First Post
Somebody had to be the one to write the first post on our new nCircle VERT weblog.
At least for today. Figured I'd post my own "me too, hey, it's just a test, is this thing on" message.
Next week, I'll be in San Francisco at RSA - I'll be blogging some of the highlights of the show, including our event with Gartner and our cocktail reception.
We're also going to have an OVAL Board get-together at some point - should be interesting to meet a lot of those people in person, especially now that we're kicking off the development of the unauthenticated side of the OVAL schema.
I was talking to a reporter yesterday about RSA - he said that he had never seen so many security companies contacting him about a show before. It's interesting to see the growth in this industry. I think it's mostly due to the fact that security is a relatively big buzzword these days - there are a million people peddling all sorts of interesting security solutions. And there's a lot of snake-oil out there, too.
It's great to be at a company that actually has satisfied customers and a product that genuinely makes people smarter about their security - we're not perfect, but I'm sure that there are going to be products we see at RSA that don't actually make life easier for the security departments out there.
I'll blog more from RSA next week - I'm sure there's going to be lots of good, bad and ugly out there.
I just finished reading Michael Bauer's new post on the O'Reilly Network entitled "Fear and Loathing in Information Security". And I found myself shaking my head.
As long as I've been in information security, I've listened to people in the community complain about the misappropriation of the word "hacker" by the mainstream to mean "criminal". We tried to get them to call the criminals "crackers". We whined. We complained. We protested. We like the word and we wanted everyone else to like it too.
But it's 2005. And Mr. Bauer is just plain wrong.
To put it very simply: there are two very distinct understandings of the word "hacker". One of those is understood by our peers in the infosec and software community - it's a compliment about the way someone approaches ingenious problems. If someone in that community calls me a hacker, I take it as a compliment.
The other meaning of "hacker" is the one understood in the mainstream - my mom's (and probably your mom's) definition of the word. In that world, a hacker is a person who breaks into things. The public doesn't view "hacker" as a term implying skill - only a term implying a pest who breaks into their computers and steals their information. And the people talked about in the speech he was quoting were exactly those types of people - we'd call them script kiddies or some equally derogatory term. And my mom (and probably your mom) would call them "hackers".
That isn't going to change. It's time to get over it.
We can feel free to use the word as we see fit amongst ourselves - it's jargon for our community. However, the rest of the world won't ever change to use the word that way.
And we can revel in that fact - we have a word that the rest of the world doesn't need to understand. It's something that means a different thing to our peers than to outsiders of our little club. It differentiates the person who got their CISSP as a checkbox on their resume and studied only from "CISSPs for Dummies" from the person who got it because they felt like reading the Rainbow series and academic papers on crypto and decided that it was a convenient reason to do so.
We also have to learn to use the word in the appropriate sense at the appropriate time, and to know when not to use it at all.
Of course, Mr. Bauer doesn't need to address these issues - he's writing on the O'Reilly Network. They understand that meaning of the word.
One can be incredibly self-righteous when he knows that he's preaching to the choir.
For the perfect illustration of my last post, read the comment trail on Mr. Bauer's post.
Seems that there were some non-choir members in the audience after all. ;)
strolled around the vendor exhibits at rsa today. all i can say is, what a bunch of snake oil.
ZDNet today posted this article about the newly designed vulnerability scoring system that Qualys is announcing at RSA today. I found one line particularly interesting:
"[The system] is designed to provide the first systematic grading of flaws that can be used by companies to assess damage to their vulnerable systems and to prioritize patching."
Well, not quite the first. We've been doing that with nCircle's scoring system for over 5 years. With exactly the same criteria for evaluation. I imagine that they've made some changes - it'll be interesting to see what they've done and if they've run into some of the same flaws as our early versions. I'll post more on that once I've read the paper describing the metric.
I think that this is an excellent thing for the industry - there's no doubt that all of the products need to have a granular metric to assist their customers. Our customers see the benefits of the system on a daily basis - it's good that others in the industry are finally catching up to that view of the world.
It's one that we've had for 5 years now.
Our own Mike Murray gets quoted again, this time on a new MyDoom worm. Putting the mechanics of the worm aside, how many times do we tell people "don't open attachments"? This worm and a few previous ones have preyed on the user's eagerness to open email from what they think is their friendly tech support team. The question of the day is "when are we going to make non-repudiation part of the norm?" Reading email is second nature, but obviously something about email lures us into assuming the From field is always accurate. Technology, like MTV, has tricked us. We buy P Diddy clothes at 10,000 times the markup and continue our failure to adopt non-repudiation into our everyday lives.
NIAC presented their previously described new vulnerability scoring system at RSA today. I wasn't in the room myself, but have heard a couple of first-hand accounts so far - also, I had seen one of the earlier NIAC drafts.
The scoring system definitely has a couple of good points - they made the good choice of differentiating authenticated and un-authenticated vulnerabilities as well as the acknowledgement of different attack vectors as a key point of severity. They also made many of the same choices we made 5 years ago: being aware of the complexity of the attack as an important factor, being aware of depth of access as the fundamental component of risk, and so on.
However, I believe that they made a fundamental error when it comes to the temporal component of their metric: they forgot the audience. The temporal component of the new scoring system works to reduce the score from day #1 until day #n - that is, the vulnerability gets less severe as time marches forward.
This is true in a very global sense: as the enterprises patch vulnerabilities, they become less severe. Thus, the vulnerability (from a global perspective) becomes less wide-spread.
However, this metric isn't designed to talk about the global severity of the vulnerability - it's designed to assist end-users in their decisions on how to patch. Because of this, the thinking above is absolutely backwards.
While a vulnerability may be globally less severe with time because the number of instances grows fewer, the number of available tools and exploit vectors continues to grow (albeit at a slower rate) with each additional day that the vulnerability is publicly accessible. This should be obvious to anyone who has ever done a penetration test: the brand new Solaris vulnerability is less likely to have an exploit than the 4-year-old Solaris RPC vulnerability. I always loved it when I found a box that was unpatched against older exploits - it made my life easier.
Just like it makes the life of any attacker easier.
This metric (much as our scoring system) is designed to prioritize patching - as I see it, the vulnerabilities that make it easier for an attacker to compromise YOUR network are the ones that have the highest priority, regardless of their global significance.
That will always be the oldest, best known ones.
Because of that, the new CVSS (Common Vulnerability Scoring System) is doomed to fail to actually do what it's supposed to do best - allow customers to protect their networks from attackers.
On Tue, 8 Feb 2005, Dave Aitel wrote:
This is a quick announcement that the recent Microsoft patch (MS-05- has fixed a vulnerability I found a while back in SMB. [excerpted from http://lists.virus.org/dailydave-0502/msg00031.html]
Very convenient how these guys are like 'oh yeah we found that years ago but didn't do anything with it'. Seems to me they like holding on to their shit so they can talk themselves up and look cool, which isn't in keeping with an honourable way to carry one's self, if you ask me.
When I was younger I read, and subsequently became a huge fan of, Steven Levy's book 'Hackers'. I'm sure most people (of a hackish nature) are familiar with the book and with the 'Hacker Ethic' that it takes care to promulgate. I thought it was a noble and beautiful creation. To wit, an excerpt from the Hacker Ethic as listed in the book:
Access to computers -- and anything which might teach you something about how the world works -- should be unlimited and total. Always yield to the Hands-On Imperative! Hackers believe that essential lessons can be learned about the systems -- about the world -- from taking things apart, seeing how they work, and using this knowledge to create new and even more interesting things. They resent any person, physical barrier, or law that tries to keep them from doing this.... Rules which prevent you from taking matters like that into your own hands are too ridiculous to even consider abiding by.... All information should be free. [From Hackers: Heroes of the Computer Revolution by Steven Levy. Anchor Press / Doubleday. New York, 1984.]
I recognize the need for trade secrets, and that the quality of our life is dependent on the ability to do business and acquire commodities that address our needs as human beings. But there has to be a middle ground and an honourable way to do it. I am aware of the hypocrisy in my own life; I don't live up to the hacker ethic all the time either.
Maybe he didn't want to share the information 'cos he had concerns someone would take it and claim it was theirs. So what? Let it all hang out man - karma will take care of the rest.
so, about maybe 2 months ago, one of my teeth became incredibly sensitive to hot and cold. it was awful. i'd grab a cold bottle of water, take a big drink of it and then i'd feel like someone was drilling into my jaw. horrible.
over the course of the last two months, it went from hot/cold sensitivity, to occasional pain, to pain whenever i touched it with my tongue, to just plain constant pain. so i had to call the dentist yesterday morning, have them take a look. because, as you probably know, mouth pain sucks.
it was my upper right side wisdom tooth. both of my wisdom teeth on the left side were removed in the early 90's by an oral surgery student at the university of the pacific dental school. it cost me only $400 for 2 local-only extractions. lots of cracking and bleeding later, i was less two painfully impacted molars. i never did get around to having the others removed. that is, until yesterday.
lucky for me, the dentist could see me immediately. when i got there they took some x-rays using some new tech i'd never seen before. it was a usb x-ray thing they stuck in my mouth which made me gag. x-rays always make me gag, but this one took the cake. good for me it was fast.
turns out the dentist also does rudimentary extractions right there in his office, and after seeing the x-rays, decided he could do it himself. so, much cracking and pinching later, my problematic wisdom tooth was out.
so what was causing all that pain? that particular tooth, on the side facing the tooth in front of it, had a giant cavity in it. a cavity so big it went down to the inside of the tooth. it was frightening. it was filled with unidentifiable organic matter. it was disgusting. glad it's gone.
so what, you ask, does this have to do with security? well, i'll tell you...
just because you can't see it from the outside, or can't get to it, doesn't mean it can't hurt you. badly. patch your boxes. no matter where they are. otherwise, you are going to be in a world of hurt when someone manages to stuff a couple hundred kbytes of kernel rootkit into that cavity and then twists it around a few hundred times. heh.
Douglas Schweitzer published an article in Computerworld entitled "Two Sides of Vulnerability Scanning". Mr. Schweitzer says that you shouldn't choose between passive and active vulnerability monitoring.
http://www.computerworld.com/newsletter/0,4902,99997,00.html?nlid=SEC
Here are a series of common questions that I am asked on the subject and my associated replies.
Question #1
- Do you believe that passive vulnerability assessment will ever take the place of active vulnerability assessment?
It is my opinion and experience that passive assessment will never replace active assessment. Passive has an opportunity to complement the active discovery process both in terms of time and space.
Time, in the sense that passive discovery will always need to wait for application A to speak to application B before it can capture any data, whereas active scanners can ask whenever they want, since they control the entire transaction and the timing of the discovery.
Space, in the sense that not everything you want to discover will answer if you speak to it in an active manner. The over-arching objective is the accurate and timely discovery of vulnerabilities and exposures, and the combination of the two is very powerful.
Question #2
- Are there any advantages that passive vulnerability assessment has over active vulnerability assessment?
I'd like to address both the advantages and disadvantages of passive discovery. First, let's get the real-world obstacles out of the way. Here are a few assumptions:
[Assumption #1] The customer is ready and willing to plug yet another set of traffic analyzers in to their global network. The number of points on the network where passive monitoring can be performed is scarce. Customers view monitoring real estate like analyzer ports on switches or network taps as already occupied or rare. If the strategy is to place the passive vulnerability scanner on each end-point, let's just say that obtaining a footprint on all the active TCP/IP devices on the network is an even greater challenge.
[Assumption #2] The traffic that is being captured is complete to the degree that it is useful to the analysis. This problem is both topological and cryptographic. We assume that the traffic is in the clear, so that we can perform some passive analysis, and we assume that the placement of the passive capture can view most, if not all, of the session between application A and application B.
For the sake of this discussion, let's assume that assumptions #1 and #2 hold optimally for passive assessment in the customer's environment.
The advantages include, but are not limited to:
[Advantage #1] Provides an observational analysis of client vulnerabilities. Unlike server software programs, client software programs do not have listening network ports. Passive vulnerability scanners can spot such a client at the time it becomes active and do not require listening network ports (sockets) to perform the assessment.
[Advantage #2] Provides an effective method to address the massive address space of IPv6. The address space of IP version 6 is so large that walking it from the first IP assigned to the last may take you 15 years (an enumerative strategy). It is simply no longer practical to have an active discovery of everything on the "wire". Passive methods of watching for active addresses in this very large space add value to a solid v6 vulnerability management strategy.
[Advantage #3] Zero-touch; no chance at all of ANY adverse effects on the server application since all you are doing is watching from a distance.
[Disadvantage #1] The main downside to passive vulnerability scanning can be summed up in one question. "How can the passive analyses NOT fall victim to DECOY or DECEPTION?" In security, we are dealing with an active opponent who can and will use methods of decoy and deception to their advantage. The problem with watching the "wire" for events (simple or complex) is the fact that your attacker can at any point exhibit events that mislead technology or resources to your opponent’s advantage. Active measures are resilient to this threat since they control the timing and content of the entire transaction. Essentially, this is why an active assessment is primary and passive is secondary.
If you subscribe to Disadvantage #1, you are not saying that passive assessment is useless. What you are saying is that the "cheap" header information that can be gathered is useful but should be treated with skepticism. The expensive passive analysis deep within the payload has diminishing value since there is little protection from DECOY and DECEPTION.
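The trust reasoning described above (cheap passively observed headers are usable but suspect, active probes are primary because the scanner controls the transaction) as an added illustration; this is example code written for this page, not nCircle's code or IP360's Factored Reasoning, and the trust weights, hosts and banners are constructed assumptions:

```python
"""Reconcile passive and active vulnerability-assessment evidence per (host, port).

Active observations take precedence because the scanner controlled the whole
transaction; passive-only observations are kept at low confidence, and any
disagreement between a passively seen banner and an active probe is flagged
as a possible decoy or deception.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed trust weights for this example, not a published metric.
TRUST = {"active": 1.0, "passive": 0.4}


@dataclass(frozen=True)
class Observation:
    host: str
    port: int
    source: str    # "active" or "passive"
    service: str   # service/version claimed by a banner or HTTP Server header


def reconcile(observations):
    """Return {(host, port): verdict}; verdict holds the trusted service string,
    a confidence in [0, 1], a conflict flag and the list of contributing sources."""
    by_key = defaultdict(list)
    for o in observations:
        by_key[(o.host, o.port)].append(o)
    verdicts = {}
    for key, obs in by_key.items():
        active = {o.service for o in obs if o.source == "active"}
        passive = {o.service for o in obs if o.source == "passive"}
        if active:
            # Active evidence is primary: it cannot be planted on the wire by a third party.
            service = sorted(active)[0]
            conflict = bool(passive - active)   # passive banner disagrees with the probe
            confidence = TRUST["active"]
        else:
            # Passive-only evidence: usable for inventory, but treat with skepticism.
            service = sorted(passive)[0]
            conflict = len(passive) > 1          # the wire showed two different stories
            confidence = TRUST["passive"]
        verdicts[key] = {"service": service, "confidence": confidence,
                         "conflict": conflict,
                         "sources": sorted({o.source for o in obs})}
    return verdicts


# Constructed sample observations (not real hosts or scan results).
SAMPLE = [
    Observation("10.0.0.5", 80, "passive", "Apache/1.3.29"),
    Observation("10.0.0.5", 80, "active", "Apache/1.3.29"),    # corroborated
    Observation("10.0.0.7", 80, "passive", "Microsoft-IIS/4.0"),
    Observation("10.0.0.7", 80, "active", "nginx/0.1.0"),      # sniffed banner disagrees
    Observation("10.0.0.9", 8080, "passive", "Jetty/5.1"),     # never answered actively
]

if __name__ == "__main__":
    for key, verdict in sorted(reconcile(SAMPLE).items()):
        print(key, verdict)
```

Hosts that appear only in the passive set (like the 8080 listener above) are exactly the cases the post says to keep but distrust until an active measure can confirm them.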
Question #3
- 18 months from now, what capabilities do you think we can expect from state of the art vulnerability assessment?
One thing is certain: customers will be able to go well beyond the discovery of vulnerabilities. They will be able to not only identify vulnerabilities but also continuously discover higher-level elements like applications (down to the major and minor revisions) and protocols, not through inference but by actually communicating with the hosts and having the evidence.
The leaders in this space will also keep the data collection separate from the analysis so that both will be able to evolve in parallel. These vendors will be able to bring together both passive and active data collection without breaking any of the analysis objectives.
Last but not least, if the data set for this passive analysis is already the output of network infrastructure, vendors should look to leverage the customer's infrastructure before asking the customer to manage yet another hardware or software solution for this passive data acquisition.
nCircle understood these issues long ago and it is the only Vulnerability Management product on the market with an architecture that can leverage the strengths of both active and passive data without any compromise to the analysis. Through nCircle's Patent Pending Factored Reasoning, IP360 is able to determine what data gathered in passive and active acquisition can be trusted and what data might just be placed on the network as decoy or to deceive the customer. It is through this trust that information can be leveraged in automated tasks, and the system then becomes a force-multiplier for IT Operational staff. 2005 is going to be a huge year for the IP360 product and nCircle will drive the value of VM to new levels.
--Tim "TK" Keanini
This page contains all entries posted to 360 Security in February 2005. They are listed from oldest to newest.