It is 6am and I am hanging around the department waiting for everyone else to get here so we can drive off into the sunrise for another year of ISSA.
This year will only be a short trip compared to the mission of last year. A whack of Rhodes students are presenting: Russell, Yusuf, Bradley, Jo, Jock and myself.
SecurityFocus has an interview up with Marcus J. Ranum. Attention seems to come in pairs. I really enjoyed what he has to say, on standards, the security industry, and how to make it better. I found his point on approaching security with whitelists rather than blacklists (e.g. antivirus is a blacklist, while this is a whitelist) quite interesting.
Here are a few choice quotations:
In the demonstration the MS05-025 patch is disassembled and the vulnerability that was patched is discovered in less than 20 minutes. Reverse engineering patches isn't a new idea; I first mentioned it here last year and have even done it myself.
UPDATE: This is probably a silly hoax. See, don't believe everything you read on the internet. The hardware keylogger mitigation strategies are still valid however :)
This is a bit tin foil hat, but I wouldn't put it past the merkin government. Dell laptops seem to have network-enabled hardware keyloggers installed. The guy who wrote the story tried to find out why, but Miniluv (the Department for Homeland Security) said he wasn't allowed to know. Anyone else have a laptop they would like to open up?
Now, this is only one laptop and one unconfirmed story, but if it is true then my likening the DHS to the Ministry of Love from Orwell's 1984 is no longer just a humorous inter-textual reference.
On the security side of things, possible mitigation factors are:
- Block the sucker's communication. Fire up tcpdump or ethereal and see how it is sending packets, then firewall it. Alternatively, look for the wire connecting it to the ethernet card and cut it. If it is using the network, Russell doubts it will be doing anything sneaky without knowing gateway details and probably without its own TCP/IP stack.
- Use an external keyboard, preferably USB (I wouldn't put it past them to have another keylogger on the PS/2 port). Similarly, another network card, e.g. PCMCIA, might help.
- Use non-standard keymaps i.e. not qwerty or dvorak (not nice).
- Exhaust the keylogger's memory: stick a key down when you aren't using the machine. This won't work if the keylogger is using compression or dumping to the network regularly (kludge).
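The first item in the list, "see how it is sending packets, then firewall it", is a small detection exercise in its own right. Here is an added example (my own code, not from the original post) that works through it offline: it parses a constructed sample of `tcpdump -n`-style output, compares every outbound destination the laptop talked to against an allowlist of local networks and expected peers, and renders an egress rule for anything left over. The local host address, the networks and the destination 198.51.100.77 are all constructed for the example.

```python
import ipaddress
import re

# Constructed sample in the style of `tcpdump -n` output; not a real capture.
SAMPLE_CAPTURE = """\
12:00:01.100 IP 192.168.1.10.51234 > 192.168.1.1.53: 12345+ A? example.org. (29)
12:00:01.200 IP 192.168.1.10.51235 > 93.184.216.34.80: Flags [S], seq 1, win 64240, length 0
12:00:02.300 IP 192.168.1.10.51236 > 198.51.100.77.4444: Flags [S], seq 2, win 64240, length 0
12:00:03.400 IP 192.168.1.10.51237 > 198.51.100.77.4444: Flags [P.], seq 1:200, ack 1, win 502, length 199
12:00:04.500 IP 192.168.1.1.53 > 192.168.1.10.51234: 12345 1/0/0 A 93.184.216.34 (45)
"""

# Matches the "src.port > dst.port:" part of an IPv4 tcpdump line.
FLOW_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)


def parse_flows(capture):
    """Return the set of (src, dst, dport) tuples seen in the capture text."""
    flows = set()
    for line in capture.splitlines():
        m = FLOW_RE.match(line)
        if m:
            flows.add((m["src"], m["dst"], int(m["dport"])))
    return flows


def unexpected_destinations(capture, local_host, allowed_nets, expected_hosts):
    """Map each destination the local host talked to that is neither inside an
    allowed network nor a known peer to the set of destination ports used."""
    allowed = [ipaddress.ip_network(n) for n in allowed_nets]
    suspects = {}
    for src, dst, dport in parse_flows(capture):
        if src != local_host:
            continue  # only outbound traffic from the suspect machine
        dst_ip = ipaddress.ip_address(dst)
        if dst in expected_hosts or any(dst_ip in net for net in allowed):
            continue
        suspects.setdefault(dst, set()).add(dport)
    return suspects


def egress_rules(suspects):
    """Render one iptables OUTPUT rule per suspect destination, noting the ports seen."""
    rules = []
    for dst in sorted(suspects):
        ports = ",".join(str(p) for p in sorted(suspects[dst]))
        rules.append(f"iptables -A OUTPUT -d {dst} -j DROP  # ports seen: {ports}")
    return rules


if __name__ == "__main__":
    found = unexpected_destinations(
        SAMPLE_CAPTURE, "192.168.1.10", ["192.168.1.0/24"], {"93.184.216.34"})
    for rule in egress_rules(found):
        print(rule)
```

One caveat that follows from Russell's point about the device needing its own TCP/IP stack: if it really had one and sat between the OS and the NIC, tcpdump on the laptop itself would never see its packets, so the capture has to be taken upstream (a hub, a span port, or the gateway) before any host-side firewall rule means anything.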
- Run software that does not suck
- Absolutely minimize Internet-facing services
My response to his article is simply: it isn't a dichotomy. The entire point of defense in depth is using multiple strategies. All his advice is great, but it can, and must, be done in conjunction with patching. I agree that the hoopla over patching has been over-hyped, but whatever software you run, there will always be holes that need patching. Sure, you can minimise those holes with careful mitigation strategies, of which (my rewrite of Marcus' list):
- Run mature, standard software
- Minimise exposed services
- Use the right tool for the job
all are, but you can't hope to get away with never patching a system. Marcus talks about how he runs an OpenBSD and Solaris server he never needs to patch. Let's have a look, shall we:
Even if your mitigation strategies ensure that none of those vulnerabilities affect you, you still need to carefully review each new vulnerability to see if it does, because there is no guarantee that it won't. If it does affect you badly enough and there are no appropriate workarounds, then you need to patch it: test the patch and deploy it. That sounds like a patch management policy to me; we are just arguing about how often you will end up at the last steps.
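The review loop described above (does the advisory affect an installed version, is the service exposed at all, is there a workaround, otherwise test and deploy the patch) can be written down as a small triage routine. The following is an added example of my own, not Marcus' or the original post's code; the host inventory, package versions and the `ADV-000x` advisory identifiers are all constructed placeholders, not real advisories.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class Advisory:
    advisory_id: str           # placeholder ids below, not real advisory numbers
    package: str
    fixed_in: Version          # first version that carries the fix
    remote: bool               # reachable over the network without local access?
    workaround: Optional[str]  # configuration change that removes exposure, if any


@dataclass
class Host:
    name: str
    packages: Dict[str, Version]  # installed package -> version
    exposed: Set[str]             # packages that listen on an internet-facing port


def affected(host: Host, adv: Advisory) -> bool:
    """A host is affected if it runs the package at a version before the fix."""
    installed = host.packages.get(adv.package)
    return installed is not None and installed < adv.fixed_in


def triage(host: Host, advisories: List[Advisory]) -> Dict[str, str]:
    """Decide, per advisory, whether the mitigation stance covers it or a patch is due."""
    decisions = {}
    for adv in advisories:
        if not affected(host, adv):
            decisions[adv.advisory_id] = "not affected"
        elif adv.remote and adv.package not in host.exposed:
            # minimised services cover this one, but it stays on the review list
            decisions[adv.advisory_id] = "mitigated: service not exposed"
        elif adv.workaround:
            decisions[adv.advisory_id] = f"workaround: {adv.workaround}"
        else:
            # no escape hatch: test the patch, then deploy it
            decisions[adv.advisory_id] = "patch: test and deploy"
    return decisions


def patches_due(host: Host, advisories: List[Advisory]) -> List[str]:
    """Advisories for which the review ends at the last step: patching."""
    return [aid for aid, d in triage(host, advisories).items() if d.startswith("patch")]


# Constructed inventory and advisories for illustration only.
HOST = Host(
    name="static-web",
    packages={"httpd": (1, 3, 29), "openssh": (3, 8), "ftpd": (6, 0)},
    exposed={"httpd", "openssh"},
)
ADVISORIES = [
    Advisory("ADV-0001", "httpd", (1, 3, 30), remote=True, workaround=None),
    Advisory("ADV-0002", "ftpd", (6, 1), remote=True, workaround=None),
    Advisory("ADV-0003", "openssh", (3, 9), remote=True,
             workaround="disable the affected authentication method"),
    Advisory("ADV-0004", "openssh", (3, 7), remote=False, workaround=None),
]

if __name__ == "__main__":
    for aid, decision in triage(HOST, ADVISORIES).items():
        print(aid, "->", decision)
```

The point of the sample data is that even a deliberately minimal host ends up at "patch: test and deploy" for one of four advisories: a minimised attack surface shrinks the set, and a workaround buys time for another, but the loop still has to run for every advisory and the last step is never empty for good.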
A few days ago I did a pseudo-scientific personality test. The results scared the crap out of me even though it was just an internet test (who believes those?), and doesn't have the same scientific rigour as 'What Star Wars character are you?' or 'What Romantic Poet are you?'. After I have gotten many others to do the test, and even publish the results online, I feel safe in the warm nest of nut jobs I call my friends.
And finally me (although, in all fairness, I took the test twice as I didn't think very hard about it the first time):
The project would like to provide a zone file for the DNS blackhole project that would point lookups to listening posts instead of localhost. This would allow the project to get a list of URLs and domain names that spyware is trying to use.
Then to quote Matt:
"Why you ask? Because we would like to learn more about the spyware, and see when it changes. We currently do a good job of finding the spyware in snort sigs because they use, in many cases, static URLs, predictable binary names, etc. This surely won't last forever. If we can skim off the information they're changing through a project like this we can continue to learn as they adapt in both normal evolution and efforts to avoid detection.
What we'd do with this information is learn about new domains if we can, find new user agent strings to add to that project, and find new URLs and new binaries that we can write new snort signatures with."
UPDATE: The first stats have been released. The summary is here, and the full list is here.
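The zone file the project is after is mechanically simple: one `zone` stanza per blackholed domain in the name server's configuration, all pointing at a shared zone data file whose wildcard `A` record answers with the listening post's address instead of 127.0.0.1. Below is an added example of how such a pair of files can be generated; it is my own code, not the DNS blackhole project's or Matt's, and the domain feed, the `ns.sinkhole.example` name server and the listener address 192.0.2.10 are constructed. It also does the one thing a generator fed by a community list must do, which is validate every hostname so that a stray quote or brace in the feed cannot break or alter `named.conf`.

```python
import ipaddress
import re

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Shared zone data: every name under a blackholed zone resolves to the listener.
ZONE_FILE_TEMPLATE = """\
$TTL 3600
@       IN SOA  ns.sinkhole.example. hostmaster.sinkhole.example. (
                {serial} 3600 900 604800 3600 )
        IN NS   ns.sinkhole.example.
        IN A    {listener}
*       IN A    {listener}
"""


def valid_domain(name):
    """Accept only well-formed hostnames so feed entries cannot inject config syntax."""
    labels = name.split(".")
    return (len(name) <= 253 and len(labels) >= 2
            and all(LABEL_RE.match(label) for label in labels))


def normalise(raw_lines):
    """Strip comments, case and trailing dots; return (sorted valid names, rejected)."""
    names, rejected = set(), []
    for line in raw_lines:
        entry = line.split("#", 1)[0].strip().lower().rstrip(".")
        if not entry:
            continue
        if valid_domain(entry):
            names.add(entry)
        else:
            rejected.append(entry)
    return sorted(names), rejected


def named_conf_zones(raw_lines, zone_file="sinkhole.zone"):
    """One BIND zone stanza per domain, all served from the same sinkhole zone file."""
    names, _ = normalise(raw_lines)
    return [f'zone "{d}" {{ type master; file "{zone_file}"; }};' for d in names]


def sinkhole_zone(listener, serial):
    """Render the shared zone file pointing at the listening post."""
    ip = ipaddress.ip_address(listener)  # rejects anything that is not an IP literal
    if ip.version != 4:
        raise ValueError("A records need an IPv4 listener address")
    return ZONE_FILE_TEMPLATE.format(listener=ip, serial=serial)


# Constructed feed: mixed case, trailing dot, duplicate, comment and a bad entry.
FEED = [
    "ads.example.net",
    "Tracker.Example.ORG.   # trailing dot and mixed case",
    "ads.example.net        # duplicate",
    "# a comment line",
    'bad"entry.example      # rejected: quote would break named.conf',
]

if __name__ == "__main__":
    print("\n".join(named_conf_zones(FEED)))
    print(sinkhole_zone("192.0.2.10", 2005061401))
```

The wildcard record is what makes the scheme pay off for the project: a sample that starts asking for a fresh subdomain of a known spyware domain still lands on the listening post, and the listener then sees the new hostname, the User-Agent and the requested path that would otherwise have gone to the real server.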
The other event that makes WSUS' release less interesting is the release of Debian sarge. Let me tell you why with the help of a table:
Yay, after three years of constant work Debian Sarge has been released as stable. This probably makes Debian sarge the most up to date and stable Linux out there. This stability, coupled with mature community models, an uncompromising dedication to quality and an excellent package management system, makes Debian an excellent server operating system. The release of sarge, with shiny new desktop packages like KDE 3.3 and GNOME 2.8, makes it just as good on the desktop too.