To be honest I have never struggled so hard to write something. I can write a fairly decent quality ten page conference paper (having done the research) in two to three days. Writing this seems to be far slower. I keep finding other projects to which I can meaningfully contribute to make myself feel competent. We affectionately call this WABing, for Work Avoidance Behaviour. I will get around to blogging some of the great, completely non-thesis related ideas I have implemented. In the past I have pushed myself to the point of requiring medical intervention, most notably while on the SRC last year. At the moment, however, I struggle to write for more than a couple of hours and end up feeling absolutely awful about myself. I find myself with a confusing mix of inadequacy, a need for perfection and the feeling that the task is too big. Worse still, I am stuck in our quiet university town with nobody here and will be missing out on new year celebrations.
Luckily I have some great friends, a wonderful girlfriend and a supportive family.
I found a kindred spirit in the thesis writing blog and some great advice in Stop Procrastinating and Complete your Dissertation (also see Procrastination & Time Management). Then there is always the great PhD (Piled High and Deeper) comics. However, the best advice by far is in Dr. Tucker-Ladd's chapter on Procrastination, it spoke to me.
As an aside, congratulations to Yusuf who has handed in his completed thesis already.
Aaw, I'm just whining, some people have real problems.
UPDATE: Serendipity went mad on the HTML for this one, it managed to break my atom feed. All fixed.
I have been writing my thesis and am trying to come up with some a priori reasons as to why vendors releasing patches in certain ways will have certain effects.
The bit of research I have just cooked up seems to indicate that for software which has a large community of users likely to get involved in the testing of patches, it makes more sense to release a detailed advisory and patch as soon as possible, instead of keeping it to yourself and releasing a patch when it is ready. This is still a very early version and is changing rapidly, please treat it as such.
I don't want to flood things with large images, so click on the graphs for a larger version.
Continue reading "Responsible Disclosure and Patching"
It seems attacks are maturing. Instead of wide-scale mass penetrations, attackers appear to be going for targeted and specific penetrations. This is backed up by several sources: Sophos' 2005 Report, MessageLabs' 2005 Report (1) and a warning from holy_father, author of the Hacker Defender rootkit.
There are several advantages to a targeted hack:
- The intrusion is less obvious. Attack detection is pretty poor, especially among home users, so there is less chance of the attack being noticed.
- The results are more manageable. Attackers don't need a million credit card numbers when several hundred will do.
- General information about the attack is less useful. Sharing details of the attack with the wider community yields less benefit. This is most obvious with signature-based products such as IDS and anti-virus: they are less likely to obtain a sample of the attack from which to create a signature, and the resulting signature is too specific to catch anything else.
Both the Sophos and MessageLabs reports indicate that these sorts of attacks are on the rise, while holy_father's tool shows how easily anti-virus researchers can be made to run a losing signature-creation race. Given the large number of variations of existing malware (Netsky, Sober and Bagle in particular), just creating signatures for each variant seems silly; it is the old whitelist vs blacklist debate. Hacker Defender's premium offerings demonstrate this: you pay for a customised rootkit, so on the off chance it is detected the resulting signature is only effective against that one customised version.
This isn't a new type of attack; skilled attackers have generally used very targeted attacks. It does indicate that attack methods are maturing and improving as a general trend, which is pretty scary. It also means that threat monitoring with services such as DShield and Snort becomes less useful, so we know even less about potential threats.
I have believed for a while that there is too much focus on script kiddie attacks, mostly because they are visible. There is no public research into skilled threats. The little there is, is mostly sensationalised, e.g. Titan Rain.
(1) If anyone can find me a copy of the actual report I would be most grateful.
A worm exploiting the MS05-051 Windows Distributed Transaction Coordinator vulnerability has been released. The first variant was crippled, but it appears a fixed one has followed. F-Secure has done the footwork on this with the help of malware samples from the ISC. Both worms use the exploit code released by Swan on Dec 1st. They are calling it Dasher. The ISC thinks this is what has been responsible for the spike in port 1025 activity.
The now-typical rapid variation of malware is occurring. Dasher.C is out with an anti-anti-malware payload; probably more to come.
Patch, firewall port 1025, update anti-virus, monitor (snort sigs).
update: added link to snort rules
update: added link to dasher.c
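An added example, not from the original post, the ISC or F-Secure, putting the "firewall port 1025, monitor" advice to work: it parses firewall drop lines and flags any source that touched several internal hosts on TCP/1025, the spread pattern a propagating worm like Dasher produces. The iptables-style log format, addresses and threshold are constructed for illustration.

```python
"""Flag hosts probing TCP/1025 (the MS-DTC port Dasher used) in firewall drop logs."""
from collections import defaultdict
import re

# Constructed sample: iptables-style DROP lines, not real traffic.
SAMPLE_LOG = """\
Dec 15 02:10:01 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=4012 DPT=1025 SYN
Dec 15 02:10:01 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=4013 DPT=1025 SYN
Dec 15 02:10:02 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.12 PROTO=TCP SPT=4014 DPT=1025 SYN
Dec 15 02:10:02 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.13 PROTO=TCP SPT=4015 DPT=1025 SYN
Dec 15 02:10:05 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=445 SYN
Dec 15 02:10:07 fw kernel: DROP IN=eth0 SRC=203.0.113.22 DST=192.0.2.10 PROTO=TCP SPT=33000 DPT=1025 SYN
Dec 15 02:10:09 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.14 PROTO=UDP SPT=4016 DPT=1025
"""

# Pull source, destination, protocol and destination port out of each line.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")


def parse_drops(text):
    """Yield (src, dst, proto, dport) for every parseable firewall line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dpt"])


def tcp_hits_by_source(text, port=1025):
    """Map each source address to the set of distinct targets it hit on TCP/port."""
    targets = defaultdict(set)
    for src, dst, proto, dport in parse_drops(text):
        if proto == "TCP" and dport == port:   # UDP and other ports are ignored
            targets[src].add(dst)
    return targets


def flag_scanners(text, port=1025, min_targets=3):
    """Return sources that probed at least min_targets distinct hosts on the port.

    One external host walking many internal addresses on 1025 looks like worm
    propagation rather than a stray connection; the threshold is a constructed tuning knob.
    """
    return sorted(src for src, dsts in tcp_hits_by_source(text, port).items()
                  if len(dsts) >= min_targets)


if __name__ == "__main__":
    for src, dsts in tcp_hits_by_source(SAMPLE_LOG).items():
        print(f"{src}: {len(dsts)} distinct targets on TCP/1025")
    print("likely scanners:", flag_scanners(SAMPLE_LOG))
```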
While a monthly patch schedule helps overworked administrators in general, an on-the-ball administrator has to rely on additional defences to prevent exploitation by skilled attackers. Given the general increase in net security and the additional testing Microsoft gets to put in to ensure a quality patch, is network security monitoring the future?
Well then, Bleeding snort has the latest signatures.
Carpenter had never seen hackers work so quickly, with such a sense of purpose. They would commandeer a hidden section of a hard drive, zip up as many files as possible and immediately transmit the data to way stations in South Korea, Hong Kong or Taiwan before sending them to mainland China. They always made a silent escape, wiping their electronic fingerprints clean and leaving behind an almost undetectable beacon allowing them to re-enter the machine at will. An entire attack took 10 to 30 minutes.
The story appears to have re-broken. Allan Paller from the SANS Institute seems to be echoing Carpenter's words:
"These attacks come from someone with intense discipline. No other organization could do this if they were not a military organization," Paller said. The perpetrators "were in and out with no keystroke errors and left no fingerprints, and created a backdoor in less than 30 minutes. How can this be done by anyone other than a military organization?"
In addition to the intrusions at Lockheed Martin and Sandia mentioned in Carpenter's interview, Paller claims flight planning software from the US military's Redstone Arsenal was stolen.
Bruce Schneier, who also wrote about this in August, claims to know people involved who confirm that the attacks are "very well organised."
Continue reading "Titan Rain since 2003"
Yay. I just accepted the offer of employment from Deloitte (Touche Tohmatsu) South Africa. I will be an entry level information security consultant working within the Systems Security Group of Enterprise Risk Services. I will be reporting to Kris Budnik.
I am chuffed. During the interview with Deloitte I had a monologue in my head along the lines of "Yes, yes, that's what I want to do!" The interview process was a bit torturous, mostly the psychometrics, although I was impressed with how organised they were.
This will be my first permanent job and I am pretty excited. Now I just need to finish this blasted thesis.
CorpWatch has a list of the 14 most evil corporations. Their crimes make a very long and varied list. Also worth a read is the 10 Worst Corporations list, although they haven't posted an update for 2005. Some people have asked why company X or Y isn't on the list; don't think of this as a comprehensive list, it is just CorpWatch's idea of the worst of them. The 14 corporates, in alphabetical order, are:
- Caterpillar
- Chevron
- Coca-Cola
- Dow Chemical
- DynCorp
- Ford Motor Company
- KBR (Kellogg, Brown and Root): A Subsidiary of Halliburton Corporation
- Lockheed Martin
- Monsanto
- Nestle USA
- Philip Morris USA and Philip Morris International (a.k.a. The Altria Group Inc.)
- Pfizer
- Suez-Lyonnaise Des Eaux (SLDE) (also known as Ondeo, SITA, Aguas de Illimani)
- Wal-Mart
Continue reading "The 14 Worst Corporations"
Nessus 3.0.0 is out, there is a full announcement at Bleeding Snort and Nessus.org. Sounds like there are some great improvements, anyone want to pay for a direct plugin feed subscription for me?
Nessus 3 is a complete rewrite of the Nessus engine, designed for speed and efficiency -- as a result Nessus 3 is on average twice as fast as Nessus 2 (with spikes as high as five times faster) and is less resource intensive.
The Nessus 3 major enhancements are the following:
- New NASL3 engine
- Improved plugin storage for faster startup time
- Improved networking functions
- New scanner architecture to be both efficient and robust
- The Nessus daemon fetches the plugins automatically when registered (this can be disabled in nessusd.conf)
- Improved error handling
"It's up to each and every one of us to turn loose of just some of the greed, the hatred, the envy, and yes, the insecurities, because that is the central mode of control: make us feel pathetic, small, so we'll willingly give up our sovereignty, our liberty, our destiny. We have got to realize that we're being conditioned on a mass scale. Start challenging this corporate slave state.
The 21st Century's gonna be a new century; not the century of slavery, not the century of lies and issues of no significance, and classism and statism, and all the rest of the modes of control. It's gonna be the age of human kind, standing up for something pure, and something right.
What a bunch of garbage: liberal, Democrat, conservative, Republican. It's all there to control you: two sides of the same coin. Two management teams bidding for control of the CEO job of Slavery, Incorporated. The truth is out there in front of you, but they lay out this buffet of lies. I'm sick of it, and I'm not going to take a bite out of it. Do you got me?
Resistance is not futile. We're gonna win this thing. Human kind is too good. We're not a bunch of underachievers. We're gonna stand up and we're gonna be human beings. We're gonna get fired up about the real things, the things that matter: Creativity and the dynamic human spirit that refuses to submit.
Well that's it. That's all I've got to say. It's in your court."
-Alex Jones, from the movie "Waking Life"
Sound clip
I haven't talked about the woman I love for ages, and this is a blog after all, not some news service :) To make up for my sins, and also in an attempt to get more visitors, I have included a picture of the beautiful Daniela. Good morning my love *wave*
The field of research you are talking about is called survivability or 'time to live'.
The Internet Storm Center has a frequently updated page on it here [sans.org]. Currently they have the survival time for an unpatched machine at:
| Category | % | Adjusted Survival Time |
|---|---|---|
| Windows | 24.5000 | 133 min |
| Unix | 1.0000 | 3159 min |
| Application | 4.5000 | 720 min |
| P2P | 2.5000 | 1295 min |
| Backdoor | 0.0000 | 6307 min |
Continue reading "Time to Live on the Network and Survivability"
"When you see a terrorist, put your fear aside and shoot to kill, son, shoot to kill."
It seems like someone with a mental disorder ran off a plane in the US and got shot to death for it. Some claimed he was shouting about a bomb, although this is not corroborated by eye-witnesses as yet. There was no bomb. Jean Charles de Menezes didn't have a bomb either.
"Daddy, I saw the terrorist and I shot him. I shot him good. You didn't tell me about the blood, all the bloody Daddy."
The most interesting tidbit is that attackers seem to be moving away from mass compromise attempts and focusing on targeted trojan installs. This gives them a more manageable user base, particularly for phishing scams (spear phishing): they don't need 2 million accounts. It also makes the attacks more difficult to detect, as the compromises are smaller and don't involve self-propagating code. It seems we will have even less of an idea about threats in 2006.