Re: [ISN] Linux snares security tool

From: InfoSec News (isnat_private)
Date: Wed Nov 14 2001 - 07:07:49 PST


    Forwarded from: "Ejovi B. Nuwere" <ejoviat_private>
    
    From: "Nicole Bellamy" <nicole.bellamyat_private>
    Cc: "George Cora" <george.coraat_private>,
       "Leigh Purdie" <Leigh.Purdieat_private>
    
    Ejovi.
    
    As promised in my initial e-mail, I have looked into this matter and
    spoken with experts who actually have day-to-day experience and
    working knowledge of Linux and in particular, Linux security. They
    have advised me to rework my article slightly to include reference to
    C2-compliance--which is the most distinguishing factor of the new
    tool. I have run a proof by them and they are happy with the
    amendments, which I will be posting on our site now.
    
    Although I strongly disagree with your personal attacks against me,
    that is another matter and one which will be addressed --especially
    due to the fact that you have yet to remove or apologise for your
    slanderous comments.
    
    As for the infosec news list readers you have approached, please pass
    on to them my sincere thanks for their feedback and the notice of my
    amendment. It is interesting to note that in a community such as
    Linux, which is fighting daily against oppression from proprietary
    systems, members of this community would personally and professionally
    attack any journalist that gives weight to their fight, and attempts
    to expose brilliance in the ranks, rather than mistakes and
    vulnerabilities.
    
    It is surprising that such a community is not applauding its members
    who are attempting to make a difference rather than shooting down the
    messengers.
    
    By the way, if you intend to post this on your site, please feel free
    to use the entire e-mail this time, rather than just chosen excerpts.
    Also, my comments related to this story are my own, during initial
    e-mails and the follow-up since.
    
    Thanks again and regards.
    
    Nicole
    
    
    
    ----- Original Message -----
    From: "Ejovi B. Nuwere" <ejoviat_private>
    To: "Leigh Purdie" <Leigh.Purdieat_private>
    Cc: "Nicole Bellamy" <nicole.bellamyat_private>; "George Cora"
    <george.coraat_private>
    Sent: Saturday, November 10, 2001 8:14 AM
    Subject: Re: No Subject
    
    
    > Thanks for the response Leigh,
    >
    > As a security professional, you too must admit this article is
    > misleading. Statements such as "InterSect Alliance says it has
    > developed the first integrated security auditing and event..."
    > alone are not true. The first C2-compliant open source product?
    > Well, that may be true, since there aren't many C2-compliant
    > products out there, commercial or open source.
    >
    > I'd be willing to give you the benefit of the doubt. But this
    > article states you are the first host-based IDS for Linux, which
    > is not true. And I've received several responses to my original
    > email sent to ISN, Internet Security News, all of which agree with
    > my opinion. So we will have to agree to disagree on this one.
    >
    > Respectfully,
    >
    > ejovi
    >
    >
    > On Fri, Nov 09, 2001 at 03:11:46PM +1100, Leigh Purdie wrote:
    > > G'day Ejovi,
    > >
    > > Thanks for the comments below, hopefully I can answer your questions to
    > > your satisfaction.
    > >
    > > Many security tools have been available for Linux for a long time now,
    > > often being recompiled from applications developed for generic Unix
    > > systems.
    > >
    > > I've been a user of applications like tripwire, tcp wrappers, for a long
    > > time now. I think I first used tripwire in the early 1990s. I often
    > > encounter confusion from people as to the purposes of such tools.
    > >
    > > Many people, for example, feel that once a firewall is in place, a
    > > system is protected. You and I both know that it takes a large amount of
    > > network, host, and procedural security controls to make a site truly
    > > secure (and even then, there are still risks!). Just as you wouldn't
    > > call tripwire a firewall, nor is it similar to SNARE.
    > >
    > > Tripwire fills a void in security by providing an administrator with
    > > notification when a file is modified/added/changes permissions etc.
    > >
    > > LIDS fills another void by implementing mandatory access controls in the
    > > kernel and providing enhanced access control.
    > >
    > > However, one thing that Linux has been lacking for a long time now, is
    > > the "C2 style" user auditing capability. This is the role that SNARE
    > > fills. Many other operating systems, such as NT or Solaris, incorporate
    > > this feature, and many government departments refuse to install Linux,
    > > because there is no auditing capability.
    > >
    > > Having worked in an organisation like the Defence Signals Directorate
    > > (very much like the US National Security Agency (NSA)), I know the
    > > importance of security standards, and the reluctance of government to
    > > install hardware or software that does not meet certain standards.
    > > Hopefully, SNARE is a step in the direction of ensuring Linux meets
    > > those standards, and is able to be used more by government agencies, and
    > > large organisations that need to meet government standards.
    > >
    > > ZDNet seems to me to be a very careful and capable news agency that is
    > > committed to correctly and accurately reporting a story. Nicole made
    > > sure that she undertook a comprehensive interview before releasing the
    > > story, and although no reporter can report verbatim what was discussed,
    > > I think the story is a fair and accurate reflection of SNARE's role in
    > > Linux.
    > >
    > > As such, if you believe that SNARE is of poor quality for an open source
    > > release, or you feel as though the capabilities are overstated, then
    > > please feel free to discuss it with us further. Drop me or George an
    > > email, or call us on the number available from the contact page.
    > > However, I don't think it's appropriate to accuse ZDNet of anything
    > > untoward.
    > >
    > > Some comments we have received from other users relating to SNARE might
    > > assist in reassuring you that the story was accurate:
    > >
    > > Daniel Swan, maintainer of the comp.os.linux.security frequently asked
    > > questions document:
    > > "Leigh, this looks quite impressive.  I will be happy to include it in
    > > the FAQ.   I will be releasing another version in a couple of weeks, so
    > > look for your product's inclusion then. I also look forward to trying it
    > > out myself."
    > >
    > > Martin Heerling, Germany:
    > > "First I want to congratulate you on snare - I was quite amazed about it.
    > > I like the "Objectives" approach with specifying patterns or regexps.
    > > That's definitely cool."
    > >
    > > GuardianDigital, sellers of the Engarde Linux distribution:
    > > "This is very interesting. .. Perhaps you'd be interested in working
    > > together in some capacity."
    > >
    > > Lance, USA:
    > > "Hello,
    > > This has got to be one of the most awesome utilities (SNARE) I've seen
    > > in Linux yet.  Congratulations on the GREAT work done by you guys.  So
    > > much information given, wow...what an improvement over other logging
    > > utilities...."
    > >
    > > From a government source:
    > > "Truth be told, SNARE looks like it could possibly overcome the last
    > > major hurdle to the 'legal' adoption of Linux in the U.S.
    > > military/government structure.  While it's already endemic throughout
    > > the Department of Defense, there is a bit of a backlash coming due to
    > > the number of incidents coming in, and the lack of hard auditing data
    > > to help track down the miscreants."
    > >
    > > Regards,
    > >
    > > Leigh.
    > >
    > >
    > > On Fri, 2001-11-09 at 09:57, Ejovi B. Nuwere wrote:
    > > > Bcc:
    > > > Subject: Re: [ISN] Linux snares security tool
    > > > Reply-To:
    > > > In-Reply-To: <00d301c168a8$f92c29a0$b2e90ccbat_private>; from nicole.bellamyat_private on Fri, Nov 09, 2001 at 09:59:08AM +1100
    > > >
    > > > Leigh Purdie, please tell me how your product differs from
    > > > LIDS.
    > > >
    > > >
    > > > On Fri, Nov 09, 2001 at 09:59:08AM +1100, Nicole Bellamy wrote:
    > > > > Hi Ejovi.
    > > > >
    > > > > Thank you for your comments. ZDNet Australia values any feedback,
    > > > > especially when it relates to editorial quality, and/or accuracy. I
    > > > > have copied in Leigh Purdie, the CEO you mentioned, and an expert in
    > > > > Linux security.
    > > > >
    > > > > I consulted Linux 'experts' before going to print to check the
    > > > > accuracy of the article, which they did, and I am satisfied with the
    > > > > responses I received.
    > > > >
    > > > > ZDNet Australia strives to provide an impartial, balanced view of
    > > > > news in the IT industry. As such, it is important to report on new
    > > > > developments. Often these are not controversial, and may seem to be
    > > > > complimentary to the company producing the technologies; this is not
    > > > > intended, nor compensated in any way. I personally have no
    > > > > affiliation with the company mentioned, nor the staff within it.
    > > > >
    > > > > However, I appreciate your comments and will endeavour to ensure the
    > > > > validity of them. As we speak, I have contacted various Aust Linux
    > > > > personalities to advise me on the accuracy of the claims you have
    > > > > made. I am sure you can understand the need to check facts and claims.
    > > > >
    > > > > Thanks again for your e-mail. Perhaps next time you have comments to
    > > > > make you could give me a call directly, and ascertain the accuracy of
    > > > > your comments.
    > > > >
    > > > > I hope I have assisted in whatever it is you hoped to achieve with
    > > > > this e-mail.
    > > > >
    > > > > Thanks and regards
    > > > >
    > > > >
    > > > > ________________________________________________
    > > > > Nicole Bellamy
    > > > > News & Technology Producer
    > > > > ZDNet Australia, a CNET Networks Company
    > > > > PO Box 670  BROADWAY NSW 2007
    > > > > Tel: +61 2 8514 9943   Fax: +61 2 9960 2953
    > > > > http://www.zdnet.com.au  http://www.gamespot.com.au
    > > > > _________________________________________________
    > > > >
    > > > >
    > > > >
    > > > >
    > > > >
    > > > > ----- Original Message -----
    > > > > From: "Ejovi B. Nuwere" <ejoviat_private>
    > > > > To: "InfoSec News" <isnat_private>
    > > > > Cc: <nicole.bellamyat_private>
    > > > > Sent: Friday, November 09, 2001 7:20 AM
    > > > > Subject: Re: [ISN] Linux snares security tool
    > > > >
    > > > >
    > > > > > Dear Nicole,
    > > > > >
    > > > > > Is this an article or gibberish? Gibberish, or a press release
    > > > > > poorly cloaked as an article? What exactly do you mean by
    > > > > > integrated? Are you saying that all the major Linux distributions
    > > > > > will include this as part of their base system install?
    > > > > >
    > > > > > Or are you saying that it works on Linux? I'm confused. I suspect
    > > > > > you are too. Why did you not research the subject? If you had, you
    > > > > > would have found tripwire (http://www.tripwire.org/), which has
    > > > > > been around and widely used for almost 10 years.
    > > > > >
    > > > > > What about quoting experts other than the company CEO? Either
    > > > > > you've been had, or you need a refresher course in journalistic
    > > > > > integrity.
    > > > > >
    > > > > > Your friend,
    > > > > > ejovi
    > > > > >
    > > > > >
    > > > > > On Wed, Nov 07, 2001 at 03:35:07AM -0600, InfoSec News wrote:
    > > > > > > http://www.zdnet.com/zdnn/stories/news/0,4586,2822782,00.html
    > > > > > >
    > > > > > > By Nicole Bellamy
    > > > > > > ZDNet Australia
    > > > > > > November 6, 2001 5:46 PM PT
    > > > > > >
    > > > > > > InterSect Alliance says it has developed the first integrated
    > > > > > > security auditing and event logging subsystem for the open source
    > > > > > > Linux operating system, beating much larger organizations to the
    > > > > > > punch.
    > > > > > >
    > > > > > > Its new tool, Snare (System iNtrusion Analysis and Reporting
    > > > > > > Environment), has been developed with a goal of reducing the cost
    > > > > > > of entry into system auditing and host-based intrusion detection
    > > > > > > for system managers, simplifying the process of configuration,
    > > > > > > reducing resource requirements and providing meaningful reporting
    > > > > > > to end-users.
    > > > > > >
    > > > > > > According to Leigh Purdie, director and principal security
    > > > > > > consultant, this is the first release of code for a host-based
    > > > > > > intrusion detection system, although there have been inroads made
    > > > > > > into the development of source code to address network-based
    > > > > > > intrusion detection.
    > > > > > >
    > > > > > > The two systems differ in that while a network-based intrusion
    > > > > > > detection tool enables the user to determine when an intrusion is
    > > > > > > being attempted, the host-based system allows the user to identify
    > > > > > > when an intrusion has been successful.
    > > > > > >
    > > > > > > Purdie believes that the lack of the Snare code has hindered the
    > > > > > > adoption of Linux into widespread use by organizations in
    > > > > > > Australia. By releasing Snare as open-source software, he hopes
    > > > > > > this will "set Linux on the path towards acceptance by
    > > > > > > organizations."
    > > > > > >
    > > > > > > The Snare auditing subsystem is designed to "enhance an
    > > > > > > organization's ability to detect suspicious activity by monitoring
    > > > > > > system and user actions", as stated in its release report.
    > > > > > >
    > > > > > > Given the current debate surrounding staff-monitoring, Purdie was
    > > > > > > quick to point out that InterSect Alliance is not responsible, nor
    > > > > > > accountable for, any privacy infringements occurring as a result
    > > > > > > of organizations using this system. However, the company does
    > > > > > > intend to provide privacy recommendations to organizations as a
    > > > > > > part of its training on the product.
    > > > > > >
    > > > > > > "Privacy is critical in a lot of institutions. When we provide
    > > > > > > solutions we recommend one of the things they (organizations)
    > > > > > > implement is staff contact; to let staff know what is happening,
    > > > > > > why it's happening, what data is being used for," said Purdie.
    > > > > > >
    > > > > > > Snare fills Linux security void
    > > > > > >
    > > > > > > The lack of integrated security features--perceived or
    > > > > > > actual--has long been a barrier to widespread Linux adoption.
    > > > > > >
    > > > > > > According to an InterSect Alliance report, "the lack of host-based
    > > > > > > intrusion detection in the form of an auditing system, has been
    > > > > > > cited in the past by organizations as a significant contributor to
    > > > > > > the decision to choose alternative operating systems over Linux in
    > > > > > > operational roles."
    > > > > > >
    > > > > > > InterSect Alliance decided to pursue the Snare project as a means
    > > > > > > of addressing this shortcoming and therefore boost Linux's appeal.
    > > > > > >
    > > > > > > While working on similar tools for other operating systems, such
    > > > > > > as Sun's Solaris and Microsoft's Windows NT--all of which contained
    > > > > > > an audit collection subsystem--the company realized the lack of
    > > > > > > this feature in Linux, and "thought something was missing,"
    > > > > > > according to Purdie.
    > > > > > >
    > > > > > > What followed was eight months of effort and "not having a life",
    > > > > > > said George Cora, director and principal security consultant.
    > > > > > >
    > > > > > > While eight months seems minimal in software development terms,
    > > > > > > Purdie maintains that Snare is actually the culmination of ten
    > > > > > > years' work on the host-based intrusion detection system, added to
    > > > > > > a combined total of more than twenty years' experience in security
    > > > > > > for the directors.
    > > > > > >
    > > > > > > The short time to market can also be attributed to three other
    > > > > > > factors, according to Cora: "We have the programming skills, we
    > > > > > > have a small company that is not bureaucratic, and we put aside the
    > > > > > > established OSes (operating systems) and started from scratch."
    > > > > > >
    > > > > > > He also maintains that the presence of the open-source community
    > > > > > > allowed them a shorter development time.
    > > > > > >
    > > > > > > InterSect Alliance does not have the infrastructure in place to
    > > > > > > distribute Snare commercially, but by using the open-source
    > > > > > > community, it was able to release the software quickly, to a
    > > > > > > widespread audience.
    > > > > > >
    > > > > > > Cora believes that releasing Snare as open source should also lead
    > > > > > > to a faster uptake of the product itself.
    > > > > > >
    > > > > > > "If we had tried to commercialize this [rather than releasing as
    > > > > > > open-source software], people would be less eager to use it due to
    > > > > > > the cost of entry associated with it," Cora said.
    > > > > > >
    > > > > > > This lowered cost of entry is the ingredient that will ensure much
    > > > > > > of the product's success. Already InterSect Alliance has received
    > > > > > > pre-release queries from local--and global--organizations.
    > > > > > >
    > > > > > >
    > > > > > >
    > > > > > > -
    > > > > > > ISN is currently hosted by Attrition.org
    > > > > > >
    > > > > > > To unsubscribe email majordomoat_private with 'unsubscribe isn' in
    > > > > > > the BODY of the mail.
    > > > > >
    > > > > >
    > > > > > ejovi nuwere
    > > > > > http://www.ejovi.net
    > > >
    > > >
    > > > ejovi nuwere
    > > > http://www.ejovi.net
    > > --
    > > Leigh Purdie, Director - InterSect Alliance Pty Ltd
    > > http://www.intersectalliance.com/
    >
    >
    > ejovi nuwere
    > http://www.ejovi.net
    
    ----- End forwarded message -----
    
    
    ejovi nuwere
    http://www.ejovi.net
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
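Leigh's reply in the thread above separates file-integrity checking (tripwire reports when a file is modified, added, or has its permissions changed) from "C2 style" user auditing (recording what users actually did, and, per Martin Heerling's comment, matching those records against "Objectives" given as patterns or regexps). The Python below is an added illustration written for this archive page; it is not code from SNARE, InterSect Alliance, tripwire, LIDS, or anyone in the thread. It takes a tripwire-style baseline of a temporary directory, shows that a plain read of a sensitive file leaves no integrity delta while a content edit plus chmod does, and then runs constructed audit records (a hypothetical four-field record, not real kernel audit output) through hypothetical regex objectives, where the same read is caught. The `AuditEvent`, `Objective`, `snapshot`, `integrity_delta` and `evaluate` names and the `/etc/shadow` sample path are all assumptions for the example.

```python
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass


# --- Tripwire-style file integrity check (simplified, added illustration) ---

def snapshot(root):
    """Map path (relative to root) -> (sha256 hex digest, permission bits)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            mode = os.stat(path).st_mode & 0o7777
            state[os.path.relpath(path, root)] = (digest, mode)
    return state


def integrity_delta(baseline, current):
    """Tripwire-style report: sorted (added|removed|changed, path) pairs."""
    changes = []
    for path in set(baseline) | set(current):
        if path not in baseline:
            changes.append(("added", path))
        elif path not in current:
            changes.append(("removed", path))
        elif baseline[path] != current[path]:
            changes.append(("changed", path))
    return sorted(changes)


# --- C2-style audit records matched against "objectives" ---
# The four-field record and the objective format are hypothetical; they are
# not SNARE's record layout or its objectives syntax.

@dataclass(frozen=True)
class AuditEvent:
    uid: str
    syscall: str
    path: str
    outcome: str          # "success" or "failure"


@dataclass(frozen=True)
class Objective:
    name: str
    syscalls: frozenset   # which system calls are of interest
    path_regex: str       # regex the event's path must match
    outcomes: frozenset   # report successes, failures, or both

    def matches(self, ev):
        return (ev.syscall in self.syscalls
                and ev.outcome in self.outcomes
                and re.search(self.path_regex, ev.path) is not None)


def evaluate(events, objectives):
    """Return (objective name, uid, syscall, path) for every event that hits an objective."""
    return [(obj.name, ev.uid, ev.syscall, ev.path)
            for ev in events for obj in objectives if obj.matches(ev)]


def demo():
    """Contrast what the two approaches can see; returns the three results."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "etc"))
        shadow = os.path.join(root, "etc", "shadow")
        with open(shadow, "w") as fh:
            fh.write("root:*:0:0:99999:7:::\n")   # constructed content
        os.chmod(shadow, 0o600)
        baseline = snapshot(root)

        # A read is invisible to the integrity checker: nothing changed on disk.
        with open(shadow) as fh:
            fh.read()
        delta_after_read = integrity_delta(baseline, snapshot(root))

        # A content edit plus a permission change is exactly what it reports.
        with open(shadow, "a") as fh:
            fh.write("backdoor:x:0:0:99999:7:::\n")
        os.chmod(shadow, 0o644)
        delta_after_change = integrity_delta(baseline, snapshot(root))

    # Constructed audit records: the read of /etc/shadow that left no trace
    # above is an ordinary event here, and a regex objective catches it.
    events = [
        AuditEvent("alice", "open", "/etc/shadow", "success"),
        AuditEvent("alice", "open", "/home/alice/notes.txt", "success"),
        AuditEvent("bob", "chmod", "/etc/shadow", "success"),
        AuditEvent("bob", "execve", "/bin/ls", "success"),
    ]
    objectives = [
        Objective("sensitive-file-access", frozenset({"open"}),
                  r"^/etc/(shadow|passwd)$", frozenset({"success", "failure"})),
        Objective("permission-change-under-etc", frozenset({"chmod", "chown"}),
                  r"^/etc/", frozenset({"success"})),
    ]
    return delta_after_read, delta_after_change, evaluate(events, objectives)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The point the two halves make together is the one Leigh's reply relies on: an integrity checker can only ever tell you that a file is different from its baseline, so a successful read of /etc/shadow by an ordinary user, or an execve that touches no monitored file, is simply not an event it can have. An audit subsystem records the action and the user who performed it, and the objective (what to watch, for whom, with which outcomes) is where the operator decides what is worth reporting.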
    



    This archive was generated by hypermail 2b30 : Wed Nov 14 2001 - 09:31:10 PST