Re: FW: *ICN - A Conspiracy of Inertia?
From: o00o_j (o00o_j@yahoo.com) Date: 03/19/02
- Previous message: Derek Walker: "Re: Statistical Anomaly Analysis?"
- In reply to: Benjamin Tomhave: "FW: *ICN - A Conspiracy of Inertia?"
- Next in thread: Michal Zalewski: "Re: FW: *ICN - A Conspiracy of Inertia?"
- Next in thread: robert_david_graham: "RE: *ICN - A Conspiracy of Inertia?"
- Reply: Michal Zalewski: "Re: FW: *ICN - A Conspiracy of Inertia?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 19 Mar 2002 13:25:22 -0800 (PST)
From: o00o_j <o00o_j@yahoo.com>
To: focus-ids@securityfocus.com
My $0.10, as I understand this article:
This seems like a good technology - something that would play very well
with current security products, but not necessarily replace any of
them. I think there are too many different types of "normal" behavior
to possibly expect this to be a cure-all (or cure-most). Every company
has different things going on in their network and systems that could
be considered malicious anywhere else. For instance, remember that
application you begged the business apps group not to purchase because
of the strange traffic it laid down on the network that they bought
anyway? Perfect example of expected but abnormal behavior.
Apart from this, there is the menagerie of security breaches and
methods of information leakage that are creative uses of normal
behavior. The behavior in and of itself is not malicious, but put into
a context it can be. A TCP connection to port 22 isn't malicious. But
it COULD be part of a portscan, which is much less benign.
I think he's going after something [potentially] no one has before, but
it *could* be that nobody thought of it. It could also be that private
companies (such as antivirus vendors) *have* been working on it but
haven't told anyone.
Is this innovative? Most likely. Is it the silver bullet? Gimme a
break...
--- Benjamin Tomhave <falcon@cybersecret.com> wrote:
> Has anybody else heard about this? It seems to uphold a principle
> that I've tried to consistently apply throughout my security career --
> working with known quantities whenever possible and configuring
> systems to only accept those known quantities. Even if the software
> is fictitious, it represents the possibility for a paradigm shift from
> the perspective of IDS, among other things. Thoughts?
>
> ----- Original Message -----
> Sent: Monday, March 18, 2002 12:17 PM
> Subject: FW: *ICN - A Conspiracy of Inertia?
>
>
> > This guy simply has no idea how big and stupid the world is.
> >
> > -----Original Message-----
> > From: internetcrimenews [mailto:internetcrimenews@infowar.com]
> > Sent: Monday, March 18, 2002 9:47 AM
> > To: icnlist@infowar.com
> > Subject: *ICN - A Conspiracy of Inertia?
> >
> >
> >
> >
> > By Sarah Scalet
> > An academic-turned-entrepreneur says he's found the key to security
> > problems - and the security community doesn't want it.
> >
> > I'm deeply suspicious of anyone who claims to have created a new
> > paradigm in security. In fact, I usually hit the delete button faster
> > than you can say "snake oil." But this week, allow me to entertain one
> > such vendor claim that relates to how the entire security community
> > approaches insecurity.
> >
> > It involves a man named John Munson, who has spent the last 30 years
> > thinking about software reliability - and we're talking about serious
> > software like the stuff that powers the Space Shuttle and the Cassini
> > spacecraft that's currently hurtling toward Saturn. Dr. Munson, a
> > University of Idaho professor and NASA contractor turned entrepreneur,
> > is not a man you want to find out is a kook. Yet he's skittering on
> > the edge of a conspiracy theory that, if it turns out to be true,
> > could turn the security community on its head and empty out its
> > pockets.
> >
> > His premise? That the security community doesn't want to solve
> > security problems once and for all, because the whole business relies
> > on the very existence of computer crime and malicious code.
> >
> > The technical details of the research that led Munson to this
> > conclusion are far beyond the scope of this column, but here's the
> > 250-word version.
> >
> > Munson's life work involves researching and monitoring how software
> > responds, and sometimes breaks, because of what a user does to the
> > software. Software doesn't wear out like hardware; it crashes because
> > of user input. Astronauts can only hit so many buttons in the Space
> > Shuttle, and Munson used to make sure that none of those combinations
> > would cause the systems to break.
> >
> > Then, about three years ago, he decided that this research could be
> > applied to computer security. By monitoring the kernel of an operating
> > system, he set out to find nuances of behavior change when a system
> > was under attack from a hacker or computer virus. "It turns out there
> > were no such nuances," explains Munson, at work at Software Systems
> > International, the second obscure company (the first one went
> > bankrupt) attempting to profit from these principles. "Assaults were
> > astonishingly obvious. In fact, we have yet to observe a malicious
> > activity that is not wearing a Day-Glo orange shirt."
> >
> > If an attack on a computer system were so easy to identify, he asked
> > himself, then why not build in controls that identify and allow
> > normal behavior and stop abnormal behavior? There'd be no need for
> > patches to fix specific vulnerabilities, and no need for antivirus
> > software to fight malicious code.
> >
> > Munson says he has a few Linux servers up and running that are
> > protected by an early version of these operating system controls,
> > which are calibrated based on how the server normally operates. He
> > says the controls could eventually be built into a computer's
> > hardware.
> >
> > Needless to say, his work has been met with considerable skepticism.
> >
> > "The reaction is, we don't believe you," Munson says. "But this is
> > not an act of faith. All the research I have done is reproducible to
> > scientific standards."
> >
> > Munson suspects more than skepticism. "They (security vendors) thrive
> > on your misery. It's a conspiracy of inertia. I don't think there's
> > collusion. I don't think McAfee is sitting there kicking viruses out
> > the back door. I do believe that they're making money at it and would
> > like to keep making money at it. But they're working on the wrong
> > problem."
> >
> > Whether Munson (or anyone) can actually deliver a product that avoids
> > security problems altogether - and whether hackers and coders
> > couldn't then launch attacks designed to look "normal" - I cannot
> > say. But his logic is tempting. The way things are done today is
> > terribly inefficient and ineffective, and a lot of people are
> > profiting from it.
> >
> > Suppose, just for a moment, that there is a solution to the security
> > woes plaguing corporate America - the endless cycle of installing
> > patches against new vulnerabilities, of stopping viruses and security
> > breaches, of fixing damage done. I'm not talking about a magical
> > elixir but a so-called disruptive technology that comes from an
> > outsider whose ideas could make columns like this obsolete. CIOs
> > would be ready to hear it. But what about the rest of us?
> >
> > What do you think? E-mail Sarah D. Scalet, security editor and
> > senior writer, at sscalet@cio.com.
> >
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > Cybercrime Reports: http://www.infowar.com/ccr/ccr1.shtml
> > CCR@infowar.com
> > Internet Crime Watch: http://www.infowar.com/iwatch/iwatch.shtml
> > ICN@infowar.com
> >
> > Internet Crime News ( ICN) is brought to you by Infowar.Com Ltd.
> > Please feel free to pass this on as long as all information and
> header
> > remains intact.
> > Please forward your comments or posts to ICN@infowar.com.
> > Subscribe and Remove instructions appear at the end of this email.
> >
> > Infowar.Com Ltd. 3030 N. Rocky Point Drive West. Suite 275. Tampa, FL 33607
> > 813-288-1955 Voice 813-288-1985 FAX
> > Need Further Info? Write betty@infowar.com
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
>
>
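The point made above about context (a connection to port 22 is benign on its own but not as one step of a port scan) and about site-specific "expected but abnormal" traffic can be shown in working detection logic. The following is an added example written for this archive; it is not code from the original post, from Munson's product, or from any vendor. The log format, hosts, ports, window and threshold are all constructed for illustration.

```python
"""Context turns a benign event into a suspicious one: one TCP connection
to port 22 is not malicious, but the same connection as one of many
ports touched by a single source inside a short window is a scan. A
per-site baseline of "expected but abnormal" traffic keeps the noisy
business application from firing the same rule.

Added example: hosts, ports, thresholds and the record format below are
constructed for illustration and are not from the original post."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)  # assumed tuning value
THRESHOLD = 8                   # distinct unbaselined (dst, dport) pairs per source

# Site-specific baseline (constructed): the business app on 10.1.1.20
# talks to 10.1.2.50 on ports 5000-5009. Abnormal anywhere else, expected here.
BASELINE = {("10.1.1.20", "10.1.2.50", p) for p in range(5000, 5010)}


def parse_line(line):
    """Record format (constructed): '<iso timestamp> <src> <dst> <dport>'."""
    ts, src, dst, dport = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport)}


def detect_scans(lines, baseline=BASELINE, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per source that touches >= threshold distinct
    unbaselined (dst, dport) pairs within `window`. Each event is judged
    by the events around it, not on its own."""
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e["ts"])
    recent = defaultdict(deque)   # src -> deque of (ts, (dst, dport))
    alerted, alerts = set(), []
    for ev in events:
        if (ev["src"], ev["dst"], ev["dport"]) in baseline:
            continue              # expected for this site: never counts
        q = recent[ev["src"]]
        q.append((ev["ts"], (ev["dst"], ev["dport"])))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()           # slide the window forward
        distinct = {pair for _, pair in q}
        if len(distinct) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({"src": ev["src"], "first": q[0][0],
                           "last": ev["ts"], "targets": sorted(distinct)})
    return alerts


def build_sample_log():
    """Constructed connection records covering the four cases discussed."""
    base = datetime(2002, 3, 19, 13, 0, 0)
    rows = []

    def add(t, src, dst, port):
        rows.append(f"{(base + timedelta(seconds=t)).isoformat()} {src} {dst} {port}")

    add(0, "10.1.1.7", "10.1.2.10", 22)      # admin ssh: benign on its own
    add(300, "10.1.1.7", "10.1.2.10", 22)
    for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443]):
        add(60 + i, "10.1.1.99", "10.1.2.10", p)   # port 22 again, scan context
    for i, p in enumerate(range(5000, 5010)):
        add(120 + i, "10.1.1.20", "10.1.2.50", p)  # noisy app, baselined
        add(180 + i, "10.1.1.33", "10.1.2.50", p)  # same pattern, unbaselined
    return rows


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for a in detect_scans(SAMPLE_LOG):
        print(f"scan from {a['src']}: {len(a['targets'])} targets "
              f"between {a['first'].time()} and {a['last'].time()}")
```

Run as-is it reports two scans, from 10.1.1.99 and 10.1.1.33; the admin's port-22 connections and the baselined business app produce nothing. Drop the baseline (pass `baseline=set()`) and the business app is flagged too, which is exactly the false positive a one-size-fits-all notion of "normal" would raise.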