Acronyms will be the death of me.

You can use NSM (Netscreen Security Manager) to manage your Netscreen firewalls.

You can use OpenNMS (http://www.opennms.org/index.php/Main_Page) to monitor your servers.

You can use NSM (Network Security Monitoring) to monitor your network.

From now on you’re Bob, you’re Fred and you’re Julio… I hope you all can play nice together.

Electronic or Computer Log Categories

I have been working on various SIEM (Security Information and Event Management) and log retention policy related projects lately. Through these projects, and others that I did as a security consultant, I have developed a list of log categories (or log types).

Surprisingly, I have found little to no authoritative document that provides such a list.

I have read through various RFCs, the NIST SP 800-52 Guide to Computer Security Log Management, and a large number of other documents, and still have not found a comparable list.

Because of the lack of existing lists I wanted to post what I have come up with in hopes that it will help others seeking out the same information, or at least generate conversation and point out other resources or types that I may have missed.

  1. Audit Trails: logs that document application or OS changes made and/or specific actions taken by a user. Also includes “object access/change” logs. This would include output from change management systems and system integrity logs like those Tripwire produces.
  2. Event Logs: internal system or application events that are not specific to a user or user generated.
  3. Traffic/Access Logs: web server hit logs; contain the URL accessed, visitor IP, browser, etc.
  4. Filter Device Logs: allows/denies from firewalls, IPS, ACL-enforcing routers, etc.
  5. Exception Logs: error logs.
  6. Network Traces: packet captures, flow data, etc.
  7. Authentication Logs: login/logout/invalid logins and session tracking.
  8. Physical Access Logs: visitor logs, biometric/badge/token door logs.
  9. Transaction Logs: database generated.
  10. Data Logger: statistical or numeric data. Data center environmental monitors, web hit counters, manufacturing equipment output data, etc.

Obviously some systems would lump data from multiple categories into one physical file. This is where a good parser or SIEM product would come into play.
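To show what that parsing step looks like in practice, here is an added example (my own code, not part of the original post) that sorts the lines of one mixed log file into the ten top-level categories above. The regex rules and the sample log lines are constructed for this example; a real SIEM would carry one rule set per log source rather than one generic list.

```python
import re
from collections import Counter

# The ten top-level categories from the list above, keyed by their number in that list.
CATEGORIES = {
    1: "Audit Trail",
    2: "Event Log",
    3: "Traffic/Access Log",
    4: "Filter Device Log",
    5: "Exception Log",
    6: "Network Trace",
    7: "Authentication Log",
    8: "Physical Access Log",
    9: "Transaction Log",
    10: "Data Logger",
}

# Ordered, first-match-wins rules. These patterns are hypothetical and tuned to the
# constructed sample below. A line that matches nothing falls through to the
# generic Event Log bucket (2), which is the least specific category.
RULES = [
    (7, re.compile(r"\b(login|logout|logon|logoff|authenticat\w*|Accepted password|"
                   r"Failed password|Invalid user|session (?:opened|closed))\b", re.I)),
    (1, re.compile(r"CONFIG_CHANGE|tripwire|integrity|object (?:access|change)", re.I)),
    (8, re.compile(r"\b(badge|door=|biometric|visitor)", re.I)),
    (4, re.compile(r"\b(DROP|DENY|ACCEPT|REJECT|ALLOW)\b.*\b(SRC|DST)=", re.I)),
    (6, re.compile(r"\b(netflow|sflow|ipfix|pcap|srcaddr=)", re.I)),
    (9, re.compile(r"\b(COMMIT|ROLLBACK|transaction)\b", re.I)),
    (5, re.compile(r"\b(ERROR|FATAL|CRIT|Traceback)\b|Exception\b")),
    (3, re.compile(r'"(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/')),
    (10, re.compile(r"\b(sensor|value|reading|counter)=", re.I)),
]

# Constructed sample: one "physical file" into which several sources were lumped.
SAMPLE_LOG = [
    "Nov 11 08:02:11 srv1 sshd[4412]: Accepted password for alice from 10.0.0.5 port 51022 ssh2",
    "Nov 11 08:03:40 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.20 PROTO=TCP DPT=445",
    '10.0.0.5 - - [11/Nov/2007:08:05:01 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    "Nov 11 08:06:15 db1 postgres[812]: COMMIT transaction 90211 by app_user on orders",
    "Nov 11 08:07:00 srv1 auditd[300]: audit(1194786420.100:55): type=CONFIG_CHANGE uid=0 key=sysconfig",
    "Nov 11 08:08:22 app1 webapp[2203]: ERROR NullPointerException at OrderService.java:118",
    "Nov 11 08:09:00 dc1 envmon: sensor=rack7_temp value=24.5C",
    "Nov 11 08:10:30 door1 badge-reader: badge=00412 door=server-room result=GRANTED",
    "Nov 11 08:11:05 srv1 systemd[1]: Started Daily Cleanup of Temporary Directories.",
    "Nov 11 08:12:00 sensor1 netflow: srcaddr=10.0.0.5 dstaddr=10.0.0.20 pkts=42 bytes=6100",
]


def classify(line):
    """Return the category name for one log line; the first matching rule wins."""
    for number, pattern in RULES:
        if pattern.search(line):
            return CATEGORIES[number]
    return CATEGORIES[2]


def summarize(lines):
    """Count how many lines of each category a (possibly mixed) log file holds."""
    return Counter(classify(line) for line in lines if line.strip())


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(f"{classify(line):20s} {line[:60]}")
    print(summarize(SAMPLE_LOG))
```

The rule order matters: authentication, audit and physical-access patterns are checked before the firewall pattern so that a line such as "Accepted password" is not mistaken for an ACCEPT verdict, and anything nothing claims ends up in the catch-all Event Log bucket, which is where unclassified lines should surface for review rather than silently disappearing.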

These categories also only include log data that would generally be ‘computer generated’ and are to be considered top-level categories. Many different subcategories may exist under each.

Vista makes CNET’s “Top Ten Terrible Tech Products”

For those of you wondering why I haven’t beaten up Vista yet… I have. I ran it from mid-beta to early release and had a very well written and thought out evaluation of its security and usability features. It was quite negative. I wrote the entire article in Notepad on my Vista machine.

One day I went to open the file to add finishing touches and proof it, and the file had disappeared. I know how silly and impossible this sounds, but it’s true. I have never seen anything like it under any operating system.

That pretty much cinched it for me. I downgraded back to XP and impatiently awaited the arrival of my new mac.

That being said, I laughed aloud as I read the CNET article. It contained many lines that I couldn’t help but agree with, such as…

Any operating system that provokes a campaign for its predecessor’s reintroduction deserves to be classed as terrible technology. Any operating system that quietly has a downgrade-to-previous-edition option introduced for PC makers deserves to be classed as terrible technology. Any operating system that takes six years of development but is instantly hated by hordes of PC professionals and enthusiasts deserves to be classed as terrible technology.

It’s suffering from painfully slow adoption by users and corporations alike, for good reason. I often hear the argument “All new operating systems have slow corporate adoption rates,” however compared to 2000 and XP, as well as planned adoption surveys… it’s dismal.

Conversely, desktop adoption rates of Linux and OS X are way up. Microsoft may finally be losing its foothold of absolute dominance, and as any industry can attest… real competition makes for better products all around.

A priest, a rabbi and a chicken

I had this posted a long time ago but removed it while interviewing with the DoD. I just didn’t think that they would find the same humor in it that I did. 🙂

The LAPD, the FBI, and the CIA are all trying to prove that they are the best at apprehending criminals. The President decides to give them a test and releases a rabbit into a forest and each of them has to catch it.

The CIA goes in. They place animal informants throughout the forest. They question all plant and mineral witnesses. After three months of extensive investigation they conclude that rabbits do not exist.

The FBI goes in. After two weeks with no leads they burn the forest, killing everything in it, including the rabbit and they make no apologies. The rabbit had it coming.

The LAPD goes in. They come out two hours later with a badly beaten bear. The bear is yelling: “Okay, okay, I’m a rabbit! I’m a rabbit!”

Time Machine

I started using Time Machine with the network drive hack…

defaults write com.apple.systempreferences TMShowUnsupportedNetworkVolumes 1

This turned out to be a life saver. Last Monday at work things started slowing down, big time. Eventually everything locked up. I could move my mouse but the OS would not accept keyboard input and none of the open apps would respond.

I powered it down and it booted up to the ? folder. I booted into my Leopard DVD and opened disk utilities. No hard drive was detected. How bad is that?

On the new MacBooks the hard drive is a user serviceable part. They had a replacement hard drive to me the next day.

Restoring from my Time Machine backup got me up and running in no time at all. I found that there are two ways to restore during the Leopard install process.

1. Stop the install and go to the Utilities menu. Select the Time Machine restore option and it will restore the entire hard drive as it was before.

2. Go through the install process as you would for a fresh install with your Time Machine drive plugged in. After the install reboots it will ask you what you want to restore. If memory serves it had check boxes for…

  • Home directory
  • Applications
  • Settings
  • Everything else

The “everything else” option is useful if you have Fink installed, as it lives outside the normal directory structure.

EDIT: Now I know why the drive failed. 🙂 It was the same model as the article reports and I did hear loud clicking. Mystery solved.

Chinese Hard Drive Manufacturer Embeds Trojan

“Around 1,800 of the portable Maxtor hard discs, produced in Thailand, carried two Trojan horse viruses: autorun.inf and ghost.pif, the bureau under the Ministry of Justice said.”

“The affected hard discs are Maxtor Basics 500G discs.”

“The bureau said that hard discs with such a large capacity are usually used by government agencies to store databases and other information.”

“Sensitive information may have already been intercepted by Beijing through the two Web sites, the bureau said.”

source: http://www.taipeitimes.com/News/taiwan/archives/2007/11/11/2003387202

This sounds rather sensational, eh? I certainly hope it is.

Let’s start with the “carried two Trojan horse viruses” part. This is a common mistake made by writers who don’t know anything about technology or information security. The word “viruses” is incorrect. To qualify as a virus the malicious software would require a propagation mechanism. As best I can tell from the articles, this is just a run-of-the-mill trojan.

Next we see that they believe a hard drive shipped to a defense contractor or government agency wouldn’t be formatted before being put into production. I will admit that from time to time large organizations may seem inept (none of us are as dumb as all of us), but policy and procedure should be in place to prevent things like this.

The same hysteria came about in May of ’06 with Lenovo, at which time I made the same argument. The only difference in this case is that this is an actual threat instead of a perceived threat.

In the article it also says…

“The tainted portable hard disc uploads any information saved on the computer automatically and without the owner’s knowledge to www.nice8.org and www.we168.org, the bureau said.”

So following this trail, starting with nice8.org, we come up with:

Domain ID:D145807509-LROR
Domain Name:NICE8.ORG
Created On:11-May-2007 07:20:24 UTC
Last Updated On:27-Sep-2007 05:57:07 UTC
Expiration Date:11-May-2008 07:20:24 UTC
Sponsoring Registrar:Xin Net Technology Corporation (R118-LROR)
Status:OK
Registrant ID:JHV8DUH7W9TIL
Registrant Name:ga ga
Registrant Organization:gaga
Registrant Street1:gagaga
Registrant Street2:
Registrant Street3:
Registrant City:gaga
Registrant State/Province:Beijing
Registrant Postal Code:126631
Registrant Country:CN
Registrant Phone:+86.2164729393
Registrant Phone Ext.:
Registrant FAX:+86.2164660456
Registrant FAX Ext.:
Registrant Email:safsafsa@ca.ca

Apparently we are dealing with an evil mastermind named “Ga ga” who lives on “gagaga street”. I have heard grumblings of this madman in the hacker underground. Okay, so it’s made up… probably random keyboard bashing. Dead end. You get similarly worthless results when whois-ing we168.org. Both domains are down now.
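Eyeballing a whois record for keyboard bashing is exactly the kind of triage that is worth scripting once you have more than one domain to look at. As an added example (my own code, not from the original post), the Python below parses the record quoted above and applies a few hypothetical heuristics: identity fields built from only a handful of distinct letters, a domain that is very young relative to the incident, and a registration for only the minimum one-year term. The observation date is assumed to be the article’s date (11 November 2007) and the thresholds are chosen for illustration, not taken from any standard.

```python
from datetime import datetime

# The registrant record quoted above, embedded here as the sample input.
WHOIS_RECORD = """\
Domain ID:D145807509-LROR
Domain Name:NICE8.ORG
Created On:11-May-2007 07:20:24 UTC
Last Updated On:27-Sep-2007 05:57:07 UTC
Expiration Date:11-May-2008 07:20:24 UTC
Sponsoring Registrar:Xin Net Technology Corporation (R118-LROR)
Status:OK
Registrant ID:JHV8DUH7W9TIL
Registrant Name:ga ga
Registrant Organization:gaga
Registrant Street1:gagaga
Registrant Street2:
Registrant Street3:
Registrant City:gaga
Registrant State/Province:Beijing
Registrant Postal Code:126631
Registrant Country:CN
Registrant Phone:+86.2164729393
Registrant Phone Ext.:
Registrant FAX:+86.2164660456
Registrant FAX Ext.:
Registrant Email:safsafsa@ca.ca
"""

# Free-text fields worth checking for filler (chosen for this example).
IDENTITY_FIELDS = ("Registrant Name", "Registrant Organization",
                   "Registrant Street1", "Registrant City", "Registrant Email")


def parse_whois(text):
    """Split 'Key:Value' lines into a dict; keys keep their original spelling."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            record[key.strip()] = value.strip()
    return record


def parse_date(value):
    """Parse the registry's '11-May-2007 07:20:24 UTC' timestamp format."""
    return datetime.strptime(value.replace(" UTC", ""), "%d-%b-%Y %H:%M:%S")


def looks_like_filler(value, min_len=4, max_distinct=3):
    """Hypothetical heuristic: a value made of only a few distinct letters,
    such as 'gagaga' or 'safsafsa', is probably keyboard bashing."""
    letters = [c for c in value.lower() if c.isalpha()]
    return len(letters) >= min_len and len(set(letters)) <= max_distinct


def triage(record, observed_on, young_days=365):
    """Return a list of human-readable findings about a parsed registrant record."""
    findings = []
    for field in IDENTITY_FIELDS:
        value = record.get(field, "")
        # For the e-mail address only the local part is free text worth scoring.
        probe = value.split("@")[0] if field.endswith("Email") else value
        if looks_like_filler(probe):
            findings.append(f"{field} looks like filler text: {value!r}")
    created = parse_date(record["Created On"])
    age_days = (observed_on - created).days
    if age_days < young_days:
        findings.append(f"domain was only {age_days} days old when observed")
    term_days = (parse_date(record["Expiration Date"]) - created).days
    if term_days <= 366:
        findings.append("registered for the minimum one-year term")
    return findings


if __name__ == "__main__":
    # Observation date assumed to be the article's date, 2007-11-11.
    for finding in triage(parse_whois(WHOIS_RECORD), datetime(2007, 11, 11)):
        print("-", finding)
```

None of these signals proves anything on its own (plenty of legitimate domains are young or registered for one year), but together they give an analyst a quick reason to deprioritize the registrant data and move on to other indicators, which is the conclusion the post reaches by hand.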

Mac OS X Trojan in the Wild

There are reports of an in-the-wild Trojan horse program that targets Mac OS X systems. Users are encouraged to visit malware-serving sites through spam messages in Mac forums. The Trojan, which pretends to be a QuickTime plug-in, can hijack users’ search results, sending them to websites the attackers want them to visit.

http://isc.sans.org/diary.html?storyid=3595
http://www.scmagazineus.com/Trojan-targets-Mac-users/article/58290/

This is yet another example of malware exploiting stupidity, and that’s all. I am sick of people jumping at every trivial little article they find regarding Mac malware and saying “see, the Mac isn’t safe either”.

First off, nothing is ‘safe’… just safer. Second, you can have the most secure operating system in the world, but if someone is stupid enough to install malicious software onto it then it will be infected just like Windows.

When I see a self-propagating worm that exploits a zero-day vulnerability in OS X, only then will I change my rant… but only slightly. 🙂