Security Thread

Started by Triple Zero, August 02, 2009, 01:13:29 PM


Triple Zero

Quote from: ☂Faust☂ on August 08, 2009, 01:23:17 PM
Um If I'm not mistaken the heuristic approach is statistical accumulation of computer processes to watch for abnormal behavior (not just copying itself or hiding itself but also for making connections to remote machines at set intervals of time).
Some of it is pretty impressive, the college statistical analysis showed how one lecturer's computer was being logged into every day despite the college being closed on Sundays and from that they found that it had been compromised.

You're confusing Antivirus Software with Intrusion Detection and Prevention Systems here.

http://en.wikipedia.org/wiki/Intrusion-prevention_system
http://en.wikipedia.org/wiki/Intrusion_detection

These are more like upstream intelligent firewall/router combinations and indeed they employ some pretty damn smart algorithms. [According to Wikipedia] Snort is the de facto standard for IDS/IPS used by network security professionals today. Which rhymes with my personal experience, as it's what all my friends talk about :-) The ones that talk about network security, that is.

The difference is IPS tools scan and filter network packets for suspicious data and behaviour, used by security professionals. They were programmed by unix hackers and network admins, as opensource software, and as you can read in Intrusion_detection#Theory they fully admit the NP-hardness of the problem they are trying to tackle. But it works, and the only reason it works is that you simply cannot use a tool like Snort if you don't know what you're doing. It is not a "point and click and install and now you're safe" tool. You need to look at logs and filter rules and shit.

On the other hand, antivirus software is snake-oil sold by slick businessmen to nontechnical Windows users that explicitly want a "point and click and now you're safe" tool.

Heuristics in IPS is a completely different beast than heuristics in antivirus software.
Ex-Soviet Bloc Sexual Attack Swede of Tomorrow™
e-prime disclaimer: let it seem fairly unclear I understand the apparent subjectivity of the above statements. maybe.

INFORMATION SO POWERFUL, YOU ACTUALLY NEED LESS.
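The two behavioural checks Faust's quoted post describes (a login on a day the site is closed, and a machine making connections to the same place at fixed intervals) can be written as plain rules over logs. The Python below is an added example written for this thread; it is not Snort code and not anything from the original posts. The log lines, host names, addresses and the "closed on Sunday" schedule are constructed, and the thresholds are assumptions.

```python
"""Added example: two simple behavioural (heuristic) checks of the kind an IDS
runs over logs.  Not Snort code; the log lines and schedule are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: successful logins and outbound connection records.
SAMPLE_LOG = """\
2009-08-03 08:55:10 LOGIN user=jsmith src=10.0.3.7
2009-08-04 09:12:04 LOGIN user=jsmith src=10.0.3.7
2009-08-09 03:14:00 LOGIN user=jsmith src=198.51.100.23
2009-08-16 03:14:02 LOGIN user=jsmith src=198.51.100.23
2009-08-04 10:00:00 CONNECT host=lab-pc-12 dst=203.0.113.5:443
2009-08-04 10:05:00 CONNECT host=lab-pc-12 dst=203.0.113.5:443
2009-08-04 10:10:00 CONNECT host=lab-pc-12 dst=203.0.113.5:443
2009-08-04 10:15:00 CONNECT host=lab-pc-12 dst=203.0.113.5:443
2009-08-04 10:20:01 CONNECT host=lab-pc-12 dst=203.0.113.5:443
2009-08-04 10:01:00 CONNECT host=lab-pc-30 dst=203.0.113.9:80
2009-08-04 10:07:30 CONNECT host=lab-pc-30 dst=203.0.113.9:80
2009-08-04 10:31:00 CONNECT host=lab-pc-30 dst=203.0.113.9:80
2009-08-04 11:45:00 CONNECT host=lab-pc-30 dst=203.0.113.9:80
2009-08-04 11:46:00 CONNECT host=lab-pc-30 dst=203.0.113.9:80
"""

# Assumed site schedule: closed on Sundays (datetime.weekday(): Monday=0 ... Sunday=6).
CLOSED_WEEKDAYS = {6}


def parse(log_text):
    """Turn each 'date time KIND k=v k=v' line into (timestamp, kind, fields)."""
    events = []
    for line in log_text.splitlines():
        day, clock, kind, *fields = line.split()
        ts = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S")
        kv = dict(f.split("=", 1) for f in fields)
        events.append((ts, kind, kv))
    return events


def logins_on_closed_days(events):
    """Rule 1: any successful login on a day the site is closed is suspicious."""
    return [(ts, kv["user"], kv["src"]) for ts, kind, kv in events
            if kind == "LOGIN" and ts.weekday() in CLOSED_WEEKDAYS]


def beaconing_hosts(events, min_connections=4, max_cv=0.05):
    """Rule 2: flag (host, destination) pairs whose connections are evenly spaced.
    cv = stdev / mean of the gaps between connections; humans browse irregularly,
    so a very low cv points at a timer.  Thresholds are assumptions."""
    by_pair = defaultdict(list)
    for ts, kind, kv in events:
        if kind == "CONNECT":
            by_pair[(kv["host"], kv["dst"])].append(ts)
    flagged = {}
    for (host, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        cv = pstdev(gaps) / mean(gaps)
        if cv <= max_cv:
            flagged[(host, dst)] = round(mean(gaps))  # interval in seconds
    return flagged


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("logins on closed days:", logins_on_closed_days(ev))
    print("beaconing hosts:", beaconing_hosts(ev))
```

In the constructed sample the two 03:14 Sunday logins from an outside address are the first rule's hits, and lab-pc-12 (five connections exactly five minutes apart) is the second rule's; lab-pc-30, with irregular gaps, is left alone. Both rules are the "juggling false positives" kind of thing the post talks about: a night-shift worker or a legitimate update timer would trigger them too, which is why someone has to read the output.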

Faust

Ah ok so that's the distinction, then I can't for the life of me figure out what heuristics could go into antivirus, they are all basically glorified lookup tables of file signatures aren't they?
Sleepless nights at the chateau

Triple Zero

Well the wikipedia article states a few things that antivirus heuristics could do *in theory* : http://en.wikipedia.org/wiki/Antivirus_software#Heuristics

except that no antivirus software actually does this, because the problem is computationally intractable

unlike IPS, which can easily juggle with false positives and false negatives recognition rates, as the network security dude configuring the program can always check out the logs--kind of in a similar way that we check the forum error logs every now and then, to manually check for suspicious activity, yet in 99% of the cases it's just some misconfiguration or hiccup.

Triple Zero

http://www.freedom-to-tinker.com/blog/paul/anonymization-fail-privacy-law-fail

Computer scientists have recently undermined our faith in the privacy-protecting power of anonymization, the name for techniques for protecting the privacy of individuals in large databases by deleting information like names and social security numbers. These scientists have demonstrated they can often “reidentify” or “deanonymize” individuals hidden in anonymized data with astonishing ease. By understanding this research, we will realize we have made a mistake, labored beneath a fundamental misunderstanding, which has assured us much less privacy than we have assumed. This mistake pervades nearly every information privacy law, regulation, and debate, yet regulators and legal scholars have paid it scant attention. We must respond to the surprising failure of anonymization, and this Article provides the tools to do so.
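The abstract's point, that deleting names and social security numbers does not make a table anonymous, can be measured before data is released. The following Python is an added example for this thread, not code from the article or from any post: it computes k-anonymity (the size of the smallest group of records that share the same ZIP, birth date and sex) over a constructed table, shows that the "anonymized" release still singles out most people, and shows how coarsening those columns raises k. The records, column names and the generalization scheme are all constructed.

```python
"""Added example, not from the article or the thread: checking how
re-identifiable a table remains after names and SSNs are deleted, using the
k-anonymity measure.  The records are constructed."""
from collections import Counter

# Quasi-identifiers: columns that are not names but, combined, can pick out a person.
QUASI_IDENTIFIERS = ("zip", "birth", "sex")

# Constructed "anonymized" release: direct identifiers removed, quasi-identifiers kept.
RELEASED_RECORDS = [
    {"zip": "02138", "birth": "1945-07-31", "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02138", "birth": "1945-07-31", "sex": "M", "diagnosis": "asthma"},
    {"zip": "02139", "birth": "1960-02-14", "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02139", "birth": "1961-11-02", "sex": "F", "diagnosis": "migraine"},
    {"zip": "02140", "birth": "1972-05-05", "sex": "M", "diagnosis": "asthma"},
    {"zip": "02140", "birth": "1972-09-19", "sex": "M", "diagnosis": "hypertension"},
    {"zip": "02141", "birth": "1980-01-01", "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02141", "birth": "1980-01-01", "sex": "F", "diagnosis": "migraine"},
]


def qi_key(record, quasi_identifiers=QUASI_IDENTIFIERS):
    """The combination of quasi-identifier values for one record."""
    return tuple(record[q] for q in quasi_identifiers)


def group_sizes(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """How many records share each quasi-identifier combination."""
    return Counter(qi_key(r, quasi_identifiers) for r in records)


def k_anonymity(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """k = size of the smallest group.  k == 1 means at least one record is the
    only one with its combination, so anyone who knows those facts about a
    person (a public voter list has ZIP, birth date and sex) can find their row."""
    return min(group_sizes(records, quasi_identifiers).values())


def singled_out(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Records whose quasi-identifier combination is unique in the release."""
    sizes = group_sizes(records, quasi_identifiers)
    return [r for r in records if sizes[qi_key(r, quasi_identifiers)] == 1]


def generalize(record):
    """Constructed coarsening: 3-digit ZIP prefix, birth decade, sex suppressed.
    The diagnosis column is left untouched; only the linkable columns change."""
    out = dict(record)
    out["zip"] = record["zip"][:3] + "**"
    out["birth"] = record["birth"][:3] + "0s"
    out["sex"] = "*"
    return out


if __name__ == "__main__":
    print("k before:", k_anonymity(RELEASED_RECORDS),
          "records singled out:", len(singled_out(RELEASED_RECORDS)))
    coarse = [generalize(r) for r in RELEASED_RECORDS]
    print("k after generalization:", k_anonymity(coarse))
```

On the constructed table the release has k = 1 with six of eight records unique on (ZIP, birth date, sex), even though no name appears anywhere; after the coarsening every group has at least two members. Raising k costs precision in the data, which is the trade-off the abstract says the law has ignored.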

The Johnny

Quote from: Cain on August 02, 2009, 02:08:08 PM
What are some good sites for security news?  I only ever read Schneier, Wired's Threat Level and ha.ckers.org/

neworder.box.sk
<<My image in some places, is of a monster of some kind who wants to pull a string and manipulate people. Nothing could be further from the truth. People are manipulated; I just want them to be manipulated more effectively.>>

-B.F. Skinner

Triple Zero

http://isc.sans.org/diary.html?storyid=7108&rss

Possible DDOS on gov.au sites starting tonight?
Published: 2009-09-09,
Last Updated: 2009-09-09 11:45:11 UTC
by Mark Hofman (Version: 2)

The group anonymous, who were reported to be responsible for the attack on scientology sites now have the Australian Government in their sights.  In 2008 the Australian Government decided that the internet should be filtered.  They are running trials with a number of ISPs.  There is within Australia a fair amount of resistance to this practice for a number of reasons.  You can read the government position here (http://www.dbcde.gov.au/online_safety_and_security/cybersafety_plan/internet_service_provider_isp_filtering).   This Wikipedia article has more information on the issue as well (http://en.wikipedia.org/wiki/Internet_censorship_in_Australia)

In addition to opposition to this scheme within Australia it looks like the group anonymous has also become involved.  A web site 09-09-2009.org was set up and it looks like activities are coordinated through another web site.  The crux of their demands is for the senator responsible for the filtering scheme to resign and the plans for filtering to be abandoned, or else.

The or else is a DDOS attack on Australian government sites starting at 9.00 am GMT which is 7.00PM on the east coast.  Fax machines and phone lines may also be targeted.  Some "interesting" activity has been observed on some of the networks, but whether this is related or not is uncertain at this stage.

In preparation, make sure you have your incident handling processes ready, make sure that servers and other perimeter devices are patched so they are better able to resist attack.  You may want to have your ISP's contact details handy just in case you need them to stem the flow of traffic.  If your infrastructure is outsourced, maybe ask the outsourcer what plans they have in place, should anything happen.   But most importantly decide if switching off the site in the face of an attack is an option for you.

Mark H

UPDATE 1

Well the DDOS Started at 7 pm on the dot and has been going on for about an hour or so.   www.pm.gov.au is being kept busy and over the hour it was unavailable from where I am for a few minutes at best.  The attack seems to be mostly multiple web requests on the site which exhausts the threads on the web server causing it to respond with a 503 error.  Once left alone by a few of the attackers the site is again more than happy.  As far as impact goes the net result seems to be zilch.

UPDATE 2

The attack is over.  It achieved some publicity and managed to make the pm's website unavailable for a few minutes.  Otherwise there was no impact. - M   

Cain

Quote from: JohNyx on August 30, 2009, 11:37:27 AM
Quote from: Cain on August 02, 2009, 02:08:08 PM
What are some good sites for security news?  I only ever read Schneier, Wired's Threat Level and ha.ckers.org/

neworder.box.sk

Will check it out, thanks.

Triple Zero

AES explained in a stick figure comic:

http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html

starts out simple, with at the end of each "chapter" some students leaving the classroom, as the explanation becomes more in-depth, indicating that one can just read the comic up to the point that you still find the explanation interesting and/or worth reading (which is an original metaphor/storytelling device, btw)

Shibboleet The Annihilator

Quote from: Cain on August 02, 2009, 02:08:08 PM
What are some good sites for security news?  I only ever read Schneier, Wired's Threat Level and ha.ckers.org/

networkworld.com
slashdot.org
http://digg.com/security
ARS Technica can have some decent security stuff too. I generally just keep an eye on most of the decent tech sites.

Triple Zero

http://www.nybooks.com/articles/23231

Who's in Big Brother's Database?
By James Bamford

(book review of The Secret Sentry: The Untold History of the National Security Agency by Matthew M. Aid)

On a remote edge of Utah's dry and arid high desert, where temperatures often zoom past 100 degrees, hard-hatted construction workers with top-secret clearances are preparing to build what may become America's equivalent of Jorge Luis Borges's "Library of Babel," a place where the collection of information is both infinite and at the same time monstrous, where the entire world's knowledge is stored, but not a single word is understood. At a million square feet, the mammoth $2 billion structure will be one-third larger than the US Capitol and will use the same amount of energy as every house in Salt Lake City combined.

Unlike Borges's "labyrinth of letters," this library expects few visitors. It's being built by the ultra-secret National Security Agency—which is primarily responsible for "signals intelligence," the collection and analysis of various forms of communication—to house trillions of phone calls, e-mail messages, and data trails: Web searches, parking receipts, bookstore visits, and other digital "pocket litter." Lacking adequate space and power at its city-sized Fort Meade, Maryland, headquarters, the NSA is also completing work on another data archive, this one in San Antonio, Texas, which will be nearly the size of the Alamodome.

Just how much information will be stored in these windowless cybertemples? A clue comes from a recent report prepared by the MITRE Corporation, a Pentagon think tank. "As the sensors associated with the various surveillance missions improve," says the report, referring to a variety of technical collection methods, "the data volumes are increasing with a projection that sensor data volume could potentially increase to the level of Yottabytes (10^24 Bytes) by 2015."[1] Roughly equal to about a septillion (1,000,000,000,000,000,000,000,000) pages of text, numbers beyond Yottabytes haven't yet been named. Once vacuumed up and stored in these near-infinite "libraries," the data are then analyzed by powerful infoweapons, supercomputers running complex algorithmic programs, to determine who among us may be—or may one day become—a terrorist. In the NSA's world of automated surveillance on steroids, every bit has a history and every keystroke tells a story. (...)

(article continues at this link, below the ad)

Remington

Quote from: Triple Zero on October 22, 2009, 05:56:32 PM
http://www.nybooks.com/articles/23231

Who's in Big Brother's Database?
By James Bamford

(book review of The Secret Sentry: The Untold History of the National Security Agency by Matthew M. Aid)

On a remote edge of Utah's dry and arid high desert, where temperatures often zoom past 100 degrees, hard-hatted construction workers with top-secret clearances are preparing to build what may become America's equivalent of Jorge Luis Borges's "Library of Babel," a place where the collection of information is both infinite and at the same time monstrous, where the entire world's knowledge is stored, but not a single word is understood. At a million square feet, the mammoth $2 billion structure will be one-third larger than the US Capitol and will use the same amount of energy as every house in Salt Lake City combined.

Unlike Borges's "labyrinth of letters," this library expects few visitors. It's being built by the ultra-secret National Security Agency—which is primarily responsible for "signals intelligence," the collection and analysis of various forms of communication—to house trillions of phone calls, e-mail messages, and data trails: Web searches, parking receipts, bookstore visits, and other digital "pocket litter." Lacking adequate space and power at its city-sized Fort Meade, Maryland, headquarters, the NSA is also completing work on another data archive, this one in San Antonio, Texas, which will be nearly the size of the Alamodome.

Just how much information will be stored in these windowless cybertemples? A clue comes from a recent report prepared by the MITRE Corporation, a Pentagon think tank. "As the sensors associated with the various surveillance missions improve," says the report, referring to a variety of technical collection methods, "the data volumes are increasing with a projection that sensor data volume could potentially increase to the level of Yottabytes (1024 Bytes) by 2015."[1] Roughly equal to about a septillion (1,000,000,000,000,000,000,000,000) pages of text, numbers beyond Yottabytes haven't yet been named. Once vacuumed up and stored in these near-infinite "libraries," the data are then analyzed by powerful infoweapons, supercomputers running complex algorithmic programs, to determine who among us may be—or may one day become—a terrorist. In the NSA's world of automated surveillance on steroids, every bit has a history and every keystroke tells a story. (...)

(article continues at this link, below the ad)
Time to cut the phone line and break out the homing pigeons  :eek:
Is it plugged in?

Triple Zero

No but seriously, read the entire article (at the link). I get the impression that the NSA has been a pretty much useless money hog ever since WW2, (just one example)
Quote
"The agency first learned of the September 11 attacks on $300 television sets tuned to CNN, not its billion-dollar eavesdropping satellites tuned to al-Qaeda. Then there is the pattern by which the NSA was actually right about a warning, but those in power chose to ignore it (...)"

In addition to that, the most often heard thing about the eavesdropping business is that while they might be able to pick up and store yottabytes of info, they don't have the manpower or computing power to actually analyze all this data.

If only that were the biggest problem :)

Turns out that all these hard disks use stupendous ridiculous amounts of electrical power, and severe shortage of electrical power is one of their most urgent problems:

Quote
Aid concludes that the biggest problem facing the agency is not the fact that it's drowning in untranslated, indecipherable, and mostly unusable data, problems that the troubled new modernization plan, Turbulence, is supposed to eventually fix. "These problems may, in fact, be the tip of the iceberg," he writes. Instead, what the agency needs most, Aid says, is more power. But the type of power to which he is referring is the kind that comes from electrical substations, not statutes. "As strange as it may sound," he writes, "one of the most urgent problems facing NSA is a severe shortage of electrical power." With supercomputers measured by the acre and estimated $70 million annual electricity bills for its headquarters, the agency has begun browning out, which is the reason for locating its new data centers in Utah and Texas.

Schneier (the security blogger guy) seems to either miss this point or disagree because he still concludes "The problem with all of that data is that there's no time to process it. Think of it as trying to drink from a fire hose.", however one of the comments on his blog article brings up a different, interesting, scary view of the "too much to process" problem:

Quote
Quote
Quote
We also have to look at the information in terms of how things will likely be in the future. A couple decades ago, back when a KB was considered a lot of memory, no one would have dreamed of using a terabyte, which probably would have required a huge facility. Yet, just today, I rotated one of my TB backup drives to an offsite location. Small too.

Before long, we'll be dealing in Petabyte, then perhaps Exabyte. Zettabyte or Yottabyte may not be in our lifetimes, but people before us never dreamed GB, much less TB would be.

My point is just because something is too much information to process today doesn't mean the technology won't be here in our lifetimes to do so.

The problem is that the data collected is only relevant for a limited time.

If the data cannot be turned into actionable information in that time it is only useful for tracing the steps AFTER something has happened.

Example: you have the data on where Osama bin Laden will be next Tuesday. But you won't be able to process that information for the next 10 years.

Oh, I fully agree. No debate here.

Yet, that is my entire point, though I wasn't clear enough. It can't be used for what would be a relevant reason today. But it may be used for much different reasons in 20 years. Why? We don't know, but i'm guessing it won't be a pleasant use.

Which is why they should not collect it in the first place. I'm not scared of what they'll do with it today, I'm scared of what they can do with this ocean of data in the future, and the day is coming when they can use it with ease.

of course that's all just speculation.

plus it kind of bases upon that somehow our ability to process information will grow faster than our ability to produce it. which I predict will be exactly the other way around. but then, you never know, and even then, they will soon have the power to analyze all that old information, and it's a shit ton of information and you really just don't know what they can do with that.

rong

is anyone up to speed on the current capabilities of voice recognition software?  just curious to how well that can/could be applied to all those recorded phone calls.
"a real smart feller, he felt smart"

Triple Zero

that's all a manner of juggling with false positives and false negatives. if you wanna filter phone calls for certain words, and allow a certain percentage of false positives, just so you catch the possible real bomb terrorist, and process the flagged calls manually, that certainly can be done.

but I guess the uselessness of that technique would become apparent rather quickly. (too many false positives, too much manual work)

maybe if they had some real specific keywords to look for, it could be done. like some arabic names or something.

to perform better than that they'd need to recognize phrases and stuff .. once more it becomes a matter of juggling the probabilities. but if a phrase is made up of a string of words, you might actually get better accuracy because what could be a false positive as a single word, would have a lower probability to fit in a complete phrase and be classed negative. it would cost more computing power though.

actually I kind of doubt they can do much with voice recognition on the scale of recording all calls in the US. if they can narrow things down somewhat, there might be a possibility, but like Schneier said, it's like drinking from a firehose. Even if voice recognition technology was really good, I somehow doubt they can implement it at such incredible data rates.

I could be wrong though.
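The "juggling false positives and false negatives" in the post above comes down to base rates: when the thing you are looking for is rare, even a small false-positive rate on a huge call volume swamps the real hits, and requiring a whole phrase instead of one word buys precision at the cost of missing more. The Python below is an added example written for this thread, not from any post, product or paper; every number in it (call volume, number of real targets, per-word detection and false-positive rates, review time) is a constructed assumption, and the phrase calculation assumes words fire independently, which flatters the phrase detector.

```python
"""Added example for this thread: how base rates turn a keyword filter into
mostly false positives, and what requiring a multi-word phrase changes.
All figures are constructed assumptions, not measurements."""


def triage_estimate(n_calls, n_targets, detection_rate, false_positive_rate,
                    review_minutes=5.0):
    """Expected outcome of running one detector over n_calls calls, of which
    n_targets are genuinely of interest.  review_minutes is the assumed
    analyst time to listen to one flagged call."""
    true_hits = n_targets * detection_rate
    false_hits = (n_calls - n_targets) * false_positive_rate
    flagged = true_hits + false_hits
    return {
        "flagged": flagged,
        "true_hits": true_hits,
        "false_hits": false_hits,
        "precision": true_hits / flagged if flagged else 0.0,  # share of flags worth it
        "analyst_hours": flagged * review_minutes / 60.0,       # manual work created
    }


def phrase_rates(word_detection_rate, word_false_positive_rate, n_words):
    """Rates for a detector that fires only when all n_words of a phrase fire.
    Assumes independence between words, which overstates the gain on real speech."""
    return (word_detection_rate ** n_words, word_false_positive_rate ** n_words)


def compare_single_word_vs_phrase(n_calls=100_000_000, n_targets=10,
                                  word_detection_rate=0.9,
                                  word_false_positive_rate=0.01, n_words=3):
    """Constructed scenario: 100 million calls a day, ten of them of interest,
    a keyword spotter that catches 90% of true uses and misfires on 1% of calls."""
    single = triage_estimate(n_calls, n_targets,
                             word_detection_rate, word_false_positive_rate)
    d, f = phrase_rates(word_detection_rate, word_false_positive_rate, n_words)
    phrase = triage_estimate(n_calls, n_targets, d, f)
    return single, phrase


if __name__ == "__main__":
    single, phrase = compare_single_word_vs_phrase()
    for name, r in (("single word", single), ("3-word phrase", phrase)):
        print(f"{name:14s} flagged={r['flagged']:12.1f} true={r['true_hits']:5.2f} "
              f"precision={r['precision']:.5f} analyst_hours/day={r['analyst_hours']:9.0f}")
```

With the constructed numbers the single-keyword filter flags about a million calls a day to find nine real ones (precision under 0.001%, roughly 83,000 analyst-hours of listening per day), while the three-word phrase cuts that to about a hundred flags but now catches only seven of the ten. That is the "more computing power, fewer false positives, but you start missing things" trade the post describes, and it is why narrowing the population first matters more than the recognizer's raw accuracy.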

Triple Zero

Smashing the Ozdok/Mega-D botnet in 24 hours.

http://blog.fireeye.com/research/2009/11/smashing-the-ozdok.html

a pretty cool story about how botnets can be battled. but it also teaches me the following:

this botnet has about 200k zombie computers, and it is one of many. there are many differing, yet closely linked criminal hacker groups that are controlling multiple botnets of comparable sizes.

why they only use it for spam and not political purposes truly is beyond me, maybe they just don't care and it pays pretty well? or maybe they really are just clueless.

check out the kind of resources this attempt at takedown cost. and the botnet still has a couple of fallback mechanisms that could get the infected machines to update and make a large part of all the work for nothing.

basically the weak point of a botnet is that the zombies need to get their commands from somewhere, a Command & Control Center. these must be located by IP. so the IPs can be shut down and CnC is gone. so the botnet has a fallback mechanism, instead of listing IPs it uses domain names, which point to the CnC IPs. if the IPs get taken down, the botnet owners will simply make the domain names point to new CnC IPs. but also the domain names can be taken down or bought out. so the last fallback mechanism is that the botnet generates one random domain name per day (such as dfcznu9qx.biz), name generated based on date/time, the botnet owners can reg these domains and regain control of the botnet again. so finally these random domains need to be pre-registered for, say the ones that will be generated in the next week or so (the names can be predicted as they got the source of the bot, so algorithm is known), so the botnet owners cannot use that mechanism either.

wow.

that's some pretty damn sophisticated shit right there.

they managed to hit the bot network pretty hard, but only managed to take down all but 4 of the current CnC IPs, less than half of the active CnC domains, and registered (squatted) all of the inactive domains (which are relatively cheap in operations like this) and the randomly generated ones for the next 3 days (I suppose they will reg more when necessary).

while I applaud their effort, and they might even win this battle, it seems to me like a lost war.

if the CnC chain is the only weak point they can use to hit the botnets, they are fucked. off the top of my head I can think of a few ways to get this data reliably to the botnet zombies via channels that cannot be taken down. I understand all you need to transmit is a list of IPs. an IP is just 32 bits. use a large public network such as Facebook or Twitter. somewhere in the profile will be a bunch of text that is stego-ed to contain a digitally signed message containing the IP(s). it is stego'ed so it looks like a normal profile and cannot be easily filtered like a base64 string would be. it is digitally signed so that the zombies can check authenticity of the message, and only accept one that is signed by the owners (simple GPG signature is enough I think). the zombie bots will semi randomly spider Facebook until they hit a profile that, when un-stego'ed, is signed with the signature, decode it and have a new list of IPs.

or something like that. actually maybe not use Facebook since it is owned by the NSA and they might actually implement filtering for profiles that appear to be signed. better instead use a list of small to medium-popular social networks, they can't all implement that filtering.

or maybe I'm missing something here. either way, I believe that if the botnet owners successfully add GPG / RSA crypto and digital signing into the mix the security corps are truly fucked.
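The last fallback described in the post, one random-looking domain per day derived from the date, is exactly what lets defenders who have recovered the bot's algorithm list tomorrow's domains today and register or sinkhole them first. The Python below is an added example written for this thread; it is not FireEye's code and not Mega-D's real algorithm. The generator is a constructed stand-in (SHA-256 of a made-up seed plus the date), used to show the defender-side enumeration for pre-registration, plus a crude lexical check that a resolver operator could run over DNS query logs to spot names of this shape. Alphabet, TLD list, seed and thresholds are all assumptions; the only domain taken from the thread is dfcznu9qx.biz.

```python
"""Added example for this thread.  Not FireEye's code and not the real Mega-D
routine: generate_domain() is a constructed stand-in for a date-seeded domain
generation algorithm, used to show (1) listing the coming days' domains for
pre-registration/sinkholing and (2) a rough lexical filter for DNS logs."""
import hashlib
from datetime import date, timedelta

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
TLDS = ("biz", "info")                         # constructed choice of TLDs
SEED = b"constructed-seed-not-a-real-bot-key"  # stand-in for the recovered secret


def generate_domain(day, seed=SEED):
    """Deterministic name for one calendar day.  Anyone holding the algorithm
    and seed (the bot's source, as the post notes) can compute it in advance."""
    digest = hashlib.sha256(seed + day.isoformat().encode()).digest()
    label = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:9])
    return f"{label}.{TLDS[digest[9] % len(TLDS)]}"


def upcoming_domains(start_iso, days):
    """Defender's list: the domain for each of the next `days` days starting at
    start_iso (YYYY-MM-DD), ready to hand to a registrar or sinkhole."""
    start = date.fromisoformat(start_iso)
    return [generate_domain(start + timedelta(days=i)) for i in range(days)]


VOWELS = set("aeiou")


def looks_generated(domain, min_len=8, max_vowel_ratio=0.25):
    """Crude detector for machine-generated labels: long, and either vowel-poor
    or mixing digits into letters.  A heuristic with false positives (product
    codes, CDN hostnames), so it is a triage signal, not a verdict."""
    label = domain.split(".")[0]
    if len(label) < min_len:
        return False
    letters = [c for c in label if c.isalpha()]
    has_digits = any(c.isdigit() for c in label)
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    return has_digits or vowel_ratio < max_vowel_ratio


def flag_dns_queries(queries):
    """Return the queried names that look algorithmically generated."""
    return [q for q in queries if looks_generated(q)]


if __name__ == "__main__":
    for d in upcoming_domains("2009-11-06", 7):
        print("pre-register/sinkhole:", d)
    # Constructed sample of resolver queries; dfcznu9qx.biz is the thread's example.
    print(flag_dns_queries(["dfcznu9qx.biz", "wikipedia.org", "mail.example.com"]))
```

The enumeration is cheap, which is the point the post makes about the defenders' window: once the algorithm is known, the "random" domains are only random to people without it, and the cost shifts to registering them faster than the operators do. The lexical filter is the other side of the same property, since names drawn uniformly from letters and digits look nothing like names people choose, though it will also flag legitimate hostnames and must be read as a hint.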