Wednesday, May 7, 2008

Spliced feed for Security Bloggers Network

Joel Snyder's lengthy interview on NAC [StillSecure, After All These Years]

Posted: 07 May 2008 06:05 AM CDT

The Network World guys have a lengthy transcript of a webinar with Joel Snyder of Opus One and Interop Labs talking about his experience with NAC. Joel says that Microsoft is leading the charge in bringing NAC to market. Not that NAP is the be-all and end-all of NAC, but it is serving as a foundation that other NAC vendors can build upon. Joel also talks about his view that he prefers working with ACLs over VLANs.

There is a ton of good stuff there, but I disagree with Joel on two things. I think NAP will lead to rapid and broad NAP adoption. But right now Joel suffers from lab-a-titis. Yes, NAP is great in the lab, but who has Vista and Server 2008 up and running in the real world? Until we see wider adoption of these platforms, NAP will not reach the masses. Also, I think dealing with ACLs is a bigger pain than VLANs. This is based on hundreds of engagements by StillSecure engineers setting up NAC environments. But as I said, if you are interested in NAC, have a read; there is lots of good stuff there.

rtpbreak 1.3a Released - RTP Analysis and Hacking [Darknet - The Darkside]

Posted: 07 May 2008 01:41 AM CDT

rtpbreak 1.3a has been released; we initially brought you news of this tool back in August 2007 with the first announcement of rtpbreak. With rtpbreak you can detect, reconstruct and analyze any RTP session. It doesn’t require the presence of RTCP packets and works independently from the signaling protocol used (SIP, H.323, SCCP etc). The...

Read the full post at

Links for 2008-05-06 [] [Anton Chuvakin Blog - "Security Warrior"]

Posted: 07 May 2008 12:00 AM CDT

My Iron Man Review (a.k.a. Alan’s heresy) [An Information Security Place]

Posted: 06 May 2008 11:59 PM CDT

OK, as much as it pains me, I have to respectfully disagree with The Shimel about his review of Iron Man. First off, I really think you have to have some knowledge of the Iron Man comic story to truly appreciate this movie. Clearly Alan does not have that history (and he is probably going to call me a dork or something since I do) when he makes statements like this:

I didn’t understand how he got the superpower, it was just a powered suit and how it worked was pretty silly.

HOLY CRAP!!!  That is near heresy in the Marvel Universe!  Tony Stark does not have powers other than he is extremely intelligent (I believe he developed some extrasensory powers one time, but I have not collected and read comics for a while).  That is what enabled him to make the suit and the piece of technology that powered the suit.

I have to say that while I do agree with Alan that the movie is predictable, I also must say that it is thus far the best big-screen representation of a Marvel Comics character. It stayed very true to the original story, which is always very important to me. In contrast, the Hulk movie was horrible and boring (I have more hope for the next one), Daredevil was just pure idiocy (mostly because it had Ben A Fleck in it - though the playground fight scene was almost as bad as the ice skating scene in King Kong), the Spiderman series has always been underwhelming (they have screwed that story up so bad that Spidey might as well be shooting webs out his ass), the Fantastic Four movies were just…well, I wish they weren’t (especially since they royally hosed Silver Surfer’s story and character, which really pissed me off since he is my MOST favorite Marvel character of all time), and the X-Men movies, while pretty dang good, were still off on the story lines.

I guess what this all comes down to is three categories:

1. You have no preconceived notion of what the movie was about, so you can enjoy or dislike it without baggage

2. You thought you had some idea what the history of the characters is, so when you see something else you don’t like it (similar to Alan’s review in this case)

3. You are intimately familiar with the story line pre-movie and either love the movie for being accurate or hate it immensely because they screwed the story up completely.

Of course, then there’s the fourth group that would not go see the movie if they were strapped to a wild team of mad donkeys (my wife falls firmly into this category - love you baby).

So anyway, now that I have blown off some steam, I think the movie was good precisely because Tony Stark did NOT have superpowers. He didn’t in the comic, and he didn’t in the movie. Just a really smart dude who knows how to build really cool toys that just happen to blow up crap.

Man, I know way too much stuff about comics. Oh, here’s a picture of me with The Hulk. It’s remarkable how close our builds are, isn’t it?


And here’s what I looked like after I read Alan’s post on Iron Man:



Token Passing with Incognito Part 2 [Carnal0wnage Blog]

Posted: 06 May 2008 10:15 PM CDT

Alright, I love this tool and it's been officially merged into the msf trunk, which is just super.

After talking to the guys at work and doing some thinking on it, the most useful aspect of incognito is being able to become a domain user (if they have logged into the compromised box since the last reboot). Why would I want to be a user instead of the all-powerful SYSTEM? Well, for one thing, users have access to "net" commands and can enumerate domain information and can view and map shares and whatnot; generally SYSTEM, while mega-badass on the box you are on, can't do jack on the domain. SOOOO, unless you popped a shell on the DC, we need to try to become a user.

So on to the screenshots...

So, normal scenario: we pop a shell with metasploit, with the NEW "old reliable" msdns_zonename exploit, and use the meterpreter payload. Once we are in our meterpreter shell, do a "use incognito" to load the library.

We list the available tokens by user using "list_tokens -u". Once we see someone we want to try to impersonate, we run the impersonate_token "domain\\user" command. We can verify it worked using getuid in meterpreter.

At this point we have two options. We can run commands as our new user, and create our own user and add them to whatever groups we want to add them to. Keep in mind that "most" of this works because the person we are impersonating had admin privileges on the domain (as far as adding users to the domain). If we just wanted to become a user to do domain enumeration, we can still do that.

So let's see getting a command shell with our impersonated token.

You have to make sure you pass it the "-t" option to use your token.

The 2nd option is to just add a user and add them to the appropriate group(s). Just follow along, it's not too hard.

Now you can just log in normally to the domain, or do whatever it is you need to do to get your paycheck.

I did some playing with dameware and this tool. I'll save comments for a future post, and I need to do some more playing, but it appears to be leaving a token in memory as well.
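From the defender's side, the sequence the post describes (an impersonated domain user creating an account and dropping it into a privileged group) leaves a recognisable trail on the domain controller. The following is an added example, not part of the post or of incognito/Metasploit: it scans constructed, flattened Windows security-log records (event 4720 = user account created; 4728, 4732 and 4756 = member added to a global, local or universal security group) and flags an account that is created and then added to a sensitive group by the same subject within a short window. Hosts, account names and the flat `key=value` line format are constructed for illustration.

```python
"""Flag "create account, then add it to a privileged group" in security events.

Added example (not from the original post). The event IDs are the Windows
Server 2008 security log IDs; the flat key=value rendering, hosts and names
below are constructed sample data.
"""
import re
from datetime import datetime, timedelta

SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
WINDOW = timedelta(minutes=10)      # assumed: creation -> group add within 10 min
GROUP_ADD_EVENTS = {4728, 4732, 4756}

# Constructed sample events. Backslashes are doubled because this is a
# normal (non-raw) Python string; the rendered text reads CORP\jsmith.
SAMPLE_EVENTS = """\
2008-05-06T22:10:03 dc01 EventID=4720 Subject=CORP\\jsmith Target=CORP\\svc_backup
2008-05-06T22:11:40 dc01 EventID=4728 Subject=CORP\\jsmith Group=Domain Admins Member=CORP\\svc_backup
2008-05-06T22:30:12 dc01 EventID=4720 Subject=CORP\\hrprov Target=CORP\\new.hire
2008-05-06T22:31:00 dc01 EventID=4728 Subject=CORP\\hrprov Group=HR Staff Member=CORP\\new.hire
2008-05-06T22:45:00 dc01 EventID=4720 Subject=CORP\\hrprov Target=CORP\\temp.contractor
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) Subject=(?P<subject>\S+) (?P<rest>.*)$"
)
# Remaining fields may contain spaces (group names), so split on " Key=" boundaries.
FIELD_RE = re.compile(r"(\w+)=(.+?)(?= \w+=|$)")


def parse_events(text):
    """Parse the flat lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "eid": int(m["eid"]),
            "subject": m["subject"],
        }
        for key, value in FIELD_RE.findall(m["rest"]):
            ev[key.lower()] = value
        events.append(ev)
    return events


def find_suspicious_provisioning(events, window=WINDOW, sensitive=SENSITIVE_GROUPS):
    """Return (subject, new_account, group) for each account that the same
    subject created and then added to a sensitive group within `window`."""
    created = {}        # account -> (creating subject, creation time)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["eid"] == 4720:
            created[ev["target"]] = (ev["subject"], ev["ts"])
        elif ev["eid"] in GROUP_ADD_EVENTS and ev.get("group") in sensitive:
            origin = created.get(ev.get("member"))
            if origin and origin[0] == ev["subject"] and ev["ts"] - origin[1] <= window:
                alerts.append((ev["subject"], ev["member"], ev["group"]))
    return alerts


if __name__ == "__main__":
    for subject, account, group in find_suspicious_provisioning(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT: {subject} created {account} and added it to '{group}'")
```

The HR provisioning lines are there to show that ordinary account creation into a non-sensitive group does not fire.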

Reverse Compliance or "Logs as Proof of Incompetence?" [Anton Chuvakin Blog - "Security Warrior"]

Posted: 06 May 2008 07:27 PM CDT

Now, I wrote a bunch of things about logs for PCI DSS compliance (including my book chapter) and overall logging for compliance. How about "reverse compliance" against logs? 

Whaaaat? WTF is "reverse compliance?" 

"Reverse compliance" is a motivation to purposefully avoid technologies that have a chance of telling you that you are NOT in compliance. Sadly, logging is featured very high on the list of such technologies that a) tell you about all the problems with your compliance posture (e.g. direct violations of regulatory requirements,  lack of controls, inefficient controls, policies not followed, etc) as well as b) are mandated by various regulations (e.g. PCI DSS) and c) actively used by auditors for finding compliance issues.

When this type of thinking is in progress, people start going even further towards:

  • If I have no logging, people will not know that I was "0wned" for years, and thus I won't have to notify the customers (reverse breach disclosure compliance)
  • If I have no logs, nobody can blame me for having known (or having had a way to know) about the successful attack and data theft
  • If a breach investigation leads to a dead end due to not having logs, maybe I won't be fined as severely?
  • If I don't have logs to show the auditors, they won't blame me for mismanaging security in my environment (or - they will only blame me for not having logs and not for all the other serious issues I have...)
  • If I have no logging, I cannot be found to be in violation of many PCI DSS requirements, since evidence of violation would be in the logs (but I will obviously be in violation of Requirement 10)

The key question is how widespread "reverse compliance" is? I am sure that many of my enlightened readers would think that no organization is that f*cked up :-) Well...

... some sadly are. Is "worst in class" label appropriate here? Maybe not, since these companies are thinking that they are "being smart about their business"  and saving money by avoiding those "useless" (also known as "common sense" ;-)) compliance requirements.

So, will you log if logs will prove your incompetence?

That is, my friend, the whole question here...

On the other hand, I hope that this "approach" is not too common in the age of breach notification laws: logs or no logs, they will have to tell the public and - often! - without logs they will have to announce that ALL is lost. The burden is on them to prove what was NOT stolen IF the server where the data is stored was found to be owned.

For example, a compromised server + critical data stored = every record is assumed 'lost' in the absence of logs.

This is, in fact, one of the stronger motivations for log management today, as it shows you clear, obvious savings: notify 200,000 people vs notify 40,000,000 people of the breach at, say, $5 apiece....
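The scoping argument above, as an added example that is not part of the original post: a compromised server holds 40,000,000 records; with usable access logs we can enumerate the records the intruder actually read and notify only those people, without logs every record is presumed lost. The log format, host, IP addresses and record ranges are constructed; the $5 per notification figure is the post's own illustration.

```python
"""Breach scoping with and without access logs.

Added example, not from the original post. The access-log format and all
sample values are constructed; only the 200,000 / 40,000,000 / $5 figures
come from the post.
"""
import re
from datetime import datetime

PER_NOTIFICATION_COST = 5.0      # the post's "$5 apiece"
TOTAL_RECORDS = 40_000_000       # records stored on the compromised server

# Constructed application access log. "ids=a-b" is an inclusive record range.
# 203.0.113.9 plays the intruder; 10.0.3.14 is the legitimate web tier.
SAMPLE_LOG = """\
2008-05-01T02:13:07 db01 app user=svc_web src=10.0.3.14 action=SELECT ids=500-520
2008-05-02T03:41:55 db01 app user=svc_web src=203.0.113.9 action=SELECT ids=1-120000
2008-05-02T03:44:10 db01 app user=svc_web src=203.0.113.9 action=SELECT ids=100001-200000
2008-05-02T03:59:02 db01 app user=svc_web src=10.0.3.14 action=SELECT ids=300000-300010
2008-05-03T11:02:44 db01 app user=admin src=203.0.113.9 action=SELECT ids=150000-180000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) app user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) ids=(?P<lo>\d+)-(?P<hi>\d+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["ts"] = datetime.fromisoformat(entry["ts"])
            entry["lo"], entry["hi"] = int(entry["lo"]), int(entry["hi"])
            yield entry


def records_exposed(entries, compromised_at, trusted_sources):
    """Count distinct record ids read after the compromise from untrusted sources.

    Overlapping ranges (1-120000 and 100001-200000 above) are merged so the
    same record is not counted twice.
    """
    ranges = sorted(
        (e["lo"], e["hi"]) for e in entries
        if e["ts"] >= compromised_at and e["src"] not in trusted_sources
    )
    merged = []
    for lo, hi in ranges:
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return sum(hi - lo + 1 for lo, hi in merged)


def notification_scope(log_text, compromised_at, trusted_sources,
                       total_records=TOTAL_RECORDS):
    """Return (people_to_notify, estimated_cost).

    `compromised_at` is an ISO-8601 timestamp. No log text at all means every
    record on the server is presumed stolen, which is the post's rule.
    """
    if not log_text:
        affected = total_records
    else:
        since = datetime.fromisoformat(compromised_at)
        affected = records_exposed(parse_log(log_text), since, trusted_sources)
    return affected, affected * PER_NOTIFICATION_COST


if __name__ == "__main__":
    trusted = {"10.0.3.14"}
    with_logs = notification_scope(SAMPLE_LOG, "2008-05-02T00:00:00", trusted)
    without_logs = notification_scope("", "2008-05-02T00:00:00", trusted)
    print(f"with logs:    notify {with_logs[0]:,} people, ${with_logs[1]:,.0f}")
    print(f"without logs: notify {without_logs[0]:,} people, ${without_logs[1]:,.0f}")
```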


Tmin fuzzing test case optimizer released [Security-Protocols]

Posted: 06 May 2008 06:17 PM CDT

Tmin is a quick and simple tool to minimize the size and syntax of complex test cases in automated security testing. The tool is somewhat related to delta, which is a more featured general purpose...


Fixed! [ - A Revolution is the Solution]

Posted: 06 May 2008 02:02 PM CDT

Things I am happy about this week:

1) The comments on Spywareguide are working again, and you can now post as you see fit. Swear to God.

2) The day I posted this ramble complaining about Feedburner woes, Netvibes (who, judging from endless posts in their support group via Google, seem to have been the cause of endlessly fluctuating Feedburner stats) went and migrated all of their users to the new interface. Since that day, my stats have been back to normal and have actually gone up a little bit. Anyone else out there using Feedburner noticed a more regular pattern in their stats since a week ago?

3) Insert your own happy thing here, I'm all out.

So Cool: Richard on NAC [Anton Chuvakin Blog - "Security Warrior"]

Posted: 06 May 2008 01:34 PM CDT

This is fun: Richard "IDS is dead" Stiennon says "NAC is dead."

I will now start calling him Richard "Both IDS and NAC are dead" Stiennon. Also, he is hereby proclaimed a Mortician of Security Industry :-)

Sorry, it is all in good fun!

More on that tomorrow in my "Security Reading II" piece, BTW.

House of Hackers Possibilities [GNUCITIZEN Media Portfolio]

Posted: 06 May 2008 07:04 AM CDT

This post is meant to give the House of Hackers community, future sponsors and clients some ideas on how to make the most of the system. I will discuss a few ideas around the social networking platform, its capabilities and use. I am also planning to give you clues about the ways in which 3rd-party organizations can tap into the network and perform crowdsourcing, etc. At this very moment, we have 348 members. It’s worth having a read of this article.

House of Hackers

First of all, if you haven’t heard yet, House of Hackers is a social network for hackers. From our perspective, a hacker is a person whose work, skills, creative edge, cleverness, uniqueness, intelligence, etc. people express admiration for. WE DO NOT PROMOTE CRIMINAL ACTIVITIES. The network is designed to enable its members to exchange ideas with each other, communicate, form groups, elite circles and tiger/red teams, conglomerate around projects and participate in a hacker recruitment market. If you are interested, please let us know. The market is designed to provide business opportunities to the House of Hackers members in a free, open and fair manner. This is not all, however.

Groups and Formations

House of Hackers provides its community with a wide range of useful crowdsourcing types of services. For example, individual members can form groups. Some people may choose to make their groups wide open for everyone, others may like to restrict them to just a few members they trust. This group thing is very, very useful. For example, such formations can be used in order to set up small, boutique penetration testing shops. Through our recruitment network, these shops will be able to run their business and also contribute back and communicate with other members from the community. One of the best ways to find out whether certain people or groups are suitable for a particular job is to get the opinion of the crowd. Therefore, the better these groups and individuals perform, the more opportunities they will have.


This feature is extremely useful. If you run an event and you would like to get a rough idea how many people will attend, then House of Hackers could help. Just log in and set up an event. It is easy and free. It is also very useful because if the event is interesting then people will comment on it and potentially make other people attend as well. For example, I encourage people to attend the HITB MY conference that takes place later this year. On top of that, event organizers can contact members directly and arrange any further details regarding entrance fees, etc.

Plugins and Network Extensions

Everyone can write applications, widgets and extensions for the network. It is all free and based on OpenSocial. This means that your applications are reusable. It also means that you can harness the power of the masses with small, clever applications, and you don’t have to worry about complicated setups or even accumulating enough users for your needs. I already have a few ideas about useful applications.

The Hacker Recruitment Network

Through the House of Hackers, organizations/companies will be able to hire some of the world’s most talented information security experts, but not only those (hackers in general). Organizations who are interested in participating in this initiative get a lot more than just that. They can check the credibility of the person/group they want to hire. It is extremely helpful. Although there are plenty of good Information Security companies out there with solid profiles, keep in mind that the project you are spending money on may end up in the hands of unqualified personnel. You don’t want that to happen. If you are interested in exploring these opportunities, contact us now.


If your business needs research or advice in order to get going in a certain direction, or it needs customized software for particular needs, House of Hackers can help. You can harness the power of the hacker network. You can fund particular groups and members. You will also be able to track activities and progress through the plugin framework, and many other things to ensure that the project is getting done. Let us know if you are interested. Funding House of Hackers is a much better option than hiring people you don’t know will be suitable for your environment.


Of course, we allow companies to sponsor the social network for a minimal fee. You can put up your logo as a sign of support. That way not only will your brand get good exposure, but you also show that your company/organization is supporting intriguing, interesting and rather innovative business ideas. GNUCITIZEN is one of the most recognized WhiteHat Hacker BRANDS online and we fully stand behind the House of Hackers initiative. Let us know if you are interested in such options.


The community is rapidly expanding. Considering the level of creativity involved in the House of Hackers community, we will come up with a lot more ideas very soon.

Worst. Idea. Ever. [ - A Revolution is the Solution]

Posted: 06 May 2008 03:35 AM CDT

All I want to know is, who comes up with this stuff?

See, I've been waiting.....and waiting......and waiting......for the sessions from RSA2008 to hit the web, so we can watch and listen and absorb or whatever. There's a lot of people who couldn't make it who have also asked me if / when my own presentation would be available to listen to. Last year, RSA seemed to be pretty open about who could get their hands on the talks (Hell, we still have one complete with funky Flash thing here).

Now? I get an Email from the RSA organisers last night pointing me to this page, with the following genius idea:

The information and ideas discussed at RSA Conference 2008 will have an impact on the information security industry for years to come. Be sure to capture all of the discussions by replaying the session recordings from this year's Conference. (Free for 2008 Full Conference attendees, $395 for non-attendees)

Wow, yes! What a brilliant idea! We'll have "an impact on the security industry for years to come" by.....letting all the same people who saw the talks originally watch them again!


Also, WTF and doh. Let's be honest and put the hyperbole aside for a second - nothing talked about at RSA will "have an impact on security for years to come", because nobody cares. It was a bunch of talks about stuff, and now it's over. Some were good, some were bad, same as it ever was. But hamming it up with over-the-topness just so we can justify charging lots of money to let people hear it who couldn't make it / afford it? Man, that sucks. That sucks ass, and is a terrible, exclusionary idea.

If there was anything of worth, of interest spoken about at RSA, how are we helping to spread those ideas by chaining them to full conference passes or extortionate amounts of cash after the event is long gone?

And why is it always just about the "security industry" anyway? There's a whole variety of people and initiatives that likely fall outside that narrow definition (purely because they're not running around yelling BUY THE BOX!) and yet they're just as active, just as important to the security scene as anyone else.

But of course, they didn't pay stupid amounts of money to attend and so don't count. Excuse me while I roll my eyes. How many people attending these conferences are only there because their company paid for them to go in the first place? And how many of those people wouldn't come within a hundred feet of security conferences if they actually had to pay up themselves?

Nobody can claim access to 365 session recordings for $395 is good value for money, because nobody in their right mind is going to listen to three hundred and sixty five sessions unless they are clinically insane.

Anyone with any interest in RSA2008 that didn't go is more likely to want to hear the odd handful of sessions - and here's a breaking newsflash, they are NOT going to pay out four hundred bucks just to hear them. I don't believe RSA have a "reduced fee" anywhere to listen to (say) five talks, but meh, even that would suck.

I really doubt half the people at RSA on free Full Conference Passes (courtesy of their company) would complain if people who didn't attend got to hear the talks for free after the event. Again, by this point nobody cares, right? It's now just a bunch of talks at some conference somewhere, and everyone is now too busy gearing up for the next conference in a few weeks or months time.

And if someone argues that it's not good form to have the great unwashed masses listening in for free when all those companies had to stump up tons of cash for full conference passes? Well, too bad for all those companies. Surely half the fun of the full pass is the chance to hear people speak in person that you always wanted to see present twenty feet away from you - not simply possession and apparent ownership of the words that came out of their mouth.

To me, security is all about protecting those same "great unwashed masses" with as much vigor and force as the companies at RSA devote to protecting enterprise and business customers - great unwashed masses that (currently) don't have a hope in Hell of hearing talks that might actually contribute to making them consider security a little more in their day to day lives.

It all seems a bit greedy and possessive to me, but then I only spoke at RSA.

What do I know?

People Service Use Case Demo [RSA Conference - Blog]

Posted: 06 May 2008 03:20 AM CDT

Imperatives driving human-centered identity [RSA Conference - Blog]

Posted: 06 May 2008 03:14 AM CDT

Doing Security a Disservice [RSA Conference - Blog]

Posted: 06 May 2008 03:04 AM CDT

Patch Window Shrinking - Semi-Automated Reverse Engineering [Darknet - The Darkside]

Posted: 06 May 2008 02:59 AM CDT

As far as I know this has been happening for some time: sometimes a patch comes out for a vulnerability that many people don’t know about (including the hackers), so they will see what problem the patch fixes (possibly through reverse engineering) and then develop an exploit to leverage the flaw. It seems things are a [...]

Read the full post at

Mid-Week Spywareguide Roundup [ - A Revolution is the Solution]

Posted: 06 May 2008 01:49 AM CDT

Haven't had one of these for a while, so here goes.

* Here Phishy, Phishy and Booze & Binders: Some leet hax script kiddy applications currently in circulation. I'd throw in a picture here, but amazingly the Blogger image upload tool is broken. Again. Blogger is full of so much win and awesome, and by win and awesome, I mean crap and fail.

* Locking down Facebook Chat: Nothing particularly revelatory, but a little delve into the wonderful world of Facebook Chat, or (to be more accurate) how to get rid of the damn thing if (like me) you had no clue what you were supposed to click on when confronted by hundreds of people saying HELLO LOL. Once more, no pictures. Blogger. Fail. Epic fail.

* Myspace - Who is Watching the Detectives Part 3: Did Myspace ever fix their "system error" that allowed people to view exactly who had been snooping round their profile pages? Click this and find out. Ooh, the suspense.

* Off-Topic Fun: Videogames are Awesome: Spurred on by my post about the Dreamcast phishing incident a few weeks ago, I decided to go deep into off-topic country and post up a bunch of my old videogame systems. I used Flickr for these images, so nothing stops me from posting these up:

My Shenmue Collection, originally uploaded by Paperghost.

ChuChu Rocket Box Set (Front), originally uploaded by Paperghost.

I encourage anyone remotely interested in old game systems to post up some screenies of their collections. I had planned for people to post their links directly on Spywareguide, but it appears the hope invested in the comment fixing was a little premature. With that in mind, post your links here and when (if) the comments start working again on SPG, I'll port everything over there.

If you're not doing anything wrong, why worry about privacy? [The Security Mentor]

Posted: 06 May 2008 01:03 AM CDT

One answer to that question is that you might have just broken up with someone who has access to a government database. Information Week reports on a Federal agent indicted for stalking an ex-girlfriend using a government database.

What we have to insist on as citizens is accountability. That case could have been much worse if it had happened in secret.

Non-Fiction Review: Economics & Strategies of Data Security by Dan Geer [The Falcon's View]

Posted: 05 May 2008 08:27 PM CDT

I've just finished reading Dan Geer's Verdasys publication Economics and Strategies of Data Security. It's a very interesting read, though hastily printed without adequate proofing and editing (i.e. several typos). Overall, this is a good read, though it devolves into...

Product Maturation or Product Evolvement? [Alert Logic]

Posted: 05 May 2008 06:43 PM CDT

My friend Michael Farnum had a great post late last week. Basically, what I took from it was that in a commoditized product market, choosing the right technology goes way beyond a feature discussion. I agree, but I wanted to expand on a couple of things here. First, traditional IDS/IPS can be considered a commodity [...]

Iron Man Cameo - Samuel L. Jackson is Nick Fury [Jeff Jones Security Blog]

Posted: 05 May 2008 06:30 PM CDT

Late Friday night, I was one of the millions of weekend viewers that helped make Iron Man the second-best premiere ever. I am surprised by those results, but only because Iron Man isn't as well known as other comic book heroes like Superman or Batman.

Yes, I liked it and was pretty sure I would even before I went. However, Robert Downey Jr. really did an excellent job as Tony Stark, and the movie was faithful to the Origin Story, though it was updated to modern times. I love to see the casting of good actors to make these characters into movies.

I had heard that there was an extra clip after the credits (which were super long, btw), so I stayed around until they were over and then snapped the picture to the left of the final scene and thought I'd share it with you.

And the cameo dialog seems to mean there will be a follow-up movie of some sort from Marvel, though maybe not Iron Man 2:"... I'm here to talk to you about the Avengers Initiative."

The Public Perception of the Image of Hackers [GNUCITIZEN Media Portfolio]

Posted: 05 May 2008 06:11 PM CDT

It’s been a long day. I am happy to inform you that the House of Hackers community has reached a remarkable 80 members since its opening 10 hours ago. It even got some exposure on Dark Reading (Hackers in the House), thanks to Kelly Higgins.


The reason I am bringing all this to your attention is because of HD Moore’s comment regarding the House of Hackers initiative:

HD Moore, director of security research for BreakingPoint Systems, says his initial take on the House of Hackers announcement in the blog post is that the recruitment aspect of the House of Hackers could lure the wrong crowd. “If anything, hackers who work in security do all they can to appear professional and trustworthy and that really seems to undermine it,” Moore says. It could end up attracting “‘employers’” who aren’t interested in the legality of the work they sponsor, he says.

I think that this comes down again to the public perception of the image of hackers. Unfortunately, it is fine to say Information Security Expert but it is NOT fine to call yourself a Hacker. I guess I repeat myself, but hacking has nothing to do with breaking into computer systems. I suppose I am preaching to the wrong crowd, but it is time to get these concepts straight, because hackers kill 50% of their potential by calling themselves Information Security Experts/Analysts etc. Why? Well, if you can solve problems from one sphere in a creative way, surely you can do similar for other spheres. To me, that is exactly what hacking is all about, and people who are capable of doing this should make it clear; otherwise they may lose interesting opportunities. I define myself as a hacker due to the approach I usually undertake when solving a problem. There is no other word that describes my personality better, and therefore I hope I can stick to it for the time to come.

In the case of House of Hackers and HD’s comment, well, I guess everybody has different goals. But we are all professional security consultants. GNUCITIZEN has been running under the Hacker slogan for 2 years and I cannot see how mine or any of the members’ reputation has been damaged. The House of Hackers initiative is here to provide similar principles to those we’ve already embraced under the GNUCITIZEN umbrella, and we found them to work. Indeed, we are looking for funding and organizations that are willing to try out the community, but I cannot see anything wrong with that. If someone wants to abuse freelancers’ services, they could just as well do that with any other security testing company out there. Just like any other freelance job, you have to prove yourself, etc.

I hope that this post makes people think about all these ideas and maybe change their mind if they have the hacker stereotype already embossed on their values system.

Nobody Is That Dumb ... Oh, Wait X [Anton Chuvakin Blog - "Security Warrior"]

Posted: 05 May 2008 04:26 PM CDT

The fans of "Anton-style humor" will (darn it, MUST!) appreciate the X-th (i.e. super-anniversary) installment in my strictly aperiodic "Nobody Is That Dumb ... Oh, Wait" series,  a cheap [but - hopefully! - more humorous] imitation of the infamous "doghouse."

Today's entry is about throwing free money and free work [of somebody else, mind you] down the proverbial crapper.

So, the other day I was at one security conference which had a bit of a vendor expo. Since I work for a log management vendor, I am always on the lookout for new log-producing technologies. Typically, I just ask the vendor to send some log samples so that we can either create an official support package for this new log source or, at least, see how such logs will fare with our log indexer (that enables LogLogic index searches and Index Reports).

Obviously, every vendor I ever approached loved it: after all, they might get something for nothing. If they are small, integrating with LogLogic might help their business. If they are big, they are typically happy that their "partner ecosystem" is growing. All it takes for them is sending a small sample of their logs - and we will do the rest.

While cruising that show I noticed a booth of a relatively well-known (but still pretty small) security appliance vendor. So I chatted with them a bit and in the end asked the engineer to connect me with their core folks so that we [LogLogic] can get a sample of logs and then develop support for it. We don't really have to do it for them, but, then again, it might come in handy, who knows.

Imagine my surprise (nah, shock!) when an email came that they "don't really want that." I thought long and hard about the possible benefits of NOT having your logs in a log management system, but only one stood above the rest - and that is STUPIDITY! Thus, this entry :-)


Poll #8 Log Analysis Context [Anton Chuvakin Blog - "Security Warrior"]

Posted: 05 May 2008 03:48 PM CDT

So, my next poll is up - and it is fun: Which of the types of information below are most useful when trying to make sense of a log entry?

Vote here!

Past polls:

  • Poll #7 "What tools do you use for Windows Event Log collection?" (analysis)
  • Poll #6 "Which logs do you LOOK at?" (analysis)
  • Poll #5 "What are your top challenges with logs?" (analysis)
  • Poll #4 "Who looks at logs in your organization?" (analysis)
  • Poll #3 "What do you do with logs?" (analysis)
  • Poll #2 "Why collect logs?" (analysis)
  • Poll #1 "Which logs do you collect?" (analysis)

Log Haiku #6 (Final) [Anton Chuvakin Blog - "Security Warrior"]

Posted: 05 May 2008 03:15 PM CDT

How do you eat an elephant?

Piece by piece you do!

But what it objects to it? Logs do.


Sorry, no more logging haiku were created - hopefully the logging book project will come back to life soon...

Communicating about risk - part 1 []

Posted: 05 May 2008 01:12 PM CDT

In his comments a couple of weeks ago, Walter brought up an important point. Paraphrased, he pointed out that misrepresenting the precision of an analysis is a bad thing. He also pointed out that this isn't so much a problem with the analysis model (although it's more likely to occur with a quantitative model), but rather tends to be a problem with how an analyst communicates results to management.

With that in mind, I thought I'd write a couple of posts about communicating risk. In this week's post, I'll talk about "risk qualifiers" that can be critical in helping management understand the true nature of some risk scenarios.

"I can live with this…"

Let's say that you've done an analysis and the results look something like what's shown in the charts below (I've included both a qualitative and a quantitative version):

At first glance, a decision maker might think "This doesn't look so bad. I can live with this level of risk." But that's not necessarily the whole story…

Unstable conditions

An unstable risk condition exists when the following characteristics co-exist:

  • Threat event frequency is low
  • Vulnerability is high
  • Probable loss magnitude is significant

When these conditions exist, the low loss event frequency is driven solely by the low threat event frequency. In other words, we're not actively managing loss event frequency; we're just trusting to luck. If threat event frequency changes (or an event occurs at all), then significant impact will likely occur. An example might be an internal application that handles a significant volume of sensitive consumer records, but that has little or no authentication or authorization control in place.

Now, if all we provided management was a qualitative "Medium/Low" risk statement or a quantitative statement that "probable loss event frequency is roughly once every ten years with a probable loss magnitude of $500k", then we haven't really allowed management to make an informed decision.

This additional information about the unstable nature of the risk condition is critical for a couple of reasons: 1) it allows management to decide whether they want to gamble, and 2) instability can reflect poorly from a due diligence perspective.

    Fragile conditions

    A fragile condition exists when the following characteristics co-exist:

    • Threat event frequency is high
    • Vulnerability is low, but dependent on a single effective control
    • Probable loss magnitude is significant

    At a glance, this will look similar to an unstable condition.  In this case, however, a single control is all that prevents a high loss event frequency.  An example might be a single-layer Internet architecture, where the volume of threat events is high but the firewall is generally quite effective.


    One big advantage these qualifiers provide is to be able to differentiate between risk conditions that, from a risk chart perspective, look the same.  This differentiation allows us to prioritize better, which leads to more cost-effective risk management.  

    Another advantage is that it provides nomenclature for expressing what our intuition has probably already recognized.  In other words, the experienced information security professional would intuitively recognize the difference between an unstable or fragile condition and one that isn't (but that may look the same on a chart).  In my experience, what we tend to do in those instances is label the condition "high risk".  The problem with this is that it lumps these scenarios in with those where loss event frequency and loss magnitude are high, which erodes management's ability to prioritize effectively.

    At the end of the day, effectively managing any complex set of issues requires an ability to differentiate.  These qualifiers have proven to be extremely useful in that regard.
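    The two qualifiers above, worked through in code as an added illustration (this is not the post author's code). It assumes loss event frequency is threat event frequency multiplied by vulnerability, and the thresholds and three scenarios are constructed so that all three land on the same risk-chart cell while the qualifier tells them apart.

```python
from dataclasses import dataclass
# Thresholds are constructed for illustration, not taken from the post;
# a real program would calibrate them to its own rating scales.
LOW_TEF = 0.5                 # threat events/year at or below this is "low"
HIGH_TEF = 10.0               # threat events/year at or above this is "high"
LOW_VULN = 0.1                # P(threat event -> loss event) at or below: "low"
HIGH_VULN = 0.5               # ... at or above: "high"
SIGNIFICANT_LOSS = 250_000.0  # probable loss magnitude (USD) treated as significant

@dataclass
class Scenario:
    name: str
    tef: float                 # threat event frequency, events per year
    vulnerability: float       # probability a threat event becomes a loss event
    loss_magnitude: float      # probable loss magnitude per event, USD
    independent_controls: int  # effective controls that must all fail first

def loss_event_frequency(s: Scenario) -> float:
    """Assumed relation: loss event frequency = TEF x vulnerability."""
    return s.tef * s.vulnerability

def chart_position(s: Scenario) -> tuple:
    """All a plain risk chart shows: LEF and loss magnitude."""
    return (round(loss_event_frequency(s), 3), round(s.loss_magnitude))

def qualifier(s: Scenario) -> str:
    """Apply the post's two qualifiers; anything else is reported as 'stable'."""
    significant = s.loss_magnitude >= SIGNIFICANT_LOSS
    if significant and s.tef <= LOW_TEF and s.vulnerability >= HIGH_VULN:
        return "unstable"  # only the low TEF (luck) keeps LEF down
    if (significant and s.tef >= HIGH_TEF and s.vulnerability <= LOW_VULN
            and s.independent_controls == 1):
        return "fragile"   # a single control is all that keeps LEF down
    return "stable"

# Constructed scenarios: all three land on the same chart cell
# (about once per ten years, $500k) yet deserve different treatment.
SCENARIOS = [
    Scenario("internal app, no authn/authz", 0.1, 1.0, 500_000.0, 0),
    Scenario("single-layer Internet edge", 100.0, 0.001, 500_000.0, 1),
    Scenario("layered controls", 2.0, 0.05, 500_000.0, 3),
]

def report(scenarios=SCENARIOS) -> list:
    return [(s.name, chart_position(s), qualifier(s)) for s in scenarios]

if __name__ == "__main__":
    for name, pos, q in report():
        print(f"{name:30} LEF={pos[0]}/yr  LM=${pos[1]:,}  -> {q}")
```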


    NiN Gives Away Full Length Album - The Slip [Security-Protocols]

    Posted: 05 May 2008 10:09 AM CDT

    Nine Inch Nails is giving away their new album for free entitled The Slip, exclusively from The album is available in a variety of formats including high-quality MP3, FLAC and or M4A...


    Landing House of Hackers [GNUCITIZEN Media Portfolio]

    Posted: 05 May 2008 08:09 AM CDT

    House of Hackers is an exclusive, hacker community network. The House of Hackers community is established to support the hacker culture, mindset, way of life, ideologies, political views, vision, etc.

    House of Hackers

    Members of the community are able to exchange ideas with each other, communicate, form groups, elite circles and tiger/red teams, conglomerate around projects and participate in the independent, hacker recruitment market. The market is designed to provide opportunities to the House of Hackers members in a free, open and fair manner.

    Hacker Recruitment Market

    The hacker recruitment market is designed to provide business opportunities to gifted members of our community.

    Organizations that are looking to hire independent Information Security consultants or Tiger/Red teams can post a description of the job and the desired qualifications which are expected from the participants. Various groups and members can contact the publisher directly and arrange any further details between themselves.

    The market is open because the better you are at what you do, the more work you will be able to get and the higher profile you will eventually build. This approach allows gifted security consultants to escape from their boring everyday routine and start a new life full of excitement and new opportunities. It is needless to say that these types of services are better paid, as you will be able to cut out the middleman and take all the profit for yourself.

    The market is open and it is only supervised by the House of Hackers board members. Fees will be accepted for each posting, which will be fed back to the community through the various funding and research programs we are planning to initiate very soon.

    As you've probably noticed, this program is at a very early stage. We will ask you to join the House of Hackers network and also spread the word by linking to this site, talking about it in blog posts, showing network badges, etc. The sooner we build the community and aggregate companies to support the idea, the better for you and all other members. If you want to break free of the monotony, this is your only chance. Whatever we build here, it will work for you.

    If you are an organization seeking to explore opportunities with the House of Hackers network, please contact us now. We can assure you that members of this network will provide far better service than any other information security company out in the market today.

    House of Hackers is a community project. This means that you decide whether it will succeed or fail.
