hint: take a look at what's coming in April. Some of those laws already exist.)
The good news and bad news (for everyone) is that this will create yet another industry, one that will be rife with charlatans at the start but will eventually evolve to require its own explicit standards and practices. We are most likely to see the infosec equivalent of a CPA (and you think the SANS and CISSP certs are difficult?). There are already various functions within government which provide administrative and investigative functions relating to information security. It's not that far a jump for government to provide equivalent compliance testing and licensing functions.
Sunday, October 17, 2004
access to any (that's ANY!) system, then you need to take a few precautions to help recover from a network compromise. The following are steps that we've learned in the open lab:
- Know the MAC address for the default gateway (have it written down)
- Know the hostname(s) and IP address(es) for your servers, especially your DNS and
- if you're done with a dangerous tool, delete it and the source code
- scan your systems, inside and out, before and after active analysis
- log and record as much as possible, no matter how silly it seems
Some of those are forensic measures, but those first two are valuable bits of information if you're suddenly trying to figure out why the Google page now reads "All your lookups are belong to us!"
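The first two precautions only help if the written-down values get compared against what the host currently sees. Added example (not the lab's own tooling) that checks a recorded gateway MAC and nameserver list against constructed `arp -n` and resolv.conf contents:

```python
"""Check the first two precautions above against what the host currently
sees: the default gateway's MAC in the ARP table and the nameservers in
resolv.conf. Added example; baseline and sample outputs are constructed."""
import re

# The values "written down" beforehand (constructed).
BASELINE = {
    "gateway_ip": "192.168.1.1",
    "gateway_mac": "00:11:22:33:44:55",
    "dns_servers": {"192.168.1.10", "192.168.1.11"},
}

# Constructed `arp -n` output: the gateway now answers from a different MAC.
ARP_TABLE = """\
Address                  HWtype  HWaddress           Flags Mask   Iface
192.168.1.1              ether   de:ad:be:ef:00:01   C            eth0
192.168.1.10             ether   00:11:22:33:aa:bb   C            eth0
"""
# Constructed /etc/resolv.conf: a nameserver that was never on the list.
RESOLV_CONF = "nameserver 192.168.1.10\nnameserver 203.0.113.53\n"

ARP_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+\S+\s+([0-9a-f:]{17})", re.I | re.M)

def parse_arp(text):
    """Map IP -> lowercase MAC from arp -n style output."""
    return {ip: mac.lower() for ip, mac in ARP_RE.findall(text)}

def parse_resolv(text):
    """Set of nameserver addresses from resolv.conf text."""
    return {parts[1] for parts in (l.split() for l in text.splitlines())
            if len(parts) > 1 and parts[0] == "nameserver"}

def check(baseline, arp_text, resolv_text):
    """Return findings as strings; an empty list means everything matches."""
    findings = []
    seen = parse_arp(arp_text).get(baseline["gateway_ip"])
    if seen is None:
        findings.append("gateway not in ARP table")
    elif seen != baseline["gateway_mac"].lower():
        findings.append(f"gateway MAC changed: {baseline['gateway_mac']} -> {seen}")
    for ip in sorted(parse_resolv(resolv_text) - baseline["dns_servers"]):
        findings.append(f"unexpected nameserver: {ip}")
    return findings

if __name__ == "__main__":
    for finding in check(BASELINE, ARP_TABLE, RESOLV_CONF):
        print("ALERT:", finding)
```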
Thursday, October 14, 2004
my sleep patterns and I'm only now catching up. Probably explains the
grouchy post below too. Things should even out in the next few weeks
but Mondays and Wednesdays are still going to be 16-hour days.
subscriptions, finding it after Liudvikas pointed out Paul Vixie's vent at http://www.cs.rochester.edu/~bukys/weblog/archives/2004/10/13.html#
I tend to agree with Mr. Vixie, having been a BIND admin for close to a decade, and luckily I've never had a break-in. The inclusion in the SANS Top 20 looks suspicious, after the fact. A conflict of interest, or at least the appearance of one, seems to be the case at this time. This is the sort of thing that any organization whose livelihood is based on integrity and knowledge. Could it be that SANS has had a brush with what most organizations suffer (at least periodically) once they reach a certain size? What I'm talking about is politics in an a-political organization. That's the nice way of saying it. The ugly way of saying it is personal agendas, one-upmanship, cliques, character assassination, and/or fact
Then again, I could be overly paranoid. I just find it suspicious that the only alternative to BIND that was suggested is the one which suffers from the same type of purist politics as the Windows vs. Linux purists. (There, have I angered everyone yet?)
Remember, security requires good programming and good administrative practices. Liudvikas, thanks for the
Saturday, October 9, 2004
Rebuilt 4-year-old laptop with new version of Linux (and I didn't have
to patch/rebuild the wireless/power/pcmcia modules). Actually made it
thru 10 of the 17 houses at Homearama
2004. Absolutely loved the 3rd floor in one, the
kitchen in another, and the first floor in another. Unfortunately, I'll
never be able to afford any of them. Nice houses, but not worth what
they're asking for the houses.
Thursday, October 7, 2004
an online test to see if you can recognize phishing fraud without looking at the source code. I assume it's an intellectual exercise, as the first thing you'd want to do is look at the source code. In real life, you want to avoid HTML-based email and never ever click on a link in e-mail. Type it by hand instead, and only if you're sure what it is.
is an article on a topic that really frustrates me: removing the
perimeter. The author treats firewalls (and, for that matter, security)
as a single blackbox approach rather than as part of a layered process.
While the Internet and tech business may be driven by the "next cool
thing", security is not. It's based on well-defined processes and
practices. It will probably take a couple years but management should
eventually catch on (the hard way) and we'll go back to defense
Wednesday, October 6, 2004
process that hackers more or less take to break into systems. For those
of you that are considering using this process, consider that law
enforcement is getting better at tracking down hackers.
Also, some of the data in that "howto" isn't exactly accurate. Example: l0pht is now a commercial business with gov't ties. Example: cDc lost their "key players" years ago and are now a forum for anti-government vents.
you must hack, do it to your own systems. Learn what it takes to clean
up after a system has been broken. Learn how to locate the bad code.
Learn how to analyze the bad code. Start analyzing other people's
break-ins (search Google for "Scan of the Month"). Figure out where
your strengths are and shore up your weaknesses. Become an expert, not
Alternate Data Streams in NTFS
- LADS - List Alternate
Data Streams (freeware)
s (open source stream viewer from Sysinternals)
- Hidden Threat: Alternate Data Streams
- The DiamondCS Archive - NTFS Alternate Data Streams
- What Forensic Analysts should know about NT ALTERNATE DATA STREAMS (ADS)
- Info on ADS from Lavasoft (makers of AdAware)
- The Dark Side of NTFS (Microsoft's Scarlet Letter)
Monday, October 4, 2004
chapter from Defend IT: Security by Example. The chapter is
entitled "The Role of Computer Forensics in Stopping Executive
Fraud" and uses a case study to outline the process and highlight
some of the issues encountered in investigations. (via Forensic Focus)
here's one. If the MPAA earns $.02 per blank CDR because they might be
used for copying music, what right does the MPAA have to complain? If
someone can point me toward any legal opinions on the issue, it would be
appreciated. Also, since I've been burning logs and file backups to CDR
for almost a decade (I'm in an area where magnetic backups don't last
long) at the rate of 1 or 2 disks per day, is there any way I can get my
news article about how LURHQ provided expert witness to rebut a
defense's expert witness. Seems they'd left out a bit of information
about how spam can be bounced off of misconfigured systems. It's nice
to see the legal profession finally catching up. Our area only has one
technically trained lawyer and he is a very busy person.
Saturday, October 2, 2004
one get passed. The only thing that it does is make life just a
little bit more inconvenient for us law-abiding types. Those that trade
files illegally will continue what they're doing. Requiring an e-mail
address to download mail has been done by the more prominent legitimate
sites (e.g.: MP3.com) all along.
Now it's law that everyone do it.
Anyone else "get" that California seems to think they have jurisdiction over technology and the Internet? Don't think so? Define "file sharing". Poorly written laws tend to get enforced in extreme ways or not at all.
The law is here. It doesn't say anything about P2P or any other specific manner of "file sharing". It only states that Californians have to disclose their email address when more than 10 people are involved. It doesn't say to whom they have to "disclose" an e-mail address. Under that badly defined law, if a left coaster provides CC- or GNU-licensed matter on their website, they have to provide a legitimate e-mail address.
I wonder how spammers will react to a new vector for address collection.
Anti-Spyware Resources site, the following are links to articles
describing the symptoms of a spyware infection:
Journal: Symptoms of Spyware and Other Pests
Symptoms of Spyware
- PC Magazine:
11 Signs of Spyware
- SeriousVirusWarning.com: Adware and Spyware Symptoms
- Directory One: How To Check If Your Infected by Spyware
In the same list is a link to LI Utilities's Windows process
lists. A very good-to-have.
for DMZ security. What he's describing is ingress and egress filtering
for the DMZ.
Similarly, you want to tune your DMZ IDS in the same
way. You don't need specialized rules for MyDoom or SQL exploits if all
that's in your DMZ is a web server. Instead, turn on the signatures for
web exploits and create a signature or two to catch anything not
HTTP-based. Come to think of it, you're also going to see some DNS as
the server does name resolution on your visitors but, unless you're
running a DNS server in the DMZ, it will only be outbound queries.
point is that you should know what's needed for your DMZ to function,
you should know what "normal" traffic looks like (keep metrics!) and you
should configure your protections accordingly.
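Added example (not the post's own tooling) of the "know what normal looks like" baseline for the web-server-only DMZ described above, applied to constructed unidirectional flow records: inbound HTTP/HTTPS to the server and outbound DNS from it pass, everything else is flagged as material for a catch-all signature.

```python
"""Ingress/egress baseline for a DMZ holding only a web server, as the post
describes: inbound HTTP(S) to the server and outbound DNS from it are normal,
everything else is flagged. Added example over constructed flow records."""
from collections import Counter

DMZ_NET = "192.0.2."                   # constructed DMZ prefix
DMZ_WEB = "192.0.2.10"                 # constructed web server address
EXPECTED_INBOUND = {("tcp", 80), ("tcp", 443)}
EXPECTED_OUTBOUND = {("udp", 53)}      # resolver lookups on visitors

# Constructed unidirectional flow records: proto src:sport -> dst:dport.
# The last one targets port 53 on the web server; a reply to the server's
# own query would arrive on the high source port it used, so it is no reply.
FLOWS = """\
tcp 198.51.100.20:51234 -> 192.0.2.10:80
tcp 198.51.100.21:51300 -> 192.0.2.10:443
udp 192.0.2.10:40123 -> 203.0.113.53:53
tcp 198.51.100.22:1035 -> 192.0.2.10:1434
tcp 192.0.2.10:43210 -> 203.0.113.7:6667
udp 198.51.100.23:53 -> 192.0.2.10:53
"""

def parse_flow(line):
    proto, src, _, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return proto, sip, int(sport), dip, int(dport)

def classify(line):
    """'ok' for baseline traffic, otherwise a short reason it was flagged."""
    proto, sip, _, dip, dport = parse_flow(line)
    if dip.startswith(DMZ_NET) and not sip.startswith(DMZ_NET):   # ingress
        if dip == DMZ_WEB and (proto, dport) in EXPECTED_INBOUND:
            return "ok"
        return f"inbound {proto}/{dport} to {dip} is not a published service"
    if sip == DMZ_WEB and (proto, dport) in EXPECTED_OUTBOUND:     # egress
        return "ok"
    return f"outbound {proto}/{dport} from {sip} is not expected"

def audit(text):
    """Count of flagged flows per reason; an empty Counter means all normal."""
    reasons = (classify(l) for l in text.splitlines() if l.strip())
    return Counter(r for r in reasons if r != "ok")
```

Run against the sample, the two web flows and the outbound DNS query pass, while the SQL-port probe, the outbound IRC connection and the inbound DNS packet are counted as anomalies.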