[SecurityRatty] tag: network

Changhai Ke of ILOG: The More Part of CEP over ESP is Far from Mature

Sun, 06 Jul 2008 07:58:30 +0000

This post was originally a comment On CEP Maturity and the Gartner Hype Cycle by Changhai Ke of ILOG. Changhai Ke’s comment was so well written, I have reposted it as a blog entry.

The “More” Part of CEP over ESP is Far from Mature

By Changhai Ke, ILOG

An EDA and CEP must be understood as 2 different areas. EDA is an architecture pattern for enterprise applications. The components are loosely coupled by the use of events. In its strict sense, this is more an architecture pattern than an algorithm.

CEP, on the other hand, targets at the event processing and pattern recognition level. For me, it’s the research for the right algorithm to use to recognize the situations. Pattern recognition, event correlation are all good characterizations for CEP. Back 15 years ago, the alarm correlation in the telecom area was done using production rules (it is still the case), and this perfectly falls into the CEP area.

In fact, EDA comes after CEP, but the CEP at that period was not explicitly called CEP. The nature of their respective study is not the same, one is at the architecture and middleware level, the other is at the algorithm side. As both are concerned by events, it seems that people more or less implicitly include CEP in EDA, mix the two and introduce confusion. Why not. But it’s important to understand that CEP (on its algorithm side) could mature on its way without being worried about the event transportation layer.

As a system, CEP needs input events for processing. If EDA is considered as the only way to bring and transport events to the CEP systems, then of course CEP won’t become successful without the prior success of EDA. But in my understanding, CEP targets some real-time or close to real-time applications, and the event transport layer in those applications are the most often ad-hoc and over-optimized. I fear that EDA has the same kind of performance goal.

Another distinction needs to be made. CEP is more general than ESP (event stream processing), characterized by an EPL for data aggregation with notifications. Even on the market most of the CEP vendors provide EPL languages, CEP has the vocation to cover more than that. The “more” part is not well defined, at least it should include the event correlation, and correlation is not just data aggregation.

The ESP part of CEP could be considered as quite mature. There are so many EPL languages, and tuning has been made on the runtime side. It seems also that some applications based on ESP have proved to work. But the “more” part of CEP over ESP is far from mature. It is often described that CEP could use several technologies, such as statistical models, Bayesian network, time series, rules, etc. I agree that there are a few systems using rules. But where are the others?

Sincerely,

Changhai Ke

Firewalls On Your Windows Servers

Sun, 06 Jul 2008 04:37:16 +0000

A survey last year by David Litchfield of NGS Software showed "...there are approximately 368,000 Microsoft SQL Servers directly accessible on the Internet and around 124,000 Oracle database servers directly accessible on the Internet." Egad! That's almost certainly not a good thing. Many of them are accessible by accident and many of them are run by just plain incompetent people; 4% of the SQL servers were so old they were still vulnerable to the Slammer worm from many years ago. One point it raises, even if you don't in intend for your server to be accessible directly on the Internet, is defense in-depth. There should be a firewall on the server so that at least the attack surface is somewhat restricted. Out of this philosophy, starting with Windows Server 2008, the Windows Firewall is turned on by default. Many users will notice this change in the form of connectivity failures, but that's a good thing because it forces you to think about what's open and closed on your server and make a decision about it. An entry on the SQL Server Security Blog discusses these changes and how you can approach them to make your Windows Server 2008-hosted SQL Servers secure. First you have to locate your servers; it's a good bet that quite a few owners of those Internet-facing servers that Litchfield found don't even know the servers are up. You need to review the host security implementations on those servers to make sure that they conform to your policy. You also need to review your network firewall policies to make sure that the two are compatible. Verify that it's all working as expected; in other words, test the configuration. Then remedy the problems. Read the blog for more details. On your Windows Server 2003 servers you might even want to turn the firewall on as a defensive measure. Or you might want to turn it off on 2008. But it should be you making a conscious decision.

A bloggers network to be proud of

Sat, 05 Jul 2008 06:54:00 +0000

I started blogging about 2 and half-years ago because I felt like it would be fun to add my two cents to the public debate. When Brad Feld introduced me to the Feedburner guys I was given an insiders view into the quickly developing blogging world. When Feedburner started networks, I thought it would be interesting to start a network of all the security blogs that I was reading. I also inherently knew in my gut that eventually there would be some common good that would benefit all of the members of the network by aggregating our content and buying power for ads. I also believed and still do believe that there are other ways that a network such as the Security Bloggers Network can be a force for good.

However, reading the SBN feed tonight I was just blown away! From being on the road, I had not read the SBN feed in my Newsgator reader for almost 2 days. I had over 160 articles cued up in the feed. Forget for a moment that the Security Bloggers Network now has over 160 blogs and a combined feedburner subscriber base of almost 67,000 readers! The content is king. Going through the articles I could not believe the total coverage, the ongoing commentary and give and take, but most of all it was the quality. There are so many great members of the network who are just so damn smart and are writing about such important stuff.

I am humbled and incredibly proud of the what the Security Bloggers Network has become. If you are interested in security, whether it be the technical aspects of security, the business of security or the security industry, you cannot afford to miss this SBN feed.

We are kicking around a lot of new activities and ways to publicize the member blogs of the network over the coming months. Stay tuned for details, but in the meantime keep reading, you won't be sorry!

Facebook Group for Complex Event Processing

Sat, 05 Jul 2008 03:22:59 +0000

We now have a FaceBook group for CEP, so if you are into on-line social networking, enjoy!

http://www.facebook.com/group.php?gid=23977227924

Feel free to add any links or messages you like. Vendors sites welcome too! Just network, market, relax and have fun!

"Interesting" Advert Placements On Facebook

Thu, 03 Jul 2008 14:45:10 +0000

I've had a few people mention "odd things" happening when trying to install an application on Facebook called "Gridview". Well, I decided to try it out. On the install screen, you see this:

Makes sense so far. Here's the install screen where you agree to let the application loose on your profile:

Click to Enlarge

Once done, you see the following screen and this is where it all starts to go a bit wrong:

Click to Enlarge

Note that the application is ALREADY installed by this point, because the Gridview icon is on your list of current applications (highlighted by the red box on the left).

However, top right (also highlighted) is a box made to look like a standard Facebook "continue" button. When installing the application for the first time, this caught me out too - I didn't notice the app was already installed and (naturally enough) clicked the "continue" button, thinking there was something else I needed to do to complete the installation.

Imagine my confusion, then, when I was suddenly presented by this:

Click to Enlarge

A page asking me to download "Mothers Day E-cards", via IAC (creators of Smiley Central, amongst other things). By this point, you've left the Facebook network completely and are sitting on a page served up by an advertising network - go back to the Facebook screenshot above and check out the URL at the bottom of the browser. That's the actual destination of the "Continue" button.

That's a pretty sneaky tactic, if you ask me.

What needs to be established is, who is responsible for the placement of the fake "Continue" button? Is it the creator of the application, or is it legitimate advertising space on Facebook being subverted in a rather creative fashion by an advertising agency promoting IAC products?

I've tried reinstalling the application a few times, and the graphic displayed sometimes changes to more overt "this is an advert" style banners leading to other sites offering similar downloads / offers. Other applications installed don't seem to display sneaky adverts like that in the same location, but every application install is somewhat different so that's not really a conclusive answer.

At any rate, be wary of what you click on when installing Facebook applications...

Hidden endpoints: Mitigating the threat of non-traditional network devices

Thu, 03 Jul 2008 11:40:22 +0000

Organizations have many safeguards in place for network-enabled devices like PCs and servers, but few realize the threat posed by non-traditional devices like printers, physical access devices and even vending machines. Endpoint security expert Mark Kadrich offers up some worst-case scenarios and explains how these and other endpoints can be protected.

Misc Reading Related To Verizon Breach Report

Thu, 03 Jul 2008 10:07:00 +0000

All sort of fun stuff was unearthed, discussed and - sometimes - made-up upon reading the Verizon Security Breach Investigations report. Here are some things from the pile which I found fun:

Report itself [PDF] and brief on it from Verizon (and two fun follow-ups, this and this here)
"90% of all statistics can be made to say anything… 50% of the time, aka my thoughts on the Verizon report"
"Data Breach Post Mortem Offers Surprises" (well, to some people, they are surprises ...)
"Insider Threat Exaggerated, Study Says" (not, it doesn't, BTW)
"Verizon Business Report Speaks Volumes" (from Richard, thus a MUST read)

And of course, here is my favorite part: "In 82 percent of cases, our investigators noted that the victim possessed the ability to discover the breach had they had they been more diligent in monitoring and analyzing event-related information [AC - i.e. logs] available to them at the time of the incident." and this "Furthermore, a crime scene devoid of any network and system logs, a key resource for computer forensics, is a disturbingly common occurrence."

What can I say? Back to battle stations for me - to fight the war of making logs more popular! :-)

Content Scrapers And Security Blogs

Thu, 03 Jul 2008 03:48:19 +0000

I saw an interesting post over at Anti-Virus-Rants today, where Kurt Wismer linked to an article regarding content scraping. In essence, the site doing the scraping (Security Ratty) ended up with "Security Ratty is a slimy, content stealing thief" on the front page. I find this interesting, because not so long ago I'd considered doing something similar with one of those fake security spam blog things that lift the content and splatter a ton of adverts on their site, while removing correct attribution.

Instead, I decided to do a little digging and quickly traced it back to a guy running a whole network of various sites, blogs and other networks. However - something didn't seem quite right. For all intents and purposes, he seemed like a normal, legit guy. He had pictures of himself on various portals. He openly advertised his main line of business, which (I think) was something to do with accountancy. There was a personal blog about pet dogs.

Holding fire on the "Here's a post specifically for your scraper site poking fun at you, aren't I clever" post, we found out that the guy had purchased a bunch of ready-to-roll blogs in good faith and had no idea the sites were removing correct attribution (and replacing it with fake names), amongst various other things. Realistically, I didn't expect him to know the ins and outs of all the little details that turned reproduction in good faith into something that just about started to cross the line. A few helpful emails back and forth, and everything was fixed at their end and it didn't snowball into some big stupid argument over nothing.

Coming from an arts background, I'm realistic enough to know that if you put something out there, it's going to get copied and / or republished without your permission (or worse) down the line. That's the risk of publishing material online, and to a large degree, there is absolutely nothing you can do about it. The way I see it, you spend the rest of your days on a futile hunt to shut down all the content scrapers, or accept that (at the very least) the information you hope may be of use to somebody will reach and help them in some way.

If it doesn't have my name attached to it, I can live with that - but I'd rather invest my energies in research and writing than a few hours brief "victory" via a slow procession down an RSS feed. I'm not familiar with the ins and outs of the particular case linked to, but for all I know, the scraper site in question is entirely automated and devoid of any real life person manning the controls. If that's the case, the "victory" is rendered almost entirely pointless save for a cool-for-a-while screenshot.

Is that really a good use of time and effort? Personally, I'm more pleased with our behind-the-scenes EMail resolution but different strokes, different folks and all that...

Equifax bolsters border security

Wed, 02 Jul 2008 20:00:00 +0000

Equifax, the company that compiles credit reports, has chosen network-access-control technology to make sure contractors and employees access its network with machines that meet the firm's security requirements.

i-safe has some great articles for your online safety

Wed, 02 Jul 2008 19:25:39 +0000

They have a bunch of learning modules for kids to seniors to law enforcement.
Check em out.

clipped from ilearn.isafe.org

Which module do I watch?
There are five options with five different users in mind. Those registered as educators with i-SAFE have the greatest
access to view the modules because you work closely with students and parents. Those registered as parents and fifty+
have access to either of those modules since many users fit both categories. However, students are limited to the i-MENTOR
Training Network. And the Operation i-SHIELD module is reserved for those in law enforcement. Below is a breakdown of each
module. To begin, please register by creating a user name and password at the top of this page. That will help direct you to
the appropriate i-LEARN module. Enjoy!