Tuesday, February 07, 2006

Security Awareness Posters

At the bottom line, security is all about awareness. The better you understand it, the higher your chance of "survival", and hopefully progress!
 
Enjoy the following collections of witty and amusing security awareness posters:
1, 2, 3 (you may also be interested in going through my talk on security policies and awareness with K Rudolph from Native Intelligence as well), 4, 5, 6, 7, 8.

Hacktivism tensions

It was about time the freedom of the press and the democratic nature of joking with politicians took its hit. But why with spiritual leaders? The controversial Muhammad cartoons sparked a lot of anger, and with the recent tensions in France all we needed was hacktivism activity from angry Muslims. Remember how the China vs. U.S. cyberwar was sparked by the death of a Chinese pilot crashing into an AWACS that was sort of "keeping it quiet"?

Zone-H is reporting on massive defacements of Danish sites, and if you take the time to go through the reported reasons you'll find out that:

"political reasons"
"just for fun"
"I just want to be the best defacer"
"revenge against that web site"
"patriotism"

tend to dominate. As far as defacements are concerned, in one of my previous posts, "FBI's 2005 Computer Crime Survey - what's to consider?", you can see that according to the report, organizations lost approximately $10,395M due to web site defacements. Moreover, in some of my previous research on Cyberterrorism I've indicated the use of script kiddies for PSYOPS and how such defacements have a favorable psychological effect on future initiatives.

And while they have the motivation to deface, I wonder whether someone would strike back, and under what justification?


Monday, February 06, 2006

The current state of IP spoofing

A week ago, I came across a great distributed initiative to map the distribution of spoofable clients and networks - the ANA Spoofer Project, whose modest sample of 1100 clients, 500 networks and 450 ASes can still be used to make informed judgements on the overall state of IP Spoofing. I once posted some thoughts on "How to secure the Internet", where I was basically trying to emphasize that the concept of securing critical infrastructure by evaluating how hardened to attacks it really is can be greatly improved. What if that infrastructure is secured, but the majority of Internet communications remain in plain-text and are easily spoofable? I find this to be one of the biggest current weaknesses. If you can spoof there's no accountability, and you can even get DDoSed by gary7.nsa.gov, can't you? (In the original Star Trek series, Gary Seven was the covert operative who returned from the future to fix sabotage to the United States' first manned rocket to the moon moments before lift off.)

On the other hand, according to Gartner, IPSec will be dead by 2008, but I feel this is when its peak and maturity would actually be reached. IPv4 will evolve to IPv6, therefore IPSec will hopefully be an inseparable part of the Internet.

So what's the bottom line so far?

- 366 million spoofable IP addresses out of 1.78 billion
- 43,430 spoofable netblocks
- 4700 spoofable ASes out of 18450
- NATs and XP SP2 make their impact

The higher the population the scarier the numbers for sure! I have always believed in distributed computing and the power of the collective intelligence of thousands of people out there. Be it integrating powerful features whose results are freely available to the public through OEM agreements or whatsoever, I feel in the future more vendors will start taking advantage of their customers' base for

How can you contribute? Pick up your client, start spoofing, but make sure your actions don't raise someone's eyebrows, even though you simply wanted to contribute. That's just a couple of packets to a university's server that's looking forward to receiving them this time :)

Dshield.org - the Distributed Intrusion Detection System - is a very handy and useful OSINT tool that is obviously being used by the NSA as well (check out the Internet Storm Center's post on this, and the photo itself). UPDATE: Cryptome also featured fancy pictures from the NSA's Threat Operations Wizardry.

What is your opinion on the current state of IP Spoofing on the web, and on how handy this insecurity is for DDoS attacks? What should be done from your point of view to tackle the problem on a large scale?

You can also consider going through many other distributed concepts:

The original DES Cracker Project
DJohn - Distributed John
Bob the Butcher distributed password cracker
Seti at Home
ForNet : A Distributed Forensics Network
Pandora - Distributed Multirole Monitoring System
FLoP - distributed Snort sensor
DNSA - DNS auditing tool
Despoof - anti packet spoofing

As well as read more info on IP Spoofing, Distributed concepts and related tools:

IP Spoofing - An Introduction
Distributed Tracing of Intruders
Distributed Phishing Attacks
MAC Distributed Security
IPv6 Distributed Security(draft)
Distributed Firewalls
Web Spoofing
The threats of distributed cracking


Friday, February 03, 2006

What search engines know, or may find out about us?

Today, CNET's staff did an outstanding job of finding out what major search companies retain about their users. AOL, Google, Microsoft and Yahoo! respond to very well-researched questions!

From my point of view, whatever you do, just don't sacrifice innovation and trust in the current services for misjudged requests in the first place.

At the bottom line, differentiate your Private Searches Versus Personally Identifiable Searches, consider visiting Root.net, and control your Clickstream. You can also go through Eric Goldman's comments on the issue and his open letter regarding Search Engines and China.

As a matter of fact, I have just come across a very disturbing fact that I compare with initiatives to mine blogs for marketing research; EPIC has the details on its front page. It was about time a private entity came up with the idea, given its potential and usability. Could such a concept spot, or actually seek out, cyber dissidents in restrictive regimes with the idea to actually reach them, besides mining for extremists' data? I really hope so!

Thursday, February 02, 2006

CME - 24 aka Nyxem, and who's infected?

Today, the F-Secure team released a neat world map of the Nyxem.E infections. As you can see, the U.S. and Europe have been most successfully targeted, but I wonder whether it would be the same had the author started localizing the subject/body messages found within the worm to other languages. Who seeks to cause damage instead of controlling information and network assets these days? A pissed off commodities trader? :) Or on request, as the original version of the worm "can perform a Denial of Service (DoS) attack on the New York Mercantile Exchange website (www.nymex.com)"; still, that was 2 years ago.

Tomorrow is the day when the worm should originally start deleting all *.doc, *.xls, *.mdb, *.mde, *.ppt, *.pps, *.zip, *.rar, *.pdf, *.psd and *.dmp files on an infected PC, supposedly on network drives as well. What I also expect is more devastation on the 3rd of March, given the same happens every month. And while I doubt there's still someone out there unaware of this malware, perhaps released in "revenge mode", check out Internet Storm Center's summary, and know your enemy, hopefully not until next month again! UPDATE: You can actually go through another post in order to update yourself with some recent malware developments.


Suri Pluma - a satellite image processing tool and visualizer

I just came across a great satellite image processing software and decided to share it with my blog readers. Perhaps that's a good moment to spread the word about my RSS compatible feed, so consider syndicating it. To sum up:

"Suri Pluma is a satellite image processing tool and visualizer. It can open the most common image formats without importing to an internal format and minimizing the memory required for visualization. It is designed to be modular and extensible. It has a measurement tool (distance and areas with error estimation) and geographical and map coordinate information."

Check out the screenshots and consider downloading it in case you're interested. Meanwhile, you can also go through a previous post that's again related to visualization.
