Friday, September 14, 2007

sec roundup

koo koo, now a scoped down sec post...

so recently there was this article about how MS moving into the Linux space w/ Novell was them subverting *nix and OSS, and how we should all scream that the sky is falling and MS is coming to murder our kids while we're being distracted by the sky...

i don't really buy it. imo, it seems to me that *nix and OSS have been so successful that MS adopts a strategy which consists of purchasing new teams of developers who might write better code which leverages code which is already good and not full of tons o legacy bugs and conventions.

this is merely an extension of a phenomenon we all saw w/ the introduction of competition into the browser market back in the day. successful alternate browsers (such as firefox) forced MS to dust off their IE dev team and start making IE updates post-netscape navigator.

MS trying to make better products that customers want isn't going to "hurt" OSS or linux. Ultimately, this move by MS can only be successful if they produce apps which fill the demands being satisfied by major nix and oss projects today: value, quality, performance, etc. this benefits everyone...

and for what it's worth, i was just at a client site last week where they said that Novell ZENworks endpoint security is nifty and full of cool sec bits... oh yea, and it runs on windows too... lol...

oh yea, looks like spammers are attacking anti-spammers yet again... the article ends on an interesting idea of spamware blocking anti-spam measures on the client... that'd be an interesting evolution of the arms race if it hasn't actually happened already.

you know, if they feel they have to jack things up, instead of degrading bit-torrent downloads (which btw 1: can be legitimate and 2: i actually want) maybe our ISPs could start down the slippery slope of meddling w/ the internet by degrading things that i _don't_ want, like spam...

[PSYOP Update I]

so now we're gonna have broken out psyop posts, cause there is so much i don't want to mix it in w/ regular sec...

as others have noticed, there is some weird ass stuff going on w/ some US nukes. i am _ashamed_ to say that i saw this on sunday the 9th, and didn't think twice to say anything but "well that sure is a screwup". mb it is b/c i still hold out an underlying hope that no matter how far this thing goes, we won't see the use of even "tactical" nuclear weapons... anywho, this incident is either an ironic and unprecedented (?) mistake, or else it implies bad things to come.

iran is still in the news. looks like they're fighting back, presumably showing that they can dork up our economy... my prediction machine thinks this can be spun as an act of aggression...

in order to reduce the likelihood of some unfortunate precipitating event, we've decided to construct a base right on the iranian border... >cough<>cough<bullshit>cough<... the article notes something that sounds like the last war sales pitch:
[the US has] shifted its focus from Iran's alleged nuclear weapons program to its alleged shipment of IEDs across the Iraq-Iran border as the principal rationale in selling a possible attack

so then this story about insurgents using russian-made armor-piercing (shaped charge) grenades to kill US soldiers... this strikes me as quite similar to the EFP issue, and it sounds like iran is gonna be fingered w/ supplying these weapons...

[tangent]
speaking of russia... been seeing some cold-war-ish military maneuvers... and a dissolving govt is always a sign of stability... and the best being a ginormous bomb test... note that it is the 'father of all bombs', which i guess is intended to be more manly than our MOAB?

it may or may not be worth noting that this is a thermobaric weapon... described as inhumane, cruel, etc... also, we've been using smaller versions in afghanistan and iraq for some time now ...
[/tangent]

last but not least. so apparently some lady in pennsylvania took a picture of the smoke from the flight 93 crash right after it happened. turns out that she is being harassed and attacked by random and anonymous people; accused of doctoring the picture or using it in a get-rich scam... even though the FBI openly says it has "no reason to doubt" the legitimacy of the photo. sounds possibly similar to a tactic which seems to have been employed w/ some degree of success by scientologists: dead agenting

Thursday, September 13, 2007

back in town

back from training w/ juniper in dallas... good stuff all around, and good ppl too. here's a bit that helps me continue to believe there are corps that aren't all messed up:



anywho it was a good time. training and lab time and all of that; network focused. the dallas lab is pretty much something of everything from the product line (sometimes two; presumably when ha is expected) and some other interesting boxes. sry for the craptastic pic of part of it:



got some nda info on stuff in the pipe. not earth shattering (you've been hearing rumbles), but the outlined implementation is interesting.

i finally got to play w/ dynamic routing, and think i kinda understand it... ;)

Saturday, September 8, 2007

web2 application attack detection?

sooo, a blog post and the anti-rootkit blurb got me thinking...

i wonder if you could build a security framework based around a browser extension that either shimmed itself into the datastream or spawned a sniffer process which watched packets on the wire, or both...

can a non-virtual rootkit lie to you about a pcap call, or are you accessing the device directly?

anyway, i don't know enough about web2 attacks to know how you'd go about it, but it seems like there may be a way to do either signature or anomaly detection by watching http payloads (and https, if you're the ssl termination point / proxy)... maybe through comparing:

  • what a user is doing in the browser vs what the browser is doing out to inet
  • what an os shows as active http connections and what packets are really going out across the wire
  • cached site functionality to new site functionality/script tags/calls

or maybe just keywording simple functionalities and setting up some type of zoning or alerting...

...

ok, i promised myself i wouldn't post about the psyop thing again... but... i lied...



after talkin it up about suitcase bombs and wmd, we move on to:


HANNITY: I believe Iran is fighting a war by proxy. They're funding Hezbollah to the tune of $100 million a year. They're providing the IEDs that are being used to kill American soldiers and providing soldiers as part of the insurgency, battling our soldiers. How do you handle Iran?

THOMPSON: ... They [Iran] are killing our people as we speak ... basically reprocessing that uranium enough to get fissile material ... most experts think well on their way to making a nuclear weapon and, of course, they've threatened Israel ... They are perhaps getting closer to a revolution in Iran. That economy is so bad, the civil oppression is so bad against their own people, we've got some friends among those people there, there are some good things that can happen.

HANNITY: So that means that America must have a plan and prepare for possible military action if they're on the verge of getting nuclear weapons?

THOMPSON: Yes.


tell me this is projection... lol... either that or some weird deja vu-ish thing...

Friday, September 7, 2007

back to reality

i'm gonna cry if i ever unwittingly admin a system w/ a flaw like this...

best quote:

As a result of today's breach, new measures were being added to what he described as a multi-layered security operation.


yea... a multi-layered operation which consists of believing what you're told... these are not the droids you're looking for... nice demo of _simple_ social engineering brutalizing a formidable defense...

in other news, still kicking around the rootkit detection tool ideas... mb got something out of the box to tinker w/...

something completely different... rumor has it a massive psyop is running soonish... don't see it yet, but mb it's subtle and i'm just not paying attn...

Monday, September 3, 2007

taking the scope out a tad...

well, looks like sony produced another solid piece of security enhancing software. imo, (unless i'm not keeping up w/ current events properly) rootkits are ready for easy to deploy automated scanning tools... seems like they are mb taking up some of the slack of buffer overflow defense work... best quote:

When the original Sony rootkit scandal hit, a Sony executive originally dismissed it by saying that "most people, I think, don't even know what a rootkit is, so why should they care about it?"


does this seem like it might produce the type of negativism we've been trying to avoid here at home?

... [they] were consultants working with Marines at Camp Pendleton. They say they were humiliated ...


how do you turn allies into enemies? mb by making them feel like you don't see them as allies based on irrational fears? might be a stretch, but one could argue that this real-world issue is analogous to projecting information security into an environment...

speaking of RW security, has anyone else noticed the number of stories talking about things that are normally supposed to be secret...? like details of strategic and tactical military action? for the sources on these stories, are we seeing a minor revolt by the intelligence corps? did anyone else catch the bit about the rove resignation relating to iran? i saw an interview snippet in which he says he's leaving because he was asked to leave....

does the current usa admin team wonder if the tail could be wagging the dog? it seems like there might be other elements in the world looking to manipulate large geographic areas...