Re: Introduction

Kevin J Ziese (ziese@gizmo.csap.af.mil)
Sun, 26 Mar 1995 12:17:03 +0000

One of the problems I see with all the new introductions is that the 
existing people on the list, who the new people would probably like to 
know about too, don't reintroduce themselves.  Usually, introductions 
work both ways.  Does anyone have an idea on how we might be able to 
handle this?  Perhaps there's a list server command that already 
addresses this?

On another topic, I just wanted to mention that the Distributed Intrusion 
Detection System (DIDS) Version 2 has now been completed and released.  
DIDS, as many of you know, is a heterogeneous network monitoring tool 
designed to provide a visual trace, and audit level data, of suspicious 
users.  Version two incorporates new features like tagged objects so you 
can watch 'things' instead of 'users'.  Clearly, there's value in watching 
the cheese vs looking for the mice.  DIDS is available to DOD customers 
for a song.  I am the point of contact for questions.

DIDS currently runs on a variety of different clients and the server 
itself is hosted on a Sun workstation.  The network bandwidth penalty is 
less than 5% but as we all know, your mileage may vary.  My 
re-introduction is that I'm the Chief of Countermeasures Development at 
the AF Information Warfare Center.  DIDS is one, of many, 
responsibilities my team has.  Essentially, we build countermeasures to 
stop crackers -- whether they are twinkie eaters or actual enemies.  DIDS 
is one of our big ticket tools, but we have many other small tools that 
we build in house to counter the threats we see.  We also work closely 
with the national investigative and intelligence communities to stay on 
top of the threat and to 'collect' new tools and techniques that can be 
used against us.

Currently, the DIDS paradigm is detection based, but we've made the 
decision to become more 'prevention' based.  Now, before the war starts 
-- this doesn't mean DIDS will take action all on its own.  It means that 
we intend to define a series of behaviors as 'suggested' evil and provide 
the 'choice' to automatically prevent/terminate them (we won't quibble 
here on the list about real-time, network propagation delays, etc).  As 
an example, becoming root when you're not in the wheel group is a definite 
candidate for a configuration file entry -- if this happens, would you 
like us to kill the shell and then lock out the account?  If yes, okay.  
If not, we'll faithfully record it.  Our emphasis will be on trying to 
prevent the twinkie eaters from hurting our systems.  In cases where 
real-time delays occur, my actual experience tracking hackers has 
convinced me that the approach I described above would frustrate their 
efforts to no end.

How many other ID systems are out there that can support this type of 
environment?  Do they all need to tweak the kernel <we don't as of this 
writing>?  Sidewinder tweaks the kernel to enforce role based 
authentication mechanisms, which is similar, but not the same, as the 
paradigm we advocate.  How do 'we' <this list> build an intrusion 
detection database that lets us compare the different products on the 
same general level?  Essentially, we need some type of maintained attack 
database and then a protocol for evaluating the products.  Without that, 
we teeter dangerously close to the snake oil problem (no, that's not a 
reference to Cliff's new book -- I just like that phrase).

By the way, I noticed many new arrivals because of the concern/fear over 
SATAN and I thought I'd add my two cents here.  First, if SATAN is that 
big a problem, then the hackers are doing us a favor because networks 
that fall to these attacks need to be secured before we allow any more 
traffic on them.  Two, I wonder how many people realize that SATAN is an 
excellent tool for testing an intrusion detection system <leave the box 
unprotected and see what your IDS can 'really' do>.  SATAN is a 
double-edged sword, agreed, but given the poor state-of-the-art in this 
area, SATAN will help nudge us, perhaps with some kicking and screaming, 
forward.  This is only my opinion, but it's based on actual experience 
tracking hackers and interviewing them after they're caught.  An 
interesting counter problem here -- has any of the people complaining 
about SATAN done a showrev command on their boxes to see what, if any, 
security patches are installed?  PS -- I realize this is preaching to the 
choir for many of us -- I realize that and apologize in advance -- but I 
wanted to provide some grist for the discussions we all, inevitably, will 
have with others on this topic <there's strength in numbers>.

Kevin Ziese, Capt, USAF                      210-377-0477 (Voice)
Chief, Countermeasures Development           210-377-1326 (Fax)
AF Information Warfare Center                800-759-8888 (PIN 2927686)
1100 NW Loop 410, Suite #607                 ziese@lorenz.csap.af.mil
San Antonio, Texas  78213                    Email is always preferred
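As an added illustration of the configurable prevent-or-record scheme described in the post above (example code, not the poster's own and not DIDS; the audit events, the wheel-group membership and the policy table are all constructed for the example):

```python
"""Added illustration (not the original poster's code, and not DIDS):
a small policy evaluator for the 'suggested evil' scheme in the post.
The audit events, the wheel-group list and the policy table are
constructed for the example; nothing is read from a real system."""

# Constructed audit-level events, one dict per record.
SAMPLE_EVENTS = [
    {"user": "alice", "event": "setuid", "new_uid": 0},   # alice is in wheel
    {"user": "bob",   "event": "setuid", "new_uid": 0},   # bob is not
    {"user": "carol", "event": "login",  "tty": "ttyp1"}, # ordinary login
]

# Constructed wheel group membership.
WHEEL_MEMBERS = {"alice"}

# Operator's configuration entry per behaviour: "prevent" (kill the shell
# and lock the account) or "record" (log it and take no action).
POLICY = {"root_without_wheel": "prevent"}

def classify(event, wheel=WHEEL_MEMBERS):
    """Return the name of the suspicious behaviour an event shows, or None."""
    if event["event"] == "setuid" and event.get("new_uid") == 0 \
            and event["user"] not in wheel:
        return "root_without_wheel"
    return None

def decide(event, policy=POLICY, wheel=WHEEL_MEMBERS):
    """Map one event to the responses the configuration calls for.

    Every match is recorded; 'prevent' additionally kills the shell and
    locks the account, mirroring the choice the post describes."""
    behaviour = classify(event, wheel)
    if behaviour is None:
        return []
    actions = ["record"]
    if policy.get(behaviour, "record") == "prevent":
        actions += ["kill_shell", "lock_account"]
    return actions

def run(events=SAMPLE_EVENTS, policy=POLICY, wheel=WHEEL_MEMBERS):
    """Evaluate every event; return {user: actions} for those that matched."""
    return {e["user"]: decide(e, policy, wheel)
            for e in events if decide(e, policy, wheel)}

if __name__ == "__main__":
    for user, actions in run().items():
        print(f"{user}: {' -> '.join(actions)}")
```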