A quick post to tell everybody that OpenBSD's Markus Friedl is requesting everyone to test the latest ->OpenSSH 3.6 nightly snapshots to help ensure a quality final release. Read the original post to
In recognition that guaranteeing network security is vital to the future roll-out of electronic commerce, and in the context of growing concern over the increasing potential for cyber-attacks, the European Commission has proposed the ->creation of a European Network and Information Security Agency (ENISA).
The agency is designed as a centre of competence where both member states and EU institutions can exchange information and seek advice on matters relating to cyber-security. You'll find the original announcement ->here (in .doc format, which is something I do not understand???). I hope the agency will have some interesting initiatives, as the similar agencies in the USA did for hardening Linux.
Here is a transcript of a mail sent by ->Niels Provos to the focus-ids mailing list. Among other things, Niels is doing amazing work on different projects like ->honeyd, ->OpenBSD, ->OpenSSH, ... Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems. Honeyd can help to build a complete honeynet architecture.
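To make the "virtual hosts, arbitrary services, adaptable personality" description concrete, here is a small Honeyd configuration file written for this post; it is an added example, not taken from the Honeyd distribution or from Niels' mail. The template names, the addresses (RFC 1918 space) and the service script paths are constructed for illustration; the personality string is assumed to match an entry in the nmap.prints file Honeyd ships with, which is what makes the emulated host answer fingerprinting probes like the chosen OS.

```text
# Added example: a minimal Honeyd configuration with two virtual hosts.
# Template names, IPs and script paths are constructed for this post.

# Catch-all template: anything not explicitly bound is silently dropped,
# so unconfigured addresses do not give away the honeypot.
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

# A virtual host that looks like an old Windows box to fingerprinting
# tools (personality string assumed to exist in nmap.prints).
create windows
set windows personality "Microsoft Windows NT 4.0 SP3"
set windows default tcp action reset
set windows default udp action reset
# Arbitrary services: a script emulates the daemon, a plain "open"
# just completes the handshake and logs the connection.
add windows tcp port 80 "sh scripts/web.sh"
add windows tcp port 25 "sh scripts/smtp.sh"
add windows tcp port 139 open
add windows udp port 137 open
set windows uptime 3284460

# A second virtual host with a different personality on the same segment.
create linux
set linux personality "Linux 2.4.x"
set linux default tcp action reset
add linux tcp port 22 "sh scripts/ssh.sh"
add linux tcp port 80 "sh scripts/web.sh"

# Bind templates to the unused addresses Honeyd will answer for.
bind 192.168.1.201 windows
bind 192.168.1.202 linux
```

The value for a defender is in the two "default" lines: every unconfigured port on a bound host sends a RST rather than hanging, and every unbound address is blocked, so the emulated hosts behave consistently enough under a port scan that the personality, not the gaps, is what an attacker's tooling reports. Each connection to a script-backed port is then recorded in Honeyd's log, which is the raw material for the forensic analysis tools the challenge below asks for.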
With the release of Honeyd 0.5 over the weekend, I am pleased to also announce the first Honeyd challenge!

Honeyd is a virtual honeypot running as a small daemon to create virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems.

The goal of this challenge is to develop interesting feature additions to Honeyd. Possible improvements are forensic analysis tools for Honeyd log files, passive fingerprinting of connections, realistic routing topologies, etc. Your submissions will be judged by a panel of experienced volunteers, rated, and shared with the security community.

We are able to award prizes to the best submissions. Top prizes include a free pass to CanSecWest/core03 including a free hotel room for up to four days, a $200 and a $100 Amazon gift certificate. Furthermore, the top ten entries receive a copy of Lance Spitzner's new book "Honeypots: Tracking Hackers," signed by Lance and me. Judges include:

- Mike Clark
- Job de Haas
- Niels Provos
- Rain Forest Puppy
- Lance Spitzner

The challenge officially begins on Monday the 17th of February. You have four weeks to complete your submissions. Please, send your results no later than 24:00 GMT, Friday, March 14th. Submissions will be judged and released on Friday the 21st of March. More information on the challenge and submission requirements can be found at http://www.citi.umich.edu/u/provos/honeyd/challenge.html

All questions, concerns, and submissions should be sent with a subject including "Honeyd Challenge" to provos-honeyd@citi.umich.edu

We hope that you have fun with this challenge. Our ultimate goal is to show the usefulness of tools like Honeyd, allow you to improve your understanding and share the lessons learned.

Regards,
Niels Provos.
I'm taking one week off. Yabon and scs will not be updated before next week (February 17th 2003). Luckily, several small papers of my own are on their way! Until then, feel free to browse the archives and my friends' blogs. Happy browsing and take care.
Grégoire.
Here is an interesting opinion to add to the ongoing debate about the full disclosure of security flaws. British security specialist David Litchfield (->news - ->website) has said that a small bit of the code he made public at a security conference in the US last year, showing how a vulnerability in Microsoft SQL Server 2000 could be exploited, was used by the author of the Slammer worm.
[...] in the light that someone has taken my code and put portions of it to nefarious purposes, I have to question the benefit of publishing sample code. How much 'good' was achieved by publishing the code and how much 'bad' came out of it. Normally the good, by far, outweighs the bad - but there are infrequent cases like we have all just experienced, where perhaps the bad outweighs the good
[...] With this in mind I am questioning the benefits of publishing proof of concept code. I am due to present a paper on the remotely exploitable buffer overrun in the Microsoft Locator service at Blackhat this February but should I then also publish the code used to demonstrate the problem? Should I even be discussing the problem in a public arena?
IMO, full disclosure and proof-of-concept code are not the problem here. The recent advisory regarding a ->security hole in the products from VanDyke Software shows a good example of a successful collaboration between a security analysis firm (which made the advisory public) and a software vendor (which released the patch).
The original notification of this vulnerability was made to VanDyke Software by iDefense on January 10, 2003 and was announced publicly on January 29, 2003.
VanDyke posted this page (editor's note: the patch page) on January 29, 2003.
Even more, I'm convinced that full disclosure is really needed. Releasing a full-disclosure advisory for a given security flaw can put pressure on the vendor to release the appropriate patch. And here comes the real problem: the patch. It's been one of the dirty little secrets of the security industry for years: software patches don't work. The Slammer worm is exactly that: a patch problem. The patch was made available months ago but was not applied, because patching is a time-consuming and painful process (investigation, tests, deployment, support). This point is very well explained and detailed in ->Anticipating the Unknown from eWeek.