January 7, 2007

Solving the Trivial Problems Over and Over and Over Again

Category: Log Analysis,Security Article Reviews — Raffael Marty @ 1:24 pm

I read a lot of research papers and security articles. I am getting so tired seeing all these tools, research papers, and new algorithms that propose new approaches in computer security and then as a proof, they are solving one of the “old” problems: Detecting worms, portscans and finding peer-to-peer traffic. Guys, it’s been done. We don’t need any more tools to do it. It’s easy and nothing to show off with!
Show me that other use-cases can be solved with your new approach. That will not only tell me that you actually thought about the problem space, but it will help the security community at large to tackle new problems (maybe some that they were not even aware of)!

January 6, 2007

Blog-Tagged

Category: Uncategorized — Raffael Marty @ 3:52 pm

Anton Chuvakin just blog-tagged me. What that means is that I have to write five things about myself that not many people know and then list five other people that should do the same thing. Well, here ya go:

1. I used to be heavily involved in crossbow shooting. I was Swiss champion, was shooting in the national team for about 6 years and was the coach of the youth team for about 2 years. A great time which is responsible for a lot of what I am today.

2. I have a passion for bridges. I love taking pictures of them. I should probably start posting them 😉
3. I guess this is well known: I am Swiss. I grew up in Switzerland. In 1999 I came to the Silicon Valley for an internship, left the US again and then moved back to San Francisco in 2003.
4. My interest in security came about during my cryptography lessons in college. I was fascinated by the concepts and how they can be put into practical solutions. That initial fascination led to an internship and then later my master thesis at IBM Research in Zurich.

5. VIM: I am a huge fan of VIM. Some people hate me for using VIM for all my writing; Anton? I write my emails in VIM, I write my books in VIM, and much to the annoyance of my co-workers, I set my shells to VIM mode (set -o vi). And who is responsible for that? I am pretty sure it was Dhawal during my internship at Cylink.

So, who am I tagging?

1. Jian Zhen

2. Jan P. Monsch

3. Michael Rash

4. Diego Zamboni

5. Axel Eble

January 5, 2007

Certifications and Years of Experience

Category: Security Article Reviews — Raffael Marty @ 11:49 am

Are you one of those people who read the ISSA articles by first checking out the title and then the little bio about the author, posted at the end of the article? I am! What is funny to me is that the acronyms after the name are getting more and more. Is there a list of accepted certification acronyms? What do you put there? Does everyone really know what they mean? And is more better?
The best one I have seen is RSA. What’s that? Is this guy certified in public key crypto? Can he do it in his head? Is he certified in RSA secure IDs? What is it? No idea. Is it really cool to put a CCNA and MCSE certification after your name? I would almost be ashamed 😉 I keep wondering whether more certifications is really better. To be honest, when I get resumes, I am a bit alarmed if someone has too many certifications. Doesn’t that mean that the person spends more time on certifications than doing real work? I’d rather have someone who knows his stuff hands-on than through certifications. But that’s just me.

January 4, 2007

Linux Auditing – ISS Article Review

Category: UNIX Security — Raffael Marty @ 6:08 pm

Well, I was travelling again and I read my way through some of the ISSA magazines that stacked up on my desk over the past months. I have to admit, the quality of articles I read has actually improved. That does not mean that I don’t have any comments…

I read this article in the March 2006 issue of the ISSA journal about Auditing on Linux/Unix. While I like the article and how it outlines what you can do to harden a UNIX box, it is yet another article which fails to mention how hard it is to enable real auditing on Linux. I have yet to find a comprehensive guide about how to enable the auditing you really need on a Linux box. Not a single word was spent on the PAM modules. The article mentions process accounting via accton but does not really mention how that can be used and how this could be handled in a distributed logging environment. How do you get all of this data into syslog instead of looking at it via lastcomm?

Maybe these things could be addressed in a follow-on article?

December 5, 2006

SecViz – RSS Feed

Category: Log Analysis,Visualization — Raffael Marty @ 3:26 pm

It was a bad oversight that secviz.org did not have an RSS Feed. But now there is one! The feed contains all new content posted to the portal, including comments. Subscribe so you don’t have to check back all the time to see whether there is new content.

[tag]security visualization[/tag]

November 28, 2006

Log Visualization Portal – secviz.org

Category: Log Analysis,Visualization — Raffael Marty @ 2:04 am

I launched a new portal that deals with visualization of log files:

http://secviz.org

The portal can only survive if people, you, take an active part in contributing content.

There are multiple resources available where community input is most welcome:

* Graph Exchange: The idea is that people can submit their graphs, explain why they think the graphs are useful, and how they generated them.
* Parser Exchange: To generate graphs, you need to parse your data. This is a place where you can submit your parsers.
* Links: A whole bunch of links around data analysis and visualization.
* Discussions: A free forum where you can start discussions around the topics of log visualization and analysis.

Let me know what you think and most importantly, submit your graphs.

November 24, 2006

Linux Auditing – Again!

Category: Log Analysis,UNIX Security — Raffael Marty @ 5:06 pm

I keep running into these little annoyances in Linux. (And as I said here before, I love Linux, but there are some things which are just bad.) This time I was trying to see what happens if you lock an account. You didn’t even know you could do that?

passwd -l 

Do you know what syslog has to say about this?

Nov 14 16:35:12 zurich passwd[21226]: password for `test' changed by `root'

And even worse, if you unlock:

passwd -u 

Linux says:

Nov 14 16:35:12 zurich passwd[21226]: password for `test' changed by `root'

Great! What am I supposed to do with this? Is a password change really the same as a lock out of a user?

To continue on the path of auditing and such, have you tried to configure an automatic lock-out after a certain amount of failed logins? Good luck. After a while you might find pam_tally. You have to use this PAM module to achieve that lockout. You can configure after how many failed passwords an account gets locked. Again, why is this in such a hidden module? Why not built-in? Is anyone going to rebuild the authentication sub-system? Please? And if you are at it, rethink the whole logging infrastructure too! Don’t forget to use a common log format, a specific fixed format that enforces certain information and is parsable! Stop logging copyright messages into syslog (Ok: dhclient?).
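An added example, not code from the original post: since passwd writes the same syslog line for a lock, an unlock and a real password change, the only record of what actually happened is the account's hash field in /etc/shadow (passwd -l prefixes it with '!', passwd -u removes the prefix). The helper below pairs the ambiguous log line with that state; the shadow lines and hashes are constructed placeholders.

```python
import re

# Constructed sample data (not from the post): shadow-format lines with
# placeholder hashes, plus the syslog line quoted above.
SAMPLE_SHADOW = """\
test:!$1$saltsalt$placeholderhashvalue:13500:0:99999:7:::
alice:$1$saltsalt$placeholderhashvalue:13500:0:99999:7:::
daemon:*:13500:0:99999:7:::
"""
SAMPLE_SYSLOG = ("Nov 14 16:35:12 zurich passwd[21226]: "
                 "password for `test' changed by `root'")

# The one line passwd logs for -l, -u and a genuine password change alike.
PASSWD_EVENT = re.compile(
    r"passwd\[\d+\]: password for `([^']+)' changed by `([^']+)'")


def account_state(shadow_text, user):
    """Return 'locked', 'nopassword', 'active', or None if USER is absent.

    passwd -l prefixes the hash field with '!' and passwd -u strips it, so
    the field records what the syslog line does not say.
    """
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or fields[0] != user:
            continue
        hashfield = fields[1]
        if hashfield.startswith("!"):
            return "locked"
        if hashfield in ("*", ""):
            return "nopassword"   # system account ('*') or no password set
        return "active"
    return None


def interpret_passwd_event(log_line, shadow_text):
    """Pair the ambiguous passwd syslog line with the account's current state."""
    match = PASSWD_EVENT.search(log_line)
    if match is None:
        return None
    user, actor = match.groups()
    return {"user": user, "by": actor,
            "state_now": account_state(shadow_text, user)}
```

Run at lock time, a "state_now" of "locked" identifies the line as a passwd -l; comparing the hash field before and after the event distinguishes an unlock from a real password change.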

November 3, 2006

Interoperability Standards – Formats

Category: Log Analysis — Raffael Marty @ 12:32 am

There is all this talk about event interoperability standards or logging standards. Don’t we have enough of them? IDMEF, IDXP, SDEE, WELF, CBE, RDEP, OPSEC. All of them are approaches to solve the same problem: Simplify or enable the interoperability of devices and applications. Does anyone support these standards? No! The question is why? Here is my answer:
Have you ever looked at these standards? Noticed anything? These guys are all trying to solve many problems at once. I already blogged about the four different types of log standards that we need. One important thing is that the transport needs to be separated from the format! SDEE for example requires SOAP as a transport. Have you ever implemented SOAP messaging? What an effort. I don’t want to do it in my applications. I want something easy! Why not use simple transports? What about files or syslog? And when I say syslog, I don’t mean the gibberish you can log in the message, but I mean the transport. Very simple! Very easy to implement!
Some standards are using XML. It’s just too much work to implement XML messages. You need to keep track of the elements, the hierarchy, the attributes, validate against the DTD, the Schema, etc. And you need a transport that can support it. Nevertheless, there are a few advantages to XML: You can express lists and you can enforce a very well defined format. But that’s it.
So my point being, use a text-based format. Do we have any standards in that arena? Well, there is CEF (Common Event Format). And that’s it. I don’t know of any others. The standard is very well designed. And not by academics or people that have never seen a log file before, but by people that have seen hundreds of different log formats. A log standard needs some other considerations. Things like event IDs or severities. Things that an event consumer is interested in! But that’s a topic for another entry.
There is a second point that you can make against text-based formats (the first point being that lists are hard to express), which is speed. I completely agree, if you want speed, you need to go binary! Period. Use NetFlow as an example where you send some kind of a template first and then you send the messages in that format. However, there are other drawbacks: it’s harder to implement (you need preprocessing), not every transport is suited for it, etc.
So to conclude: We really need three logging standards:

* text-based for ease
* binary for speed
* XML for complex structures
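As an added illustration of how little work a text-based format takes (this is not code from the post, nor ArcSight's), here is a small parser for the CEF layout: a pipe-separated header of version, vendor, product, device version, signature ID, name and severity, followed by space-separated key=value pairs, with backslash escapes for '|' in the header and for '=' and '\' in extension values. The sample event is constructed.

```python
# Constructed sample event (not from the post); note the escaped '|' in the
# product name and the escaped '=' and '\' inside the msg value.
SAMPLE_CEF = (r"CEF:0|ExampleVendor|Example\|FW|1.0|100|Connection blocked|5|"
              r"src=10.0.0.1 dst=192.0.2.10 msg=user\=bob tried\\admin act=blocked")
HEADER_NAMES = ("version", "vendor", "product", "device_version",
                "signature_id", "name", "severity")

def _unescape(text):
    """Resolve backslash escapes: \\x -> x, except \\n and \\r become line breaks."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append({"n": "\n", "r": "\r"}.get(text[i + 1], text[i + 1]))
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)

def _unescaped_positions(text, target):
    """Indices of TARGET characters not preceded by an escaping backslash."""
    positions, i = [], 0
    while i < len(text):
        if text[i] == "\\":
            i += 2                     # skip the escaped character
            continue
        if text[i] == target:
            positions.append(i)
        i += 1
    return positions

def parse_cef(line):
    """Parse one CEF line into a dict of header fields plus an 'extension' dict."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    bars = _unescaped_positions(line, "|")
    if len(bars) < 7:
        raise ValueError("incomplete CEF header: 7 separators expected")
    starts = [4] + [b + 1 for b in bars[:7]]      # offsets of the 8 header parts
    event = {name: _unescape(line[starts[k]:bars[k]])
             for k, name in enumerate(HEADER_NAMES)}
    ext, extension = line[starts[7]:], {}
    eqs = _unescaped_positions(ext, "=")
    for n, p in enumerate(eqs):   # a value runs to the last space before the next '='
        key = ext[ext.rfind(" ", 0, p) + 1:p]
        end = ext.rfind(" ", 0, eqs[n + 1]) if n + 1 < len(eqs) else len(ext)
        extension[key] = _unescape(ext[p + 1:end])
    event["extension"] = extension
    return event
```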
October 31, 2006

Events vs. Logs vs. Log Entries vs. Traps vs. ? – Missing Definitions

Category: Log Analysis — Raffael Marty @ 9:16 pm

The problem of how you call something is not something I think about consciously very often, but it became really obvious to me that it is important to name things and define what they really mean every so often. In my daily work I use the words Event and Log Entry all the time. While talking to developers and other geeks, it has never been a problem, but I was talking to some other groups lately, outside of my company and when I mentioned the word event it took me a while to understand that they did not think about an event the way I did. An event for them was an incident, a physical event, the constellation of things coming together and causing something to happen. For me an event is something I use very loosely. An event gets generated by a device. It’s the same as a log entry. It’s a “string” that describes what happened. Windows for example generates events. They get collected in the event log. But again, I am using the term very loosely. What’s a log entry then in contrast to an event? Hmm… And is a tcpdump record a log entry or an event or what is it? Hard to say. I guess it takes the effort of someone to define all that. I might…

October 18, 2006

Security Data Visualization – Book Chapter

Category: Log Analysis,Visualization — Raffael Marty @ 12:52 pm

I am scribbling on another book chapter. This time it’s for a visualization book. I am writing about how to analyze firewall and IDS logs. I am using line graphs and treemaps to do so. Guess what tool I am using to generate all the graphs. Yes. AfterGlow.
I am not quite done with writing, but am pretty happy with the way it shapes up. The chapter is not going to be highly technical. I am not going into how to configure AfterGlow and parse log messages and such. I focus more on the process-level. It is quite an interesting experience to put something into words that you intuitively do all the time.
I am not sure when the book is actually going to come out, but I will post here when it’s available.