Archive for August 2007


Messy due to website upgrade

I’m currently in the process of doing some upgrades to the website, so it might look and behave differently from usual. Bear with me…

The difficulty of performing incident detection… and prevention

A common question when discussing intrusion detection versus intrusion prevention is “why on earth would we want to do only detection?”. The fairly simple reason (which I have written about many times) is the inaccuracy of finding and identifying something that is a very small part of the entire set being looked at. I think we can learn a lot about performing security in the digital world from the analog one. For instance, why do we have very few systems in the analog world that claim to prevent something once it is detected? The security cameras in the subway aren’t hooked up to stun guns, right? The X-ray station at the airport is monitored by real personnel; why is that? And why don’t we have a way of automatically stopping a car that violates the traffic signs? Because it doesn’t work. Why would the digital world be any different?
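As an added illustration of the base-rate point above (not code from the original post), the following Python works out what fraction of alerts from a detector of rare events are real, using constructed figures for traffic volume, attack rate, sensitivity and false-positive rate:

```python
"""Why "detection only" can be a rational choice: the base-rate problem.

Added illustration, not code from the original post. All figures below are
constructed assumptions, not measurements from any real IDS or IPS.
"""
from typing import Tuple


def alert_precision(base_rate: float, sensitivity: float, fp_rate: float) -> float:
    """Probability that a fired alert is a real intrusion, by Bayes' rule.

    base_rate:   fraction of inspected events that are actually malicious
    sensitivity: P(alert | malicious), the true-positive rate
    fp_rate:     P(alert | benign), the false-positive rate
    """
    true_alerts = base_rate * sensitivity
    false_alerts = (1.0 - base_rate) * fp_rate
    total = true_alerts + false_alerts
    return true_alerts / total if total else 0.0


def daily_alert_counts(events_per_day: int, base_rate: float,
                       sensitivity: float, fp_rate: float) -> Tuple[int, int]:
    """Expected (true, false) alerts per day. The false ones are what an
    inline IPS would block, i.e. legitimate traffic dropped automatically."""
    malicious = events_per_day * base_rate
    benign = events_per_day - malicious
    return round(malicious * sensitivity), round(benign * fp_rate)


if __name__ == "__main__":
    # Constructed scenario: 10 million flows a day, 1 in 100,000 malicious,
    # signatures that catch 95% of attacks and misfire on 0.1% of benign flows.
    events, base, sens, fpr = 10_000_000, 1e-5, 0.95, 1e-3
    true_hits, false_hits = daily_alert_counts(events, base, sens, fpr)
    print(f"precision of one alert: {alert_precision(base, sens, fpr):.2%}")
    print(f"per day: {true_hits} real intrusions caught, {false_hits} benign flows flagged")
    # Even a detector that never misses an attack stays mostly wrong
    # while the false-positive rate is far above the base rate.
    print(f"perfect sensitivity, 0.01% FP rate: {alert_precision(base, 1.0, 1e-4):.2%}")
```

With these figures fewer than one alert in a hundred is real, which is why letting the same signal block traffic automatically mostly blocks legitimate users.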

I learned from Schneier of a good example of the difficulty of performing monitoring and incident detection in the real world. From the article:

The 178 video cameras that keep watch on San Francisco public housing developments have never helped police officers arrest a homicide suspect even though about a quarter of the city’s homicides occur on or near public housing property, city officials say.

Why is that? Could it be because “Nobody monitors the cameras, and the videos are seen only if police specifically request it from San Francisco Housing Authority officials”? No shit.

Another interesting comment:

The cameras have occasionally managed to miss crimes happening in front of them because they were trained in another direction, and footage is particularly grainy at night when most crime occurs, according to police and city officials.

In the digital world we don’t have darkness clouding our detection instruments, but our “cameras” (intrusion detection systems) can be just as grainy and badly positioned. I agree with Schneier when he says that the cameras, which are intended to have a scaring effect on criminals, also cause a false sense of security for the inhabitants of San Francisco. Since we normally don’t disclose that we have “digital cameras”, i.e. intrusion detection or prevention systems, in the digital world we can pretty much rule out the scare-off effect. What about the false sense of security?

The benefits of a compromise (?)

I learned from Slashdot that some of the Ubuntu servers have been hacked. As some of the comments on the Slashdot post suggest, that is no catastrophe in itself (but it can quickly become one). Everyone makes mistakes, and prevention eventually fails. They are not alone. What matters is whether or not they have the routines, tools and processes in place to investigate, analyse and limit the damage.

What is interesting is that we actually get to know that they have been compromised, and that raises a question: does knowing about the compromise increase or decrease my trust in the Ubuntu source? Let us look at what the announcement gives us.

Knowledge of the breach lets us:

  • Choose whether or not to apply future updates, for fear that they might contain backdoors, at least until the scope of the compromise is fully determined.
  • If we consider it necessary, choose whether to withdraw all Ubuntu boxes and replace them with another distribution or OS.
  • Watch and see how the Ubuntu community and sponsors, e.g. Canonical, react to this: how serious they are about security, and how well their processes and routines handle this kind of emergency.
  • Be somewhat assured that the Ubuntu servers’ administrators are competent enough to detect the compromise, and yes, that can be hard.

If things were as they were yesterday, with no breach announced, what knowledge would that give us?

  • Can they detect a compromise if there were one? Do they have the necessary tools and processes to do so?
  • Are the servers compromised? The source code? Are there backdoors in the software?
  • Should we react? How? What might be compromised?
  • … and so on.

The point is that, without any other information, an announcement of a compromise gives us more information to base decisions on than a company that has no apparent security issues. This is a fundamental problem with security. It’s similar with vulnerabilities: a company announcing a vulnerability in its software at least proves that it is looking; the absence of one proves nothing. I’m not saying I wish more companies were compromised, but I wish they reported it once they were. The companies that are not compromised can have other things to show their customers, to assure them that they have the necessary tools and processes in place. I am thinking of information security frameworks such as ISO 17799 and similar standards, which at least prove that a company is putting some effort into security.

To sum up: the following weeks will tell us more about Ubuntu’s security priorities than we know about those of some of their uncompromised rivals.

Reverse Engineering IDS/IPS signatures

This year’s Black Hat featured a talk about reverse engineering IPS signatures. The talk demonstrated that vulnerabilities can be reverse engineered from signatures, which is especially interesting for zero-day signatures. The talk got a lot of attention, and TippingPoint, whose IPS was the one the technique was demonstrated on, apparently changed the way they distribute their zero-day signatures. I’m looking forward to getting my hands on the talk itself or the slides to get a glimpse of the methodology.