Integrate Antivirus into Samba

July 31st, 2008 by Dhruv Soi

Samba can easily be integrated with ClamAV, the most popular open source antivirus, through the samba-vscan VFS module. The few steps below do the job. Note that these steps were performed on 64-bit CentOS 5 with Samba version samba-3.0.25b-1.el5_1.4; a few changes might be required on other operating systems.

Install Samba server, if not already installed

#yum install samba

Download ClamAV packages from DAG repository.

#wget -c http://dag.wieers.com/rpm/packages/clamav/clamav-db-0.92.1-1.el5.rf.x86_64.rpm
#wget -c http://dag.wieers.com/rpm/packages/clamav/clamav-0.92.1-1.el5.rf.x86_64.rpm
#wget -c http://dag.wieers.com/rpm/packages/clamav/clamd-0.92.1-1.el5.rf.x86_64.rpm

Install the downloaded packages

#rpm -ivh clamav-db-0.92.1-1.el5.rf.x86_64.rpm
#rpm -ivh clamav-0.92.1-1.el5.rf.x86_64.rpm
#rpm -ivh clamd-0.92.1-1.el5.rf.x86_64.rpm

Download source code of samba and samba-vscan:

#wget -c ftp://ftp.in2p3.fr/pub/samba/samba-3.0.25b.tar.gz
#wget -c http://www.openantivirus.org/download/samba-vscan-0.3.6c-beta4.tar.gz

Uncompress both packages

#tar xvzf samba-vscan-0.3.6c-beta4.tar.gz
#tar xvzf samba-3.0.25b.tar.gz

Change the directory to samba source directory

#cd samba-3.0.25b/source/

Run the autogen.sh script

#./autogen.sh

Execute the configure script and run make

#./configure
#make proto

Change directory to samba-vscan

#cd ../../samba-vscan-0.3.6c-beta4

Configure samba-vscan, passing the Samba source directory to the configure script

#./configure --with-samba-source=../samba-3.0.25b/source/

Execute make

#make

If the build succeeds, you will find samba-vscan shared objects for all supported antivirus engines in the same directory. Copy the ClamAV object to /usr/lib64/samba/vfs/ (this would be /usr/lib/samba/vfs on 32-bit CentOS).

#cp vscan-clamav.so /usr/lib64/samba/vfs/

Copy default configuration of vscan-clamav.conf to samba configuration directory

#cp clamav/vscan-clamav.conf /etc/samba/

Change dir to /etc/samba

#cd /etc/samba/

Edit the smb.conf file and add the following two lines under the [global] section

#vi smb.conf

vfs object = vscan-clamav
vscan-clamav: config-file = /etc/samba/vscan-clamav.conf

Now edit the vscan-clamav.conf file: change the action to be taken when an infected file is found, and change the clamd socket name. In our case it was /tmp/clamd.sock.

#vi vscan-clamav.conf

infected file action = quarantine
clamd socket name = /tmp/clamd.socket

Now start/restart clamd and samba services

#/etc/init.d/clamd start
#/etc/init.d/smb restart

Make sure that these services start automatically on system reboot

#chkconfig smb on
#chkconfig clamd on

TESTING:

Enable verbose logging in /etc/samba/vscan-clamav.conf and watch the log file /var/log/messages

Download the test virus file from http://www.eicar.org/anti_virus_test_file.htm and copy it into a shared folder on the Samba server. You will receive a message via the Windows Messenger service (if it is running), and you will notice that the infected file is not available in the shared folder.
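Two things in the steps above go wrong silently: the socket name in vscan-clamav.conf must be exactly the path given by the LocalSocket directive in clamd's own configuration (note that the text above mentions /tmp/clamd.sock while the directive shows /tmp/clamd.socket), and the module must actually be present where smbd looks for VFS modules. The script below is an added example, not code from the original post or from the samba-vscan project; it checks that consistency before the services are restarted. It assumes the file paths used in the post plus /etc/clamd.conf for clamd (all overridable as arguments) and uses testparm only when Samba has installed it.

```shell
#!/bin/bash
# Consistency check for the samba-vscan + clamd setup described above.
# Added example, not part of the original post or of the samba-vscan project.
# Assumed defaults: the file locations used in the post plus clamd's own config at
# /etc/clamd.conf (the path the CentOS clamd package uses); pass others as arguments:
#   ./check-vscan.sh [smb.conf] [vscan-clamav.conf] [clamd.conf] [vfs module dir]

# Value of "key = value" in an ini-style file (smb.conf and vscan-clamav.conf share
# that format). Trailing comments (# or ;) and whitespace are dropped; last match wins.
conf_value() {   # conf_value <file> <key regex>
    sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*([^#;]*).*/\1/p" "$1" 2>/dev/null \
        | sed -E 's/[[:space:]]+$//' | tail -n 1
}

# Value of a "Directive value" line in clamd.conf (that format has no equals sign).
clamd_value() {  # clamd_value <file> <directive>
    sed -n -E "s/^[[:space:]]*$2[[:space:]]+([^[:space:]#]+).*/\1/p" "$1" 2>/dev/null | tail -n 1
}

# 1. smb.conf must load the vscan-clamav module and name an existing config file.
check_smb_conf() {  # check_smb_conf <smb.conf>
    local vfs cfg
    vfs=$(conf_value "$1" 'vfs objects?')       # Samba accepts "vfs object" and "vfs objects"
    case " $vfs " in
        *" vscan-clamav "*) ;;
        *) echo "FAIL: $1 does not load vscan-clamav (vfs object = '$vfs')" >&2; return 1 ;;
    esac
    cfg=$(conf_value "$1" 'vscan-clamav:[[:space:]]*config-file')
    [ -n "$cfg" ] || { echo "FAIL: $1 has no 'vscan-clamav: config-file' line" >&2; return 1; }
    [ -f "$cfg" ] || { echo "FAIL: $cfg (named in $1) does not exist" >&2; return 1; }
    echo "ok: vscan-clamav loaded, config file $cfg"
}

# 2. The socket samba-vscan connects to must be the one clamd listens on (LocalSocket).
check_socket_match() {  # check_socket_match <vscan-clamav.conf> <clamd.conf>
    local vs cs
    vs=$(conf_value "$1" 'clamd socket name')
    cs=$(clamd_value "$2" 'LocalSocket')
    [ -n "$vs" ] || { echo "FAIL: no 'clamd socket name' in $1" >&2; return 1; }
    [ -n "$cs" ] || { echo "FAIL: no LocalSocket directive in $2" >&2; return 1; }
    [ "$vs" = "$cs" ] || { echo "FAIL: samba-vscan uses $vs but clamd listens on $cs" >&2; return 1; }
    echo "ok: both sides use socket $vs"
}

# 3. An infected file must be quarantined or deleted, not left on the share.
check_action() {  # check_action <vscan-clamav.conf>
    local act
    act=$(conf_value "$1" 'infected file action')
    case "$act" in
        quarantine|delete) echo "ok: infected file action = $act" ;;
        *) echo "FAIL: infected file action is '$act' (expected quarantine or delete)" >&2; return 1 ;;
    esac
}

# 4. The module copied in the post must exist where smbd looks for VFS modules.
check_module() {  # check_module <vfs dir>
    [ -f "$1/vscan-clamav.so" ] || { echo "FAIL: $1/vscan-clamav.so not found" >&2; return 1; }
    echo "ok: $1/vscan-clamav.so present"
}

main() {
    local smb="${1:-/etc/samba/smb.conf}" vscan="${2:-/etc/samba/vscan-clamav.conf}"
    local clamd="${3:-/etc/clamd.conf}" vfsdir="${4:-/usr/lib64/samba/vfs}" rc=0
    check_smb_conf "$smb" || rc=1
    check_socket_match "$vscan" "$clamd" || rc=1
    check_action "$vscan" || rc=1
    check_module "$vfsdir" || rc=1
    # testparm ships with Samba and rejects syntax that smbd would refuse to load.
    if command -v testparm >/dev/null 2>&1; then
        if testparm -s "$smb" >/dev/null 2>&1; then echo "ok: testparm accepts $smb"
        else echo "FAIL: testparm rejects $smb" >&2; rc=1; fi
    fi
    return $rc
}

if main "$@"; then echo "all checks passed"; else echo "some checks FAILED"; fi
```

Run it after editing the two configuration files and before restarting smb; a FAIL on the socket check is the usual reason the EICAR test below shows no reaction at all, because samba-vscan cannot reach clamd and the scan never happens.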

 

For any issues, please feel free to contact our team: contactus@torridnet.com

OWASP AppSec India Conference 2008

June 11th, 2008 by Dhruv Soi

As you might be aware, OWASP (The Open Web Application Security Project) is a globally recognized leading body for web application security standards, frameworks, tools and guides, with the mission of “finding and fighting the cause of insecure software.”

The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security “visible,” so that people and organizations can make informed decisions about application security risks. Everyone is free to participate in OWASP and all of our materials are available under an open source license. The OWASP Foundation is a 501c3 not-for-profit charitable organization that ensures the ongoing availability and support for the work.

OWASP Delhi Chapter is hosting a grand application security event in New Delhi, the OWASP AppSec India Conference 2008, on August 20th & 21st 2008 at the Hotel Intercontinental EROS, Nehru Place, New Delhi, INDIA. This is a two-day event: the first day is the conference on “Application Security Trends and Challenges” and the second day is dedicated to six sessions of multi-track training/workshops covering today’s hot application security topics. We have a great line-up of world-renowned application security experts and gurus who have spoken and presented at the world’s biggest and most prestigious information security conferences, including BlackHat, BlueHat, RSA WorldCon, DefCON, OSCON, ISACA, MISTI, EUSec, AusCERT, ISC2 Secure World and HackInTheBox.

Having your team attend this event can add immediate value to your organization in terms of people, processes and technology. The OWASP AppSec India Conference 2008 is the first ever event focusing on application security trends and challenges, and is the right place to learn the best practices in application security from the industry experts and gurus in this space.

On the other hand, sponsoring this event proudly showcases your commitment to information security. It enables your clients to identify you as a security-savvy organization that is focused on delivering trustworthy computing in a tangible manner, providing measurable benefits.

There is an exclusive CxO Power Summit (an invitation-only event) on the eve of the first conference day, and as a sponsor you benefit from interacting with your C-level colleagues and other VIP delegates from the corporate and government sectors, which can help build valuable business relationships.

Below are a few quick links for your reference:

OWASP Delhi Event Brochure
Conference (Day 1) Details
Training (Day 2) Details
Sponsorship Form
Event Page

Shall We Dust Beijing?

May 11th, 2008 by Pukhraj Singh

Prologue: A very newspaper-ish article which never got published, inspired by those dull public policy briefs I really enjoy reading.

——

“Break-ins from abroad seem to be increasing.” – Clifford Stoll, Stalking the Wily Hacker (1988).

Clifford Stoll, a hyperactive astronomer and computer expert, was only keen on investigating an accounting error of 75 cents in the accounts of computer usage at Lawrence Berkeley National Laboratory. Little did he know that this innocent-looking anomaly would lead him to a labyrinth of computer hacking incidents and an international espionage conspiracy that would become the recipe of a bestseller, ‘The Cuckoo’s Egg’. It was almost two decades ago when the world was shocked and awed by this intriguing tale of espionage on the electronic frontier. A couple of billion dollars (lost to global computing frauds) later, India is still the caveman in terms of Internet security.

When I heard about the alleged Chinese intrusion into MEA’s computers last week, the first thought that came to my mind was, “So, one of the incidents got detected”. Considering their sophistication, it doesn’t take a rocket scientist to conclude that most of these attacks are going undetected and unnoticed. And it was not the first incident of its kind; similar intrusions, like the compromise of embassy websites in August last year, have hit the headlines. In fact, the story goes back a decade, to when Bhabha Atomic Research Center was 0wned by hacktivists protesting against the Pokhran nuclear tests. However, what concerns me now is that the motives of these hackers have changed from mere anti-establishmentarianism to something very sinister. It is now a sensitive matter of national security and critical infrastructure protection. But the immature response by our government and the usual sensationalization by the media made sure that the root causes of these problems went unnoticed.

Having worked for one of the foremost actionable intelligence and incident response teams at Symantec, I can assure you that the view from the foxhole is even more alarming. Almost daily, millions of dollars are lost to elaborate computing scams, identity frauds and electronic espionage. Hackers, who previously believed in the virtue of full disclosure of new vulnerabilities in computing systems, have gone underground and colluded with the street mafia in countries like the US, Russia, Brazil and China. They operate like drug cartels, recruiting young hackers who possess new and innovative intrusion techniques and exploits which are currently unknown to the security community, termed zero-day exploits in cyberpunk parlance. In our circles, we even have a saying that the mouse is chasing the cat. Every day, we investigate these ‘in-the-wild’ attack vectors which have the ability to bypass the latest security tools or go undetected.

The problem lies at a very intricate technical level. The architects of the now widely prevalent computing and networking systems didn’t take the security aspect into consideration when they designed them. Security was an obscure issue for these starry-eyed, beat-generation techies of the 70s and even the 80s, who believed in the power of free information. Only later, when the Internet became the backbone of our information superhighway and Microsoft Windows the de facto operating system, did we bear the brunt of this gross oversight. From then on, security has become perpetual and shoddy patchwork trying to close and hide these loopholes. The irony here is that in most cases we react rather than being preemptive and proactive. A little also has to do with the inability to calculate the return on investment on such fixes, which can cost enormously (imagine dealing with the Y2K problem every day). The effectiveness of a security system can’t be gauged until it is steady and operational. Only when it trips on the successful detection of an attack, or fails, can we do some rough calculations by considering the value of the assets being protected. This is the pain point for businesses and governments. However, regulatory compliance norms like the Sarbanes-Oxley Act, Gramm-Leach-Bliley Act, HIPAA and BASEL-II have been monumental in legitimizing these needs in business terms.

Let’s get back to the issue of cyber-espionage. From 2006, security response teams across the globe have witnessed a new-breed of targeted attacks attempted solely to steal sensitive information pertaining to national security. These malicious payloads arrive at selectively chosen email addresses of government servants as harmless-looking emails with documents, spreadsheets, images or other types of file attachments. When the benign user opens the attachment, the actual malicious payload gets activated and installs a backdoor which taps all the sensitive information going in and out, relaying it across to the attackers. In other cases, the user is lured into opening a malicious website under the control of the attacker, hosting a variety of exploits. Even after the compromise, the attacker remains very stealthy to retain his fort and keep stealing the sensitive data. These client-side exploits are undetectable by widely-used security tools like anti-virus products as they leverage system loopholes which are previously unknown (zero-day) and constantly mutate themselves to remain undetectable. Investigations have revealed that the majority of these attacks have originated from China. In fact, their magnitude had become so severe that the United States government tried to confront China at the Asia-Pacific Economic Cooperation Summit last year, after reports of Chinese hackers compromising Pentagon networks. As expected, China vehemently denied these allegations though it’s a well known fact in security circles that they are very much responsible for these attempts. Security firm iDefense has even released a detailed whitepaper on the modus operandi of Chinese hackers responsible for these attacks along with their names, addresses and photographs!

So can India do anything in this high-tension, cold-war-like, bureaucratic drama rather than sitting dumbfounded while our national security gets compromised? The answer is no. Even now, the government doesn’t have a coordinated and centralized action plan for such incidents and for the protection of critical electronic infrastructure. Add to that, international law just doesn’t work here. There is also an acute lack of awareness among the various government organizations dealing with sensitive data. The Indian Computer Emergency Response Team (CERT-In), established under the auspices of the Department of Information Technology, has done some commendable work in spreading the cause, but much remains to be done. On the offensive side, cyber-warfare has undeniably become a very valid proposition which can impart strategic leverage over the enemy, so Indian defense agencies should definitely think of adding hackers to their cadres. In fact, the United States Air Force Cyber Command has launched a public initiative to attract young security professionals, and agencies like the NSA have been doing that for years.

In 1996, the legendary security academician Dan Farmer released an amusingly titled report, ‘Shall We Dust Moscow?’, aimed at disseminating ‘startling and depressing’ results on the insecurity of US computer networks. The report was an eye-opener and became a cult favorite, paving the way for innovative security research. As our Internet infrastructure is still burgeoning, a similar attempt at protecting our nation is imperative, acting at the earliest to incur minimal overhead. I keenly reminisce about my hacking days (every security professional has them), when I was constantly amazed and excited at the relative insecurity of Indian networks, especially the Education and Research Network (ERNET), which hosts the websites of many government-funded organizations dealing with crucial research. It reminded me of George Orwell’s quote, “To see what is in front of one’s nose needs a constant struggle”. It’s high time that the government squints its eyeballs and tries to focus on this very obvious predicament.

The State of Information Security

May 11th, 2008 by Pukhraj Singh

The state of information security
Pukhraj Singh, April 03, 2008, pukhraj@gmail.com

Where are we now? An organizational perspective
- Organizations have understood the end-to-end picture.
- Security has become justifiable in business terms.
- ‘Proactive, preemptive and inclusionary’ is the motto.
- Resolution of RoI is still under experimentation.
- Quality of manpower has improved.

Where are we now? An industry perspective
- The industry is back to basics.
- Witnessing a wide-scale, two-pronged consolidation.
- Focus shifting from best-of-breed to contemporary.
- Upping the effort to build in-house, multi-vendor, wholesome solutions at lowest cost.
- Turnkey, productized services are the way to go.
- Investment is scarce and returns are scarcer.
- Technical innovation has hit the glass ceiling.
- Outsourcing is still problematic.

Where are we now? A technical perspective
- The threat landscape has changed.
- The focus is completely crime-centric.
- The vulnerability-to-exploit cycle is minuscule or negative.
- The vendors have become responsible and mature.
- Haphazard laws and legal ramifications have added to the FUD.

Compliance != Security Nirvana

Gartner Hype Cycle – Prophetical?

M&A 2007 – What does it tell?
Symantec/4Front, Sun Micro/Aduva, Symantec/Altiris, Oracle/Bharosa, Symantec/Bindview, Cisco/Broadware, Secure Computing/CipherTrust, McAfee/Citadel, Sourcefire/ClamAV, IBM/Consul, BT/Counterpane, Verizon/CyberTrust, VMware/Determina, Sophos/Endforce, Novell/eSecurity, IBM/FileNet, Google/Green Border, Verisign/iDefense, Cisco/IronPort, IBM/ISS, Attachmate/NetIQ, EMC/Network Intelligence, Check Point/NFR Security, McAfee/Onigma, Check Point/PointSec, Websense/PortAuthority, Google/Postini, IronPort/PostX, McAfee/Preventsys, Cisco/Reactivity, Symantec/Revivio, EMC/RSA Security, Fortify/Secure Software, Patchlink/Securewave, Novell/Senforce, St. Bernard Software/Singlefin, HP/SPI Dynamics, Patchlink/STAT Guardian, Websense/SurfControl, Microsoft/Sybari, Symantec/Sygate, EMC/Tablus, EMC/Valyd, EMC/Verid, IBM/Watchfire, McAfee/SafeBoot, Barracuda/NetContinuum, Oracle/LogicalApps, nCircle/Cambia, HP/SPI Dynamics, Microsoft/Komuku

The failure of outsourcing
- Information security lags 5-7 years behind the mainstream outsourcing market.
- A tough, complex and multi-disciplinary job.
- Customer paranoia, compliance costs, confidentiality issues.
- Legal hassles with overseas contractors.
- Bigger contractors lack the skills to create skilled manpower for this niche domain.
- Only mainstream security services are being pursued.
- Many opportunities are going unnoticed.
- More effort, less clarity, unneeded complexity, low quality.

Trends and Opportunities
- Security product development and productized services.
- Many US-based security product companies have moved their R&D bases to India: Blue Lane, SolidCore, Sipera, AirTight, Nevis, FaceTime, NetContinuum, PacketMotion, Third Brigade, IntruGuard, Elemental Security, BreakingPoint Systems, CounterPane, IBM X-Force.
- The same processes can be leveraged to provide services which are currently dominated by US players: vulnerability research, threat management, intrusion prevention, actionable intelligence.
- A specialized security product and productized-services outsourcing company.
- Best of both worlds: proven Indian offshoring model + service offerings in a niche domain.
- Investor-friendly.
- Recent acquisitions of such niche service companies support the claim.
- Can be used to take baby steps and test the tolerance of the market for further expansion.
- Very few companies are trying this.

Indian security companies
- Big 4 (KPMG, PWC, E&Y and Deloitte), Wipro Infotech, Wipro Technologies, Tata Consultancy Services, Patni Computer Systems, HCL Comnet, Ramco, Sify Limited, MIEL, Secure Synergy, Network Security Solutions, Paladion Networks.
- Established around early 2000; 50-300 employees, $1-10 million.
- India and the Middle East are the main markets.
- Only mainstream offerings are being pursued.
- Low-tech innovation, uncompetitive management, reliance on consulting manpower.
- Haziness around their exact mission, targets and key differentiators.
- The major challenges: scaling up, productization, value creation, skilled manpower, automation, transition, showing visible ROI and definition of USPs.

Case Studies and Newer Entrants
- Why did Paladion Networks fail?
- Deloitte-US’s captive KPO.
- iViz Techno Solutions, Aujas Networks, Syntensia?

Indian security market
- The IT infrastructure is being completely overhauled.
- Organizations have been ‘pressurized’ to take security into consideration.
- Their buying approach is very conservative.
- IDC estimate: $120M by 2008. An understatement.
- The SMB sector is one huge, untapped and unaccounted opportunity.

Selling to Indian SMBs
- Relationship should be the topmost priority.
- SMBs still have a shopkeeper’s approach.
- The market is unaccounted for.
- First-mover tactics.
- Personalized pitch.
- Focus on post-sales too.
- Let them get the bang for the buck.
- Be patient on the payments.
- Assist them in assessing the RoI.
- Partner networks need to be improved.
- Marketing is still very immature.

(Concept + Cost) Arbitrage
- The market is thumbs-up to contemporary offerings bundled in an ‘on-demand’ fashion.
- “…Philippe Courtot (CEO, Qualys) acknowledged that in his business it is quite possible that an Indian company could come up with a vastly lower cost structure, and customers would switch immediately, if they are convinced about the reliability of the service.” — Sramana Mitra
- Challenges: Team, Sales, Investment.

ArcSight IPO: A positive vibe

March 23rd, 2008 by Pukhraj Singh

Cross-posted from VentureWoods.org.

So ArcSight, the enterprise security and compliance management company, went public a couple of weeks ago. Market watchers and industry analysts have always held mixed views about the company, and the same goes for its IPO. Hints of a listing became public in September 2006, when Valley kahuna Ray Lane chaired a meeting on ArcSight’s future and how it could be a worthy competitor in the to-be-consolidated information security space. The talk of the town was that the company’s decently solid sales record and struggling competitors are a positive sign of a stable future; thus broader solution offerings can be built by leveraging the IPO moolah, which can be used to target some of the bigger players. This puts them in a better spot than other myopic security startups which only target a small part of the ‘security problem’. However, the festive mood was dampened a bit as the listing raised around $54M, slightly below expectations.

ArcSight was started during the heyday of security, when companies with angel-eyed security administrators were really keen to visualize and monitor their security posture on an enterprise-wide scale. Termed Security Incident and Event Management (SIEM) solutions, these systems were aimed at picking out useful and actionable information from all network and security devices, rejecting the unwanted notifications and false positives which had become a pain in the neck, metaphorically speaking. These were the times when intrusion detection systems had just gained wide-scale acceptability and deployment, but they were prone to generating a lot of alerts, and on an individual basis it was hard to make sense of what was going on in the network, thus defeating their whole purpose. But when it came to the actual implementation and tweaking, SIEM could make the client’s espresso machines run out of coffee powder. Moreover, their visualization and anomaly detection systems didn’t really prove that effective and had a high learning curve. I remember working for a SIEM vendor on a contract when I came to know about the dreadful effort of installing this gargantuan solution, which could easily take a couple of weeks or even months. So ArcSight, being a smarter kid on the block, took a slip road like so many others. During the same time, enterprise security expenditures became more and more justifiable in business terms due to regulatory compliance, cyber-crimes becoming a grim reality and the changing threat landscape. So now security was not some obscure handy-work limited to network administrators; its need had trickled down towards the pin-striped pants of the management. SIEM vendors like ArcSight, with some magic and a lot of rework, were able to provide respectable offerings in compliance monitoring, fraud prevention and identity management. Fast-forward a few years and we have a company sending out positive vibes in a niche market which has drowned itself in pessimism. It will be interesting to see how ArcSight fares in an industry witnessing some epic shifts and large-scale consolidation.

Some thoughts of this article are derived from: ArcSight Security IPO, Not So Hot

Sramana’s Challenge: Kyunki ‘SaaS’ Bhi Kabhi…

March 23rd, 2008 by Pukhraj Singh

Cross-posted from VentureWoods.org.

Just about a year ago, I started thinking about the last big thing in security. This industry has reached a stage where disruptive technologies have virtually hit the glass ceiling. The market has violently regurgitated any attempts to shove myopic product solutions down its throat. While industry old-timers sulk at it, I believe it’s a justifiable act. However, there are still a few acid-tripped security startups aiming to sell pure-play product solutions which only solve a part of the problem. I think their belief lies in the fact that there are still a few paranoid clients and pseudo-geek CISOs who will buy their FUD-mongering and save themselves from the impending security doomsday. I think they are badly mistaken.

On a more calmed-down note, customers have realized their mistakes and are suffering from existential angst. They understand the current threat landscape and the actual security risks looming over their business - they see the bigger picture and they know what they want. What customers don’t want are solutions which fragment the security problem into minuscule, mind-numbing, schizoid entities like botnet mitigation, security incident and event management, change control, client-side security, intrusion prevention, virtualization security, spam protection, endpoint protection, network behavioral analysis, identity management, fraud prevention, threat intelligence, compliance management, yada yada yada. Customers have failed to quantify any tangible RoI on such expenditures, they have had a hard time managing the gamut of deployments over their networks, and above all - they don’t have any god-damn clue on how to glean actionable information out of these products. They have stopped being carried away by this cryptic industry. So consolidation was a very obvious Darwinian step.

Mind you, the consolidation is happening in two ways. One, the established bigger security vendors are acquiring smaller companies and creating wholesome, turnkey solution offerings which cover everything under the security umbrella (Symantec, McAfee, Cisco). Secondly, enterprise software and solution providers, which are generally exposed to maximum risk are integrating these security technologies right into their very frameworks (EMC, Google, HP, IBM, Microsoft, Oracle, SAP, VMware). Thirdly, the coming innovation will be in the solution offerings and not in the underlying technologies. Fourthly, the security outsourcing industry is lagging by around 5 years.

So now comes the million-dollar question. What about grassroots entrepreneurs and Schumpeterian innovators? I think there are some opportunities on the horizon. The opportunities lie in re-innovating product technologies which failed just due to their higher operational costs and lack of business clarity. A quote from my last post which will help in elucidating this point:

…enterprise security expenditures became more and more justifiable in business terms due to regulatory compliance, cyber-crimes becoming a grim reality and the changing threat landscape. So now, security was not some obscure handy-work limited to network administrators; its need had trickled down towards the pin-striped pants of the management.

Opportunities also lie in security solutions which can leverage the cost arbitrage. With the ongoing consolidation, security solutions have become more and more service-centric, and productized services are the way to go. When it comes to services, we can definitely exploit the well-proven Indian offshoring model. The case in point is that although the bigger security players are merrily striving to provide wholesome solutions, integration of such diverse acquired technologies leads to a lot of quality loss, thus raising the cost of the service offering.

Let me take a few ideas very specifically. A few months ago, when I read this seminal article by David Cowan, my immediate thought was, “Why not try outsourcing+SaaS!!?”. An excerpt from my brief commentary:

Absolutely credible and intuitive assessment of the consolidated and de-productized information security market by David Cowan of Bessemer Venture Partners. David has hit the bullseye here, beautifully explaining the current and underlying bottlenecks ailing the business of information security. Personally, I feel this is a brilliant take on the future of the IT security industry. People have already shunned the idea of another killer security product and information security outsourcing (infrastructure management/MSS - whatever) is going nowhere.

Now, imagine the proven Indian offshoring model combined with SaaS! Companies like Wipro, which has a well-established security consulting services arm, have this whole market for the taking if they can streamline their messy operations. However, this is a tough bet for grassroots entrepreneurs as it requires an elaborate operational setup and infrastructure.

And just a few weeks ago, when I read the Challenge to Indian Entrepreneurs posted by Sramana Mitra (written in Feb’07), I became more and more certain.

In the recently concluded Philippe Courtot interview series, we discussed at length the various ways in which India and China could undercut US companies, and Philippe acknowledged that in his business (Qualys is an outsourced managed security service provider, a SaaS play), it is quite possible that an Indian company could come up with a vastly lower cost structure, and customers would switch immediately, if they are convinced about the reliability of the service.

Just to set the economics in perspective, Qualys has invested $65 Million to build an infrastructure that “is at the scale of the planet” to monitor, audit and report network security problems.

Let me throw a challenge in the direction of the Indian entrepreneurs: Go figure out how to build this same business for $30 Million, and I can tell you, you will have an absolute winner in your hands.

There hasn’t been a better time to disrupt the current dystopian order. In fact, a few Indian companies like iViz and Aujas (both backed by IDG Ventures) are trying something similar to Qualys. But they have a long way to go. Their product technologies are at a nascent stage, they are trying to reinvent the wheel in solving most of the problems, they lack the technological maturity needed to understand the services model, they don’t have solid sales and marketing channels, and above all, they don’t have the kind of Übermensch team which is needed to pull this off. There are only a handful of people in India who have worked in such intrinsic areas as security product management, so talent is a big scarcity. I think there is a window of about 1.5-3 years, until the bigger consolidated players fix the rough edges of their offerings, in which such startups can still think of leveraging this big opportunity.

Okay, one more idea for the taking. I think, service-provider/tier-1/backbone security is one market which is still in the experimental phase. There are some great opportunities lying there. Indian companies like Guavus and others like PacketAnalytics are working on it.

Then, opportunities also lie in capturing the contemporary security services market by transforming them into the fashionable on-demand model combined with offshoring. Example being - Veracode for application security.

That day is not far-off when some Indian entrepreneur will make Sramana and SaaSu-Maa jump with joy. Whad’ya say? :)

Happy SaaSu

Take it easy b0y!

March 23rd, 2008 by Dhruv Soi

Most technology leaders in the corporate world have a tough time providing a secure and efficient IT infrastructure to their customers. To meet this challenge, they either recruit a big IT staff to execute smooth operations, or they spend huge funds on making operations go smoothly.

I am not against costly network devices that burn a hole in your pocket to provide the expected results. But I am always worried about SMB companies that can’t afford to get their pockets burnt, given their limited budgets for IT infrastructure. With my long attachment to, experience with and enjoyment of open source software (OSS), I always like demonstrating the power of OSS to my friends and customers. For this, I have been running a volunteer group on Yahoo, linuxtechbiz@yahoogroups.com, and this blog also targets similar interests. Wherever I go, OSS follows. A few well-known OSS tools, and my favourites, are:

Snort - Intrusion detection system, Nessus - Vulnerability Assessment, NTOP - Bandwidth monitoring, Nagios - Network Monitoring, OCS - Inventory Management, OSIRIS - Host Intrusion Detection System, etc.

All these tools monitor the network from various aspects. But would you mind if someone provided you with all of them under one console? For this, I like and recommend deploying Security Infrastructure Management (SIM) in the network. As the name suggests, it can manage all security-related functions from the same console. Plug-ins written for each tool generate and report alerts to the SIM, and the SIM framework then collates and correlates all those alerts to show you the service level being delivered by your IT staff.

Vulnerability assessment provides details about the vulnerabilities found on a host; OSIRIS tells it about changes in system files; NTOP provides data on that host’s bandwidth consumption; OCS provides details about changes in inventory (software/hardware); Nagios equips it with details on the up-time or down-time of the host; and Snort tells you about attacks coming in or going out to/from the host. To go into further detail, forward your event/sys log to the SIM’s syslog and enjoy watching all the system alerts.
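The collate-and-correlate step attributed to the SIM above can be shown in a few lines of shell and awk, working on the kind of syslog feed the post suggests forwarding to it. The block below is an added example; it is not the post's own code and not any SIM product. The syslog lines it reads are constructed, and the host names, addresses, PIDs and the Snort rule ID in them are invented. It generalizes the post's per-host idea slightly: a host is reported once, with a count of alerts and the list of tools that raised them, and only when more than one tool has flagged it.

```shell
#!/bin/bash
# Per-host alert correlation of the kind the post attributes to a SIM, done with awk.
# Added example: not the post's code and not any SIM product. The syslog lines below
# are constructed; host names, addresses, PIDs and the Snort rule ID are invented.

SAMPLE_LOG='Mar 23 10:01:02 web01 snort[2211]: [1:1000001:1] CONSTRUCTED SSH scan 203.0.113.9 -> 192.0.2.10:22
Mar 23 10:01:40 web01 sshd[4411]: Failed password for root from 203.0.113.9 port 51600 ssh2
Mar 23 10:02:05 web01 osiris[812]: change detected: /etc/passwd (checksum differs from baseline)
Mar 23 10:02:30 web01 nagios: SERVICE ALERT: web01;HTTP;CRITICAL;HARD;3;Connection refused
Mar 23 10:02:50 db01 sshd[4500]: Accepted publickey for admin from 192.0.2.5 port 40022 ssh2
Mar 23 10:03:00 db01 nagios: SERVICE ALERT: db01;MySQL;WARNING;SOFT;1;Slow response
Mar 23 10:03:10 mail01 snort[2211]: [1:1000001:1] CONSTRUCTED SSH scan 203.0.113.9 -> 192.0.2.30:22
Mar 23 10:03:15 db01 nagios: SERVICE ALERT: db01;MySQL;OK;SOFT;2;Recovered'

# Reads syslog lines on stdin; prints one tab-separated line per host:
#   host <TAB> number of distinct alerting tools <TAB> alert count <TAB> tool list
# The host is the syslog hostname field, i.e. the machine that forwarded the event.
correlate_alerts() {
    awk '
    BEGIN { n = split("snort osiris nagios sshd", t, " "); for (j = 1; j <= n; j++) known[t[j]] = 1 }
    {
        host = $4
        prog = $5
        sub(/\[.*/, "", prog)                    # "snort[2211]:" -> "snort"
        sub(/:$/, "", prog)                      # "nagios:"      -> "nagios"
        if (!(prog in known)) next               # only the tools the post wires into the SIM
        msg = ""
        for (i = 6; i <= NF; i++) msg = msg (i > 6 ? " " : "") $i
        # Per-tool filters so that only real alerts count, not recoveries or normal logins
        if (prog == "nagios" && msg ~ /;OK;/) next
        if (prog == "sshd" && msg !~ /Failed password/) next
        key = host SUBSEP prog
        if (!(key in seen)) {
            seen[key] = 1
            nsrc[host]++
            srcs[host] = (srcs[host] == "" ? "" : srcs[host] ",") prog
        }
        hits[host]++
    }
    END { for (h in nsrc) printf "%s\t%d\t%d\t%s\n", h, nsrc[h], hits[h], srcs[h] }
    ' | sort
}

# Keeps hosts flagged by at least <min> different tools: one consolidated line instead
# of a separate alert per product, which is the collate-and-correlate step of a SIM.
flag_hosts() {   # flag_hosts <min>
    awk -F'\t' -v min="$1" '$2 >= min { printf "CORRELATED %s: %d alerts from %s\n", $1, $3, $4 }'
}

printf '%s\n' "$SAMPLE_LOG" | correlate_alerts | flag_hosts 2
# prints: CORRELATED web01: 4 alerts from snort,sshd,osiris,nagios
```

On the sample feed only web01 is reported, because Snort, sshd, OSIRIS and Nagios all flagged it; db01 and mail01 were each seen by a single tool and stay below the threshold. Pointing the pipeline at /var/log/messages on the SIM host instead of the sample gives the same per-host summary for a real forwarded feed.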

So rather than chasing your IT staff, deploy a SIM and have fun at work! Oops, I talked about open source software, and it is freely available.