Ranum's Rants

FUDwatch: Armenia

by Marcus J. Ranum on May 3, 2013

For a field that loves statistics, computer security sure treats them casually. In order to get my humble BA in Psychology, I absorbed my share of course hours in statistics and testing methods, including a set of lectures based upon Darrell Huff's brilliant book, "How to Lie with Statistics", which I highly recommend. It's fun, easy-reading satire, and those lectures had the effect of making me hyper-skeptical about any large, round number that's thrown my way. Sometimes I get the urge to play, and this is one of those times. Please don't take anything from this point forward very seriously...

The Big Red Button and the Kill Switch

by Marcus J. Ranum on April 25, 2013

I have no idea if I had a role in the "Internet Kill Switch" debacle, but it's possible that I was one of the pushes that got that particularly horrible ball rolling. Back in 2002, when I was between jobs, I did a talk at CSI in Chicago, about the need for organizations to be better able to react to attack, especially if they were part of critical infrastructure. At the time, I was concerned particularly with denial of service attacks; I had been thinking about them and had concluded that it's never going to be possible to completely prevent such attacks. "Well, that has big implications for...

Recap: Geeking Out II with Marcus

by Marcus J. Ranum on April 15, 2013

Ron and I spent most of the webcast rotating around the theme of detection algorithms: how do you determine what is normal and what is not? We started off with one of my favorite questions, "Are there only two algorithms? Statistics - of some sort - or matching?" I think that, by the time we were done, the two approaches had withstood the argument. We also dug into some of the issues in designing large-scale log analysis systems, and how to tier architectures, do your filtering at the edges of the network, and where to maintain copies of the actual logs themselves. On the algorithms side, we...

New "Geeking Out" Interview Series

by Marcus J. Ranum on March 19, 2013

In case you didn't know, I have been hosting a series of "Geeking Out..." interviews with a couple of my friends in the industry. What I want to do with the series is conduct focused interviews with practitioners who are out there dealing with the tough problems in our field; I'll ask them what works and what doesn't and why, and we'll all get a chance to learn and have an interesting conversation. The series is being done as a webinar, and audio will be available after the webinar. Since it's a webinar, there's an opportunity for listeners to ask questions. We'll almost certainly never be...

Comments and Commenting Policy

by Marcus J. Ranum on March 7, 2013

I believe that one of the things that gives a blog life and interest is its commentariat. This is not a free-for-all zone, however, so comments are moderated (for appropriateness, spam blocking, etc). The comment area is intended so you can talk amongst yourselves, though I'll try to review it and may respond occasionally. If you have a question that may be appropriate to answer in a blog posting, I reserve the right to lift your comment out of the comment section and address it at more length. Or, if you want to email me comments, questions or topics you think I might want to address, feel...

Information Sharing: Learn From Past Mistakes

by Marcus J. Ranum on March 7, 2013

I've been asked repeatedly for my opinion about the APT1 report, and every time I try to respond I find myself waffling. The reason is simple: I think the report is a good thing, a sign of deep dysfunction in security, a stimulant to information sharing, an indicator of failed foreign policy, a brilliant marketing maneuver and a bit of business as usual. It's hard to pull those together into a simple "yes, it's a good thing!" answer. If nothing else, it's going to serve as a stimulant for worthwhile discussion for at least the next 5 years. One possibility is that it will be the only such...

Not All ‘Cybers’ Are Created Equally

by Susan Brown on February 29, 2012

By Marcus Ranum, Tenable CSO

What do these four terms have in common? Cyberwar, Cybercrime, Cyberespionage, and Cyberterror.

- They all start with the word ‘Cyber’
- They’re all bad stuff
- And they’re all consistently confused with each other, despite significant differences (and sometimes conflicts) between them

Many people already know my position on ‘Cyberwar’, but things have changed significantly over the past four years in IT and physical security, technology, the government, and the military. The actual ‘Cyber’ landscape is much more nuanced than many seem to realize, which has created an unnecessary public perception of extreme vulnerability (which can lead to fear, which can be dangerous).

Your APT Anti-Hype

by Paul Asadoorian on March 1, 2010

In the interest of helping you cope with the "APT" hype, I thought I'd offer a few observations and ideas about things you can do that might actually help. After all, it's too easy to point and shout "hype"; the truth is that there is a problem, and system and network administrators who are concerned with security do have to worry about long-term embedded penetrations in their network.

There are two primary approaches to Intrusion Detection, and they both work. But they work against different threats, for different reasons. One is the 'classical' IDS approach: know what an attack looks like, and look for the attack. That's what most of the signature-based IDS do, and they're good at it, and therefore they are useful. The second is the 'analytical' approach (what Richard Bejtlich, in his excellent books, calls "network security monitoring"): know what your network and systems usually do, and begin an investigation if you see them suddenly start doing something new.

As with everything, there are trade-offs. Some people would say that the first approach has a problem of "too many false positives" although, seriously, if your network is carrying such a large amount of apparently hostile traffic that your IDS is constantly ringing off the hook, I think you've already got a serious problem. The second approach has the problem that "start an investigation" may be outside the purview, skill set, or energy level of many system/network managers, especially now that the typical system/network admin is chief cook, busboy, and bottle-washer all rolled up in one.
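The two approaches above (and the "statistics or matching?" question from the Geeking Out II recap earlier on this page) are easiest to compare when both are run over the same data. What follows is an added example, not code from either post or from any Tenable product: a signature matcher and a baseline-and-deviation detector applied to a constructed proxy-style log. The log format, the hosts and addresses, the two signature rules and the 3-sigma threshold with a spread floor of 1.0 are all illustrative assumptions.

```python
"""Signature matching versus baseline anomaly detection over one constructed log.

Record format (an assumption for this example): "<date> <src_host> <dst_port> <request>".
"""
import re
import statistics
from collections import Counter, defaultdict

# Constructed training window: what the two hosts "usually do" (not real data).
BASELINE_LOGS = """\
2010-02-22 10.0.0.5 443 GET /index.html
2010-02-22 10.0.0.5 80 GET /news
2010-02-22 10.0.0.5 443 GET /mail
2010-02-22 10.0.0.6 443 GET /index.html
2010-02-22 10.0.0.6 53 QUERY example.com
2010-02-23 10.0.0.5 443 GET /mail
2010-02-23 10.0.0.5 80 GET /news
2010-02-23 10.0.0.5 443 GET /cal
2010-02-23 10.0.0.5 80 GET /weather
2010-02-23 10.0.0.6 443 GET /mail
2010-02-23 10.0.0.6 53 QUERY example.org
2010-02-24 10.0.0.5 443 GET /index.html
2010-02-24 10.0.0.5 80 GET /news
2010-02-24 10.0.0.5 443 GET /mail
2010-02-24 10.0.0.6 443 GET /index.html
2010-02-24 10.0.0.6 80 GET /news
"""

# Constructed window under inspection: .5 sends two known-bad requests at its usual
# volume; .6 sends nothing that matches a signature, but talks to a new port a lot.
NEW_LOGS = """\
2010-03-01 10.0.0.5 443 GET /index.html
2010-03-01 10.0.0.5 80 GET /news
2010-03-01 10.0.0.5 80 GET /../../etc/passwd
2010-03-01 10.0.0.5 443 GET /login?user=admin' OR 1=1--
2010-03-01 10.0.0.6 443 GET /mail
2010-03-01 10.0.0.6 6667 NICK svc-0042
2010-03-01 10.0.0.6 6667 JOIN #updates
2010-03-01 10.0.0.6 6667 PRIVMSG #updates :ready
2010-03-01 10.0.0.6 6667 PRIVMSG #updates :ready
2010-03-01 10.0.0.6 6667 PRIVMSG #updates :ready
2010-03-01 10.0.0.6 6667 PRIVMSG #updates :ready
"""

# Illustrative signature rules (assumed, not a vendor ruleset).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-injection": re.compile(r"(?i)union\s+select|'\s*or\s+1\s*=\s*1"),
}


def records(text):
    """Parse every non-empty line into (date, host, port, request)."""
    out = []
    for line in text.splitlines():
        if line.strip():
            date, host, port, request = line.split(maxsplit=3)
            out.append((date, host, int(port), request))
    return out


def signature_detect(text):
    """Classical IDS: fire on any record matching a known-bad pattern."""
    hits = []
    for _, host, _, request in records(text):
        for name, pattern in SIGNATURES.items():
            if pattern.search(request):
                hits.append((name, host, request))
    return hits


def build_baseline(text):
    """Analytical approach, step 1: learn each host's ports and daily request volume."""
    ports = defaultdict(set)
    daily = defaultdict(Counter)  # host -> Counter(date -> request count)
    for date, host, port, _ in records(text):
        ports[host].add(port)
        daily[host][date] += 1
    profile = {}
    for host in ports:
        counts = list(daily[host].values())
        # Floor the spread at 1.0: a perfectly regular host would otherwise be
        # flagged by a single extra request (zero standard deviation).
        spread = max(statistics.pstdev(counts), 1.0)
        profile[host] = {"ports": ports[host], "mean": statistics.mean(counts), "spread": spread}
    return profile


def anomaly_detect(profile, text, k=3.0):
    """Analytical approach, step 2: report departures from the baseline, not attacks."""
    findings, seen, volume = [], set(), defaultdict(Counter)
    for date, host, port, _ in records(text):
        volume[host][date] += 1
        known = profile.get(host)
        if known is None:
            key = ("new-host", host, "")
        elif port not in known["ports"]:
            key = ("new-port", host, str(port))
        else:
            continue
        if key not in seen:  # one finding per host/port pair, not per line
            seen.add(key)
            findings.append(key)
    for host, per_day in volume.items():
        known = profile.get(host)
        if known is None:
            continue
        threshold = known["mean"] + k * known["spread"]
        for date, n in per_day.items():
            if n > threshold:
                findings.append(("volume-spike", host, f"{date}: {n} requests > {threshold:.1f}"))
    return findings


if __name__ == "__main__":
    for hit in signature_detect(NEW_LOGS):
        print("SIGNATURE", *hit)
    for finding in anomaly_detect(build_baseline(BASELINE_LOGS), NEW_LOGS):
        print("ANOMALY  ", *finding)
```

Run as written, the signature matcher reports only host 10.0.0.5 (its two bad requests), while the baseline detector reports only host 10.0.0.6 (a port it never used before, and seven requests in a day against a baseline of two). Neither detector sees what the other does, which is the trade-off the post describes: the first needs a rule for the attack, the second needs someone willing to investigate a "new" that may turn out to be benign.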

Afterbytes with Marcus Ranum - Data Leakage

by Marcus J. Ranum on February 5, 2010

BERLIN/ZURICH (Reuters) - A Swiss lawmaker likened German attempts to buy data on cross-border tax evaders to bank robbery on Tuesday and the Swiss banking lobby said Berlin was acting as a receiver of stolen goods.

Reference: Swiss lawmaker accuses Berlin of "bank robbery"

This could be the start of an interesting trend: targeting information for theft and disclosure. We've already seen that the underground is willing to monetize data leakage, but if governments get involved we'll see organizations getting penalized on both sides: you're fined for leaking the data, and the data is used...

Afterbytes with Marcus Ranum - Under Constant Attack

by Marcus J. Ranum on February 3, 2010

Title: Critical Infrastructure Computer Systems Under Constant Attack
Date: January 28 & 29, 2010

According to a report from The Center for Strategic and International Studies, utility companies’ and other critical infrastructure components’ computer systems are constantly under attack worldwide. The report, which was commissioned by McAfee, compiles information gathered from 600 IT and security executives at companies around the world. More than half of respondents believe that their countries’ laws are not effective in deterring cyber attacks, and nearly half believe that their...