Wednesday, July 6, 2011

late spring-cleaning mash-up ramblings

.:[Contemporary Attack & Defense: Lulz Teez Peez]:.

If you can not be kind, at least have the decency to be vague
By 渍 (stains)


soooo, The-State-Run-Attack-Group-That-Shall-Not-Be-Named is pwning all over... and so are plenty of other attack groups... prolly even the most nimble and motivated orgs are working hard to keep up.

some industry statements are so WTF!?!... it can be tough to tell FUD vs ignorance...?

afaik, there isn't a wealth of sharing when it comes to effective defense tactics/techniques/procedures. it is arguably important to protect some effective defensive TTPs, but certain norms are common and fatal and not often dealt with:

  • admin rights
  • pervasive broad access which often isn't auditable, much less monitored in near real time
  • feeble patching policies
  • laughable vendor-"driven" "remediation" via "anti-virus" "quarantine"
  • virtually non-existent internal segmentation
  • weak controls and non-existent near-real-time visibility on egress flows
  • virtually no control or integrity concerning the processes and executables on systems across environments large and small

imho, lulzsec gets a +1 for doing the world the service of unignorably highlighting the fact that 'dedicated attackers' can kick a lot of our asses in no time flat. some might be uncomfortable w/ that fact, but how can you ignore it? that hackolution was just tweetivized... ;)


.:[Balance in the Waves of Attack & Defense: Frivolous Musings]:.

It may be that your sole purpose in life is simply to serve as a warning to others
By 士松 (Shisong)



improvement in attack has been exponential while defense has been linear...

attack:
  • tons of excellent education opportunities
  • glamorous pen-test consultant lifestyle
  • top-tier exploit r&d shops for ninja
  • howto? take your pick: app attacks, social eng, os attacks, rented attacks, etc
  • multiple state & independent movements w/ differing and/or overlapping agendas/motivations
  • wide variety of white/grey/black profit opportunities

defense:
  • vendor hell
  • academic & CEH/CISSP ivory towers
  • individual security controls have limited effectiveness and are generally "expensive"
  • some reversing crews understanding and/or combating modern malware
  • a few outspoken 'mainstream' (?) voices (Herzog, Kaminsky, Potter, etc) continue to press to improve on the status-quo clusterfuck known as "defense-in-depth"
  • listening to environments and effectively processing data quickly into simple relevant information is arguably a key weakness


defense needs improving if just because it is significant commitment and work to try to effectively secure a small simple environment...

my shameless but short-winded manifesto(*) on maybe improving defense:
  • K.I.S.S.
  • intimate knowledge of what/why you permit & deny the rest
  • work w/ what you have (free-ish) first
  • push security roles and accountability to existing accountable admins, not to security orgs that shadow the IT org
  • get good at effectively parsing vast datasets into actionable and relevant information

(*): please note that the author does not claim to implement any of this effectively

as for long term improvement, gotta say +1 to mudge for highlighting the need for simpler execution environments in his shmoo keynote.


.:[Future IRL Attack & Defense: Reflections & Predictions]:.

所有的資產,在不被諒解時,都成了負債
(All assets, when misunderstood, become liabilities)
By 欣侑欣侑欣侑欣侑 (Xinyou/Urges Joyful)



.:[+]:. years ago while reading "Secrets & Lies", i was struck by the insight that inet crime mimics many aspects of IRL crime but w/ certain restrictions removed (geographic proximity, repeatability, etc)... so if IRL crime influenced inet crime, could the inverse happen? perhaps the pervasive access to knowledge as well as the ability to acquire virtually any required component may someday empower independent sophisticated IRL attack groups in accomplishing awe-inspiring feats of IRL crime... and/or vigilantes?

.:[+]:. the deep integration of technology into the fabric of society will inevitably breed and empower a somewhat anarchist element which will not respect borders, governments, and various bothersome restrictions... a class in society which picks and chooses whether or not to follow certain norms and rules, and could perhaps literally open doors which are closed to the average person...


.:[EOF+n]:.

幸福不是一切,人還有責任。
(Happiness is not everything, people have a responsibility)
By 文佩齊華 (Wen Peiqi China)


.:[+]:. doing stuff beats talking about it... so hopefully you all will hear less from me ;)

.:[+]:. to sslvis users: legit or malicious, you keep killing my terrible inefficient kludge back-end "app"... by... using the app :) i'm honored to have so much participation!!! tons of features could improve the app, i will try to make some progress after the next major milestone on the current project... yes, i know it's been over a year since the craptastic alpha was released, sry i am full of the suck :-\

.:[+]:. greetz & respect to all the amazing attackers & defenders i've been honored to share proximity with in the aether... i'm trying to keep up w/ school, but there's ppl setting a wicked pace on all sides!

.:[+]:. and thanks for reading along, and also for the comments... was getting a lot for a while, but they almost all included sketchy links so i mostly managed to keep them un-posted despite a few that slipped through ;) but i enjoyed reading them, so super belated greetz (in no specific order) to the peeps published and/or quoted as well as: 欣侑欣侑欣侑欣侑, 王辛江淑萍康, 楊愛惟, 色情成人卡通漫畫圖, MinB2139, 惠邱邱邱邱雯, 靜錢錢錢怡錢錢錢錢, 阮艳, 文佩齊華, 敬周喜, 嘉王偉, 陳佑發, 佳皓佳皓, 盈廖生家秀蔡, 吳婷婷, 雅莊王edgd春2蕙婷余惠其, 筱婷筱婷, 峻龍, 怡潔怡潔, 慶天慶天, burtong, 林尹, & 秀葉 :D



天下沒有走不通的路,沒有克服不了的困難,沒有打不敗的敵人。
(There is no road that cannot be travelled, no difficulty that cannot be overcome, no enemy that cannot be defeated)
By 楊宜婷俊嘉 (Yang Yi Ting handsome fine)