Wednesday, September 13, 2006

Testing Intrusion Prevention Systems

Informative test results for various IPSs such as the Juniper IDP 200, Cisco IPS 4240, eSoft ThreatWall 200, ForeScout ActiveScout 100 and McAfee IntruShield 2700.

Here's how they tested:

"In order to create a base environment in which to compare the different appliances, we set up a single system within our test network to be the target of Core Impact’s simulated attacks. We chose a system running the most vulnerable operating system we could think of—Windows 2000 Service Pack 2 with no additional service packs or security updates. We temporarily opened the channels on the test network’s firewall and installed Core Impact on a system outside the network. We then proceeded to detect and “attack” the Windows 2000 system to identify its vulnerabilities. Of the hundreds of attack modules available, we picked 85 of the most applicable. Knowing how our target system was vulnerable and the attacks we could launch against it, we connected each IPS in turn according to its recommended configuration. We then allowed each IPS to function in a real-world network environment for a day or more. Eventually we rebooted the Windows 2000 machine and ran Core Impact to simulate a barrage of intrusions. Finally, we adjusted the security profiles of each IPS and ran the tests one more time. The result was a complete picture of how effective each IPS was at preventing attacks—both out of the box and after fine-tuning. The good news is, we were able to tweak each IPS to completely shut down the Core Impact attacks."

There are, however, hidden costs related to IPSs: increased maintenance and reconfiguration time, and a possible decline in productivity. The key is understanding the pros and cons of your solution, educating the masses of users, and, as far as host-based IPSs are concerned, running a departmental rollout rather than a company-wide enforcement in the first place. The sensitivity of a network-based IPS is proportional to the number of false alerts it generates, so figure out how to balance and adapt the solution to your network.

"Suspicious system behaviour" is an open-ended term for the majority of end users; keep that in mind whatever you do when dealing with HIPS. And do your homework, of course.

Google Anti-Phishing Black and White Lists

Can the world's most effective search engine manage to keep questionable sites away from its users' search results? It seems its toolbar users are also warned about such sites. Google has for sure got the widest and most recent snapshot of the Web to draw conclusions from, and it seems that starting from the basics, keeping a black and a white list of questionable sites/URLs, is still taken into consideration. Googling Google proves handy sometimes, and you can stumble upon interesting findings such as Google's Black list -- cached version -- and White list of phishing and possibly fraudulent sites -- there's still a cached version of the White list available, and the white domains as well.

As I often say, the host trying to 6667 its way out of the network today will be the one sending phishing and spam mails tomorrow. To verify this, I took a random blacklisted host, http://219.255.134.12/fdic.gov/index.html.html, and decided to test it first at TrustedSource and then, of course, at SORBS, to confirm that the host has indeed been flagged as:

"Spam Sending Trojan or Proxy attempted to send mail from/to from= to="

What's ruining the effect of black and white lists? With today's modular malware -- and DIY phishing toolkits -- the list of IPs currently hosting phishing sites can become a decidedly time-consuming effort to keep track of; black lists can sometimes be rendered useless given how malware-infected hosts increasingly act as spamming, phishing and botnet-participating ones at the same time. If ISPs were given the incentives, or obliged, to take common-sense approaches to dealing with malware-infected hosts, it would make a difference. As far as white lists are concerned, XSS vulnerabilities on the majority of top domains and browser-specific vulnerabilities make their impact, but most of all, it's a far more complex issue than black and white only.
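To make the two checks above concrete, here is an added example (not code from the post, Google, TrustedSource or SORBS) that builds the reverse-octet DNSBL query name for the blacklisted host quoted above, looks it up against a constructed offline stand-in for DNS, and applies the two heuristics the post hints at: an IP-literal host and a well-known domain smuggled into the path. The SORBS zone name, the sample brand list, the constructed resolver answers and the black list entry ages are all assumptions made for the example; a real check would resolve the query name with the system resolver and consult a live list.

```python
import ipaddress
from urllib.parse import urlparse

# The blacklisted URL quoted in the post.
SAMPLE_URL = "http://219.255.134.12/fdic.gov/index.html.html"

# Assumed DNSBL zone name for illustration; SORBS published its lists as DNS zones.
SORBS_ZONE = "dnsbl.sorbs.net"

# Constructed stand-in for a DNS resolver: DNSBL query name -> A record.
# A real check would use socket.gethostbyname(name) and treat NXDOMAIN as "not listed".
FAKE_DNS = {
    "12.134.255.219.dnsbl.sorbs.net": "127.0.0.6",  # constructed listing for the sample host
}

# Brand domains that should never appear inside the path of an unrelated host (assumed list).
BRAND_DOMAINS = ("fdic.gov", "paypal.com", "ebay.com")


def dnsbl_query_name(ip, zone=SORBS_ZONE):
    """DNSBLs are queried by prefixing the reversed octets to the zone name."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip, zone=SORBS_ZONE, resolve=FAKE_DNS.get):
    """A listed host answers with an address in 127.0.0.0/8; no answer means not listed."""
    answer = resolve(dnsbl_query_name(ip, zone))
    return answer is not None and answer.startswith("127.")


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def phishing_indicators(url, brands=BRAND_DOMAINS):
    """Cheap URL heuristics that do not depend on any list being current."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    findings = []
    if is_ip_literal(host):
        findings.append("ip-literal-host")
    path = parsed.path.lower()
    for brand in brands:
        # A brand name in the path of a host that is not that brand is a classic lure.
        if brand in path and not (host == brand or host.endswith("." + brand)):
            findings.append("brand-in-path:" + brand)
    return findings


def classify(url, blacklist, whitelist, now, max_age=7 * 86400, resolve=FAKE_DNS.get):
    """Decide allow/block/suspect/unknown.

    blacklist maps host -> time the host was listed; entries older than max_age are
    ignored because, as the post argues, per-IP listings go stale as infected hosts churn.
    """
    host = (urlparse(url).hostname or "").lower()
    if host in whitelist:
        return "allow"
    listed_at = blacklist.get(host)
    if listed_at is not None and now - listed_at <= max_age:
        return "block"
    indicators = phishing_indicators(url)
    if is_ip_literal(host) and is_listed(host, resolve=resolve):
        indicators.append("dnsbl-listed")
    return "suspect" if indicators else "unknown"


if __name__ == "__main__":
    print(dnsbl_query_name("219.255.134.12"))
    print(phishing_indicators(SAMPLE_URL))
    print(classify(SAMPLE_URL, {"219.255.134.12": 1000}, {"www.fdic.gov"}, now=2000))
    # Same entry a month later: the stale listing is ignored, heuristics still flag it.
    print(classify(SAMPLE_URL, {"219.255.134.12": 1000}, {"www.fdic.gov"}, now=1000 + 30 * 86400))
```

The expiry on black list entries is the point of the example: an IP that hosted a phishing page last week may be a cleaned-up home PC today, so the list alone should not be the last word, while the URL heuristics keep working regardless of how current the list is.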

Another recent and free initiative I came across is the Real-Time Phishing Sites Monitor, which may prove useful to everyone interested in syndicating their findings.

Third-party anti-phishing toolbars, as well as anti-phishing features built into popular toolbars, are not the panacea for dealing with phishing attacks. A combination of them and user awareness, and thus less gullible users, is the way.

Tuesday, September 12, 2006

Visualizing Enron's Email Communications

In a previous post, "There You Go With Your Financial Performance Transparency", I mentioned the release of Enron's email communications between 2000 and 2002, mind you, by Enron's ex-risk management provider. Continuing the series of resourceful posts on visualizing terrorists, intelligence data sharing, security and new media, here's Jeffrey Heer's visual data mining of a sample of Enron's email communications:

"Using the Enron e-mail archive as a motivating dataset, we are attempting the marriage of visual and algorithmic analyses of e-mail archives within an exploratory data analysis environment. The intent is to leverage the characteristic strengths of both man and machine for unearthing insight. Below are a few sketches from a preliminary exploration into the design space of such tools."

And here's how he visualized the social network, an invaluable "big picture".

Monday, September 11, 2006

Secret CIA Prisons

It's official, there are indeed (publicly) secret CIA prisons, and a public commitment towards improvement:

"All suspects will now be treated under new guidelines issued by the Pentagon on Wednesday, which bring all military detainees under the protection of the Geneva Convention. The move marks a reversal in policy for the Pentagon, which previously argued that many detainees were unlawful combatants who did not qualify for such protections. The new guidelines forbid all torture, the use of dogs to intimidate prisoners, water boarding - the practice of submerging prisoners in water - any kind of sexual humiliation, and many other interrogation techniques."

I assume operating such facilities in the Twilight Zone is flexible from an interrogation point of view; what makes me wonder, though, is how justified kidnappings of alleged terrorists by recruiting local intelligence agents are. Guess a guy I had a hot discussion with the other night was right: no more Russian-style skirmishes in guerrilla warfare, the adversary leaders just disappear and no one, not even their own forces, ever hears anything of them again -- spooky special forces stealing the hive's queen.

In case you're also interested in the DoD's New Detainee Interrogation Policy, it's already available at the FAS's blog, plus "biographies" of the 14 detainees.

However, there's one thing the entire synthetic community will always be thankful to the CIA for, and that's LSD, a proven "ice breaker" over the decades.

Graph courtesy of Spiegel.de