divisionbyzero

question . authority

Statistics, Risk Analysis, and Misunderstandings

I married a Statistician, so this article sums up the lectures I receive on a daily basis. Risk Management is statistical analysis, and I’m not sure how many folks in IT Security have graduate-level Stat exposure. So, understanding our statistical shortcomings is key. You need to read that entire article, twice.
This statement struck me, as I’ve noticed a scary trend in IT Security:
“People who know a little bit of statistics – enough to use statistical techniques, not enough to understand why or how they work – often end up horribly misusing them.  Statistical tests are complicated mathematical techniques, and to work, they tend to make numerous assumptions. The problem is that if those assumptions are not valid, most statistical tests do not cleanly fail and produce obviously false results.”
As we outsource more security, and buy more products, we must be careful, as this statement is also true:
“People who know a little bit of IT Security – enough to use an IDS or SIEM, not enough to understand why or how they work – often end up horribly misusing them.  Security tools use complicated technical techniques, and to work, they tend to make numerous assumptions. The problem is that if those assumptions are not valid, most security tools do not cleanly fail and produce obviously false results.”
My wife’s constant guidance in Statistics has been invaluable to my evaluations of IT Security Policy and Implementation.  When I came across this article thanks to @alexhutton, I had to share it!

Using POE to hook syslog-ng

Being able to do analysis, sorting, or database storage of syslog messages is incredibly useful. There are tons of solutions on the market to do just that. If you’re working on a system developed in house that you’d like to incorporate syslog messages into, then it may be easier to hook directly into the syslog stream than to introduce another piece of software into the environment that then needs to be glued in.

Syslog-ng makes integration with Perl programs easy: the Perl program is spawned once during daemon start-up, and a handle to that program’s STDIN is kept open for dispatching messages. Using POE, we can turn this into an event-driven model, making additional complexity simple.

In this example, we’ll create a POE Master session that receives all of the syslog-ng input from STDIN. Using off-the-shelf components, we’ll run a TCP Server on port 9514 that will allow clients to connect and subscribe to feeds based on the “program” name of the message being dispatched.
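As an added illustration of that design (this is not the post’s own code), here is a minimal POE script with the two pieces described above: a master session reading syslog-ng’s output from STDIN and a POE::Component::Server::TCP listener on port 9514 where a client sends “subscribe <program>” to receive only that program’s lines. It assumes syslog-ng’s default program() destination template (“$DATE $HOST $MSGHDR$MSG”), and the “subscribe” command is an assumed wire format.

```perl
# Added example (not the post's own code): syslog-ng feeds lines to STDIN;
# TCP clients on port 9514 send "subscribe <program>" and receive matching lines.
use strict; use warnings;
use POE qw(Wheel::ReadWrite Component::Server::TCP);

my %subscribers;   # program name => { client session id => 1 }

# Program field of a default-template line, e.g. "Oct  1 12:00:00 host sshd[123]: ..."
sub program_of {
    my ($prog) = $_[0] =~ /^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+([^\[:\s]+)/;
    return $prog;
}

# Master session: owns STDIN for syslog-ng's lifetime and fans lines out
POE::Session->create(inline_states => {
    _start => sub {
        $_[HEAP]{stdin} = POE::Wheel::ReadWrite->new(
            InputHandle => \*STDIN, OutputHandle => \*STDOUT,
            InputEvent  => 'syslog_line', ErrorEvent => 'stdin_closed',
        );
    },
    syslog_line => sub {
        my ($kernel, $line) = @_[KERNEL, ARG0];
        my $prog = program_of($line) or return;
        # each subscribed client session owns its own socket; post the line to it
        $kernel->post($_, 'send_line', $line) for keys %{ $subscribers{$prog} || {} };
    },
    # syslog-ng closing STDIN (EOF arrives as errnum 0) means it is shutting down
    stdin_closed => sub {
        delete $_[HEAP]{stdin};
        $_[KERNEL]->post('syslog_server', 'shutdown');   # stop accepting clients
    },
});

# Subscription server: one POE session per connected client
POE::Component::Server::TCP->new(
    Alias => 'syslog_server', Port => 9514,
    ClientInput => sub {
        my ($heap, $session, $input) = @_[HEAP, SESSION, ARG0];
        return unless $input =~ /^subscribe\s+(\S+)/i;
        $subscribers{$1}{ $session->ID } = 1;
        $heap->{client}->put("subscribed $1");
    },
    # drop a departing client from every feed it joined
    ClientDisconnected => sub {
        my $id = $_[SESSION]->ID;
        delete $_->{$id} for values %subscribers;
    },
    # guard: a line may already be queued for a client whose socket just closed
    InlineStates => { send_line => sub { $_[HEAP]{client}->put($_[ARG0]) if $_[HEAP]{client} } },
);
POE::Kernel->run();
```

Point a syslog-ng program() destination at this script and connect with a plain TCP client to try it; the listener is unauthenticated, so bind it to a trusted interface in anything beyond a test.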

LinuxWorld 2008 and the goings-on

I had the privilege of speaking at LinuxWorld 2008 in San Francisco this year. It was a lot of fun and I certainly enjoyed the discussions with folks after my talk. My talk was on “Network Introspection with Open Source Tools” and I threatened to post updates on my progress here.

I’ve been working on packaging the code that I have into something that might be useful to the general public. I’ll post another blog entry when I have a rough cut version of the package available for testing/breaking.

Updates, Recent Downtime

If you’ve noticed (probably not), the server has been unreachable recently. A few weeks back this was due to a bad hard drive. I finally transferred everything over to the new hard drive and got the sites back up and running thanks to a few friends and The Planet.

Then this weekend, the data center that hosts this server exploded. The site is back up and running now, but there should be a few more hours of downtime on the horizon as they install and integrate a permanent electrical infrastructure to the data center.

Also, I’ve been selected to speak at the Linux World Expo in San Francisco this year! My talk is “Network Introspection with Open Source Tools.” If you’re going, please stop by and heckle me!

I may start updating this blog at some point.

Proxy Evasion with SSH

In our first installment, we looked at some solutions to provide a hospitable environment for proxy evasion. Today, we’ll dig deep into how to do this with my favorite protocol of all time, SSH.

OpenSSH is a glorious implementation of a critical network protocol. Most networks have disabled and banned the use of telnet, rsh, and ftp in favor of the more “secure” SSH protocol. OpenSSH runs on every platform I’ve encountered (using CygWin on Windows). SSH provides an encrypted channel for data transfer. Usually that’s Keyboard Interactive Sessions or Files (using SCP), however SSH is capable of setting up multiple channels and acting as a SOCKS4 or SOCKS5 Proxy.


Getting back to things.

The holidays are always a lot of fun. I ran out of time to do some things like keeping this blog updated. There’s been a ton of stuff in the news relevant to IT security. I’m not going to recap.

I’ll be continuing my Proxy Evasion series as soon as I get a chance to put together some screen shots for the tutorial part of the article.

Hopefully that article will be completed relatively soon.

Hope everyone had a great holiday season.

Pick up a copy of this book:

The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities

Proxy Evasion, The Environment

There are a ridiculous number of organizations using transparent proxying as a means to limit access to external resources. The idea is that by proxying all web traffic, they can keep employees from visiting porn sites. I’m not necessarily convinced that this does them much good. My general experience has been that the type of people looking at porn during the day will not become more productive as a result of losing the freedom to look at porn at work. They’ll still be useless employees that you have to performance review instead of firing for inappropriate use of technology.

Additionally, these proxies do very little to increase the security of the network. I’m fairly certain that by the time the Proxy Vendor is alerted to malware distributing websites, an anti-virus company has already issued an update. This is redundant. Normally, I’d fully support this redundant – ok, I’ll drop the buzzword – Defense in Depth solution.

However, piggy-backing on the heels of any real security value, which is best described as the graph of 1/x, are made-up categories of websites to deter your users from doing things that your CEO believes are inappropriate. Interestingly enough, if the CEO is involved in Fantasy Football, you’ll be hard pressed to find an IT Infrastructure that denotes that classification of sites as inappropriate. I digress.


Is ‘Security Theatre’ Good Enough?

The American Populace is being inconvenienced, spied on, stripped of Constitutional Rights, and taxed without any idea where that money is going. The perpetrator is not some foreign, militant, activist group, it’s our own Government. There’s no outcry. All of these treacheries are being committed to increase security while the fact remains that all of these drastic measures have failed miserably. The one constant is the relentless pursuit and protection of these programs by our elected officials. They should be the voice of the populace, and perhaps they are. Perhaps, ‘Security Theatre’ is good enough for the masses.


Full Disk Encryption

As you may or may not know, I am gainfully employed by the Federal Government in the area of Information Security. Recently the Bush Administration responded to media hype by issuing a Federal Mandate requiring that all government-owned laptops use encryption technologies to encrypt their data.

There are two interpretations of this memo.

  • Encrypt the ENTIRE disk.
  • Encrypt just the files containing the data.

So, what’s a lowly security administrator to do?! Choices are bad! Obviously you encrypt the entire disk! Right?! No? Why not?

Stop Being Afraid

I just found this interesting video blog, and this entry is right up my alley.

ZeFrank on Terrorism