
RSA – At the Booth with Mark Wood of nCircle

Q. What is your role at $vendor?
A. VP Product Management at nCircle. My job is to make sure that nCircle continues to build the most effective and most competitive solutions to the most urgent customer security and compliance audit problems.

Q. What got you into IT/IS?
A. Actually, it was 1982 and I was just starting college. I had one elective and was trying to decide between Economics and Computer Science. I picked Computer Science because it sounded more interesting and because my mother had been programming mainframes for 10 years. My first job out of college was as a developer with AT&T Bell Labs and I just never left it. I’ve been associated with IT vendors for close to 25 years now.

Q. What do you do outside of IT/IS?
A. You know, I’ve been thinking I need some new hobbies. I have two young kids that take up most of my free time. I read…a lot. I also like to write, though I haven’t done it regularly in years. I had my own blog for about four years and I’d like to find time to get back to that again.

Q. What are you most looking forward to / what did you most enjoy about RSA this year?
A. I’m interested in seeing how the flavor of the show changes. For me, RSA is about economic trends – large scale swings in the market place. RSA has always been half-marketing/half-business development. This year, I suspect attendance will be down and we’ll see a larger percentage of the traffic representing companies trying to sell themselves. It’s a bizdev show in a buyers’ market right now.

Q. Was this your first time at RSA? Will you return?
A. Not my first show, no. (My first technology tradeshow was one of the early Interops in the 1980s where the protocol stacks were all so different. The main point of the show was to ensure interoperability and every vendor had to have a 10 Mbps (fast at the time) drop into the booth that they had to connect to successfully. Things have come a long way.)
I don’t know how many RSAs I’ve been to. I’ll definitely be back, if only for the annual ISS reunion that takes place each year.

Q. What will you be doing at your booth?
A. Trying not to look too out of shape in my orange t-shirt?
Seriously, I’ve got booth duty as an “executive” plus there are a couple of 15-minute presentations I’m giving. Plus, it’s a great place to do market research if you’re a product manager. I have a couple of projects in the works that I’d like to bounce off the right personas, if I can find them.

Q. Is there any swag available at your booth?
A. We have those cool tiny battery-powered helicopters for presentation attendees and we’re giving away a Kindle 2 to a random person who begins following us @ncircletweets.

Q. If people wanted to chat with you when could they stop by the booth?
A. Monday after 6:00 pm; Tuesday after 2:00 pm; Wednesday after 2:00 pm. Or just tweet me @markwood.

Q. Prediction for the future of IT/IS during 2009 and into 2010?
A. Security and compliance spending will rebound faster and earlier than the general economy. Virtualization is fundamentally changing the nature of our IT world and it’s going to result in customers getting a lot more choices when it comes to security and compliance solutions. That said, the drive to consolidate vendors will not abate in 2009 and may actually accelerate in 2010. It will, therefore, be critical to be a strategic vendor to your customers.

Q. Any comments?
A. I have always thought I could make a killing at RSA by having my own Dr. Scholl’s booth.

Categories: Conferences

RSA – At the Booth with Martin McKeay of Trustwave

Q. What is your role at $vendor?
A. PCI QSA at TW.  or Payment Card Industry Qualified Security Assessor at RSA

Q. What got you into IT/IS?
A. Innate geekiness.  Been playing with computers since the Ti99/4a

Q. What do you do outside of IT/IS?
A. There's a life outside of IT/IS?  When I'm not on the computer, I'm spending time with my wife and kids.  God help me when the kids get old enough to IM, tweet and play Halo.

Q. What are you most looking forward to / what did you most enjoy about RSA this year?
A. The Security Bloggers Meetup.  I'm hosting it with Rich Mogull; I'd have to say that even if it wasn't true.

Q. Was this your first time at RSA? Will you return?
A. 4th RSA, and I'll be back as long as they'll let me return.

Q. What will you be doing at your booth?
A. Good question.  No one's told me yet.  Seriously.

Q. Is there any swag available at your booth?
A. Another good question.

Q. If people wanted to chat with you when could they stop by the booth?
A. Tuesday, 1-4 or Thursday 11-1.  I may have to leave early on Tuesday to participate in the "Avoiding Security Groundhog Day" panel.

Q. Prediction for the future of IT/IS during 2009 and into 2010?
A. PCI is going to continue to be a big driver in the security market.  Unless the federal government decides they can do better, then all bets are off.

Q. Any comments?
A. Who's bringing the economy size bottle of Tylenol?

Categories: Conferences

RSA “At the Booth” Series

So I was trying to think of something different that I could do in my blogging about RSA. After some humming and hawing I decided to do a blog series that I'm calling RSA "At the Booth". This is open to anyone working a booth at RSA. Simply send me an email to rsa [at] <thisdomain>. The questions are:

  1. What is your role at $vendor?
  2. What got you into IT/IS?
  3. What do you do outside of IT/IS?
  4. What are you most looking forward to / what did you most enjoy about RSA this year?
  5. Was this your first time at RSA? Will you return?
  6. What will you be doing at your booth?
  7. Is there any swag available at your booth?
  8. If people wanted to chat with you when could they stop by the booth?
  9. Prediction for the future of IT/IS during 2009 and into 2010?
  10. Any comments?

The post titles will follow the format - "RSA - At the Booth with $name of $vendor". It may be interesting to some people who want to a) talk to a particular person or b) find someone with a similar interest.

Categories: Conferences

Apache AddType Issue

A recent SANS ISC diary entry mentions an interesting configuration point that I had been previously unaware of. It seems that AddType doesn't just enable the extension, it enables all files containing that string.

Example: AddType application/x-httpd-php .php

In the above example, both phpinfo.php and phpinfo.php.bak would be parsed as PHP.  I found this to be rather interesting and started testing with a few servers I have handy.

It appears as though this isn't the case 100% of the time.

I tested 3 servers running Apache 1.3.34, 2.2.4 and 2.2.8. It was true on the server running Apache 1.3.34, however it wasn't true on the two Apache 2.2 systems.

I contacted the handlers at ISC to follow up with them, but I haven't heard anything confirming it one way or the other. Has anyone else tested this on their servers?
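To make the matching rule concrete, here is an added Python model (my example, not Apache's own code or anything from the ISC diary) of the two ways a filename can be mapped to a type: the lenient "any recognised extension anywhere in the name" behaviour the diary describes, and the strict "final extension only" rule that a FilesMatch block anchored on the end of the name expresses. The third function audits a list of names for the leftovers that differ between the two, which is the check a server owner would want to run over a document root.

```python
import re

# Constructed AddType-style map (extension -> type) standing in for
# "AddType application/x-httpd-php .php" plus one unrelated type.
ADDTYPE = {".php": "application/x-httpd-php", ".html": "text/html"}
PHP = "application/x-httpd-php"


def type_by_any_extension(name, addtype=ADDTYPE):
    # Model of the behaviour described in the diary: every dotted
    # component after the basename is looked up, so 'phpinfo.php.bak'
    # still maps to PHP because '.php' appears in the extension list.
    # Modelling choice: if several components are recognised, the
    # last recognised one wins.
    base = name.rsplit("/", 1)[-1]
    matched = None
    for ext in base.split(".")[1:]:
        t = addtype.get("." + ext)
        if t is not None:
            matched = t
    return matched


def type_by_final_extension(name, addtype=ADDTYPE):
    # Strict rule: only the trailing extension counts. This is what a
    # FilesMatch block whose regex ends in '$' (e.g. "\.php$" with
    # SetHandler) expresses; '.php.bak' ends in '.bak' and is not PHP.
    base = name.rsplit("/", 1)[-1]
    m = re.search(r"\.([^./]+)$", base)
    return addtype.get("." + m.group(1)) if m else None


def audit(names, addtype=ADDTYPE):
    # Names that would be executed under lenient matching but not under
    # the strict rule: editor backups and '.orig' copies of PHP files
    # that a defender should remove from (or never leave in) htdocs.
    return [n for n in names
            if type_by_any_extension(n, addtype) == PHP
            and type_by_final_extension(n, addtype) != PHP]


if __name__ == "__main__":
    # Constructed listing of a document root.
    sample = ["index.php", "phpinfo.php.bak", "notes.txt", "a/b/old.php.orig"]
    for n in sample:
        print(n, type_by_any_extension(n), type_by_final_extension(n))
    print("risky leftovers:", audit(sample))
```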

Categories: IT, Security

Off to CanSecWest

In 4 hours I'll be on a plane to Vancouver to enjoy CanSecWest. If you're going to be there ping me and we'll grab a beer. You can find me on twitter (treguly) or email me ht [at] this domain.

Categories: Personal

Successful Exploit Renders Microsoft Patch Ineffective [Link Posted]

One of the patches released yesterday has a serious flaw, in that an already compromised host will not have the patch properly applied. I provided a full write-up on this yesterday on the nCircle blog and felt that the importance of the issue warranted posting a link here to increase awareness.

Categories: IT

CDVT Update

I decided it was time to update CDVT, so the latest version is now checked into SVN.

The Metasploit web-based SVN seems to have stopped passing a revision number, so I removed it from cdvt.xml. At the same time I updated the regexes that scrape the version information from nmap ('stable' was previously in italics and is now underlined) and Notepad++ ('The latest version :' used to have a 'v' before the version number).
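Both breakages above came from matching presentation markup rather than text. As an added illustration (my example, not CDVT's code; the HTML snippets are constructed and the patterns are hypothetical), the scraper below strips tags before matching and treats the leading 'v' as optional, so neither the italics-to-underline change nor the dropped 'v' would have required a regex update, and a layout change it cannot absorb returns None instead of a stale value.

```python
import re

# Constructed HTML snippets modelling the two markup changes mentioned
# in the post; they are not captured from the real nmap or Notepad++ sites.
NMAP_OLD = '<p>The <i>stable</i> release is Nmap 4.76</p>'
NMAP_NEW = '<p>The <u>stable</u> release is Nmap 4.76</p>'
NPP_OLD = '<div>The latest version : v5.2</div>'
NPP_NEW = '<div>The latest version : 5.2</div>'

# A version is an optional leading 'v' followed by dotted numbers.
VERSION = r"v?(\d+(?:\.\d+)+)"

# Hypothetical per-tool patterns. They are applied to text, not raw
# HTML, so tags wrapped around a label cannot break them.
PATTERNS = {
    "nmap": re.compile(r"stable release is Nmap\s+" + VERSION, re.I),
    "notepad++": re.compile(r"The latest version\s*:\s*" + VERSION, re.I),
}


def strip_tags(html):
    # Replace every tag with a space, then collapse whitespace, so the
    # patterns see "The stable release is Nmap 4.76" whatever the tags.
    text = re.sub(r"<[^>]+>", " ", html)
    return re.sub(r"\s+", " ", text).strip()


def scrape_version(tool, html):
    # Return the version string for `tool`, or None when the page no
    # longer matches; None is the signal to fix the pattern, which is
    # preferable to silently reporting an out-of-date version.
    m = PATTERNS[tool].search(strip_tags(html))
    return m.group(1) if m else None


if __name__ == "__main__":
    for tool, page in [("nmap", NMAP_OLD), ("nmap", NMAP_NEW),
                       ("notepad++", NPP_OLD), ("notepad++", NPP_NEW)]:
        print(f"{tool}: {scrape_version(tool, page)}")
```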

The output is now:

treguly@ns:~/code/cdvt$ python cdvt.py text display
Getting Information for 2.4 Kernel
Getting Information for 2.6 Kernel
Getting Information for Cain & Abel
Getting Information for ettercap
Getting Information for Kismet
Getting Information for Metasploit Release
Getting Information for NetStumbler
Getting Information for nmap
Getting Information for Notepad++
Getting Information for PuTTy
Getting Information for Wireshark
2.4 Kernel:                     2.4.37
2.6 Kernel:                     2.6.28.7
Cain & Abel:                    4.9.29
ettercap:                       NG-0.7.3
Kismet:                         Kismet-2008-05-R1
Metasploit Release:             3.2 Release
NetStumbler:                    0.4.0
nmap:                           4.76
Notepad++:                      5.2
PuTTy:                          0.60
Wireshark:                      1.0.6

As always, I'm open to adding additional software, just let me know what you'd like to see added.

Categories: CDVT - Version Tracker

Denial of Service the Series: Part 2 – Survey Responses (2/2)

Yesterday I stopped halfway through and said I'd continue with the responses today. So tonight I'm going to look at the responses to:

  • Does Web 2.0 Make Availability More Important?
  • Are Denial of Service and Availability Interchangeable?
  • A Browser Crash is...?
  • A Firewall Denial of Service is...?
  • A Web Server Crash is...?

These are the questions that drew the responses that I was really interested in... so let's jump right in.

Question 5 - Does Web 2.0 Make Availability More Important?

[Chart: responses to "Does Web 2.0 Make Availability More Important?" by profession]

With this one I was rather impressed by the splits: overall we had 89 'Yes' responses to 78 'No's. Our biggest group (IT Professional) saw 34 to 20 in favour of 'Yes', while the second biggest group (Security Researcher) was an even split of 26 to 26. Perhaps the most surprising was IS Professional, with 16 to 10 in favour of 'No'. Going into this survey, if I had to pick one question that I thought would be clear cut, it would have been this one. I thought that everyone would say yes; that obviously isn't the case. So what did people have to say about this question?

If anything Web 2.0 has shown how little people care about availability. - Security Researcher/No

Web 2.0 (Web 'Uh-oh') actually opens up an entirely different set of security issues... - Security Researcher/No

There are just more people pissed off about it. - Developer/No

Availability is an issue for COBOL apps written in the 1960s.  Mission critical is mission critical.  Platform is irrelevant. - IS Professional/No

It really shouldn't; it should have been just as important 10 years ago. I think the big difference is rather than 10,000 web users on a site 10 years ago, today there may be 1,0,000! Web 2.0, to me, signifies a big uptake in people casually using those tools. This makes A seem important as it really affects revenues and perceptions.  But should it have been less important? I guess that's a paradigm difference amongst people, but I think it should always have been important. - IT Professional/No

The purpose, not the technology, dictates when availability is more important. - Management/No

As you can see, I've only selected comments where the commenter selected 'No' as their answer. So it seems that, at least to some people, availability isn't 'more important' but should be considered 'as important'. That's completely valid... just not how I looked at it. I had assumed more people meant more importance. The developer's comment is interesting: "There are just more people pissed off about it". That follows the logic I had used in my assumptions, yet they answered no. I guess that means the question comes down to "more important to whom?" The business, the user or both? I'd say both. If I can access the service, I'll be happy. If I'm happy I'll most likely be retained as a customer. If I stick around, I'll probably buy more and the business will be happy.

The remaining comments either passed off 'Web 2.0' as a horrid buzz word or revolved around the concept I just mentioned, more people and more business make Web 2.0 more important.


Categories: Security

Denial of Service the Series: Part 2 – Survey Responses (1/2)

So here we go... I know some people have been waiting to see these numbers, so it's about time I share them. In the end 279 people responded to the survey, and I'm fairly happy about the responses... only one of those 279 used the comments inappropriately, but I've still counted the drop-down boxes from that survey. There were 204 anonymous responses and 75 with names, email addresses or websites attached to them. People that follow me on twitter may have noted last night that I was really enjoying the comments. Based on the comments to the first question I had done a quick estimate, expecting ~600 comments... however the numbers dwindled on the following questions and picked up again for the last one. In the end I received 250 comments in addition to the survey responses. I haven't yet decided if I'll make the survey data available, but if I do, I'll definitely remove all personal information.

The survey posed 9 questions and allowed for plenty of space to provide comments, so I was really excited to see the answers that I would get.  Some people felt my questions biased the responses (I believe it's impossible to do anything without introducing personal bias on some level) and others questioned what I was trying to get at.  I think I'll start by summing that up as simply as I can.  If someone causes me to lose access to something, I believe they've denied me service and it is therefore a denial of service. I've seen all sorts of responses that it depends on if the denial was malicious or accidental, that it only applies to servers and so forth. I think it's much simpler than that... if I visit a website and it crashes my browser... Denial of Service. If I run a web server and someone crashes it... Denial of Service. So I wanted to know who shared my opinion and how people felt about Denial of Service.

For this post I'm going to provide graphs of the responses, mapping response to profession and some minor feedback.


Categories: Security

Denial of Service the Series: Part 1 – DoS vs DDoS

Quite a while back I had posted everywhere and contacted everyone I knew regarding a Denial of Service survey that I was conducting. It came out of the frustration of watching people and companies disregard denial of service as a valid security concern. It seemed to be an ongoing debate -- Confidentiality & Integrity vs Availability, instead of all three being treated as important. Anyways I've been under constant hounding to release some statistics from the survey, so I figured I'd do a multi-part series on Denial of Service (ok... so right now it's planned as a 2-part series). This first part is a precursor, since I had numerous people argue on whether or not DoS and DDoS were the same thing or different things and also on whether or not DoS was still valid (more on that to come). Since the survey was part of a conference talk that I wanted to do and the talk wasn't accepted, I figure it's as good a time as any to start posting.

One of the most interesting things that I came across during my initial investigation was that there's no clear definition of Denial of Service. A simple define: denial of service search on Google yields numerous results:

Attacks on wired networks require a far greater deal of computing power, often even requiring the need of distributed computing. Attacks on wired networks of course do not require any NICs or external antennae, yet often does have the need of a (broadband) connection to the Internet. (Wikipedia)

I rather enjoy this one because it has two interesting remarks. The first is that you require a great deal of computing power to perform a denial of service attack. The second is that when attacking a wired network you do not require a NIC.

A type of attack that tries to block a network service by overloading the server. (Ingate - A firewall vendor)

Blocking a network service is definitely one form of DoS; however, a single computer usually doesn't accomplish the task very well, so this will usually be a DDoS.

denial of service: An attack that consumes the resources on your computer for things it was not intended to be doing, thus preventing normal use of your network resources for legitimate purposes. (The Linux Security How-To)

This time, instead of "overloading the server", we see "consumes the resources". Once again, we seem to be confusing DoS as a whole with a single type of DoS, or with DDoS. This confusion seems to occur everywhere. When I was initially distributing the survey link, I had numerous people question why I was even bothering. They claimed that DoS was irrelevant because it was simply a packet flood, that you were "overloading the server" and "consuming the resources". This is not the case at all and, as I've mentioned repeatedly, they were looking at a single piece of the Denial of Service pie.

So what is a Denial of Service? Excellent question. There are actually a few sites that define it more appropriately.

Denial of Service: Result of any action or series of actions that prevents any part of an information system from functioning. (KeyBank)
Denial of Service: Unwanted or malicious messages that render network resources non-functional. Some examples are Ping of Death, SYN flood, IP spoofing and Smurf attacks (SEQUI)

This is a much more accurate definition of Denial of Service and I'm glad to see that there are proper definitions floating around.

If I were to define Denial of Service, I would say, very simply, "The absence of Availability." I don't think the definition itself needs to go much beyond that. It is very broad, but broad can be good. Some people may argue that it's too encompassing, but that definitely isn't the case. Think about the recent Slashdot downtime: while the problem was internal, it was a Denial of Service in the broadest sense of the term. Whether it's a power outage, a tornado, a tank driving through your data center, a packet flood or a malformed packet bringing down a listening server... it's all Denial of Service.

Now DDoS is another beast. Distributed Denial of Service tends to be defined more reasonably most of the time and people are generally clear on what it is. Essentially, it's what everyone I quoted above was describing, a wide-scale, multiple-source attack that consumes resources and renders the device or service inaccessible. Metasploit, and many others, have experienced this recently.

So why is all of this important? It helps you to understand the logic and reasoning behind some of the questions on the survey. Many people left comments stating that the questions were unclear, primarily because they were thinking of Denial of Service in terms of a packet flood. Before I release details on the survey, I want to be sure people have a clear understanding of what I'm talking about. I know what you're thinking: I should have done this prior to the survey. However, I didn't realize that what I considered to be an industry-standard definition was not.

That is why I asked questions like, "Is Denial of Service a Vulnerability?" Some said 'no': it's a packet flood and that isn't a vulnerability. Many said 'sometimes', with the logic that sometimes it's taking advantage of a vulnerability and other times it's a simple packet flood. Personally, I like 'sometimes' as the answer to this question, although the comment I'd add is that I consider the majority of DoS to be a vulnerability (in other words, 'sometimes' doesn't need to be a 50/50 split). The answer, however, may depend on where you sit within IT/IS or perhaps where you sit within your organization.

I see a vulnerability as any weakness, within reason, that leaves you vulnerable. Some see a vulnerability as a coding flaw or poor protocol implementation, while others see a configuration option as a vulnerability. I've been told that a null pointer dereference shouldn't be labeled as a 'critical vulnerability', but we've all seen what Mark Dowd can do with one. I guess my point is that no answers were cut and dried; that's why I left the ability to comment on the majority of the questions.

So back to my point... my goal was to find out what everyone thought Denial of Service meant, and when they felt the label "Denial of Service" applied. Is a web server crashing on a malformed HTTP request a DoS? If it is, then is a web browser crashing on a malformed HTTP response also a DoS? The opinions on answering this can be quite varied, and in writing this I believe I just talked myself into a third post... a follow up with my commentary to the survey data, especially to this point as the answer really intrigues me. That being said, I invite everyone to comment on this point in particular (of course I always welcome comments on everything).  Whether it's a comment below this post, or a blog post of your own... I would love to see full responses (in greater detail than the survey could have possibly allowed for) to those two questions.

I have theories and thoughts that I will expand on as well, as I explore this series (I believe I've just thought of a fourth post now)... but up next will be the survey results. I just wanted to be sure that everyone had an understanding of the difference between DoS and DDoS, and that it was understood, or at the very least understood that I feel, that a DoS is more than a simple packet flood.

Categories: Security