Wednesday, April 29, 2009

effective selective near real time mass communication?

today i saw the highway being shut down along a route that some important person would presumably soon be traveling. i was able to observe some interesting operational details, and started pseudo-red-teaming the situation in my head looking for vulns.

i tweeted about the route, and that got me thinking about how much operational real-world security benefits from obscurity.

if someone was paying attention and could act upon the information i tweeted, it could present a significant security exposure. ZOMG!!!1! twitter is a terrorist tool!!! nono, that's not what I'm saying...

the amazonfail hashtagging phenomenon shows us something about this: if a grassroots group of people wants to track a topic in near real time, they can do it. soooo, looping back to physical security and operational security issues, hashtagging could be used to track a number of things which traditionally have been effective in part due to obscurity, such as:

#roadblock
#sobrietycheck
#speedtrap

these are all candidates for multi-tagging with a #city hash to make them more useful.

i guess you could track celebrity locations in near-real time too:

#bradpitt #paparazzi
#clairedanes #stalker

orrrrr how about #flashmob #city.... or #hotclub #city.... or #riot #city... waitwaitwait...

anyway, the point (if there is one) is that no single person can make twitter give them this type of information, but if certain hashtags become popular grassroots phenomena, they can significantly alter the effectiveness of traditional obscurity-based physical security measures. even if #roadblock is never picked up, someone looking might be able to infer the same thing from #traffic ;)
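to make the "grassroots aggregation" point concrete, here's an added example (my own toy code, not anything from the original post or from twitter): it takes a constructed feed of tweets, buckets reports of a topic tag by co-occurring #city tag and 15-minute window, counts each handle once per bucket so one loud account can't fake a trend, and lets weaker proxy tags like #traffic contribute a fractional score. the handles, cities, and tweets are all made up.

```python
import re
from collections import defaultdict
from datetime import datetime

HASHTAG = re.compile(r"#(\w+)")
KNOWN_CITIES = {"boston", "denver"}   # assumption: the #city tags we care about

# constructed sample feed (timestamp, handle, text); not real tweets
TWEETS = [
    ("2009-04-29 14:02:10", "alice", "stuck at a #roadblock on 93 northbound #boston"),
    ("2009-04-29 14:05:41", "bob",   "cops closing the ramps near the tunnel #roadblock #boston"),
    ("2009-04-29 14:09:03", "carol", "#traffic is insane on 93 south right now #boston"),
    ("2009-04-29 14:11:27", "dave",  "#roadblock #boston storrow drive shut"),
    ("2009-04-29 14:40:55", "eve",   "just got waved through a #sobrietycheck #denver"),
    ("2009-04-29 16:30:00", "frank", "#roadblock #boston all clear now"),
]


def hashtags(text):
    """lowercased set of hashtags in one tweet"""
    return {t.lower() for t in HASHTAG.findall(text)}


def parse(feed):
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, hashtags(text))
            for ts, user, text in feed]


def hot_spots(tweets, topic, proxies=None, window_min=15, min_score=3.0):
    """bucket reports of `topic` by co-occurring #city tag and time window.

    `proxies` maps weaker related tags to a weight (e.g. {"traffic": 0.5}) so
    indirect signals still count for something. each handle counts once per
    bucket (its strongest signal), so one person tweeting ten times doesn't
    manufacture a trend. returns [(city, window_start, score, reporters)] for
    buckets at or above min_score, strongest first.
    """
    proxies = proxies or {}
    buckets = defaultdict(dict)            # (city, window_start) -> {handle: weight}
    for ts, user, tags in tweets:
        if topic in tags:
            weight = 1.0
        else:
            weight = max((proxies[t] for t in tags if t in proxies), default=0.0)
        if weight == 0.0:
            continue
        start = ts.replace(minute=ts.minute - ts.minute % window_min, second=0, microsecond=0)
        for city in tags & KNOWN_CITIES:
            key = (city, start.strftime("%Y-%m-%d %H:%M"))
            buckets[key][user] = max(buckets[key].get(user, 0.0), weight)
    spots = [(city, start, sum(w.values()), len(w))
             for (city, start), w in buckets.items() if sum(w.values()) >= min_score]
    return sorted(spots, key=lambda s: -s[2])


if __name__ == "__main__":
    for city, start, score, n in hot_spots(parse(TWEETS), "roadblock", proxies={"traffic": 0.5}):
        print(f"#{city} {start}: roadblock score {score} from {n} handles")
```

the thing to notice is that nobody in the feed coordinated anything; the signal only exists because several strangers happened to use the same two tags in the same quarter hour. the single #sobrietycheck report in denver never clears the threshold, which is the other half of the point: a tag only "works" once enough people adopt it.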


*update* - looks like i tweeted the route taken by the presidential motorcade...

Thursday, April 23, 2009

quick misc blurbage

sqlmap: the new version sounds pretty niftified... reading the whitepaper atm.

GreenSQL: on the other side, this tool sounds potentially nifty... a reverse proxy for SQL connections which uses positive and negative security models (a learned allowlist of expected query shapes, plus a blocklist of known-bad constructs). perhaps granular proxies like this can be combined with WAFs to provide reasonable app-layer protection, or perhaps you'll just end up with a huge blob of false negatives and false positives and an unmanageable nightmare ;)

Joint Strike Fighter theft: so add another tally for china i guess (unverified). the bit that stands out to me is that the volume of information stolen was "several terabytes". gonna take a step back from the hype and just point out that very low-tech things like a human watching network flows and trends based on protocol and destination might've been helpful here. maybe some low-cost common sense defensive controls will come out of the DoD hiring hackers... it'd be an interesting network to try to defend...
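here's the "human watching flows" idea reduced to code, as an added example (my own, not from the post and not a description of the JSF network or of any real flow tool). it parses constructed netflow-ish lines, totals inside-to-outside bytes per destination/protocol/port per day, and flags the newest day when a destination is brand new, blows past its own per-day baseline, or exceeds an absolute egress cap. the address ranges, thresholds and flows are all assumptions; the one "bad" destination moves about a terabyte overnight.

```python
from collections import defaultdict
from datetime import datetime

INTERNAL = ("10.",)   # assumption: our address space; everything else is "outside"

# constructed sample, not real traffic:  date time src dst proto dport bytes
FLOW_LOG = """\
2009-04-20 09:12:05 10.1.4.22 203.0.113.9 tcp 443 2100000
2009-04-20 11:40:11 10.1.7.3 203.0.113.9 tcp 443 1900000
2009-04-20 13:02:44 10.1.4.22 198.51.100.5 udp 53 48000
2009-04-21 08:55:20 10.1.4.22 203.0.113.9 tcp 443 2300000
2009-04-21 12:10:09 10.1.7.3 203.0.113.9 tcp 443 1700000
2009-04-21 14:31:02 10.1.4.22 198.51.100.5 udp 53 51000
2009-04-22 09:01:37 10.1.4.22 203.0.113.9 tcp 443 2000000
2009-04-22 10:22:18 10.1.7.3 203.0.113.9 tcp 443 2200000
2009-04-22 15:47:55 10.1.4.22 198.51.100.5 udp 53 47000
2009-04-23 02:03:11 10.1.4.22 192.0.2.77 tcp 443 400000000000
2009-04-23 03:15:40 10.1.4.22 192.0.2.77 tcp 443 350000000000
2009-04-23 04:22:19 10.1.4.22 192.0.2.77 tcp 443 300000000000
2009-04-23 09:05:30 10.1.4.22 203.0.113.9 tcp 443 2200000
2009-04-23 10:48:01 10.1.7.3 203.0.113.9 tcp 443 1800000
2009-04-23 13:20:12 10.1.4.22 198.51.100.5 udp 53 50000
"""


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        d, t, src, dst, proto, dport, nbytes = line.split()
        flows.append({"ts": datetime.strptime(f"{d} {t}", "%Y-%m-%d %H:%M:%S"),
                      "src": src, "dst": dst, "proto": proto,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def is_internal(ip):
    return ip.startswith(INTERNAL)


def egress_by_day(flows):
    """(dst, proto, dport) -> {date: bytes} for inside -> outside flows only"""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[(f["dst"], f["proto"], f["dport"])][f["ts"].date()] += f["bytes"]
    return totals


def find_anomalies(totals, factor=10.0, abs_bytes=50 * 10**9):
    """compare the newest day against the earlier days for every destination/protocol.

    flags a destination never seen before, a day more than `factor` times its own
    per-day mean, or a day over an absolute cap (assumption: nobody on this network
    legitimately ships 50 GB+ to one outside host in a day; tune to your baseline).
    returns [((dst, proto, dport), [reasons], bytes_on_latest_day)], biggest first.
    """
    days = sorted({d for per_day in totals.values() for d in per_day})
    if not days:
        return []
    latest, history_days = days[-1], days[:-1]
    findings = []
    for key, per_day in totals.items():
        today = per_day.get(latest, 0)
        if today == 0:
            continue
        reasons = []
        history = [per_day.get(d, 0) for d in history_days]
        if not any(history):
            reasons.append("new destination")
        else:
            mean = sum(history) / len(history)
            if today > factor * mean:
                reasons.append(f"{today / mean:.0f}x daily baseline")
        if today >= abs_bytes:
            reasons.append("exceeds absolute egress cap")
        if reasons:
            findings.append((key, reasons, today))
    return sorted(findings, key=lambda f: -f[2])


if __name__ == "__main__":
    for (dst, proto, dport), reasons, nbytes in find_anomalies(egress_by_day(parse_flows(FLOW_LOG))):
        print(f"{dst} {proto}/{dport}: {nbytes / 1e9:.0f} GB on latest day; {', '.join(reasons)}")
```

nothing here needs signatures or deep packet inspection: the two https vendors and the resolver stay flat day to day and never trip anything, while a previously unseen host that suddenly receives a terabyte stands out on volume alone. that's the kind of trend a person eyeballing per-destination totals would have caught.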

Thursday, April 9, 2009

vapor client sec app, and further ramblings...

now that it's CFP time, i'll revisit an idea from years past.

everyone pretty much accepts that AV blacklisting fails. modern behavioral AV appears to be hit and miss. imo, whitelisting is the way to go.

a while back i thought it'd be interesting to leverage the features of rootkits into a defensive security device. the crux of it was to have a rootkit that examined every program prior to execution or during execution, and if it isn't an approved and signed app, it can't run.

whitelisting is a challenge on a couple of levels:


  • how do you stay up to date with releases, patches, etc
  • how can you decide programs aren't malicious?
  • surely more...?


staying up to date will require some dedicated cycles or service for evaluating new apps, accepting requests for missing apps, etc. i've been thinking that there might be value in starting an OSS community project to identify and sign non-malicious apps.

that leads into how you decide an app isn't malicious. the basic idea i had was for a service to run software on VMs for a period of time and examine the traits of the software and how it has updated, impacted, and utilized the system: AIDE-style HIDS examination of filesystem changes, watching network traffic, watching for changes to the OS in memory, etc. you may even be able to write an algorithm to take a human analyst out of the picture, but it'd probably be tricky.

if you do this, one other concern is malware which sleeps for a delay before becoming overtly malicious. maybe you could do static analysis on the executable and enumerate all the functionality. or you could run it in a VM over time and, instead of reporting something as secure/insecure, give it a security rating based on the length of time it's been analyzed (say in a VM out in the cloud, in some SaaS AV whitelisting business model). the customer gets a portal which shows the trust rating of given apps and can assume the risk of running any given app in their environment.
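the two mechanisms above (refuse anything not on the approved list, and AIDE-style filesystem diffing inside the analysis VM) fit in one small added example. this is my own toy code, not AIDE, not AppLocker, and not any vendor's product: a default-deny hash allowlist (the equivalent of an AppLocker file-hash rule, minus the signing/publisher side) plus a snapshot/diff of a directory tree that reports added, removed and modified files. the "binaries" are a few bytes written into a temp dir and the allowlist entry is made up.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """AIDE-style baseline: relative path -> (sha256, size, mode) for every regular file"""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = (sha256_file(p), st.st_size, oct(st.st_mode & 0o777))
    return baseline


def diff_snapshots(before, after):
    """what changed between two baselines; this is the report an analyst (or a scorer) reads"""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in set(before) & set(after) if before[k] != after[k]),
    }


def execution_allowed(path, allowlist):
    """default deny: a binary may run only if its hash is an approved entry"""
    digest = sha256_file(path)
    if digest in allowlist:
        return True, f"approved: {allowlist[digest]}"
    return False, f"denied: unknown hash {digest[:12]}..."


def demo():
    """constructed scenario: an approved binary gets patched and a dropper shows up"""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        app = root / "bin" / "editor.exe"
        app.write_bytes(b"MZ fake but approved editor build 1.0")
        # the allowlist is keyed by content hash, so a single byte of change revokes approval
        allowlist = {sha256_file(app): "editor 1.0 (reviewed 2009-04-09)"}  # assumed entry
        before = snapshot(root)
        ok_before = execution_allowed(app, allowlist)

        app.write_bytes(b"MZ fake but approved editor build 1.0" + b"\x90" * 16)  # tampered
        dropper = root / "bin" / "svchost32.exe"
        dropper.write_bytes(b"MZ definitely not svchost")                          # new file

        after = snapshot(root)
        return {
            "before": ok_before[0],
            "after": execution_allowed(app, allowlist)[0],
            "dropper": execution_allowed(dropper, allowlist)[0],
            "changes": diff_snapshots(before, after),
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

the diff is the interesting output for the sandbox side of the idea: a sample that quietly patches an existing executable and drops a look-alike system binary produces a report that is hard to explain away even without knowing what the payload does. the obvious gap, and the reason real products layer publisher signatures on top of raw hashes, is that every legitimate patch also changes the hash, which is the "staying up to date" cost from the list above.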

i found out that a company called fireeye does some really interesting heuristic AV work which does a similar HIDS type analysis of executables. i was pretty impressed with their presentation, if only from the standpoint of doing AV out of the box, but i haven't had a chance to see the product in action yet.

anyway, some people get down on whitelisting because it's too difficult to admin, and isn't perfect, etc etc. personally, looking at enterprise endpoint management, the tradeoffs make sense to me. an imperfect whitelisting solution which has administrative overhead should pay for itself in reduced malware cleanup, os reloads, incidents, etc.

since windows is a reality in enterprise environments, i'm looking forward to spending some time with AppLocker in Windows 7 to see if there's a chance to roll out a whitelisted set of apps along with the OS in the near future... seems like a huge chance for a security win, if the project can be designed and implemented properly....

that's all, for now...

Tuesday, April 7, 2009

rw sec blurb

the overlaps in rw-sec and infosec tempt me into running astray w/ my blog posts from time to time... here is one of those times...

ran across this article about how obama is using the 'state secrets' bit to block lawsuits fighting the warrantless wiretapping program. rather than delving into any political bs, i want to try to examine motives here...

why would obama, who is generally seen as far opposite of bush, support one of the single most controversial programs and legal positions of the bush administration?


  • lack of moral character: he betrays key asserted ideals once he assumes the throne

  • pressure from hidden powers: intel agencies (et al) force his hand in some political thriller type scenario

  • executive power precedent: now that the executive branch has asserted such broad authority under the premise of national security, it would be moronic to give that power up (i blogged supporting this position earlier)

  • sources & methods: there is significant intel value in this program, or in a related undisclosed program


at the moment i hate to lean towards the 4th option, but i am. i think executive power is still a compelling argument ("oh, i won't use this great power for evil!"), but maybe once he got briefed in he found out that there is value here. no matter if they ID'd Atta or not, it's clear that Able Danger demonstrated a continued commitment to generate info from data for signals intel... perhaps the next generation programs are bearing fruit...

so pointless to speculate about really... anywho, maybe infosec posts again someday?

Friday, April 3, 2009

quick quotage

wow, it's been a long time since i posted... been really busy w/ work, life, etc... anywho, i was catching up on feeds, and felt like this quote from joanna is worth sharing:

does the fact we can easily compromise the SMM today, and write SMM-based malware, does that mean the sky is falling for the average computer user?

No! The sky has actually fallen many years ago… Default users with admin privileges, monolithic kernels everywhere, most software unsigned and downloadable over plaintext HTTP — these are the main reasons we cannot trust our systems today. And those pathetic attempts to fix it, e.g. via restricting admin users on Vista, but still requiring full admin rights to install any piece of stupid software. Or selling people illusion of security via A/V programs, that cannot even protect themselves properly…


;)