Suggested Blog Reading – Wednesday May 9th, 2007

Little late posting this one today… better late than never!

Here’s the list for today:

Note to Universities: Web Sites Providing A Security Breach Playground – Remember when universities were only breeding grounds for STDs?

While I was compiling the Educational Security Incidents (ESI) Year in Review – 2006, I noticed something interesting. Of the 83 information security incidents in 2006 reported by colleges and universities, 20 such incidents were due to Unauthorized Disclosure. Unauthorized Disclosure on ESI is defined as incidents involving the release of information to unknown and/or unauthorized individuals. In other words, Unauthorized Disclosure tends to involve employee or organizational mistakes at some level.

Management and security: Still separate but equal? – Should they really be separate?

I’ve said it before and I’ll say it again: It makes sense to use certain technologies to both manage and secure your network. Yet while vendors continue to provide integration between, say, configuration management software and endpoint security products, most companies are keeping the tools separate — for now.

Liability of reverse engineering – I’m not sure where I stand on this…

Christopher Hoff asks an admittedly naïve question: “If I … engage in reverse engineering of a product that is covered by patent/IP protection and/or EULA’s that expressly forbids reverse engineering, how would I deflect liability for violating these tenets …”.

This reflects that while such issues are frequently discussed in our industry, few know what the words actually mean. For example, reverse-engineering a patent is a contradiction in terms, because you can just read the patent rather than reversing the code that implements a patent.

Automated Security Scanning Considerations – Good article.

I noticed a question on a listserv that I monitor. The person asked for an opinion on how an auditor might look at an automated vulnerability scanner that logs into the target host and performs local checks. Many vendors have been doing this for a while now. It is a great feature that really allows these tools to help companies ensure that their systems are maintaining compliance with company policies and procedures. It also assists with change management and security validation.
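To make concrete what a "local check" is, here is an added example (not code from the quoted article or from any scanner vendor) of the kind of test a credentialed scanner runs once it has logged in: it reads a configuration file on the host rather than probing a service over the network, and compares the directives it finds against a policy. The policy values and the sample sshd_config are constructed for illustration, not taken from any product's built-in checks.

```python
"""Constructed example of a scanner-style credentialed local check.

A credentialed scanner logs in and reads configuration on the host instead
of fingerprinting it over the network. This mimics one such check: parse an
OpenSSH sshd_config and report directives that violate a small policy.
"""
import re

# Hypothetical policy: directive (lower-cased) -> acceptable values.
# Chosen for illustration; not a vendor's built-in compliance policy.
SSHD_POLICY = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "protocol": {"2"},
    "x11forwarding": {"no"},
}

# Constructed sample of what the scanner would read after logging in.
# PasswordAuthentication is commented out, so the daemon default applies.
SAMPLE_SSHD_CONFIG = """\
# OpenSSH server configuration (constructed sample)
Port 22
Protocol 2
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding no
"""


def parse_sshd_config(text):
    """Return {directive_lower: value} for active (non-comment) lines.

    The first occurrence of a directive wins, which matches sshd's own
    precedence rule, so a later duplicate cannot mask an earlier setting.
    """
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+)\s+(.*)", line)
        if not m:
            continue
        settings.setdefault(m.group(1).lower(), m.group(2).strip())
    return settings


def local_check(text, policy=SSHD_POLICY):
    """Compare parsed settings against the policy.

    Returns a list of (directive, observed, expected) findings. A directive
    absent from the file is reported with observed=None: the check does not
    assume the compiled-in default satisfies the policy, which is the
    conservative choice for an audit-oriented tool.
    """
    settings = parse_sshd_config(text)
    findings = []
    for directive, allowed in policy.items():
        observed = settings.get(directive)
        if observed is None or observed.lower() not in allowed:
            findings.append((directive, observed, sorted(allowed)))
    return findings


if __name__ == "__main__":
    for directive, observed, expected in local_check(SAMPLE_SSHD_CONFIG):
        print(f"FAIL {directive}: observed={observed!r}, expected one of {expected}")
```

Run against the constructed file, the check flags `PermitRootLogin yes` and the commented-out `PasswordAuthentication`; the point for the auditor is that both results come from reading the host's actual configuration, which a remote, unauthenticated scan cannot see.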

Is Snort 3.0 going to be open sourced? – I think it would be a mistake to close the source on this now. It would only look bad on Marty.

This is a question which has come up recently and I understand was a recent topic on a Snort IRC channel. It seems recent comments by me and on our podcast have raised some questions about what the future course of licensing for new versions of Snort is going to be. I also spoke about this with Thomas Ptacek of Matasano a while back and we never finished our conversation. Obviously, I am not the final word on this topic and you should look to Sourcefire for the definitive answer. That being said, my understanding is that Snort 3.0 will have some license changes. My belief is it will still be open source and released under a GPL license, as Marty Roesch has said many times. However, the licensing change, again from what I understand, will deal with people who embed Snort into their applications and under the current license do not fall under the derivative clauses of the GPL. So under Snort 3.0 there will be changes to the base GPL as to what constitutes a derivative work. My opinion is that in essence what is happening here is Sourcefire is going to move Snort to more of a dual-licensed system.

The five phases of recovering digital evidence – Part 2 in the series…

This is the second post in a series about the five phases of recovering data structures from a stream of bytes (a form of digital evidence recovery). In the last post we discussed what data structures are, how they relate to digital forensics, and gave a high-level overview of the five phases of recovery. In this post we’ll examine each of the five phases in finer-grained detail.

Another educational institution, another SIEM eval – Most people, just like Michael Farnum, complain about the cost of a SEM/SIM/SEIM solution without taking the time to think about the people power required to do the same task by hand. Weigh the product against the salary, compensation package, sick days and vacation of the analysts it replaces. Michael also complains that the correlation doesn’t work. Sure, out of the box it may not handle every security event properly, but that is where tuning comes into play. Just like any other piece of hardware on your network, you can’t expect it to work in every environment out of the box… it has to be customized to your environment and policies.

I went to another client of ours from an educational institution (this time in Dallas), and they were similar to the client I spoke of in my last post. However, this site seemed to be a bit more proactive when it came to security, and he didn’t seem nearly as stressed as the other client.
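Since "tuning" is the crux of the correlation argument above, here is an added example (mine, not code from Michael's post or from any SIEM product) of a minimal correlation rule and the two knobs an analyst would turn on it. The rule fires when one source racks up a number of failed logins inside a time window and then succeeds. The log lines are constructed: a scripted backup job on an internal host that retries a stale password every night, and an external address that guesses its way in. With the default threshold both trip the rule; raising the threshold or exempting the known-noisy source keeps only the real one. Host addresses, usernames and the threshold values are all made up for illustration.

```python
"""Constructed example of a SIEM-style correlation rule and its tuning knobs.

Not from any product. The rule: a source with >= threshold failed logins
inside `window`, followed by an accepted login, is a brute-force success.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-like auth events. 10.0.0.5 is a backup job retrying a
# stale password (legitimate noise); 203.0.113.9 is a real guess-then-success.
SAMPLE_LOGS = """\
2007-05-09T01:00:01 sshd: Failed password for backup from 10.0.0.5
2007-05-09T01:00:03 sshd: Failed password for backup from 10.0.0.5
2007-05-09T01:00:05 sshd: Failed password for backup from 10.0.0.5
2007-05-09T01:00:07 sshd: Accepted password for backup from 10.0.0.5
2007-05-09T02:10:00 sshd: Failed password for admin from 203.0.113.9
2007-05-09T02:10:02 sshd: Failed password for root from 203.0.113.9
2007-05-09T02:10:04 sshd: Failed password for admin from 203.0.113.9
2007-05-09T02:10:06 sshd: Failed password for admin from 203.0.113.9
2007-05-09T02:10:09 sshd: Failed password for admin from 203.0.113.9
2007-05-09T02:10:12 sshd: Failed password for admin from 203.0.113.9
2007-05-09T02:10:20 sshd: Accepted password for admin from 203.0.113.9
"""

LINE_RE = re.compile(
    r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$"
)


def parse_events(text):
    """Return a list of (timestamp, outcome, user, source) tuples.

    Lines that do not match the expected shape are skipped, as a real
    normalizer would route them to a parse-failure bucket rather than crash.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.fromisoformat(m.group(1))
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def brute_force_success(events, threshold=3, window=timedelta(minutes=5),
                        exempt_sources=()):
    """Correlate failures followed by success per source address.

    threshold and exempt_sources are the tuning knobs: the first sets how
    many failures inside `window` count as an attack, the second lists
    sources the site has decided are benign noise. Returns a list of
    (source, user, failure_count) alerts in time order.
    """
    failures = defaultdict(list)   # source -> timestamps of recent failures
    alerts = []
    for ts, outcome, user, src in sorted(events):
        if src in exempt_sources:
            continue
        # Drop failures that have aged out of the sliding window.
        recent = [t for t in failures[src] if ts - t <= window]
        if outcome == "Failed":
            recent.append(ts)
            failures[src] = recent
        else:
            if len(recent) >= threshold:
                alerts.append((src, user, len(recent)))
            failures[src] = []     # a success closes the episode
    return alerts


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOGS)
    print("default:", brute_force_success(events))
    print("threshold=5:", brute_force_success(events, threshold=5))
    print("exempt backup host:",
          brute_force_success(events, exempt_sources={"10.0.0.5"}))
```

The untuned run alerts on both sources, which is exactly the "correlation doesn't work" complaint; the tuned runs show that the fix is a site-specific threshold or exemption, not a different product. Either knob should be recorded as a documented decision, since an exemption list is also where an attacker's foothold can hide.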

Report available for WASC’s Distributed Open Proxy Honeypot Project – It’s quite a good report. Lots of detail.

Ryan C. Barnett, WASC’s Distributed Open Proxy Honeypot Project Lead, released his first Threat Report! This is wicked cool stuff.

That’s all for today…I’m busy 🙂
