February 18, 2006

Intrusion Detection Systems in 2006

Category: Uncategorized — Raffael Marty @ 12:32 pm

Can you tell that I was travelling again? It gives me a chance to catch up with the security magazines that pile up on my desk. And I keep getting disappointed. Well, there were a couple of good articles I read. One from Ed Skoudis about how to secure yourself against spyware. But most of the articles are horrible.

The first thing I found is in Information Security Magazine. Somebody had a comment about Ed Skoudis and Mike Poor’s article on “IPS: Reloaded”. This person claims that in the old world, IDS signatures had to be tuned, but in the new world of IPSs, that’s not necessary anymore. In his words: “IPS should not be judged with old IDS standards”. So what does this guy think IPSs do differently from IDSs? Do you really think that, for example, the Cisco IPS is a completely new product and is not based on the old Cisco IDS code at all? What about all the other IPSs? I can guarantee you that you will have to spend as much time (if not more) tuning IPS signatures as you had to spend tuning your IDS. If IPS really had the magic sauce, why would IDSs not adopt that? Forget it!

In fact, this brings me to another thought that I had while I was walking the floor at the RSA conference in San Jose this week. There are all these new companies that I have never heard of. They are presenting solutions for all kinds of problems, ranging from insider threat detection to identity management. I spent quite some time trying to understand what they are doing. What I have seen is quite disappointing. Take an insider threat management company and check what they are doing. Well, they can detect credit card records on the wire, alert you on transmissions of social security numbers (SSN) or patient health records. Sounds great. But do you know what they are doing? Right. They basically take a NIDS sensor, apply some signatures which look for SSNs or credit card numbers. In fact, one of the companies showed me their signature definition and this is what you had to enter to detect an SSN:

\d\d\d-\d\d-\d\d\d\d

Wow! Have they ever heard of regular expressions? What about:

\d{3}-\d{2}-\d{4}

This was not their worst example! Anyway. My point is that there are all these new companies that claim amazing technology, but if you look under the hood, you realize that we have had the technology for YEARS! Refurbish your NIDS and you are in great shape! Why have the NIDS vendors not jumped on the bandwagon? I don’t know. By the way, it’s not just the insider threat companies, but also others. One of them sniffs the wire and decodes all kinds of application protocols to attribute user identities to IP transactions. Again, I can solve the same problem with a sniffer. I don’t even need a NIDS for that! [Believe me, I have tried it!]
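The SSN signature above is nothing but a regular expression, and the tuning point from the IPS paragraph applies to it just the same: on its own, \d{3}-\d{2}-\d{4} fires on any nine digits in that shape, whether they sit inside a build identifier or are an SSN the Social Security Administration never issues. The following is an added example in Python (my own code, not the vendor's signature and not part of the original post) showing what tuning such a content signature actually involves: word boundaries around the pattern, a structural check on the SSN (area 000, 666 and 900-999, group 00 and serial 0000 are never issued), and a Luhn check on anything that looks like a 16-digit card number. The sample lines are constructed for the example, not captured traffic.

```python
import re

# Constructed sample lines standing in for what a sensor would see on the wire.
# 078-05-1120 is the well-known sample SSN; 4111 1111 1111 1111 is the usual Visa test number.
SAMPLE_LINES = [
    "POST /claims HTTP/1.1 ssn=078-05-1120 dob=1950-01-01",
    "GET /static/build-123-45-6789x.js HTTP/1.1",      # SSN shape inside an identifier
    "ticket 4471 opened by 000-12-3456",               # area 000 is never issued
    "order 9931 card=4111 1111 1111 1111 exp=12/09",
    "order 9932 card=4111-1111-1111-1112 exp=12/09",   # right shape, fails Luhn
    "session id 9784567812345678 user=bob",            # 16 digits, fails Luhn
]

# \b keeps the pattern from firing in the middle of longer tokens.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 16 digits, optionally separated by single spaces or dashes (Visa/MasterCard style).
CC_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSNs the SSA never issues: area 000, 666, 900-999; group 00; serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by card numbers; rejects most random 16-digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_line(line: str):
    """Return (kind, value) hits for one line after the plausibility checks."""
    hits = []
    for m in SSN_RE.finditer(line):
        if ssn_plausible(*m.groups()):
            hits.append(("ssn", m.group(0)))
    for m in CC_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("cc", digits))
    return hits


def scan(lines):
    """Scan many lines; returns (line_index, kind, value) so an alert points at its line."""
    return [(i, kind, value)
            for i, line in enumerate(lines)
            for kind, value in scan_line(line)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(hit)
```

Of the six constructed lines only two should alert (the real SSN and the Luhn-valid card number); the other four are exactly the kind of hits you end up tuning out of a bare regex signature.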

Granted, there are some new and cool things. For example, companies that let you register documents and then detect them on the wire in any variation. For example, I register my Word document. Now if someone takes a paragraph out of it or pastes it into Excel, they are still capable of detecting that the document is on the wire. That’s pretty cool!

AfterGlow 2.0

Category: Uncategorized — Raffael Marty @ 12:31 pm

I am on my way to EuSecWest 2006 in London. The big news is that I will be releasing AfterGlow 2.0. It’s a complete rewrite (really a new version) that supports the generation of TreeMaps if you feed it a CSV file. For now, version 1.1.6 of AfterGlow will be kept concurrent with the 2.0 release. Version 3.0 will combine the capabilities of the two, so that the Java version is going to be able to output not just TreeMaps but also LinkGraphs.

Information Security Products of the Year 2006

Category: Uncategorized — Raffael Marty @ 12:30 pm

I guess Information Security Magazine can look into the future. They already have their product awards out for the year 2006. Reading through the different categories, I found some really strange awards. Not that I am well versed in any of the categories they awarded, but some of the choices strike me as strange. For example, in the intrusion detection category, gold went to the eTrust IDS, silver to Symantec’s Intruder Alert and bronze to the ISS RealSecure Network Sensor. I have never even heard of the eTrust IDS. You know what? They have one category for HIDS and NIDS. Does that make sense? Strange. I don’t get it. And again, I have never heard of the eTrust IDS. And why is Sourcefire or Enterasys or NFR or any of the traditional IDSs not on the list? Have you read the latest NSS report on IDSs? Why do these awards not match up with that report at all?

Then in the vulnerability scanner category, Foundstone won gold, Symantec won silver and ISS won bronze. What’s up with that? Symantec has a silver-style product for vulnerability scanning? Where is Qualys? Where is nCircle? Well, I am confused.

January 28, 2006

GTK2 and Perl and Treemaps

Category: Uncategorized — Raffael Marty @ 3:35 pm

I am frustrated. I found these Perl libraries to build treemaps (Treemap::Squarified). The problem is that it needs a special input format, which is either an XML tree, or you can hack it into the internal Perl data structure, which is basically a bunch of arrays. Once I figured out the internal data structure (I was too lazy to go through XML), it got worse. You need to do everything yourself. The library does not even take care of sizing the pieces for you. You need to make sure that the numbers along the hierarchy are all correct and add up. But that’s not all. After playing with that for a while (basically my problem was to convert CSV to a tree; no, I did not finish implementing it), I got into GTK2 coding. Well, that’s a mess too. Hardly anything documented. I just wanted to show some pictures in a window. Easy? No! I wanted to resize them to fit two arbitrary images into one window. Resize? I could not quite figure out how to have pixbufs and Gtk2 and all that interact. So I gave up…
Back to a language that I know a bit better: Java. Starting over…
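The CSV-to-tree conversion and the "numbers along the hierarchy have to add up" requirement are the parts a treemap library typically leaves to the caller. As an added example (my own Python, not AfterGlow code and not Treemap::Squarified), here is one way to do both: read a CSV whose columns are hierarchy levels followed by a numeric size column (an assumption about the input layout), build the nested tree, sum the sizes bottom-up so every inner node equals the sum of its children, and then lay the leaves out. The layout is the simple slice-and-dice variant, alternating the split direction per level, rather than the squarified algorithm, and the CSV is constructed for the example.

```python
import csv
import io

# Constructed sample CSV (not from the post): every column but the last is a level of
# the hierarchy, the last column is the leaf size.  Two rows share the path 10.0.2.0/24 -> 22.
SAMPLE_CSV = """src_net,dst_port,bytes
10.0.1.0/24,80,1200
10.0.1.0/24,443,300
10.0.2.0/24,80,500
10.0.2.0/24,22,50
10.0.2.0/24,22,25
"""


def _insert(root, path, size):
    """Walk/create the nodes along path and add size to the leaf at its end."""
    node = root
    for name in path:
        node = node["children"].setdefault(
            name, {"name": name, "size": 0.0, "children": {}})
    node["size"] += size          # duplicate paths accumulate into one leaf


def _finalize(node):
    """Turn child dicts into lists and make each inner node's size the sum of its children."""
    kids = [_finalize(c) for c in node["children"].values()]
    if kids:
        node["size"] = sum(k["size"] for k in kids)
    node["children"] = kids
    return node


def csv_to_tree(text):
    """Parse CSV text (hierarchy columns, then a size column) into a nested tree."""
    reader = csv.DictReader(io.StringIO(text))
    hier_cols, size_col = reader.fieldnames[:-1], reader.fieldnames[-1]
    root = {"name": "root", "size": 0.0, "children": {}}
    for row in reader:
        _insert(root, [row[c] for c in hier_cols], float(row[size_col]))
    return _finalize(root)


def layout(node, x, y, w, h, horizontal=True, path=(), out=None):
    """Slice-and-dice layout: split the rectangle in proportion to child sizes,
    alternating the direction per level.  Returns (path, x, y, w, h) per leaf."""
    if out is None:
        out = []
    if not node["children"]:
        out.append((path, x, y, w, h))
        return out
    total = node["size"]
    for child in node["children"]:
        frac = child["size"] / total if total else 0.0
        child_path = path + (child["name"],)
        if horizontal:
            layout(child, x, y, w * frac, h, False, child_path, out)
            x += w * frac
        else:
            layout(child, x, y, w, h * frac, True, child_path, out)
            y += h * frac
    return out


if __name__ == "__main__":
    tree = csv_to_tree(SAMPLE_CSV)
    print("total bytes:", tree["size"])
    for leaf in layout(tree, 0, 0, 400, 200):
        print(leaf)
```

With the constructed input the root sums to 2075 bytes, the two /24 subtrees to 1500 and 575, and the leaf rectangles cover the whole 400 by 200 canvas; feeding a tree whose inner sizes were not recomputed this way is exactly what produces gaps and overlaps in the picture.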

December 20, 2005

RAID 2006

Category: Uncategorized — Raffael Marty @ 1:41 am

The RAID (Recent Advances in Intrusion Detection) conference next year will be held in Hamburg. I will be on the program committee for the conference.
Make sure you submit a paper and attend the con!

December 6, 2005

Scapy

Category: Uncategorized — Raffael Marty @ 11:32 pm

I guess by now everyone knows scapy. At this point this is more a way for me to remember this tool.

Scapy is an interactive packet manipulation program written in Python.

December 4, 2005

Credit Card Numbers on Receipts

Category: Uncategorized — Raffael Marty @ 7:25 pm

Have you ever noticed that some restaurants or retail stores put the entire freaking credit card number on the receipt? I got quite upset and found this very interesting California Civil Code, number 1747.9, stating that there shall not be more than 5 numbers on the receipt. I will start complaining. You should too!