Chinese Internet Censorship efforts and the outbreak

February 24, 2006
In some of my January Security Streams I blogged extensively, expressing my point of view on the current Internet censorship activities, and tried to emphasize the country whose Internet population is about to outpace the U.S. one - China. In my posts "China - the biggest black spot on the Internet’s map", "2006 = 1984?" and "Twisted Reality" you can quickly update yourself on some of the recent developments related to the topic, but what has changed since then?

Government bodies such as the DoJ seem to covet the amount of data that the most popular and advanced search engine, Google, holds, and have tried to obtain information for the purpose of "social responsibility". Also worth considering are some of the weak statements made, namely:

"House Government Reform Committee Chairman Tom Davis (R-VA) has criticized Google for refusing to hand search records over to the US Justice Department while cooperating with China in censoring certain topics. Justice sought the records to bolster its case against a challenge to online anti-pornography laws, but Google refuses to submit the records on privacy grounds. Davis does not expect a standoff between Google and the government, but hopes an agreement can be reached, allowing Google to supply the records without frightening users that their searches may be examined."



and, in case you're interested, some of my comments:

"Is it just me, or must that be some sort of black-humour political blackmail given the situation?! First, and most of all, the idea of using search engines to bolster the online anti-pornography laws created enough debate for years of commentaries and news stories, and was wrong from the very beginning. Even if Google provides the data requested it doesn’t necessarily solve the problem, so instead of blowing the whistle without any point, sample the top 100 portals and see how they enforce these policies, if they do. As far as China is concerned, or actually used as a point of discussion, remember the difference between modern communism and democracy as a concept; the first is an excuse for the second. Still, I feel it’s one thing to censor, another to report actual activity to law enforcement. I feel alternative methods should be used, and porn “to go” is a more realistic threat to minors than the Net is, to a certain extent, yet the Net remains the king of content as always."

Google indeed issued a statement, sort of excusing the censorship with the line that "the time has come to open ourselves to the Chinese market", and while their intentions make business sense, the outbreak had very positive consequences from my point of view: it built more awareness and put the world's eyes on the Chinese enforcement of censorship practices. But is it just China that is to blame, given that "Western" countries censor as well, or is it China's huge ambition of maintaining a modern communism in the 21st century that seems to be the root of the problem?

In an article I read some time ago, "A day in the life of a Chinese Internet Police Officer", you can clearly see the motivation, but also come across the facts themselves: you cannot easily censor such a huge Internet population; instead, guidance rather than blocking, and self-regulation (that is, limiting yourself out of fear of prosecution) seem to be the current practice, besides jailing journalists! And while sometimes you really need to come up with a creative topic worth writing about, at the bottom line free speech is among the most important human rights.

Chris Smith, Chairman of the House subcommittee that oversees Global Human Rights, proposed a discussion draft, "The Global Online Freedom Act of 2006", "to promote freedom of expression on the internet [and] to protect United States businesses from coercion to participate in repression by authoritarian foreign governments". It is so "surprising" to find out that they are so interested in locating cyber-dissidents: "U.S. search engine providers must transparently share with the U.S. Office of Global Internet freedom details of terms or parameters submitted by Internet-restricting countries." Exactly the same way I mentioned in my previous "Anonymity or Privacy on the Internet?" post.

Meanwhile, the OpenNet Initiative also released a bulletin analyzing the Chinese non-commercial website registration regulation, giving even further details on the recent "you're being watched" culture that tries to deal cost-effectively with the issue of self-regulation:

"In a report published last year, “Internet Filtering in China: 2004-2005,” ONI shared its research findings that China’s filtering regime is the most extensive, technologically sophisticated, and broad-reaching Internet filtering system in the world. This new regulation does not rely on sophisticated filtering technology, but uses the threat of surveillance and legal sanction to pressure bloggers and website owners into self-censorship. While savvy website owners might thwart the registration requirement with relative ease, the regulation puts the vast majority of Chinese Internet users on notice that their online behaviour is being monitored and adds another layer of control to China’s already expansive and successful Internet filtering regime."



Yet another recent piece of research I came across is a university study which finds that "60% Oppose Search Engines Storing Search Behaviours"; you can also consider the "alternatives" if you're interested :) A lot is still to happen for sure, but it is my opinion that personalized search is the worst privacy time bomb, one a leading search engine should not be responsible for, besides open-topic data retention policies and not communicating an event such as the DoJ's request but complying with it right away. Bad Yahoo!, bad MSN!

At the bottom line, Google's notifications of censored content (as of March 2005 only, excluding the period before!), the general public's common sense in easily evaluating what's blocked and what isn't, and the powerful digital rights organizations that simultaneously increased their efforts to get the maximum out of the momentum seem to have done a great job of building awareness of the problem. Still, having to live with the booming wannabe "free market" Chinese economy and the country's steadily climbing position as a major economic partner, economic sanctions, quotas or real-life scenarios would remain science fiction.


DVD of the weekend - The Lone Gunmen

February 17, 2006
The Lone Gunmen on two double-sided discs, pure classic! In one of my chats with Roman Polesek from Hakin9, he was wise enough to state that you cannot be a prophet in your own industry, a simple but powerful statement you should take into consideration.

Initiatives such as The Lone Gunmen, the X-files and The Outer Limits have already proven useful, given someone listens! For instance:

"In a foreshadowing of the September 11, 2001 attacks, subsequent conspiracy theories, and the 2003 invasion of Iraq, the plot of the March 4, 2001 pilot episode of the series depicts a secret U.S. government agency plotting to crash a Boeing 727 into the World Trade Center via remote control for the purpose of increasing the military defence budget and blaming the attack on foreign "tin-pot dictators" who are "begging to be smart-bombed." This episode aired in Australia less than two weeks before the 9/11 attacks, on August 30."



Conspiracy theorists do have a lot to say, so don't ignore them, find the balance, and enjoy the series :)



You can also browse through some transcripts as well.




Smoking emails

February 17, 2006
I just came across this, "Morgan Stanley offers $15M fine for e-mail violations" - from the article:

"US investment bank Morgan Stanley will offer a settlement to the Securities and Exchange Commission (SEC), agreeing in principle to pay a $15 million fine for failing to preserve e-mail messages. The e-mail messages could have provided useful evidence in several cases brought against the company. In one case, resulting in a $1.58 billion judgement against the bank, a judge turned the burden of proof on Morgan Stanley after learning they had deleted e-mails related to the case. However, Morgan Stanley has not yet presented the offer to the SEC nor is there a guarantee the SEC will accept. The investment bank says it is fixing the problems that led to the erasure and is pleading for leniency."



He, He, He!





You see, the email archiving market is about to top $310M for 2005 according to IDC, yet one of the world's most powerful investment banks cannot seem to comply with the requirements.

Lack of financial power - nope, lack of incentives - yep! The case reminds me of KPMG's tax shelters, McAfee's fine for the accounting scam between 1998 and 2000, and the "Smoking Emails Admissible In $1 Billion Enron-Related Chase Case".

Quit smoking emails, and take advantage of MailArchiva - Open Source Email Archiving and Compliance.


How to win 10,000 bucks until the end of March?

February 17, 2006
I feel that, in response to the recent event of the WMF vulnerability being purchased/sold for $4000 (an interesting timeframe as well), iDefense are actively working on strengthening their market positioning, that is, maintaining their pioneering position as perhaps the first company to start paying vulnerability researchers for their discoveries.

The company recently offered $10,000 for the submission of a vulnerability that gets categorized as critical in any of Microsoft's Security Bulletins. In the long term, would vulnerability researchers be able to handle the pressure put on them through such financial incentives and keep their clear vision instead of selling their souls/skills? What if someone naturally offers more; would money be the incentive that can truly close the deal, and is it just me realizing how bad it is to commercialize the not-so-mature vulnerability research market, namely how this would expose all of its current weaknesses?

Consider going through some of my previous thoughts on the emerging market for software/0day vulnerabilities as well, and stay tuned for another recent discovery a dude tipped me on; thanks, as a matter of fact!


The end of passwords - for sure, but when?

February 16, 2006
My first blog post, "How to create better passwords - why bother?!" back in December 2005, tried to briefly summarize the thoughts and comments I've been making on the most commonly accepted way of identifying yourself - passwords.

Bill Gates commented on the issue; note where: at the RSA Conference, hosted by perhaps the company that's most actively building awareness of the potential of, and need for, two-factor authentication, or anything other than static passwords for various access control purposes. Moreover, it was again Bill Gates who wanted to integrate the Belgian eID card with MSN Messenger (Anonymity or Privacy on the Internet?). Microsoft are always reinventing the wheel, be it with antivirus or their Passport service, and while they have financial obligations to their stakeholders, I feel it's the wrong approach on the majority of occasions.

What I wonder is, are they forgetting that over 95% of the PCs out there run Microsoft Windows, and not Vista, and how many would continue to do so, polluting the Internet at the bottom line? My point is that MS's constant rush towards "the next big thing" doesn't actually provide them with the resources to tackle some of the current problems, at least in a timely manner. What do you think? What could Microsoft do to actually influence the acceptance of two-factor authentication, and moreover, how feasible is the concept at the bottom line?


A timeframe on the purchased/sold WMF vulnerability

February 15, 2006
The WMF vulnerability and how it got purchased/sold for $4000 was a major event during January, at least for me, as for quite some time the industry was in the twilight zone by not going through a recently released report. But does this fact matter next to figuring out how to safeguard the security of your network/PC, given the time it took the vendor first to realize that it's real, then to actually patch it? Something else that struck me is that, compared to the media articles and my post, was I the only one interested in who bought it, instead of who sold it?

So here's a short timeframe on how it made it to the mainstream media:
January 27 - Kaspersky are the first to mention the "purchase" in their research
January 30 - I started blowing the whistle and friends picked it up (even the guy that got so upset about it!)
January 31 - Meanwhile, someone eventually breached AMD's forums and started infecting its visitors!
February 2 - Microsoft Switzerland's Security blog featured it
February 2 - LinuxSecurity.com republished it
February 2 - DSLReports.com picked it up
February 2 - Appeared on Slashdot
February 3 - OSIS.gov (an unclassified network serving the intelligence community with open source intelligence) picked it up :)

What's the conclusion? Take your time and read the reports thoroughly, and cheer Kaspersky's team for their research? For sure, but keep an eye on the Blogosphere as well!


Detecting intruders and where to look for

February 15, 2006
CERT just released its "Windows Intruder Detection Checklist"; from the article:

"This document outlines suggested steps for determining whether your Windows system has been compromised. System administrators can use this information to look for several types of break-ins. We also encourage you to review all sections of this document and modify your systems to address potential weaknesses."

I find it a well summarized checklist; perhaps the first thing I looked up when going through it was the rootkits section, given the topic. It does provide links to free tools, but I feel they could have extended the topic a little bit. Overall, consider going through it. Another checklist I recently came across is "11 things to do after a hack", and another quick summary is "10 threats you probably didn't make plans for".

Rootkits are gaining popularity, and with reason: it takes more effort to infect new victims than to keep the current ones, at least the way I see it. In one of my previous posts, "Personal Data Security Breaches - 2000/2005", I mentioned a rootkit placed on a server at the University of Connecticut on October 26, 2003 that wasn't detected until July 20, 2005. Enough for auditing, detecting attackers and forensics? Well, not exactly; still, something else worth mentioning is the interaction between auditing, rootkits and forensics. There's also been another reported event of using rootkit technologies for DRM (Digital Rights Management) purposes, not on CDs but DVDs this time, so it's not enough that malware authors are utilizing the rootkit concept; flawed approaches from the companies we purchase our CDs and DVDs from are resulting in more threats to deal with!

Check CERT's "Windows Intruder Detection Checklist" and, if interested, also go through the following resources on rootkits and digital forensics:

Windows rootkits of 2005, part one
Windows rootkits of 2005, part two
Windows rootkits of 2005, part three
Malware Profiling and Rootkit Detection on Windows
Timing Rootkits
Shadow Walker - Raising The Bar For Windows Rootkit Detection - slides
When Malware Meets Rootkits
Leave no trace - book excerpt
Database Rootkits
Rootkits and how to combat them
Rootkits Analysis and Detection
Concepts for the Stealth Windows Rootkit
Avoiding Windows Rootkit Detection
Checking Microsoft Windows Systems for Signs of Compromise
Implementing and Detecting an ACPI BIOS Rootkit

Host-based Intrusion Detection Systems
Forensics Tools and Processes for Windows XP Clients
F.I.R.E - Forensic and Incident Response Environment Bootable CD
Forensic Acquisition Utilities
FCCU GNU/Linux Forensic Bootable CD 10.0
iPod Forensics :)
Forensics of a Windows system
First Responders Guide to Computer Forensics
Computer Forensics for Lawyers


Look who's gonna cash in on evaluating the maliciousness of the Web?

February 14, 2006
Two days ago, SecurityFocus ran an article "Startup tries to spin a safer Web" introducing SiteAdvisor :

"A group of graduates from the Massachusetts Institute of Technology (MIT) aim to change that by crawling the Web with hundreds, and soon thousands, of virtual computers that detect which Web sites attempt to download software to a visitor's computer and whether giving out an e-mail address during registration can lead to an avalanche of spam.

The goal is to create a service that lets the average Internet user know what a Web site actually does with any information collected or what a download will do to a computer, Tom Pinckney, vice president of engineering and co-founder of the start-up SiteAdvisor, said during a presentation at the CodeCon conference here."

The concept is simply amazing, and while it's been around for ages, it still needs more acceptance from decision makers who tend to stereotype on perimeter and antivirus defense only. Let's start from the basics: it is my opinion that users do more surfing than downloading, that is, the Web and its insecurities represent a greater threat than users receiving malware in their mailboxes or IMs. Not that they don't receive any, but I see a major shift towards URL droppers, and while defacement groups are more than willing to share these with phishers etc., a URL dropper is easily replaced by an IP-based one, so you end up having infected PCs infecting others by hosting and distributing the malware. So sneaky, isn't it? My point is that initiatives such as crawling the web for malicious sites, listing and categorizing them and updating their status are a great opportunity, both security- and business-wise. The way you know the bad neighbourhoods around your town, in that very same way you need a visualization to assist in research or to act as a security measure, and while it's hard to map the Web and keep it up to date, I find the idea great!

So what is SiteAdvisor up to? Another build-to-flip startup? I doubt it, as I can almost smell the quality entrepreneurship of MIT's graduates, of course given they assign a CEO with a business background :) APIs, plugins, the majority of popular sites already tested according to them, and it's free, at least to the average Internet user, whose virtual "word of mouth" will help this project get the scale and popularity necessary to see it licensed and included within current security solutions. They simply cannot test the entire Web, and I feel they shouldn't even set it as an objective; instead, map the most trafficked web sites or do so on-the-fly with the top 20 results from Google. I wonder how downloads are tested, are they run through VirusTotal for instance, and how significant could a "push" approach from the end users, that is, submitting direct links to malicious files found within a domain for automatic analysis, be here?

I think the usefulness of their idea could only be achieved with the cooperation/acquisition of a leading search engine. My point is that some of the project's downsides are the lack of on-the-fly ability (that would be like v2.0 and a major breakthrough in respect to performance), how it lacks the resources to catch up with Google on the known web (25,270,000,000 according to them recently), and how IP droppers instead of URL-based ones totally ruin the idea in real-life situations (it takes more effort to register and maintain a domain compared to using a zombie host's capabilities to do the same, doesn't it?).

In one of my previous posts on why you should aim higher than antivirus signature protection only, I mentioned some of my ideas: "Is client-side sandboxing an alternative as well? Could and would a customer agree to act as a sandbox, compared to the current (if any!) contribution of forwarding a suspicious sample? Would v2.0 consist of a collective automated web patrol in a PC's "spare time"?"

Crawling for malicious content and making sense of the approaches used in order to provide effective solutions is a very exciting topic. As a matter of fact, in one of my previous posts, "What search engines know, or may find about us?", I mentioned the existence of a project to mine the Web for terrorist sites dating back to 2001. I'm curious about its progress in respect to the current threat of Cyberterrorism; I feel both crawling for malicious content and crawling for terrorist propaganda have a lot in common. Find the bad neighbourhoods and have your spiders do whatever you instruct them to do, but I still feel quality and an in-depth overview would inevitably be sacrificed for automation.

What do you think is the potential of web crawling for malicious content, and by malicious I also include harmful in respect to the Cyberterrorism PSYOPS techniques (I once came across a comic on PSYOPS worth reading!) that I come across on a daily basis? Feel free to test any site you want, or browse through their catalogue as well.

You can also find more info on the topic, and alternative crawling solutions, projects and Cyberterrorism activities online, here:

A Crawler-based Study of Spyware on the Web
Covert Crawling: A Wolf Among Lambs
IP cloaking and competitive intelligence/disinformation
Automated Web Patrol with HoneyMonkeys Finding Web Sites That Exploit Browser Vulnerabilities
The Strider HoneyMonkey Project
STRIDER : A Black-box, State-based Approach to Change and Configuration Management and Support
Webroot's Phileas Malware Crawler
Methoden und Verfahren zur Optimierung der Analyse von Netzstrukturen am Beispiel des AGN-Malware Crawlers (in German)

Jihad Online : Islamic Terrorists and the Internet
Right-wing Extremism on the Internet
Terrorist web sites courtesy of the SITE Institute
The HATE Directory November 2005 update (very rich content!)
Recruitment by Extremist Groups on the Internet


Recent Malware developments

February 13, 2006
In some of my February streams :) "The War against botnets and DDoS attacks" and "CME - 24 aka Nyxem, and who's infected?" I covered some of the recent events related to malware trends in the first months of 2006. This is perhaps the perfect time to say a big thanks to everyone who's been expressing ideas, remarks and thoughts on my malware research. While conducting the research itself I realized that I simply cannot include everything I want, as I didn't want to release a book only to have its content outdated in less than a year, but rather a "stick to the big picture" representation of the things to come. The best part is that while keeping daily track of the trends and trying to compile a summary to be released at the end of the year, many more concepts that I didn't include come to my mind, so I feel I'll have enough material for a quality summary and justification of my statements. So what are some of the recent developments to keep in mind?

A lot of buzz on the CME-24 front, and I feel quite a lot of time was spent speculating on the infected population based on a web counter whose results weren't as accurate as originally thought. And as vendors closely cooperated to build awareness of the destructive payload, I think that's the first victory for 2006: no window of opportunity. The best part is that CAIDA patiently waited until the buzz was over to actually come up with reliable statistics on Nyxem.

It's rather quiet on the AV radars, the way I see it, and quickly going through F-Secure's, Kaspersky's (seem to be busy analyzing code; great real-time stats!) and Symantec's, I came across the similarities you can feel for yourself in "the wild" :) Symantec's ThreatCon is normal; what's interesting to note is VirusTotal's flood of detected WMFs, which is perhaps a consequence of the *known* second vulnerability.

James Ancheta's case was perhaps the first known and so nicely documented case of botnet power on demand. Recently a botnet, or rather participation in one, shut down a hospital's network; moreover, I think StormPay didn't comply with a DDoS extortion attempt during the weekend?

Joanna Rutkowska provided more insights on stealth malware in her research (slides, demo) about a "new generation of stealth malware, so called Stealth by Design (SbD) malware, which doesn't use any of the classic rootkit technology tricks, but still offers full stealth. The presentation also focuses on limitations of the current anti-rootkit technology and why it’s not useful in fighting SbD malware. Consequently, alternative method for compromise detection is advocated in this presentation, Explicit Compromise Detection (ECD), as well as the challenges which Independent Software Vendors encounter when trying to implement ECD for Windows systems – I call it Memory Reading Problem (MRP)."

How sound is the possibility of malware heading towards the BIOS anyway? An "Intelligent P2P worm's activity" piece that I just came across also deserves to be mentioned; the concept is great, still the authors have to figure out how to come up with legitimate file sizes for multimedia files if they really want to fake their existence. What do you think on this?

Some recent research and articles worth mentioning: Kaspersky's "Malware Evolution: October - December 2005" outlines the possibilities for cryptoviral extortion attacks, 0day vulnerabilities, and how the WMF bug got purchased/sold for $4000. There have also been quite a lot of new trojans analyzed by third-party researchers, and among the many recent articles that struck me are "Malicious Malware: attacking the attackers, part 1" and part 2; from the article:

"This article explores measures to attack those malicious attackers who seek to harm our legitimate systems. The proactive use of exploits and bot networks that fight other bot networks, along with social engineering and attacker techniques are all discussed in an ethical manner."

Internet worms and IPv6 has nice points; still, I wish there were only network-based worms to bother about. Besides all that, I've missed important concepts in various commentaries, did you? Malware is still split between vulnerabilities and social engineering attacks, at least for the last several months; still, the increased corporate and home IM usage will inevitably lead to many more security threats to worry about. Web platform worms such as the MySpace one and Google's AdSense Trojan are slowly gaining ground as a Web 2.0 concept, so are virus or IDS signatures the ones to look for? Try both!

During January, David Aitel reopened the subject of beneficial worms, out of Vesselin Bontchev's research on "good worms". While I have my reservations on such a concept, which would mostly have to do with patching the way I see it, could exploiting a vulnerability in a piece of malware be considered useful some day, or could a network mapping worm launched in the wild act as an early response system on mapped targets that could end up in a malware's "hitlist"? I also think the alternative to such an approach, going beyond the network level, is Johnny Long's (recent chat with him) Google Dorks Hacking Database; you won't need to try to map the unlimited IPv6 address space looking for prey. Someone will either do the job for you, or with time, the transparency in IPv6 necessary for segmented and targeted attacks will be achieved as well.

Several days ago, Kaspersky released their summary for 2005. Nothing ground-breaking in here compared to previous research on how the WMF vulnerability was purchased/sold for $4000 :) but still, it's a very comprehensive and in-depth summary of 2005 with respect to the malware variables they keep track of. I recommend you go through it. What struck me?
- on average, 6368 malicious programs detected per month
- +272% Trojan-Downloaders, 2005 vs 2004
- +212% Trojan-Dropper, 2005 vs 2004
- +413% Rootkit, 2005 vs 2004
- during 2005, on average 28 new rootkits a month
- IM worms: 32 modifications per month
- IRC worms are down 31%
- P2P worms are down 43%; the best thing is that Kaspersky Labs also shares my opinion on the reason for the decline: P2P busts and general prosecutions for file-sharing. What's also interesting to mention is the recent ruling in a district court in Paris on the "legality of P2P" in France and the charge of 5 EUR per month for access to P2P, but for how long? :) P2P file-sharing isn't illegal, and if you cannot come up with a way to release your multimedia content online, don't bother doing it at all. In previous chats I had with Eric Goldman, he also made some very good points on the topic.
- +68% Exploit, that is, software vulnerabilities and the use of exploits, both known and 0day, with the idea of easily exploiting the targeted PC, though I'm expecting the actual percentage to be much higher
- Internet banking malware reached a record 402% growth rate by the end of 2005. Trojan.Passwd is a very good example; it clearly indicates that it is written for financial gain. E-banking can indeed prove dangerous sometimes, and while I'm not being paranoid here, I'd recommend you go through Candid's well-written "Threats to Consider when doing E-banking" paper
- a modest growth from 22 programs per month in 2004 to 31 in 2005 on the Linux malware front

I feel today's malware scene is so vibrant that it's getting more and more complex to keep track of possible propagation vectors, the ecosystem here and there, and mostly communicating what's going on to the general public (actually this one isn't).
What's to come, and what drives the current growth of malware?
- money!
- the commercialization of the market for software vulnerabilities, where we have the first underground purchase of the WMF exploit; so have software vulnerabilities always been the currency of trade in the security world, or have they only started getting the necessary attention recently?
- is stealth malware more of an issue compared to utilizing 0day vulnerabilities, and is retaining current zombie PCs a bigger priority than infecting new ones?
- business competitors, enemies and unethical individuals are actively seeking undetected pieces of malware coded especially for their needs; these definitely go beneath the sensors
- Ancheta's case is a clear indication of a working ecosystem from my point of view, one that goes as high as to provide after-sale services such as DDoS strength consultations and 0day malware on demand

To sum up, malware tends to look so sneaky when spreading and zoomed out :) I originally came across the VisualComplexity project in one of my previous posts on visualization. Feel I've missed something worth mentioning during the last two months? Then consider expanding the discussion!
You can also consider going through the following resources related to malware:

Who needs nuclear weapons anymore?

February 09, 2006
Excluding Iran and the potential of its nuclear program (no country that bans music should have such power!), perhaps I should rephrase: who can actually use them nowadays, are they just a statement of power, and do flexibility and beneath-the-radar concepts matter? I feel they do.

I just came across a news article from January on a new EMP warhead test, and while there have been speculations and movie plots that Electromagnetic Pulse Weapons could be used by terrorists, I find this a bit of an exaggerated statement that, I guess, actually seeks further investment in the current development of the concept. I feel that compared to symmetric warfare, asymmetric warfare as a concept has greatly evolved over the years, and in today's interconnected society, military powers could easily be balanced. What else to mention is the "cooperation" between the parties, which I came across in a report on Nuclear Electromagnetic Pulse as of June 9, 2005, namely:

"'If we really wanted to hurt you with no fear of retaliation, we would launch an SLBM,' which if it was launched in a submarine at sea, we really would not know for certain where it came from. 'We would launch an SLBM, we would detonate a nuclear weapon high above your country, and we would shut down your power grid and your communications for 6 months or so.' The third-ranking communist was there in the country. His name is Alexander Shurbanov, and he smiled and said, 'And if one weapon would not do it, we have some spares.' I think the number of those spares now is something like 6,000 weapons."

"the Russians had developed weapons that produced 200 kilovolts per meter. Remember, the effects in Hawaii were judged to be the result of five kilovolts per meter. So this is a force about 200 times higher. The Russian generals said that they believed that to be several times higher than the hardening that we had provided for our military platforms that they could resist EMP."

"'Chinese military writings described EMP as the key to victory and described scenarios where EMP is used against U.S. aircraft carriers in the conflict over Taiwan.' So it is not like our potential enemies do not know that this exists. The Soviets had very wide experience with this, and there is a lot of information in the public domain relative to this. 'A survey of worldwide military and scientific literature sponsored by the commission,' that is the commission that wrote this report, 'found widespread knowledge about EMP and its potential military utility including in Taiwan, Israel, Egypt, India, Pakistan, Iran, and North Korea.'"

Still there's hope for preserving the global state of security instead of fuelling its insecurity :
"In 2004, the EMP Commission met with very senior Russian officers, and we showed that on the sign. They warned that the knowledge and technology to develop what they called super EMP weapons had been transferred to North Korea and that North Korea could probably develop these weapons in the near future, within a few years. The Russian officers said that the threat that would be posed to global security by a North Korean armed with super EMP weapons was, in their view, and I am sure, Mr. Speaker, in your view and mine, unacceptable."  

Foreign Views of Electromagnetic Pulse (EMP) Attack reveals further details on other nations' ambitions. Perhaps one of the most famous commitments towards EMP is the Trestle Electromagnetic Pulse Simulator, which can also be seen on Google Maps; still, in my opinion it's a defensive initiative for an offensive purpose :(

Extending the topic even further, the space warfare arms race has been an active policy of the world's key leaders for decades, and that's not good. The U.S., Russia and China, as the main players, are fuelling the growth in one way or another, perhaps because they believe in:

- the other sides actively developing such capabilities, and they are, because they think the same of their opponents => arms race
- the growing trend towards asymmetric warfare
- cost-effectiveness compared to building a multimillion-dollar nuclear submarine as a statement of power?

In my opinion space warfare would directly influence everyone down here on Earth, and scenarios such as:
- hijacking?
- destroying

could become normal. Space is already getting crowded, to borrow one of my favourite quotes: "But I guess I'd say if it is just us... seems like an awful waste of space". On the other hand, and with respect to securing critical infrastructure on Earth :) I find recent initiatives such as the Cyber Storm exercise more PR-oriented than relevance-oriented; my point is, how can you expect to have the critical infrastructure secured when a global overload in traffic would again deny service, a critical one?

My point is that the Internet, as the most pervasive and cost-effective tool, is often utilized for sensitive commercial, government and military operations alike, so attacking the Internet affects pretty much everyone. Factor in the overall shift towards network-centric warfare and you've got a problem, given that commercial and public IP networks are used to handle the enormous bandwidth needed for sensitive operations.

To sum up, go through the following War Quotes, and perhaps consider how major problems on Earth stop major innovations in Space. I feel war is not a solution but an excuse, one that should never be uttered! I know this post tried to combine several different issues, but given that IP is at the bottom line, I think my readers wouldn't mind :) What's your attitude on the space warfare arms race? Is it real, and how do you picture future developments here?

More resources on Electromagnetic Pulse Weapons, Space Warfare and Network-Centric Warfare are also available at :

The War against botnets and DDoS attacks

February 09, 2006
In one of my previous posts talking about botnet herders I pointed out how experiments tend to dominate, and while botnet protection is still a buzzword, major security vendors are actively working on product line extensions. DDoS attacks are the result of a successful botnet, so botnets, besides the distributed concept itself, are the root of the problem. Techworld is reporting that McAfee is launching a "bot-killing system"; from the article:

"Unlike conventional DDoS detection systems based on the statistical analysis of traffic, the first layer of the new Advanced Botnet Protection (ABP) intrusion prevention system (IPS) uses a proxy to pass or block packet traffic dependent on whether or not it is “complete”. "

The best thing is that it's free; the bad thing is that it may give their customers a "false sense of security". That is, while the company is actively working on retaining its current customers, I feel "SYN cookies" and their concept have been around for years. Moreover, relying on a service from a company whose core competencies have nothing to do with DDoS defense can be tricky. Companies worth mentioning are Arbor Networks and Cisco with their solutions, besides the many other alternative and flexible ways of dealing with DDoS attacks.
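To make the "SYN cookies" concept concrete, here is an added worked example (written for this post; it is not McAfee's ABP code, nor anything from the Techworld article): a server that encodes the half-open connection state into its initial sequence number instead of allocating a table entry for every SYN, and only accepts the final ACK if it returns a cookie that could have been minted recently for that exact 4-tuple. The secret key, the MSS table, the addresses and the ports are constructed for the demo; the bit layout follows the classic description (5 bits of time counter, 3 bits of MSS index, 24 bits of keyed hash).

```python
import hashlib
import hmac
import socket
import struct

# Constructed demo secret; a real stack rotates random keys.
SECRET = b"constructed-demo-secret-key"
# Assumed MSS table: the 3-bit field stores an index into it, so the
# server can recover a usable MSS without having stored the client's SYN.
MSS_TABLE = (536, 1460, 4380, 8960)
MASK32 = 0xFFFFFFFF


def _hash24(saddr, sport, daddr, dport, client_isn, count):
    """Keyed 24-bit hash over the 4-tuple, the client ISN and the time counter."""
    msg = (socket.inet_aton(saddr) + socket.inet_aton(daddr)
           + struct.pack("!HHII", sport, dport, client_isn, count))
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(saddr, sport, daddr, dport, client_isn, client_mss, count):
    """Server ISN for the SYN-ACK: top 5 bits = count mod 32, next 3 bits = MSS
    index, low 24 bits = keyed hash. No per-connection state is kept."""
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i
    return (((count & 0x1F) << 27)
            | (mss_idx << 24)
            | _hash24(saddr, sport, daddr, dport, client_isn, count)) & MASK32


def verify_syn_cookie(saddr, sport, daddr, dport, client_isn, ack, count, max_age=4):
    """Check the ACK that completes the handshake. Returns the MSS to use, or
    None if the cookie is forged, belongs to another 4-tuple, or is too old."""
    cookie = (ack - 1) & MASK32
    age = (count - (cookie >> 27)) & 0x1F          # counter ticks since minting
    if age > max_age:
        return None
    minted = count - age
    if (cookie & 0xFFFFFF) != _hash24(saddr, sport, daddr, dport, client_isn, minted):
        return None
    return MSS_TABLE[(cookie >> 24) & 0x7]


def handshake_demo():
    """Walk one legitimate handshake, one forged ACK and one stale ACK through the server."""
    client, server = ("203.0.113.7", 40000), ("198.51.100.1", 80)   # constructed
    client_isn, now = 12345, 100
    # SYN arrives: the server answers with the cookie as its ISN and forgets the SYN.
    isn = make_syn_cookie(*client, *server, client_isn, 1460, now)
    # The final ACK arrives two ticks later acknowledging isn + 1: accepted, MSS recovered.
    good = verify_syn_cookie(*client, *server, client_isn, (isn + 1) & MASK32, now + 2)
    # A guessed ACK number does not match the keyed hash: rejected.
    forged = verify_syn_cookie(*client, *server, client_isn, (isn + 9) & MASK32, now + 2)
    # A replayed cookie from 20 ticks ago is outside the acceptance window: rejected.
    stale = verify_syn_cookie(*client, *server, client_isn, (isn + 1) & MASK32, now + 20)
    return good, forged, stale


if __name__ == "__main__":
    print(handshake_demo())
```

The point of the exercise is where the cost lands: a flood of SYNs costs the server one hash per packet and no memory, and only a peer that really received the SYN-ACK can produce a valid third packet. The price is that TCP options carried in the forgotten SYN (window scaling, SACK) are lost, which is why stacks normally switch to cookies only once the backlog fills. The "complete" check in the proxy described above applies the same principle one layer up: commit no resources on behalf of a client until it has proven it can finish the handshake.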

In my research on the Future trends of Malware, I pointed out some of the trends related to botnets and DDoS attacks, namely DDoS extortion and DDoS on demand/hire, and with the first legally prosecuted case of offering botnet access on demand, it's a clear indication of where things are going. Defense against frontal attacks isn't cost-effective given that, at the bottom line, the costs of keeping the site up outpace the revenue it generates over that time: hard dollars disappear, while soft ones, such as reputation, remain the same.

My advice is to take into consideration the possibility of outsourcing your problem, and to stay away from product line extensions; I think it's that simple. A differentiated service on fighting infected nodes is being offered by Sophos, namely the Zombie Alert, which makes me wonder why the majority of AV vendors besides them haven't come up with an alternative, given the data their sensor networks are able to collect. Moreover, should such a service be free, would it end up as a licensed extension included within the majority of security solutions, and can a motivated system administrator successfully detect, block, and isolate zombie traffic going out of the network (I think yes!)?
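On the question of whether a motivated system administrator can spot zombie traffic leaving the network, here is an added example of what that check looks like over outbound flow records (example code written for this post, not Sophos' Zombie Alert or any vendor's product). The flow lines, the 10.0.0.0/8 internal range and the thresholds are all constructed. It applies two signals that an admin can compute from exported flows alone: a regular-interval "heartbeat" from one internal host to one external port, and several internal hosts rendezvousing at the same external destination and port.

```python
import ipaddress
import statistics
from collections import defaultdict

# Constructed outbound flow records (not real traffic).
# Columns: seconds_since_start src dst dport bytes
FLOWS = """
0    10.0.0.5   198.51.100.9   6667  120
60   10.0.0.5   198.51.100.9   6667  118
120  10.0.0.5   198.51.100.9   6667  122
180  10.0.0.5   198.51.100.9   6667  119
240  10.0.0.5   198.51.100.9   6667  121
300  10.0.0.5   198.51.100.9   6667  120
5    10.0.0.7   198.51.100.9   6667  130
70   10.0.0.7   198.51.100.9   6667  128
125  10.0.0.7   198.51.100.9   6667  131
190  10.0.0.7   198.51.100.9   6667  129
255  10.0.0.7   198.51.100.9   6667  130
30   10.0.0.11  198.51.100.9   6667  140
410  10.0.0.11  198.51.100.9   6667  139
12   10.0.0.9   203.0.113.4    443   9000
400  10.0.0.9   203.0.113.4    443   15000
900  10.0.0.9   93.184.216.34  80    4000
50   10.0.0.5   203.0.113.4    443   2000
"""

# Assumed: the site's own address space, which the admin knows.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]


def parse_flows(text):
    """Turn the whitespace-separated records into dicts."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, nbytes = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound(flows):
    """Only flows that leave the site matter for zombie detection."""
    return [f for f in flows if is_internal(f["src"]) and not is_internal(f["dst"])]


def find_beacons(flows, min_conns=5, max_cv=0.2):
    """One internal host contacting one external (dst, port) at a regular interval.
    Regularity is measured as the coefficient of variation of the gaps."""
    by_conn = defaultdict(list)
    for f in outbound(flows):
        by_conn[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    beacons = []
    for (src, dst, dport), times in by_conn.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "dport": dport,
                            "interval": round(mean, 1), "cv": round(cv, 3)})
    return sorted(beacons, key=lambda b: b["src"])


def find_fan_in(flows, min_hosts=3):
    """Several internal hosts sharing one external (dst, port): a candidate C&C
    rendezvous, which also catches hosts too quiet to qualify as beacons."""
    hosts = defaultdict(set)
    for f in outbound(flows):
        hosts[(f["dst"], f["dport"])].add(f["src"])
    return sorted((dst, dport, len(h)) for (dst, dport), h in hosts.items()
                  if len(h) >= min_hosts)


def analyze(text):
    flows = parse_flows(text)
    return {"beacons": find_beacons(flows), "fan_in": find_fan_in(flows)}


if __name__ == "__main__":
    for key, findings in analyze(FLOWS).items():
        print(key, findings)
```

In the constructed data two hosts check in with 198.51.100.9:6667 roughly every minute and are reported as beacons, while a third host that has only talked to it twice is caught by the fan-in rule instead. The HTTPS traffic to 203.0.113.4 trips neither rule. Once a destination is confirmed, the same (dst, dport) key is what you would block at the egress firewall and use to pull the talking hosts off the network.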

As far as botnets are concerned, there were even speculations on using "Skype to control botnets". Now who would want to do that, and for what reason, given the current approaches for controlling botnets? Isn't the use of cryptography or security through obscurity ("talkative bots", stripped IRCds) the logical "evolution" here?

Something else worth mentioning is the trend of DoS attacks getting totally replaced by DDoS ones; my point is that the former can be a much sneakier one and easily go beneath the radar, compared to a large-scale DDoS attack. A single packet can be worth more than an entire botnet's population, can't it?

How do you think DDoS attacks should be prevented, active defense such as the solutions mentioned, or proactive solutions? What do you think?

You can also go through other resources dealing with DDoS attacks and possible solutions to the problem :

A top level espionage case in Greece

February 08, 2006
Starting shortly after the Olympic games in 2004 and up to March 2005, the mobile phones of the Prime Minister Costas Caramanlis, the ministers of foreign affairs, defense, public order and justice, top military officials, a number of journalists, and human rights activists (hmm?) were tapped by an unknown party through the installation of "spy software" (too open a topic) on, mind you, Vodafone's central system, and the calls were diverted to a pay-as-you-go mobile phone.

At the bottom line, who's behind it? Interested parties within the Greek government, or external ones? To me this is an insider's job, or someone who had the incentive to breach Vodafone's security, which I doubt. Though, it is disturbing how easily these mobile numbers could be obtained, as the majority of media representatives already have them! My point is that you should count them as the weakest link, besides accessing a mobile provider's database and other sources. UPDATE: Vodafone's statement. UPDATE 2: Cryptome featured more info on the Greek illegal wiretapping scandal: some translations and resources.

Another recent spy case was the rock transmitter found in a Moscow park, and while the Russian president Putin is cheering the discovery and keeping it diplomatic, the FSB (a successor to the KGB) is taking note of this one. You can actually go through a collection of videos and references on the case.

I guess it's the silence that's most disturbing in the "Silent War".

Security Awareness Posters

February 07, 2006
Security is all about awareness at the bottom line. The better you understand it, the higher your chance of "survival", and hopefully progress!
 
Enjoy the following collections of witty and amusing security awareness posters:
1, 2, 3 (you may also be interested in going through my talk on security policies and awareness with K Rudolph from Native Intelligence), 4, 5, 6, 7, 8.

Hacktivism tensions

February 07, 2006
It was about time the freedom of the press and the democratic nature of joking with politicians took its hit. But why with spiritual leaders? The controversial Muhammad cartoons sparked a lot of anger, and with the recent tensions in France all we needed was hacktivism activity from angry Muslims. Remember how the China vs U.S. cyberwar was sparked by the death of a Chinese pilot crashing into an AWACS that was sort of "keeping it quiet"?

Zone-H is reporting on massive defacements of Danish sites, and if you take the time to go through the reported reasons, you'll find that:

"political reasons"
"just for fun"
"I just want to be the best defacer"
"revenge against that web site"
"patriotism"

tend to dominate. As far as defacements are concerned, in one of my previous posts, "FBI's 2005 Computer Crime Survey - what's to consider?", you can see that according to the report, organizations lost approximately $10,395M due to web site defacements. Moreover, in some of my previous research on Cyberterrorism I've indicated the use of script kiddies for PSYOPS and how such defacements have a favorable psychological effect on future initiatives.

And while they have the motivation to deface, I wonder whether someone would strike back, and under what justification?


The current state of IP spoofing

February 06, 2006
A week ago, I came across a great distributed initiative to map the distribution of spoofable clients and networks, the ANA Spoofer Project, whose modest sample of 1100 clients, 500 networks and 450 ASes can still be used to make informed judgements on the overall state of IP spoofing. I once posted some thoughts on "How to secure the Internet" where I was basically trying to emphasize the fact that securing critical infrastructure by evaluating how hardened against attacks it really is can be greatly improved as a concept. What if that infrastructure is secured, but the majority of Internet communications remain in plain text and are easily spoofable, which I find to be one of the biggest current weaknesses? If you can spoof there's no accountability, and you can even get DDoSed by gary7.nsa.gov, can't you? (In the original Star Trek series, Gary Seven was the covert operative who returned from the future to fix sabotage to the United States' first manned rocket to the moon moments before lift-off.)

On the other hand, according to Gartner IPSec will be dead by 2008, but I feel this is when its peak and maturity would actually be reached. IPv4 will evolve to IPv6, and therefore IPSec will hopefully become an inseparable part of the Internet.

So what's the bottom line so far?

- 366 million spoofable IP addresses out of 1.78 billion
- 43,430 spoofable netblocks
- 4700 spoofable ASes out of 18450
- NATs and XP SP2 make their impact

The higher the population, the scarier the numbers for sure! I have always believed in distributed computing and the power of the collective intelligence of thousands of people out there. Be it through integrating powerful features whose results are freely available to the public, through OEM agreements or whatsoever, I feel in the future more vendors will start taking advantage of their customers' base for

How can you contribute? Pick up your client, start spoofing, but make sure your actions don't raise someone's eyebrows even though you simply wanted to contribute; that's just a couple of packets to a university's server that is looking forward to receiving them this time :)

Dshield.org, the Distributed Intrusion Detection System, is a very handy and useful OSINT tool that is obviously being used by the NSA as well (check out the Internet Storm Center's post on this, and the photo itself). UPDATE: Cryptome also featured fancy pictures from the NSA's Threat Operations Wizardry.

What is your opinion on the current state of IP spoofing on the web, and on how handy this insecurity is for DDoS attacks? What should be done, from your point of view, to tackle the problem on a large scale?
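One large-scale answer to the spoofing numbers above is ingress filtering at the network edge (BCP 38): the router nearest the source drops packets whose source address could not legitimately have arrived on that interface, so spoofed packets never make it onto the Internet in the first place. The following is an added example of that decision logic (written for this post; it is not the Spoofer project's client or any router vendor's implementation). The routing table, interface names, bogon list and packet samples are constructed. It implements the strict check, where the source must route back out the arriving interface, plus a bogon drop for address space that no legitimate outside host uses as a source.

```python
import ipaddress

# Constructed routing table of a small edge router: prefix -> next-hop interface.
ROUTES = {ipaddress.ip_network(p): iface for p, iface in (
    ("203.0.113.0/24", "cust1"),
    ("198.51.100.0/25", "cust2"),
    ("0.0.0.0/0", "upstream"),
)}

# Constructed bogon list: sources that must never arrive on any interface.
BOGONS = [ipaddress.ip_network(n) for n in
          ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
           "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

# Constructed sample: (arriving interface, source, destination)
PACKETS = [
    ("cust1", "203.0.113.10", "192.0.2.50"),       # customer using its own address
    ("cust1", "198.51.100.5", "192.0.2.50"),       # customer spoofing a neighbour's prefix
    ("cust1", "192.0.2.99", "192.0.2.50"),         # customer spoofing a random global address
    ("upstream", "192.0.2.77", "203.0.113.10"),    # ordinary inbound traffic
    ("upstream", "203.0.113.10", "203.0.113.20"),  # our own prefix arriving from outside
    ("upstream", "10.1.2.3", "203.0.113.10"),      # bogon source from outside
    ("cust2", "198.51.100.5", "192.0.2.50"),       # second customer, legitimate
]


def longest_match(src):
    """Return (prefix, interface) of the most specific route covering src.
    The default route guarantees there is always a match."""
    addr = ipaddress.ip_address(src)
    best = max((net for net in ROUTES if addr in net), key=lambda n: n.prefixlen)
    return best, ROUTES[best]


def ingress_verdict(iface, src):
    """Strict reverse-path check: a packet may enter on iface only if the
    router would itself send traffic to src out of that same interface."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in BOGONS):
        return "deny"                      # never a valid source anywhere
    _prefix, route_iface = longest_match(src)
    return "permit" if route_iface == iface else "deny"


def filter_packets(packets):
    """Apply the check to each packet; return verdict counts and the drops."""
    counts = {"permit": 0, "deny": 0}
    dropped = []
    for iface, src, dst in packets:
        verdict = ingress_verdict(iface, src)
        counts[verdict] += 1
        if verdict == "deny":
            dropped.append((iface, src, dst))
    return counts, dropped


if __name__ == "__main__":
    counts, dropped = filter_packets(PACKETS)
    print(counts)
    for iface, src, dst in dropped:
        print(f"dropped on {iface}: {src} -> {dst}")
```

Two caveats a practitioner would raise: the strict check misfires on multi-homed customers whose return path is asymmetric, which is where operators fall back to a loose check (any route to the source exists) or to an explicit per-customer source ACL; and the filter only helps when it sits close to the source, since a transit network in the middle has a valid route to almost every address. That is exactly why the per-AS numbers the Spoofer project collects matter more than any single site's configuration.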

You can also consider going through many other distributed concepts :

The original DES Cracker Project
DJohn - Distributed John
Bob the Butcher distributed password cracker
Seti at Home
ForNet : A Distributed Forensics Network
Pandora - Distributed Multirole Monitoring System
FLoP - distributed Snort sensor
DNSA - DNS auditing tool
Despoof - anti packet spoofing

As well as reading more on IP Spoofing, distributed concepts and related tools :

IP Spoofing - An Introduction
Distributed Tracing of Intruders
Distributed Phishing Attacks
MAC Distributed Security
IPv6 Distributed Security(draft)
Distributed Firewalls
Web Spoofing
The threats of distributed cracking
