Tuesday, August 30, 2005

Sun Tzu on Network Security

I'm a big Sun Tzu fan. I've got a small collection of different translations and interpretations of his work, as well as a few other similar texts. I've also long harbored a secret desire to do an updated infosec interpretation of The Art of War, so when I saw this link, of course I was immediately interested.

Overall, I like this paper. Though I don't agree with all of Mr. Toderick's points, it's well worth a read.

Monday, August 29, 2005

Titan Rain: Scary as it Gets

Are Chinese cyberspies massively hacking US government and military networks? Perhaps. Read this. Then read Richard Bejtlich's take on it.

The theory that the Chinese government is behind this campaign seems very plausible. China has a well-documented history of espionage, going back more than 2,000 years to the time of Sun Tzu. If you're interested, I'd recommend The Seven Military Classics of Ancient China, Including The Art of War and, far more recently, The Tao of Spycraft: Intelligence Theory and Practice in Traditional China.

Monday, August 22, 2005

A week in the life...

I enjoyed this short piece on what it's like to be part of the F-Secure response team during a global worm outbreak. Glad I'm not them!

PS: 100th post!

PC World profiles professional cybercriminals

PC World just published the first of a five-part series on the professionalization of crime on the Internet. Looks like a good overview of the subject. Should be an interesting series.

Wednesday, August 03, 2005

LinuxWorld get-together

If you're going to be at LinuxWorld next week in San Francisco, why not drop by and say hi?

Defcon's Wall of Sheep

This is hilarious. People, if you go to a hacker conference, make sure you practice safe computing. I would have thought this was just common sense.

Tuesday, August 02, 2005

How to pwn a planet

Reuters (and many other sources) are reporting that astronomers at Caltech may have been pressured by hackers to reveal their discovery before they had completed their analysis.

I must have missed this statement when I first read about the planet, but I think this is pretty interesting. Apparently attackers had compromised a "secure server" and determined that the astronomers had made this discovery, and threatened to make the information public if the researchers didn't do it themselves. It makes me wonder what they got access to. I'm betting it was email, because I'm not sure I'd buy the idea that they'd be able to make sense of the scientific data itself. Anyone know?

Thursday, July 28, 2005

Michael Lynn's Black Hat presentation: What's the big deal?

In case you haven't heard, there's a big controversy over one of yesterday's Black Hat presentations. I frankly don't see what all the fuss is about.

According to Cisco, Lynn reverse engineered parts of IOS while working for ISS. This allowed him to discover methods to make use of existing vulnerabilities to gain shell access or execute arbitrary code on a Cisco router.

People, this is a big technical step forward, but it's just not news. First, Mr. Lynn has not created or publicized new Cisco vulnerabilities; he's merely come up with some more creative ways to make use of existing vulnerabilities. Second, I don't think any security professional should be surprised that it's possible to use a stack or heap vulnerability to execute code. It's been done to death on every other platform, so why not IOS too? My hat's off to Mr. Lynn for what is definitely some masterful coding on his part, but we've seen this before elsewhere.

What really puzzles me, though, is why anyone is surprised that he's apparently going to be sued by both Cisco and ISS. I'm not privy to the agreements he may have signed with ISS when he was employed there, nor do I know any details about any NDAs that might be in place between ISS and Cisco. However, if he was paid by ISS to work on this project, the work belongs to ISS and not to Mr. Lynn. That alone could be sufficient grounds for ISS to complain, especially because by outing the work, he has also probably opened ISS itself to lawsuits from Cisco.

So please everyone, let's get over this teacup imbroglio. This just isn't the story everyone thinks it is.

Monday, July 11, 2005

Tor is a double-edged sword

Yes, this article's conclusions are a little obvious. An anonymizing network protects the privacy of normal users and evildoers alike. That was just about my second thought on hearing about Tor (the first was, "Cool!").

I like this article, though, because it has a step-by-step guide to running some simple Nessus scans through Tor. I haven't been using Tor in my penetration tests, partly because being anonymous isn't much of an issue, but mostly because I don't know that I trust it to work well for all the various Nessus tests. I might give this guy's method a try, though, and see how it goes.

Monday, June 27, 2005

Seagate's encrypted hard drives

This announcement has been getting a fair amount of press recently. I think it's great that a major hard drive manufacturer is getting on the hardware encryption bandwagon, but I have a couple of questions.

First off, it seems as though the user must enter a password to unlock the encryption key before the OS will even boot. Does this imply that you need a special BIOS to handle this functionality?

Also, are there any brute force countermeasures in place to defeat password guessing attacks? It seems as though forensic analysts are going to have a tough time with these, but since most users choose sucky passwords, maybe it's not all bad news for the good guys. On the other hand, good lockout or data destruction features could really come in handy with these units.

If anyone knows more about this, I'd appreciate it if you could drop a comment here to clarify things.

Friday, June 03, 2005

Off to InfoSeCon

I'll be flying out tomorrow for InfoSeCon in Dubrovnik, Croatia. I'll be speaking and teaching, but I plan to attend a bunch of the sessions as well. Keep your eyes on the blog for updates throughout next week.

Tuesday, May 24, 2005

Send $200 in unmarked e-cash...

This story is a little light on technical details, but interesting nonetheless. Short form: an attacker encrypts important business documents, then leaves a $200 ransom note for the encryption keys. I'm sure this sort of thing happens all the time, but it rarely makes the mainstream media (especially not for a measly $200 ransom).

Have you backed up your files lately?

Saturday, May 21, 2005

Inside Operation Firewall

Business Week has an article with some interesting details on last October's Shadowcrew bust. Pretty interesting, especially for a non-tech publication.

Friday, May 13, 2005

A big shout-out to all my Croatian fans!

In a rather unlooked-for but extremely welcome turn of events, I've been scheduled to speak at next month's InfoSeCon in Dubrovnik, Croatia (June 6 - 9). I will be presenting a talk on Network Security Monitoring (NSM) with the open source Sguil software. I'll also be teaching a more advanced master class on NSM based on Richard Bejtlich's The Tao of Network Security Monitoring.

And let me just say that the location looks to be a stunning seaside resort on the shores of the crystal blue Adriatic. Even if you don't care to hear me talk, come for the junket value!

Tuesday, May 10, 2005

Symantec releases worm outbreak simulator

This is just too cool. You can download and run this on your own Windows system, but although the documentation says you can tinker with the security policies, worm characteristics and other simulation variables, the software doesn't seem to allow you to do this. I guess Symantec doesn't want to give undue advantage to its competitors (or the worm creators), which I suppose is understandable. Still, if we could at least edit the network security policies and such, this would be a great tool to show your users & management the importance of good security controls!

IPSec information disclosure vulnerabilities

The UK's National Infrastructure Security Coordination Centre has published an advisory about vulnerabilities in certain IPSec configurations that could allow an active attacker to recover the plaintext of the encrypted communication.

If you're using IPSec, you need to read the advisory, but I can tell you briefly that the attack involves twiddling the bits of the encrypted payload so that the IP header of the tunneled packet is modified in various ways, which should generate ICMP diagnostic messages on one side of the tunnel. ICMP error messages typically include the header and payload information from the packet that generated the error condition, in this case the decrypted inner IP packet.

The advisory claims that this attack can be fully automated and can potentially recover entire encrypted sessions. The best workaround seems to be to configure ESP's integrity protection as well as its encryption, though blocking ICMP error messages would also be effective in some circumstances.
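Why the integrity-protection workaround is the right one, as an added example that is not from the advisory or the original post: a toy 4-round Feistel cipher stands in for AES (the CBC chaining and the HMAC integrity check value are real), and the keys, IV and 16-byte "inner packet" are constructed for the demo. On an encryption-only SA a single flipped ciphertext bit comes out as the same flipped bit in the decrypted inner header and the packet is processed; with an ICV the same packet fails the check and is dropped before anything is decrypted, so no ICMP error can ever be generated from it.

```python
import hashlib, hmac
BLOCK = 8  # block size of the toy 4-round Feistel cipher below (a stand-in for AES in CBC mode)

def _xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def _f(key, half, rnd): return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def block_encrypt(key, blk):
    l, r = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r

def block_decrypt(key, blk):
    l, r = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

def esp_protect(enc_key, auth_key, iv, inner):
    body = iv + cbc_encrypt(enc_key, iv, inner)  # ESP-style body: IV || ciphertext
    return body, hmac.new(auth_key, body, hashlib.sha256).digest()[:12]  # truncated ICV over the body

def esp_receive(enc_key, auth_key, body, icv=None):
    # icv=None models an encryption-only SA; with an ICV, a modified body is dropped (None) before decryption
    if icv is not None and not hmac.compare_digest(
            hmac.new(auth_key, body, hashlib.sha256).digest()[:12], icv):
        return None
    return cbc_decrypt(enc_key, body[:BLOCK], body[BLOCK:])

def demo():
    enc_key, auth_key, iv = b"demo-enc-key", b"demo-auth-key", bytes(range(BLOCK))  # constructed
    inner = b"IPHDR\x40\x00\x01" + b"DATA...."  # constructed: block 0 = inner header, block 1 = data
    body, icv = esp_protect(enc_key, auth_key, iv, inner)
    tampered = body[:5] + bytes([body[5] ^ 0x01]) + body[6:]  # CBC: IV bit flip -> same bit in block 0
    return {"no_icv": esp_receive(enc_key, auth_key, tampered),        # accepted, header byte 5 is now 0x41
            "with_icv": esp_receive(enc_key, auth_key, tampered, icv)}  # None: dropped before decryption
```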

Monday, May 09, 2005

F-Secure tries to infect the Prius

This is pretty creative. I admit to having wondered myself how secure some of these Bluetooth-enabled car computers were. When a friend of mine got a new 2004 Prius last year, we actually went out and tried to see if we could somehow access it with my PDA, but we didn't go to nearly the trouble these guys did!

Monday, April 25, 2005

Always beware of conference wireless...

ZDNet UK is running an article about some attackers providing counterfeit wireless access to attendees. According to the story, the crackers strolled around the conference with access points running on their laptops and advertising well-known SSIDs (like tmobile). When a victim associated with the access point, the software generated randomly mutated malware (to bypass antivirus scanners) and attempted to download it onto the client.

None of these features are new, but the combination is. This is a very nasty (and probably quite effective) use of existing off-the-shelf technology.

Monday, April 18, 2005

Schneier on "Hacking the Papal Election"

This is how you think about everything in your life if you're in the security field. Check out Bruce Schneier's analysis on Hacking the Papal Election.

Insight on this month's "Scan of the Month"

Richard Bejtlich (analyst, author and blogger extraordinaire) has a good point in his latest blog entry. The Honeynet Project's Scan of the Month collects a whole lot of data, but how much time will it take a good analyst to complete the challenge? Properly applied NSM certainly would make this sort of thing much easier. Go Sguil!