Saturday, September 27, 2003

Review of Investigative Data Mining for Security and Criminal Detection Posted

I just posted my four star review of Investigative Data Mining for Security and Criminal Detection. From the review:

"I read 'Investigative Data Mining for Security and Criminal Detection' (IDM) after attending the 2003 Recent Advances in Intrusion Detection (RAID) conference. Researchers at RAID mentioned "self-organizing maps," "neural networks," "machine learning," and other unfamiliar topics. Mena's book helped me understand these subjects in the context of performing data mining. If you steer clear of the author's discussion of intrusion detection in chapter 10, you'll find IDM enlightening and a little scary."

Data mining is a hot topic. Slashdot discussed neural networks recently, which can be used for data mining.

Tuesday, September 23, 2003

Five Years Ago Today...

Five years ago today I left the information warfare planning directorate at Air Intelligence Agency and joined the Air Force Computer Emergency Response Team at then-Kelly Air Force Base in San Antonio, Texas. Back then we were part of the Air Force Information Warfare Center, tasked with monitoring all of the intrusion detection systems deployed inside border routers at Air Force installations. I was a new captain and had voluntarily attended some UNIX training after work hours while deployed to RAF Molesworth in late 1997.

Just yesterday I was asked how to get into the computer security field. Here's how I did it. I looked at the AFCERT's manning roster for the network security monitoring teams and put myself on the schedule. Wherever I saw an opening -- usually between 2 and 10 pm or 10 pm and 6 am -- I added my name. I sat next to people who seemed to understand the alerts they were analyzing and asked a lot of questions. Six months later I was in charge of the real-time NSM team, and a year later I was in charge of all NSM operations. I wrote my first white paper in late 1999 and spoke at my first SANS conference on 25 Mar 00. Currently I'm writing Real Digital Forensics and The Tao of Network Security Monitoring, both to be published in 2004.

What is BitTorrent?

Whenever new software appears, like the latest Knoppix (3.3 appeared yesterday), I read at Slashdot that "BitTorrent" links are available. I decided to investigate this and found myself at the BitTorrent web site. Like the pages of most developers, it's cryptic and not immediately apparent how to use the software.

This Wiki page was more helpful, clueing me in to the fact that BitTorrent is a peer-to-peer file-sharing system. O'Reilly wrote about this too. I installed the BitTorrent client at degreez and tried it out with the files listed at BitTorrent Files for Slashdot Effect Victims.

I clicked on the Red Hat 9 Binary ISOs link, which points to This brought my BitTorrent client up. It prompted me for a location to save the file I would download via BitTorrent, so I selected a directory. Next, I could see the BitTorrent client work its magic.
I plan to experiment with this. I initially tried to retrieve Knoppix 3.3 via BitTorrent, but eventually downloaded it via a fast overseas mirror over HTTP. Update: Here's another example of using BitTorrent -- Slackware 9.1. Linuxtorrents provides several links. Here's a script to run bittorrent in the background on UNIX. There's a great FAQ.

Try Tenable Security's NeVO before 30 Sep 03!

I downloaded the demo version of Tenable Security's NeVO today. I was unable to get it to work on Red Hat Linux 7.3 but I did install it successfully on FreeBSD 4.8 RELEASE. NeVO is a passive vulnerability scanner. It sits and watches your network for services and protocols which could be exploited by an intruder. It doesn't actively check for vulnerabilities like an assessment product might do. This is similar to Sourcefire's RNA or "Real-time Network Awareness" concept.

Below is an example of NeVO's output. It's in the .nsr format produced by the active vulnerability assessment tool Nessus, written by Tenable employee Renaud Deraison. For example:

|27201/tcp|8518|INFO|The remote host is using a version of Portable OpenSSH which may allow an attacker to determine if an account exists or not by a timing analysis.;Solution : Upgrade to OpenSSH-portable 3.6.1p2 or newer;CVE : CAN-2003-0190
|27201/tcp|8501|INFO|The remote host is running a SSH server :;SSH-2.0-OpenSSH_3.5p1
|27201/tcp|8528|REPORT|The remote host is running a version of OpenSSH which is vulnerable to a flaw in the buffer handling functions which may possibly leading to command execution.;Solution : Upgrade to OpenSSH 3.7 or newer
|443/tcp|
|161/udp|4582|INFO|The remote host is running an SNMPv1 agent. Having such an agent open to outside access may be used to compromise sensitive information. Certain SNMP agents may be vulnerable to root compromise attacks.
|161/udp|4500|INFO|The remote host is running an SNMPv1 server that uses a well-known community string - public;Solution : This signature was obtained through direct sniffing of the network, so if possible, migrating systems to SNMP v3 would be more secure. For non-local attacks though, your community string is easily guessed and should be changed to something more random.
|0/tcp|1|INFO|The remote host OS could not be recognized. Its fingerprint is : 64437:255:1371:1:0:1:1:48
|0/tcp|8502|INFO|The remote host is running a SSH client: SSH-2.0-PuTTY-Release-0.53b

Notice how NeVO detected SSH running on a port other than 22 TCP -- in this case, 27201 TCP. Service identification on non-standard ports is something I've been interested in finding. (For active service identification on non-standard ports, try AMAP.) NeVO data can be imported into Nessus for easier reading, or imported into a spreadsheet.
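To make .nsr records like the ones above easier to work with than a raw spreadsheet import, here is an added Python parser (my example, not code from NeVO or Nessus) that splits each record into port, plugin id, severity, description, solution and CVE fields, handles the bare open-port record (|443/tcp|), and flags SSH servers seen on anything other than 22/tcp. The sample records are constructed from the output above, with the host column left blank as in the post.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample modelled on the NeVO output above (one record per line,
# host column blank as in the post). Not NeVO's own output.
SAMPLE_NSR = """\
|27201/tcp|8518|INFO|The remote host is using a version of Portable OpenSSH which may allow an attacker to determine if an account exists or not by a timing analysis.;Solution : Upgrade to OpenSSH-portable 3.6.1p2 or newer;CVE : CAN-2003-0190
|27201/tcp|8501|INFO|The remote host is running a SSH server :;SSH-2.0-OpenSSH_3.5p1
|27201/tcp|8528|REPORT|The remote host is running a version of OpenSSH which is vulnerable to a flaw in the buffer handling functions.;Solution : Upgrade to OpenSSH 3.7 or newer
|443/tcp|
|161/udp|4582|INFO|The remote host is running an SNMPv1 agent.
|161/udp|4500|INFO|The remote host is running an SNMPv1 server that uses a well-known community string - public;Solution : This signature was obtained through direct sniffing of the network, so if possible, migrating systems to SNMP v3 would be more secure. For non-local attacks though, your community string is easily guessed and should be changed to something more random.
|0/tcp|1|INFO|The remote host OS could not be recognized. Its fingerprint is : 64437:255:1371:1:0:1:1:48
|0/tcp|8502|INFO|The remote host is running a SSH client: SSH-2.0-PuTTY-Release-0.53b
"""

SSH_BANNER = re.compile(r"SSH-\d+\.\d+-\S+")


@dataclass
class Finding:
    host: str
    port: int
    proto: str
    plugin_id: Optional[int]   # None for a bare open-port record such as |443/tcp|
    severity: Optional[str]    # "INFO" or "REPORT" in NeVO output, None for bare records
    text: str = ""
    solution: str = ""
    cves: List[str] = field(default_factory=list)

    @property
    def service(self) -> str:
        return f"{self.port}/{self.proto}"


def parse_record(line: str) -> Optional[Finding]:
    """Parse one .nsr line: host|port/proto|plugin id|severity|description.

    The description is ';'-separated; 'Solution :' and 'CVE :' segments are
    pulled out into their own attributes. Malformed lines return None.
    """
    fields = line.rstrip("\r\n").split("|")
    if len(fields) < 2 or "/" not in fields[1]:
        return None
    host = fields[0]
    port_s, _, proto = fields[1].partition("/")
    if not port_s.isdigit():
        return None
    port = int(port_s)
    if len(fields) < 5:
        # Bare host|port/proto| record: an open port with no plugin finding attached
        return Finding(host, port, proto, None, None)
    plugin_id = int(fields[2]) if fields[2].isdigit() else None
    severity = fields[3] or None
    text_parts: List[str] = []
    solution, cves = "", []
    # Re-join the tail in case a description itself contained a '|'
    for seg in "|".join(fields[4:]).split(";"):
        seg = seg.strip()
        if seg.startswith("Solution :"):
            solution = seg[len("Solution :"):].strip()
        elif seg.startswith("CVE :"):
            cves.extend(c.strip() for c in seg[len("CVE :"):].split(",") if c.strip())
        elif seg:
            text_parts.append(seg)
    return Finding(host, port, proto, plugin_id, severity, " ".join(text_parts), solution, cves)


def parse_nsr(text: str) -> List[Finding]:
    findings = [parse_record(line) for line in text.splitlines()]
    return [f for f in findings if f is not None]


def ssh_servers_off_port_22(findings: List[Finding]) -> List[str]:
    """Services where NeVO saw an SSH server banner on something other than 22/tcp."""
    hits = {f.service for f in findings
            if "running a SSH server" in f.text and (f.port, f.proto) != (22, "tcp")}
    return sorted(hits)


def ssh_banners(findings: List[Finding]) -> Dict[str, List[str]]:
    """Version banners NeVO sniffed, split by whether the host acted as server or client."""
    out: Dict[str, List[str]] = {"server": [], "client": []}
    for f in findings:
        m = SSH_BANNER.search(f.text)
        if not m:
            continue
        role = "client" if "SSH client" in f.text else "server"
        out[role].append(m.group(0))
    return out


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    """Tally records per severity; bare open-port records count as OPEN_PORT."""
    counts: Dict[str, int] = {}
    for f in findings:
        key = f.severity or "OPEN_PORT"
        counts[key] = counts.get(key, 0) + 1
    return counts


def actionable(findings: List[Finding]) -> List[Finding]:
    """Findings carrying a fix: a Solution line or at least one CVE reference."""
    return [f for f in findings if f.solution or f.cves]


if __name__ == "__main__":
    fs = parse_nsr(SAMPLE_NSR)
    print("SSH servers off 22/tcp:", ssh_servers_off_port_22(fs))
    print("Banners:", ssh_banners(fs))
    print("Severity:", severity_counts(fs))
    for f in actionable(fs):
        print(f"{f.service:>10} [{f.severity}] plugin {f.plugin_id}: {f.solution} {f.cves}")
```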

This is a great idea. At the very least it could be used to supplement active vulnerability assessment products. Sometimes active VA crashes hosts with weak TCP/IP stacks or other vulnerable services. Passive VA works by observing parties access those stacks or services. It's a great way to collect security data in sensitive environments where no one trusts active VA products. I would argue that hosts should be robust enough to withstand scanning, but it helps to have another option available. This demo version of NeVO expires 1 Oct 03.

Monday, September 22, 2003

Cell Phone Spam

Some overzealous activist for legalizing marijuana sent a spam text message to my cell phone last week. Someone named "Alison" from, claiming to be from the ACLU, sent a URL to an advocacy site. I won't publish the URL to deny her the publicity she seeks. The phone number from which the spam was allegedly sent shared the same area code and first three digits.

Suggestion for Patching Windows Dial-Up Users

Larry Seltzer makes a great recommendation for Microsoft to assist its Windows dial-up users:

"One way to make things easier for dial-up users, and even broadband users in many cases, would be to issue periodic update CDs. Imagine a disc with all of the updates on it and a program, it could even be written in Windows Script Host, to check a system for which updates need to be installed, apply them in the correct order and even reboot in between. Such a program would not be hard to write.

Microsoft could charge a trivial amount for the discs but it would be better just to give them away and encourage users to pass the discs around when they were done. At that point you'd still need to check Windows Update for recent additions, but it's unlikely you'd have an unbearably long download time...

I recently put this suggestion to Microsoft and their response basically avoided the whole issue. Why wouldn't the company want to offer such a CD, assuming that's the motivation behind their stonewalling?"

"Snort not backdoored, Sourcefire not compromised"

I'm not going to cite the source of the rumors which prompted this story, since I don't want to give publicity to those seeking it for its own sake. Rather, I thought it important to post in its entirety a recent message Marty Roesch of Sourcefire sent to the snort-users mailing list. By the way, sign up for one of Marty's seminars, coming to a city near you. I'll see him in DC on 7 Oct. Now for Marty's post:

Date: Sun, 21 Sep 2003 20:44:11 -0400
From: Martin Roesch
To: full-disclosure@xxxxxxxxxxxxxxxx
Subject: [Snort-users] Snort not backdoored, Sourcefire not compromised


It's come to my attention that some group is claiming to have broken into a Sourcefire server and backdoored the Snort source code. First things first, there is no backdoor in Snort nor has there ever been, everyone can relax.

A shell server got compromised well over a year ago, but what these guys aren't telling you is that the network that it was on was not only logically separate from the rest of the domain, it was also physically removed from it too (by about 23 miles, approximately the distance from the Sourcefire office to my basement). Yes, that's right, they busted into a shell server that was maintained on a physically separate network in my basement. That particular machine was maintained as a shell server for various people to log into so that we can have a sacrificial box to use to chat on IRC without having to worry about our real network getting compromised, and it has served its purpose well.

While we do try to keep that system from suffering break-ins, we also realize that many IRC clients aren't exactly the most secure pieces of code in the world and sometimes there are problems in server code as well (like apache and sshd), so we put together servers like that one so that we can interact with people while minimizing the risks to the company's networks and servers. I thought this was fairly standard practice for many security companies, maybe I'm wrong.

If you're wondering "how do you know the code isn't backdoored?", since we know that that server is an "at risk" server we're not in the habit of checking code into CVS from there. If that's not good enough for you, Snort has been through three code audits since March (one Sourcefire internal, two third-party external) and there are most definitively no backdoors in the code, nor were there any.

Hope that clears things up.

BTW, the sample code that they put into their little screed was nothing more than an update of the 'stick' program from 2001, not really anything to get worked up about.


Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Enterprise-class Intrusion detection built on Snort -
Snort: Open Source Network IDS -

Thursday, September 18, 2003

Reviews of TCP/IP Analysis and Troubleshooting Toolkit, Real 802.11 Security, and Network Performance Toolkit Posted

I recently posted three new reviews. From the four star review of TCP/IP Analysis and Troubleshooting Toolkit, whose author provides videos of trace analysis:

"As a network security monitoring analyst, I like to read network troubleshooting books. They help me understand protocols I see on the wire, usually using case studies that are far more exciting than reading dry Request For Comment (RFC) documents. "TCP/IP Analysis and Troubleshooting Toolkit" (TAATT) isn't a "tool" book like Wiley's "Network Performance Open Source Toolkit." Rather, TAATT tries to explain the operations of many popular protocols. It does a fairly good job, and deserves a look."

From the five star review of Real 802.11 Security: Wi-Fi Protected Access and 802.11i:

"I was somewhat hesitant to read "Real 802.11 Security" (R8S) as it seemed to offer too much theory and background on wireless security. I prefer "getting to the point" and telling me what works and what doesn't. R8S changed my mind. The book's lively style helped me survive fairly heavy discussion of cryptography and implementation of security protocols. The authors' remarkable clarity and insights reminded me of Ross Anderson's "Security Engineering," a book I respect highly. I finished R8S with a better idea of the future of wireless security and how to secure existing wireless deployments."

You can visit the authors' university site here.

From the five star review of Network Performance Toolkit: Using Open Source Testing Tools:

"I don't have a lot to say about "Network Performance Open Source Toolkit" (NPOST), other than I think it's excellent. We need more tool-oriented books to teach admins how to do real work on their networks. NPOST delivers chapter after chapter of practical, hands-on material applicable to the networking shop in any organization."

If you're wondering why I don't post more negative reviews these days, remember that I almost exclusively limit myself to books appearing on my reading list. If I post a negative review, it's because a book to which I dedicated time ended up burning me!

Tuesday, September 16, 2003

Project to Customize Windows

We need more projects like XPlite. This is a system to "modularize" Windows components to facilitate their removal and reinstallation, if necessary. Windows would be much easier to secure if we could install the absolute minimum number of packages to support our applications. This is why I like the FreeBSD ports system. I install a base FreeBSD OS, and load the ports tree. Within the ports tree, I add whatever I need, and the ports system only adds what's necessary to support that application. Brilliant? Perhaps -- but that's FreeBSD, and also a few Linux variants (Debian and Gentoo). :)

Verisign -- "The Value of Trust"?

I can't believe the stunt Verisign is pulling now. The screen shot says it all. Essentially, all nonexistent domain names are resolving to, which itself resolves to I learned about this issue through the NANOG (North American Network Operators Group), Slashdot, this article, and Verisign's "notification". The talk I've seen involves, but that resolves to for me. I even queried an authoritative domain name server for (, which handles the domain). Some have said ISPs are already null-routing

I think this post makes a good case for review of Verisign's actions. This is not how an administrator for the two most important generic top level domains should act!

Thoughts on OpenSSH Vulnerability

If you've read this blog for a while you'll notice I try not to regurgitate the day's headlines. If my brain is my RAM, this blog is my hard drive -- a place I'd like to keep stories archived. So, rather than restate the OpenSSH issues (it doesn't take much, does it?), I'd like to record this thought. How should organizations posture themselves against threats to core infrastructure? Since OpenSSH is the recommended means to administer all sorts of devices, its importance approaches that of BGP, DNS, and similar services.

We're familiar with the plan -> prevent -> detect -> respond model. We form and practice plans and policies to guide our organizations. We prevent exploitation of vulnerabilities with security strategies like defense-in-depth, access control, least privilege, segmentation, and vulnerability management via proactive assessment and patching. We should perform detection via network security monitoring -- collecting, validating, and escalating event, session, full content, and statistical data. We respond to policy violations and intrusions (unlawful, unacceptable, or unauthorized use of our resources) via containment and mitigation. Is there anything else we can do when a threat to core infrastructure like OpenSSH arises?

Where possible, I think it would be helpful to have redundant systems to perform those critical services. Note that redundant does not mean "identical." Why have an extra Microsoft IIS server ready to replace the one just hacked by an intruder? It's much better to have an Apache server ready to go. (I'd argue it's better to have Apache be the primary and another solution as the back-up.) For DNS, pair BIND and djbdns. For email, run sendmail and postfix.

Where does this leave OpenSSH? Well, today I tried lsh. I had no problem installing it since it lives in the FreeBSD ports tree. While lsh may not be as well-scrutinized or tested as OpenSSH, it's not the vulnerable OpenSSH service waiting to be exploited. How could this be used in a production environment?

  1. You suspect OpenSSH may be vulnerable. You're running OpenSSH on port 22 TCP (a bad idea in my book -- why not run it somewhere else?) and the lsh daemon on port 222 TCP. Port 222 isn't allowed remotely, while 22 is.

  2. You make two quick changes to your firewall rules: Disable port 22 TCP inbound and allow port 222 TCP inbound. This quickly removes outsider access to vulnerable services.

  3. You administer critical systems using lsh (which can be accessed using standard OpenSSH clients) and patch the vulnerable OpenSSH services.

  4. Once done, disable port 222 TCP access and reinstate port 22 TCP.

The same approach could apply to other services, with modifications. This can be implemented on the client side too. Replace Internet Explorer (30+ unpatched holes and counting) with Mozilla Firebird.

When I was a Boy Scout, my Scoutmaster always asked one question whenever I planned a camping trip or hike: "What's plan B?" Not having alternatives was unacceptable. The security community has got to start devising plan Bs, because people rely on our services and expect them to work.

Monday, September 15, 2003

Good Samaritan Saves Bank's Behind

A good Samaritan who buys computers from eBay saved the Bank of Montreal's behind. According to this story:

"Geoff Ellis, a 26-year-old masters student living in North York, purchased the computers last week from Ecosys Canada Inc., a computer asset-management firm in Mississauga. He paid $400 each for two powerful IBM Netfinity servers that would have cost about $5,000 new.

Ellis buys, fixes up and then resells used computer equipment on He had posted the two machines on the popular online auction site for six hours before he noticed, after turning one of them on, that it contained an operating system that let him access file folders from the bank without needing a password.

He immediately removed the items from the Web site, he said."

I bought a handful of servers from eBay a couple months ago. I have since installed new operating systems on each one, but maybe I should have checked to see what was left behind by the previous owners? Market pressure won't change an organization's behavior when it comes to disposing of computers, but perhaps regulation and inspection would make a difference.

RAID News Posted

Scroll a few pages down and you'll see I posted my thoughts on last week's RAID conference in Pittsburgh. Enjoy!

Sunday, September 14, 2003

Installing a Free X Server on Windows XP

I needed to export X sessions to my Windows XP laptop, so I turned to Cygwin/XFree86. In less than 10 minutes I had an xterm from a FreeBSD machine appear on my Windows XP desktop. Here's how I did it.

  1. Download and execute Cygwin setup. The Cygwin/XFree86 User's Guide gives plenty of hand-holding if you need it. I selected all of the XFree86 packages plus OpenSSH. You'll see why OpenSSH was included shortly.

  2. Once Cygwin has finished installing, start a Cygwin shell, typically via 'C:\cygwin\cygwin.bat'.

  3. Within the Cygwin shell, start the X server via 'sh /usr/X11R6/bin/' as shown below. You'll see an xterm appear.
  4. Within the xterm, allow the remote host to connect via X by executing '/usr/X11R6/bin/xhost', where is the IP address of the remote host.

  5. Now use SSH to connect to the remote UNIX system. For example, 'ssh -l username -X'. Using the '-X' switch enables X forwarding, if it's not already specified in the SSH configuration file.

  6. Once connected to the remote UNIX system, send back an xterm by simply executing 'xterm'.

    I also sent 'xeyes' back to my system to show the sorts of graphical information that can be transmitted. It's as simple as that! All of the X traffic is sent via the encrypted SSH link, so you don't have to worry about exposing that information to the Internet.

If you're wondering how to upgrade the Cygwin packages already installed, this thread makes it clear that you only need to rerun the Cygwin setup.exe program.

Thursday, September 11, 2003

Happenings at TruSecure

This Register story gave details on a good virus prevalence report (available in their whitepaper library). It describes TruSecure's assessments of important viruses of the past few years. I also saw Marcus Ranum wrote a paper on false positives while he was an "independent consultant." I then read this press release saying TruSecure hired Marcus as "Senior Scientist" on 19 Aug. Good luck Marcus!

Way to Go Mike Fratto

Congratulations to Mike Fratto of Network Computing magazine for speaking the truth about the intrusion detection vs. intrusion prevention debate in two articles. First, from Inside NIP Hype ("NIP" meaning "Network Intrusion Prevention"):

"NIP is not a replacement for firewalls and won't be in the foreseeable future. Why? The fundamental problem is false positives -- the potential to block legitimate traffic. Before you can prevent attacks, you have to detect them, but NIP systems rely on intrusion detection, which is hardly an exact science. A properly configured firewall will allow in only the traffic you want, and you can bet the farm on that. We need to feel this same confidence in IDSs before we can believe in NIP systems, but IDS vendors have employed lots of talented brain cells trying to raise detection accuracy, and they're nowhere close to 100 percent." (emphasis added)

Exactly! How is a firewall doing intrusion detection any better than a non-firewall doing intrusion detection?

Mike continues to raise the clue bar with these insights from NIP Attacks in the Bud:

"Network Associates doesn't let users see what constitutes a signature. When we asked about this, the company said it didn't want to help people develop evasion techniques. The Exploit Alert Detail dialog on the Alert Viewer reveals text matches for a given alert, but that one match could be a subset of all possible matches.

Given time, we could have puzzled out most of the signatures via exhaustive searches, so we think Network Associates is just being difficult. In comparison, NetScreen opens signatures for review and editing--an approach we prefer.

The lack of signature information quickly became frustrating, and it complicated troubleshooting when a match was based on a protocol anomaly because there wasn't enough information to know why a match occurred. We had to send packet traces to Network Associates to determine why an SNMP packet was being detected as a NetBIOS issue. It took a few days, but the company resolved the problem and provided an update to the signatures. Signature updates are automated, but you need to buy a support contract to get them." (emphasis added)

This is exactly the problem with many commercial IDS tools. If an analyst can't independently assess why the IDS generated an alert, she will not trust it and will disregard its warnings. Unfortunately, NWC still gave the NAI product its recommendation.

Incidentally, if you read the article in paper or .pdf check out Mike's new hair-do. Holy flowing mane, Batman! I wish I could manage that. :)

Wednesday, September 10, 2003

RAID Conference Concludes

Today I drove home from the 6th annual Recent Advances in Intrusion Detection (RAID) conference held at Carnegie Mellon University. The picture at left shows the nearby University of Pittsburgh's magnificent Cathedral of Learning, which is just about the coolest name for a building I can imagine. (It reminds me of Kwai Chang Caine's answer to a question on what he does: "I work, eat, learn.")

This was my first RAID conference, and I took several pages of notes on what IDS researchers are doing. The conference began with a presentation by Richard Clarke. Some of his more interesting points included:

  • He confirmed US DoD networks have indeed suffered worms and/or viruses on "classified networks." He also stated "one ugly fact... every network I know of has been penetrated -- recently and regularly," with the exceptions being one or two classified government networks. However, he "[hasn't] seen cyberterrorism yet," although he has seen "nation states doing reconnaissance" against each other and thinks the recent DNS attacks may have been nation state activities. I asked him about structured threats like organized crime, and Clarke replied he's more worried about nation states performing targeted attacks.

  • He claimed the northeast blackout which seems to have started in Ohio was "remarkably similar" to tests done by DoD red teams. Ohio power workers claim their displays reported normal status while the system failed. DoD red teams take similar approaches. A cybersecurity taskforce is now part of the blackout investigation. Two days before the blackout, power companies (through the North American Electric Reliability Council (NERC)) adopted new security guidelines. Others are issuing warnings.

  • Clarke believes if the US Congress or EU tries to legislate security, "it won't work." Government will destroy the Internet if it tries to take it over to protect "critical infrastructure." His reference to Terminator 3 was apt: "People need machines. People take critical infrastructure for granted until it fails. Machines fail when subjected to malicious code."

  • Answering a question on poor code, he said "why is their software so shitty... because they can" [sell lousy software]. He believes big companies should band together to create a software assurance standard along the lines of the Underwriters Laboratory. He recommends the creation of a "patch management center" which offers testing of new patches to prevent redundant testing on vanilla systems throughout industry. Clarke is researching security standards for the Business Roundtable and has found 27 thus far -- too many!

  • Clarke shared stories about ELIGIBLE RECEIVER, an exercise in 1997 to test information infrastructure, particularly in the Pentagon. Although the exercise was scheduled for a week, Clarke claimed that by Tuesday the National Military Command Center was compromised and the exercise was stopped early on Wednesday. As a consequence then US Deputy Secretary of Defense John Hamre told every military service to deploy intrusion detection systems (IDS), which was one of the reasons we saw a huge surge in sensor installations in the AFCERT around that time.

  • Whereas the problems with IDS used to be not enough data on intrusions, now the mindset involves "dumping alerts into databases." In 2002 Clarke said the Internal Revenue Service and Veteran's Administration decided to pool their IDS data and mine it for trends.

  • Clarke named three IDS weaknesses: (1) insiders, who according to an upcoming Secret Service survey, are causing a "vast number" of American companies to lose money; (2) virtual private networks, which allowed a vector for a "business-to-business" customer of Bank of America to infect it with the Slammer worm; and (3) wireless, where IDS coverage is lacking.

  • He's counted 127 companies which sell IDS products, with lots of venture capital still available for security. Unfortunately, CIOs think the IDS vs. Intrusion Prevention System (IPS) debate is "silly." Furthermore, CIOs are questioning their security spending, saying "no matter what I do, I'm still owned." Why spend more money if nothing works? Clarke believes the future lies with "self-healing networks" which function regardless of compromise.

Richard Stiennon of Gartner, formerly a consultant at PriceWaterhouseCoopers, spoke as well. He was a nice enough guy but I don't think his arguments hold water, and I wasn't impressed to hear that he disabled his own laptop by installing a spyware cleaner! Here are some of his main points, either printed on his slides or spoken:

  • "Gateways and firewalls are finally plugging the holes... we are winning the arms race with hackers... the IDS is at the end of life." He "recommends delaying large investments in IDS and event management, piloting application defense and network IPS products, and locking down access control."

  • His vision of "defense in depth" includes: firewalls -> vulnerability assessment or management -> network intrusion prevention (separate from the firewall) -> host intrusion prevention -> antivirus -> security management. This vision is based on conclusions gained from "talking to users," since he doesn't have a product test lab!

  • A "deep packet (or stream) inspection firewall assembles (normalizes) packets and inspects them for compliance with a set of rules." "Rule classes" could include "attack signature, protocol anomaly, behavior, antivirus, or custom content inspection."
  • Stiennon claimed that IDS offers "mountains of data, hours of labor, heaps of alerts, false positives [and] IR nightmares," while the "security nirvana" of IPS will "drop protocol attacks, block known attacks, [and spend] less time tracking down what happened."

  • He named Cisco (who bought Okena), ISS, Enterasys, NFR, Symantec, Intrusion, Tripwire, Lancope, and Arbor Networks within the IDS market, and Tipping Point, NetScreen (via purchasing OneSecure), and Network Associates (via purchasing Intruvert and Entercept) as IPS vendors. He noted Tipping Point complained to Gartner it wasn't "getting its message out," and I found that the company declined an award nomination (.pdf) in the IDS category from Network Computing Magazine. That's staying on message!

  • Beyond IDS and IPS, Stiennon made interesting insights into the strengths of content switching vendors F5, Radware, Cisco, and Blue Coat, which already does content inspection. The other vendors only need to add more security content inspection to their products to cause headaches for more traditional security vendors. On the application defense side, Stiennon mentioned Netcontinuum, Teros, Sanctum, KaVaDo, Ingrian, and Array Networks.

  • Vendors offering security event management products include GuardedNet, ArcSight, E-Security, Intellitactics, and NetForensics, the most inaptly named security company I know.

  • I asked him where the "magic" comes from that makes modern firewalls perform the intrusion detection functions he says are failing. His answer was not satisfactory. Earlier he talked of Checkpoint adding INSPECT code for Snort signatures into the firewall's kernel.

Once the invited guests were done, the conference turned to papers. Some of the researchers I met were unhappy that many of the papers weren't "science" or "research," but "engineering" and "applied research." They preferred to see papers with little or no practical application. This was a new concept to me. Apparently the downturn in the tech economy has left most commercial research labs, particularly IBM Research, doing less "pure research" and more "solutions to problems."

  • One of the most interesting talks was by Philip Chan of Florida Institute of Technology, titled "An Analysis of the 1999 DARPA/Lincoln Laboratory Evaluation Data for Network Anomaly Detection" (.pdf). He criticized the 1999 DARPA Intrusion Detection Evaluation Data Set. Apparently getting access to data to run through their algorithms and code is a huge problem. Dr. Chan analyzed the popular IDEVAL data to show its weaknesses and proposed some solutions.

  • Vern Paxson participated in a panel discussion on worm/virus propagation and asked "doesn't anyone read the literature?" In other words, why isn't malicious code worse? He mentioned permutation scanning, flash worms, metaserver worms, topological worms, and contagion worms as subjects for worry. He wondered if botnets were built because spammers pay for them, and pointed to a paper to be published at Worm 2003 called "Access for Sale" by S. Schecter and M. Smith.

  • Arno Wagner of the DDoSVaX project spoke about using NetFlow records for analyzing malicious code. (Incidentally, I finally found an open source NetFlow collector in the FreeBSD net ports tree -- fprobe! I've tried it with EHNT (also in the tree) and will fire up flow-tools next.)
  • The presenter of "Characterizing the Performance of Network Intrusion Detection Sensors" (.pdf) was absolutely hammered by the attendees. He was attacked for his methodology and results, particularly the possibility that the NICs he used to test Snort performance were the real bottleneck. Since he used a TAP to collect data, I asked if he combined the two streams. He said he ran Snort against only one output. Since most real-world deployments care about both sides of the conversation, his choice wasn't realistic.

  • The paper "Using Decision Trees to Improve Signature-based Intrusion Detection" (.ps) introduced me to Snort NG, which claims better performance than Snort 2.0 using the Snort 1.x code as a base.

  • After the talks I spoke with Brian Hernacki of Symantec, who told me about ManHunt's ability to work with a switch to change the SPAN port it monitors. This idea of sampling traffic is a great one.
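To make the DDoSVaX point about NetFlow concrete, here is an added example, written for this post and not taken from the talk, fprobe, or flow-tools: a small triage script that flags worm-like scanning hosts from flow records. The flows are constructed, their field layout (src, dst, sport, dport, proto, packets, bytes) mirrors what a collector exports, and the thresholds are my assumptions rather than anything the project ships.

```python
"""Added example (not DDoSVaX or flow-tools code): flag scanning hosts in NetFlow.

A worm or scanner shows up in flow data as a source emitting many tiny flows
(one or two packets, no payload) to many distinct hosts on one port (a
horizontal scan) or to many distinct ports on one host (a vertical scan).
"""

from typing import Dict, Iterable, List, Tuple

# src, dst, sport, dport, proto, packets, bytes
Flow = Tuple[str, str, int, int, int, int, int]


def constructed_flows() -> List[Flow]:
    """Constructed sample flows; addresses are documentation ranges."""
    flows: List[Flow] = [
        ("10.0.0.5", "192.0.2.10", 40001, 80, 6, 12, 9800),    # normal web session
        ("10.0.0.5", "192.0.2.11", 40002, 443, 6, 30, 25000),  # normal TLS session
    ]
    # worm-like host: one small packet to port 445 on forty different hosts
    flows += [("10.0.0.99", f"192.0.2.{i}", 50000 + i, 445, 6, 1, 48) for i in range(1, 41)]
    # probing host: one small packet to forty different ports on a single host
    flows += [("10.0.0.77", "192.0.2.50", 51000 + p, p, 6, 1, 48) for p in range(20, 60)]
    return flows


def summarize(flows: Iterable[Flow]) -> Dict[str, dict]:
    """Per source: distinct destinations, distinct ports, flow count, tiny-flow count."""
    per_src: Dict[str, dict] = {}
    for src, dst, _sport, dport, _proto, pkts, nbytes in flows:
        s = per_src.setdefault(src, {"dsts": set(), "dports": set(), "flows": 0, "tiny": 0})
        s["dsts"].add(dst)
        s["dports"].add(dport)
        s["flows"] += 1
        if pkts <= 2 and nbytes <= 100:  # a SYN (or SYN then RST) with no payload
            s["tiny"] += 1
    return per_src


def classify(per_src: Dict[str, dict], min_flows: int = 20, tiny_ratio: float = 0.9) -> Dict[str, str]:
    """Label sources whose flows are almost all tiny and fan out across hosts or ports.

    min_flows and tiny_ratio are assumed thresholds; tune them to your network.
    """
    findings: Dict[str, str] = {}
    for src, s in per_src.items():
        if s["flows"] < min_flows or s["tiny"] / s["flows"] < tiny_ratio:
            continue
        if len(s["dsts"]) >= min_flows and len(s["dports"]) <= 2:
            ports = ",".join(str(p) for p in sorted(s["dports"]))
            findings[src] = f"horizontal scan: {len(s['dsts'])} hosts on port {ports}"
        elif len(s["dports"]) >= min_flows and len(s["dsts"]) <= 2:
            hosts = ",".join(sorted(s["dsts"]))
            findings[src] = f"vertical scan: {len(s['dports'])} ports on {hosts}"
    return findings


def triage(flows: Iterable[Flow] = None) -> Dict[str, str]:
    """Run the pipeline over the given flows (default: the constructed sample)."""
    return classify(summarize(flows if flows is not None else constructed_flows()))


if __name__ == "__main__":
    for src, why in triage().items():
        print(src, why)
```

The busy but legitimate client (10.0.0.5) never trips the check because its flows carry real payload and it touches only two hosts; the two scanners are caught purely from flow metadata, which is the appeal of NetFlow for this job: no packet payload is needed, so the same records a router already exports for accounting double as a detection feed.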
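The decision-tree idea behind the Snort NG paper is easy to see in miniature. The following is an added example written for this post, not the paper's or Snort NG's code: a toy rule set is split into a tree on its header fields (protocol, then destination port), so that a packet is compared against only the rules on its branch rather than against every rule. Rules, packets and the attribute-selection heuristic are constructed for the illustration.

```python
"""Added example (not Snort NG's algorithm): a decision tree over rule headers.

A linear matcher tests every rule against every packet. Building a tree on the
header fields means each packet only visits the rules whose header constraints
it can possibly satisfy, with wildcard rules (None) kept on a branch of their own.
"""

# Constructed toy rules; None means "any" for that field
RULES = [
    {"id": 1, "proto": "tcp", "dport": 80, "content": b"/cgi-bin/"},
    {"id": 2, "proto": "tcp", "dport": 80, "content": b"../.."},
    {"id": 3, "proto": "tcp", "dport": 21, "content": b"SITE EXEC"},
    {"id": 4, "proto": "udp", "dport": 53, "content": b"version.bind"},
    {"id": 5, "proto": "tcp", "dport": None, "content": b"/bin/sh"},
    {"id": 6, "proto": "icmp", "dport": None, "content": None},
]
HEADER_ATTRS = ("proto", "dport")


def build_tree(rules, attrs=HEADER_ATTRS):
    """Recursively split rules on the header attribute with the most distinct values."""
    if not rules or not attrs:
        return {"rules": list(rules)}
    best = max(attrs, key=lambda a: len({r[a] for r in rules if r[a] is not None}))
    if all(r[best] is None for r in rules):
        return {"rules": list(rules)}  # nothing left to split on
    rest = tuple(a for a in attrs if a != best)
    groups = {}
    for r in rules:
        groups.setdefault(r[best], []).append(r)
    return {"attr": best, "children": {v: build_tree(g, rest) for v, g in groups.items()}}


def candidates(node, pkt):
    """Collect rules on the packet's branch plus any wildcard (None) branches."""
    if "attr" not in node:
        return node["rules"]
    out = []
    for key in (pkt[node["attr"]], None):
        child = node["children"].get(key)
        if child is not None:
            out.extend(candidates(child, pkt))
    return out


def tree_match(tree, pkt):
    """Ids of rules that survive the header tree and whose content matches."""
    return sorted(r["id"] for r in candidates(tree, pkt)
                  if r["content"] is None or r["content"] in pkt["payload"])


def linear_match(rules, pkt):
    """Reference matcher: test every rule, header and content, against the packet."""
    return sorted(r["id"] for r in rules
                  if r["proto"] == pkt["proto"]
                  and r["dport"] in (None, pkt["dport"])
                  and (r["content"] is None or r["content"] in pkt["payload"]))


def constructed_packets():
    """Constructed packets; dport is 0 where the protocol has none."""
    return [
        {"proto": "tcp", "dport": 80, "payload": b"GET /cgi-bin/test.cgi HTTP/1.0"},
        {"proto": "tcp", "dport": 80, "payload": b"GET /../../etc/passwd HTTP/1.0"},
        {"proto": "tcp", "dport": 22, "payload": b"exec /bin/sh"},
        {"proto": "udp", "dport": 53, "payload": b"\x00version.bind\x00"},
        {"proto": "icmp", "dport": 0, "payload": b""},
    ]


if __name__ == "__main__":
    tree = build_tree(RULES)
    for pkt in constructed_packets():
        print(pkt["proto"], pkt["dport"], "candidates:", len(candidates(tree, pkt)),
              "hits:", tree_match(tree, pkt))
```

For the first packet the tree hands the content matcher three candidate rules (the two port 80 rules and the TCP wildcard) instead of all six, and both matchers agree on the result. The saving grows with the rule count, which is the performance claim the paper makes; a real engine would also pick split attributes by how evenly they partition the rules, not just by how many values they take.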

Well, that's my RAID wrap-up. I don't intend to return again, but I do plan to check the future programs and read the papers that interest me.

Update: 5th Anniversary of "FloodNet"

Five years ago today Wired reported on FloodNet. It was an attempt by a group called the Electronic Disturbance Theater to overwhelm Web sites, among them the Pentagon. It's significant because, according to the Wired article, the Pentagon took countermeasures:

"Participants in the FloodNet protest needed only to load the FloodNet Web page. The page contained a Java applet configured to request and load the three target Web sites every three seconds. The Electronic Disturbance Theater estimated that up to 10,000 people took part in the demonstration, delivering 600,000 hits to each of the three Web sites per minute.

The automated rapid-fire requests are designed to overwhelm the target Web sites so they cannot be viewed by their intended audience, known as a 'denial of service' attack.

The Pentagon's Web-site support team apparently struck back with a Java applet of its own. That applet sensed requests from the FloodNet servers, and loaded -- and reloaded -- an empty browser window on the attacker's desktop. The move forced the protesters to reboot their computers."
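FloodNet is a useful reminder that a flood spread over thousands of clients looks nothing like one abusive client in the logs. As an added example, not from the Wired story or any FloodNet code, here is a small script that parses a combined-format web access log and flags seconds where the aggregate request rate is high and spread across many sources. The log lines are constructed, and the assumption that the applet's requests carry a Referer pointing back at the page that launched them is mine, made so the script can show where the traffic is coming from.

```python
"""Added example (not from the Wired article or FloodNet): spotting a
distributed request flood in a combined-format access log.

Each FloodNet participant made only a few requests per second, so a per-client
rate limit would never fire. Counting requests and distinct sources per second
catches the aggregate, and the most common Referer points at the launch page.
"""

import re
from collections import Counter, defaultdict

# NCSA combined log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def constructed_log():
    """Constructed sample: quiet background traffic, then one second of flood."""
    lines = []
    for i in range(5):  # a few ordinary clients, one request per second
        lines.append(f'198.51.100.{i + 1} - - [09/Sep/1998:10:00:0{i} +0000] '
                     f'"GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"')
    for c in range(40):  # forty clients each reloading three pages in one second
        for path in ("/", "/news.html", "/contact.html"):
            lines.append(f'203.0.113.{c + 1} - - [09/Sep/1998:10:00:05 +0000] '
                         f'"GET {path} HTTP/1.0" 200 1043 '
                         f'"http://protest.example/floodnet.html" "Mozilla/4.0 (Java applet)"')
    return lines


def parse(lines):
    """Parse log lines into dicts; malformed lines are skipped rather than guessed at."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        d = m.groupdict()
        d["second"] = d["ts"].split(" ")[0]  # "09/Sep/1998:10:00:05", offset dropped
        events.append(d)
    return events


def flag_floods(events, max_rps=30, min_sources=10):
    """Seconds with more than max_rps requests coming from at least min_sources clients.

    The thresholds are assumptions; set them from your own site's normal peak.
    """
    by_second = defaultdict(list)
    for e in events:
        by_second[e["second"]].append(e)
    floods = {}
    for second, evs in sorted(by_second.items()):
        sources = {e["ip"] for e in evs}
        if len(evs) > max_rps and len(sources) >= min_sources:
            top_ref, _ = Counter(e["referer"] for e in evs).most_common(1)[0]
            floods[second] = {
                "requests": len(evs),
                "sources": len(sources),
                "per_source": round(len(evs) / len(sources), 1),
                "top_referer": top_ref,
            }
    return floods


if __name__ == "__main__":
    for second, info in flag_floods(parse(constructed_log())).items():
        print(second, info)
```

In the sample the flood second carries 120 requests from 40 clients, or three per client, which is exactly the kind of rate a per-IP throttle waves through. The aggregate count and the shared Referer are what give it away, which is also why the Pentagon's reported response targeted the page driving the requests rather than any single participant.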

Sunday, September 07, 2003

Anton Chuvakin submitted a post alerting me to an article by Gartner gadflies John Pescatore, Richard Stiennon, and Anthony Allan. From the article:

"You should continue to detect intrusions. However, you shouldn't invest in stand-alone, network-based intrusion detection systems (IDSs)... by 2006, most enterprises will perform intrusion detection as part of firewall processing with next-generation firewalls... There have been enough advances in algorithms and high-speed network security processors to enable next-generation firewalls to perform network intrusion detection and blocking at all layers of the protocol stack. Mature products will ship in 2005... Purchase security management products - see "CIO Update: Gartner's IT Security Management Magic Quadrant Lacks a Leader," - to perform IDS alarm data reduction and correlation to firewall and vulnerability assessment logs, or outsource IDS monitoring to managed security service providers... Gartner has published a new report that includes material on intrusion detection and prevention, "Securing the Enterprise: The Latest Strategies and Technologies for Building a Safe Architecture."

My advocacy of Network Security Monitoring makes me agree that "stand-alone" NIDS aren't sufficient. However, Gartner's logic makes no sense. Essentially they are saying firewalls shipping in 2005 or 2006 will be sufficiently advanced to perform the IDS detection functions of today. In 2 or 3 years IDS will also have advanced, so what's the difference? The bottom line is Gartner continues to make waves in order to sell their pricey reports to scared CIOs facing regulatory and customer pressure.

Saturday, September 06, 2003

Slides on NSM Webcasts Posted

I recorded a second webcast on network security monitoring for This webcast focuses on tools to implement NSM, namely tcpdump, argus, snort, and trafd/trafshow. I talk about their use and capabilities. You can view it here. I posted the slides here. Previously I recorded a webcast on NSM theory with my friend Bamm Visscher, lead author of Sguil. You can view it here or here and read answers to questions submitted by listeners. A SearchSecurity editor commented on our talk as well. The slides for that Dec 02 webcast are here.

IT Security Hottest Job

Challenger, Gray & Christmas named "IT Security" the "hottest" job for 2003 and 2004, according to this article. From the story:

"The post of chief privacy officer just got the nod for the highest-paying hot job, bringing in an average salary of $122,360. An IT manager or security manager came in ninth on the list of high-paying hot jobs with an average salary of $91,470.

Security is simply hot this year. The security industry came in second, just behind preventative health care, for the hottest industry of this year and next.

Security and IT managers are earning salaries of more than $91,000, according to the report. And a survey of top corporate information systems security executives for Fortune 500 companies found that the average overall compensation level was $237,000."

$237,000? What are those guys doing to justify that sort of salary? Running vulnerable Windows boxes? :)