Saturday, August 30, 2008

Bacterial IT Security

Imagine, if you will, lots of people playing Will Wright's new game SPORE
http://www.ted.com/index.php/talks/will_wright_makes_toys_that_make_worlds.html
. There is no common species to speak of. Everyone who plays uses
COTS (yes, off the shelf :) but every organism looks, feels and acts
differently. Sure they move, amble, fly, walk, run, eat, shit,
procreate etc... however we now have many, many unique entities that
interact. They can all be affected by lack of water, food,
temperature, disease, but how exactly? What do we measure and what do
we focus on? Now let's go macro to micro.

How is any system sustainable? Is there a net gain or loss in
energy/entropy? Will it sort itself out if we just sit back and wait
for certain breeds to die out? What is it that allows some to succeed
and others to become extinct? We don't need to measure *all* factors,
perhaps just the successful candidates, and what defines
success? Success = survivability and adaptability?

Assume fluid/shifting environment thus mobile, morphing, modular,
ability to react, change, multiply, access to resources.

Erm, again a stream of consciousness... I think you see where I am
going. We fucked up in IT. We thought we were building pyramids and
Fort Knoxes when in actual fact we needed flocks of birds and 'ships
of the desert'....

What is the longest surviving species and why? -> symbiotic viruses?
reptiles? co-existent properties for good guys/bad guys?

Ranum: Will the future be more secure? It'll be just as insecure as it
possibly can, while still continuing to function. Just like it is
today.

OMFG-SPAM

I have to opt out of corporate communication in Australia rather than opt in, fair nuff'. I have already opted out of all Qantas UCE (Unsolicited Commercial Email) as stated in the junk mail I just received the other day. I will let it speak for itself. Corporates are out of control.

"Dear MR X,

We regularly send exciting offers and news via email. But sadly, we haven't been able to get them to you, because while we have your email address as xxxxxx@xxxxxxx.com.au you have not opted-in to receive any of our email communications."

So they send me physical junk mail... Pure and utter, MADNESS! OMFG!

Taking a leaf out of Wade's book, I have lodged a complaint here http://www.acma.gov.au/WEB/STANDARD/pc=PC_310369 but this might not work based upon a technicality/convergence?

Aside: Click on the screenshot for a somewhat better image; apologies about the quality as it was taken on a camera phone in bad light.

More DNS jiggery!

So here is a brain-fart that prolly' needs cleaning up and is awaiting moderation on Kaminsky's site! Challenge-response mechanism basically. A DNS-tunnelled type of CHAP for DNS.. and I know, I know, separate DNS server functions and all that... however ideas are ideas...

http://www.doxpara.com/?p=1237

"I’m afraid it’s always a computational cost or time trade-off. Essentially Penny Black project style challenge or LaBrea tarpitting is required.

What *DO* we own re: logical assets? RRs!!!!!

Could we ask the remote server somehow to lookup a temp record in our own domain, generate one(as we own our own servers hopefully) and then wait for the lookup from the remote NETBLOCK? Kinda like SMTP authentication for websites and mailing lists with an OTP. One would have to be in-path to know the variable or understand some characteristic of the remote network/domain.

Let’s use the attack in reverse to secure the attack? Use the attack to secure ourselves as we can generate an arbitrary RR in our own domain e.g. our resolver talks to our domain NS and tells it to inject a local variable/record… think of it as a magic number, assume the attacker is not in-path.. then force the remote domain to ask our domain about it, before they give us the original new query for a host… haven’t totally thought this through fully :) might be worse re: BW :(

Or maybe debounce but record “IP TTL” tolerance. Sure IP TTLs can change with backbone routing updates but less likely in the course of lookups for random/new hosts not actually in local cache already.

Firewalls or any policy point invalidates host based rate limiting somewhat."
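The "record IP TTL tolerance" idea in the comment above, worked through as a defender-side heuristic: a resolver learns the IP-layer TTL it normally sees on replies from each authoritative server address and treats a reply that arrives with a very different hop count as something to re-query rather than cache. This is an added example, not code from the original post; the server address, TTL values, tolerance and sample-count threshold are all constructed/assumed.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class TtlBaseline:
    """Running baseline of observed IP TTLs per authoritative server address (assumed design)."""
    tolerance: int = 1                 # hops of drift allowed, e.g. a backbone route change
    min_samples: int = 3               # don't judge until a few genuine replies have been seen
    seen: dict = field(default_factory=lambda: defaultdict(list))

    def observe(self, server_ip: str, ip_ttl: int) -> str:
        """Return 'learn', 'ok' or 'suspect' for one reply that claims to come from server_ip."""
        history = self.seen[server_ip]
        if len(history) < self.min_samples:
            history.append(ip_ttl)
            return "learn"
        # Most common TTL so far is the baseline, so a single odd reply cannot shift it.
        baseline = max(set(history), key=history.count)
        if abs(ip_ttl - baseline) > self.tolerance:
            return "suspect"           # different network distance: re-query, do not cache
        history.append(ip_ttl)
        return "ok"

def classify_replies(replies):
    """replies: list of (server_ip, ip_ttl) in arrival order. Returns one verdict per reply."""
    tracker = TtlBaseline()
    return [tracker.observe(ip, ttl) for ip, ttl in replies]

# Constructed sample: genuine replies from the nameserver arrive at TTL 52/53; a burst of
# forged replies from a host at a different distance arrives at TTL 118, then the real one again.
SAMPLE = [("192.0.2.53", 52), ("192.0.2.53", 53), ("192.0.2.53", 52),
          ("192.0.2.53", 52), ("192.0.2.53", 118), ("192.0.2.53", 118),
          ("192.0.2.53", 53)]

if __name__ == "__main__":
    for (ip, ttl), verdict in zip(SAMPLE, classify_replies(SAMPLE)):
        print(f"{ip} ttl={ttl:3d} -> {verdict}")
```

The TTL is a signal for a second opinion, not proof: a sender that knows the expected hop count can set its initial TTL to match, so pair it with port/TXID randomisation rather than relying on it alone.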

Thursday, August 21, 2008

Request for flows

Problem Statement/Overview of Initiative:

- information has value though it is subjective to the possessor and the dispersion/dilution of instances of said data
- data at rest and data in motion have differing utilities/values
- shared infrastructures are often abstracted or ignored when in actual fact their intrinsic and aggregate value is a multiple of any individual member system or atomic piece of data
- organisations do not share security or incident data due to perceived reputational issues
- security posture and security spend is predicated upon the real/perceived value of the presence/absence of data/information, but not upon complete systems/networks, fabrics or reachability to said data
- to generate even an interim or arbitrary currency of data value, the context of data both at rest and in motion must be known
- fabrics provide connectivity, utility, and add-value services to endpoint/virtual nodes
- foundational values and attributes must be quantified for shared infrastructures/fabrics as a pre-requisite to factoring value of endpoint systems and subsequently data -> otherwise all value propositions are independent, incorrect and removed from their actual interdependency and 'real' cost
- once the concept of value can be assigned to classifications of infrastructure nodes based primarily upon their importance/utility, subsequent paths/flows and interdependencies may be weighted and valued (for example similar to metrics used for routing algorithms at a link, distance metric etc)

- no large flow datasets are available to the security/network community (as there are for logs at dshield.org etc.) with the exception of the Arbor ATLAS project, from which primarily only Arbor benefits directly for this type of research.

Proposition:

To generate metrics for different classifications of nodes based upon a simple taxonomy of flows and weighted relationships to infrastructure services (also utilising reachability/relationships with numbers of endpoints over time). Reachable endpoints/IPs may be virtual interfaces or physical interfaces and also may be subsets of greater nodes such as clusters/load balancers/virtual endpoints (EHV) etc.

Sample datasets of netflow/IPFIX data are required from a range of organisations over as long a time period as possible. Anonymisation will be applied to protect the innocent.

The author hopes to research the contextual relationships between nodes in an organisation and to weight and attribute value to flows in the hope of arriving at something akin to the ramble @ http://bsdosx.blogspot.com/2006/06/byo-rfc.html , also perhaps using a derivative of Metcalfe's law based upon reachable/live endpoints to generate a 'total' value of the fabric and services to the business or organisation.
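One concrete way to turn a flow sample into the per-node metrics and Metcalfe-style fabric value the proposition describes: classify each destination by the service its flows hit, count distinct peers now and peers that persist across days, weight by service class, then scale an n^2 term over live endpoints by the summed node scores. Added example, not the author's code; the flow records are constructed and the class weights and scoring formula are assumptions to be tuned against real netflow/IPFIX data.

```python
from collections import defaultdict

# Constructed flow records: (src, dst, dst_port, bytes, day). Real input would be
# netflow/IPFIX exports; addresses here are documentation ranges only.
FLOWS = [
    ("10.0.1.10", "10.0.0.53", 53, 200, 1), ("10.0.1.11", "10.0.0.53", 53, 180, 1),
    ("10.0.1.12", "10.0.0.53", 53, 210, 2), ("10.0.1.10", "10.0.0.53", 53, 190, 2),
    ("10.0.1.10", "10.0.2.80", 80, 50000, 1), ("10.0.1.11", "10.0.2.80", 80, 61000, 2),
    ("10.0.1.12", "10.0.2.80", 80, 58000, 2), ("10.0.2.80", "10.0.0.53", 53, 150, 1),
    ("10.0.1.10", "10.0.3.22", 22, 9000, 1), ("10.0.1.10", "10.0.3.22", 22, 7000, 2),
]

# Simple flow taxonomy: destination port -> (service class, weight). Assumed values.
TAXONOMY = {53: ("infrastructure", 5.0), 80: ("application", 2.0), 22: ("management", 3.0)}

def node_metrics(flows):
    """Per destination node: service class, distinct peers, peers seen on >1 day, weighted score."""
    peers = defaultdict(set)                      # dst -> set of src addresses
    days = defaultdict(lambda: defaultdict(set))  # dst -> src -> set of days seen
    service = {}                                  # dst -> (class, weight); one service per node assumed
    for src, dst, port, _bytes, day in flows:
        peers[dst].add(src)
        days[dst][src].add(day)
        service[dst] = TAXONOMY.get(port, ("other", 1.0))
    metrics = {}
    for dst, srcs in peers.items():
        cls, weight = service[dst]
        persistent = sum(1 for s in srcs if len(days[dst][s]) > 1)
        # reachability now plus persistence over time, scaled by the service-class weight
        metrics[dst] = {"class": cls, "peers": len(srcs), "persistent_peers": persistent,
                        "score": weight * (len(srcs) + persistent)}
    return metrics

def live_endpoints(flows):
    """Distinct addresses seen on either side of any flow."""
    return len({ip for src, dst, *_ in flows for ip in (src, dst)})

def fabric_value(flows):
    """Metcalfe-style derivative: n^2 over live endpoints, scaled by the summed node scores."""
    n = live_endpoints(flows)
    return n * n * sum(m["score"] for m in node_metrics(flows).values())

if __name__ == "__main__":
    for node, m in node_metrics(FLOWS).items():
        print(node, m)
    print("fabric value:", fabric_value(FLOWS))
```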

Tuesday, August 19, 2008

Buller08..Snowboarding

A video encoding education! Hope you enjoy, the music is fun!

If you want a really good quality stream click here and select the "Watch in High Quality" link under the "Views" keyword!

Tuesday, August 12, 2008

Enterprise Management and Provisioning

Virtualisation of interfaces between systems and entities will actually provide more robust and persistent characteristics of nodes and resources. It will also allow for dynamic and non-disruptive "adds, moves and changes", but will be a troubleshooting nightmare whereupon convergence of skills and depth of code shall introduce more complexity. A new paradigm of defensible, self monitoring and self diagnosing code will be required. I also believe we need a virtual internet for testing, but that's going to be the next big thing! Donal.

Note:
EHV = End Host Virtualiser
NPV/NPIV = N_Port Virtualisation / N_Port Identifier Virtualisation

This is a pretty good overview on "The Evolving Data Center" from Cisco:
http://www.cisco.com/en/US/solutions/collateral/ns340/ns517/ns224/ns783/white_paper_c11-473501.html

Friday, August 08, 2008

Google "You can make money without doing evil." ?
Google acquires Postini.
Postini passes traffic to or routes through the US ARMY domestic spying ring INSCOM.
My GMAIL account is blocked when trying to send to a mailing list in the US which discusses security metrics.

Details in previous post. 'NGILBEVSMB002CL.il.ng.ds.army.mil' is effectively re-routing and blocking my emails.

Wired story on AT&T splitting backbone fibres: http://www.wired.com/science/discoveries/news/2006/05/70908

Sunday, August 03, 2008

Service transparency needed in Oz too

”The blunt means was referring to how some Deep Packet Inspection (DPI) platforms manage traffic when placed out of line. If a device is out of line, the only way to control traffic is to directly or indirectly signal the sender to slow down or terminate the communication session.”
“Consumers must be fully informed about the exact nature of the service they are purchasing and any potential limitations associated with that service.”


http://asert.arbornetworks.com/2008/08/lessons-learned-from-the-fcc-decision/

Friday, August 01, 2008

SF-SJ-SF-SFA

So I'm sitting in San Fran International terminal awaiting my flight to Melbourne via Auckland and reflecting on some fun stuff in the USENIX Security Symposium in San Jose I just attended (more specifically a special part of the conference on Security Metrics called Metricon):

a) SF Airport is at "Department of Homeland Security Threat Level ORANGE", who gives a sweet flying f**k.. and what does that mean anyway? Security traffic lights 'go slow' perhaps?
b) My GMAIL (web based email obviously.. AJAX'y port 80) to my securitymetrics.org group didn't get through from either the hotel's wireless nor the free wireless at the conference as the military have me blocked as a 'prohibited sender'... cool huh? Must be that email I sent a while back with as many keywords as possible in it. Nice one Draz! Anyway, see below for more details re: SMTP headers (I'm hoping it's not a redirect or filter by the hosting company of securitymetrics.org but I'm not sure yet) (NGILBEVSMB002CL.il.ng.ds.army.mil is in there somewhere...)
c) Spent an hour listening to the radio in San Fran today whereby a liberal radio station was interviewing Vincent Bugliosi, author of 'The Prosecution of George W. Bush for Murder', which is being blacklisted as such by the weak-ass delusional US media. Rock on Vince... he wants the death penalty for Bush + cronies. The fact that he carries such weight in terms of his background and history is one reason the mainstream invertebrates in the media are side stepping the gent.
d) met some cool amurican Lockheed Martin R&D dudes at the conference, including some peeps from Darpa, CIS(Center for Internet Security) and security bloggers I follow.
e) Met Dan Geer. Mission accomplished. Met Andrew Jaquaith who was like 'ahhhh Donal'..when he saw my name badge.
f) conference was pretty weak on the ground in terms of actual content but I didn't really care as I was just there for a holiday and to say hello to some peeps.
g) ebay security chick was cute, bigfix security chick looked like my mate micander's missus Holly
h) I came up with the idea of temporarily revoking NETBLOCKS as a punitive measure for orgs on the internets
i) Myself and Russell hit the bars twice chasing Asian-American chicks and had our fair share of Coronas and Mojitos, interesting discussions, great food, phone numbers, but didn't seal the deal. What's the story again with 2am closing?
j) I was reminded of the mass delusional insular conscious state most Amuricans live in
k) I was reminded of the smell of 'sewage' that wafts in certain areas of SF, including the abundance of homeless peeps around certain neighbourhoods.
l) I was pleased to see randomers walking around Haight-Ashbury in home made super hero capes, some in wizard hats... ain't it great that I wasn't fazed nor were most of the public..
m) I was reminded how beautiful parts of California are and how cool and kooky SF still is.
n) I didn't get to the Green Gulch Zen Center, maybe next time! I seem to have ended up in San Fran every 1.5 to 2 years since around 1998-1999

What follows are the SMTP headers from the f**'ing dopey military, almost like they want to expose their internal MTAs....

Delivered-To: irldexter@gmail.com
Received: by 10.110.39.19 with SMTP id m19cs75264tim;
Tue, 29 Jul 2008 16:29:07 -0700 (PDT)
Received: by 10.100.41.1 with SMTP id o1mr11435736ano.10.1217374144604;
Tue, 29 Jul 2008 16:29:04 -0700 (PDT)
Return-Path:
Received: from mail06.ng.army.mil (mail14.ng.army.mil [132.79.8.26])
by mx.google.com with ESMTP id 6si327532yxg.6.2008.07.29.16.29.03;
Tue, 29 Jul 2008 16:29:04 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of IL-ExchangeService@ng.army.mil designates 132.79.8.26 as permitted sender) client-ip=132.79.8.26;
Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of IL-ExchangeService@ng.army.mil designates 132.79.8.26 as permitted sender) smtp.mail=IL-ExchangeService@ng.army.mil
Received: from mail06.ng.army.mil (unknown [127.0.0.1])
by mail06.ng.army.mil (Symantec Mail Security) with ESMTP id 9D2A4520007
for ; Tue, 29 Jul 2008 18:23:31 -0500 (CDT)
X-AuditID: 844f0819-ac13fbb000001122-9a-488fa673712f
Received: from NGIAFESTBH002.ng.ds.army.mil (unknown [132.79.8.28])
by mail06.ng.army.mil (ARNG Mail Security Out) with ESMTP id 880194DC002
for ; Tue, 29 Jul 2008 18:23:31 -0500 (CDT)
Received: from NGILFESTBH002.il.ng.ds.army.mil ([55.70.177.222]) by NGIAFESTBH002.ng.ds.army.mil with Microsoft SMTPSVC(6.0.3790.3959);
Tue, 29 Jul 2008 18:29:02 -0500
Received: from NGILBEVSMB002CL.il.ng.ds.army.mil ([55.70.177.218]) by NGILFESTBH002.il.ng.ds.army.mil with Microsoft SMTPSVC(6.0.3790.3959);
Tue, 29 Jul 2008 18:29:01 -0500
Received: from mail pickup service by NGILBEVSMB002CL.il.ng.ds.army.mil with Microsoft SMTPSVC;
Tue, 29 Jul 2008 18:29:01 -0500
thread-index: Acjx0uGiIpV20940QBOD9qKfljCyIw==
Thread-Topic: Symantec Mail Security detected a prohibited sender in a message sent (SYM:07622397080654417781)
From:
To:
Subject: Symantec Mail Security detected a prohibited sender in a message sent (SYM:07622397080654417781)
Date: Tue, 29 Jul 2008 18:29:01 -0500
Message-ID: <45678D748EE142BB9E065FE101891564@il.ng.ds.army.mil>
MIME-Version: 1.0
Content-Type: text/plain;
charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft CDO for Exchange 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133
X-OriginalArrivalTime: 29 Jul 2008 23:29:01.0304 (UTC) FILETIME=[E1C17F80:01C8F1D2]
X-Brightmail-Tracker: AAAAAA==

Subject of the message: Re: [securitymetrics] Security awareness metrics
Recipient of the message: "Imran Mushtaq" ;"discuss@securitymetrics.org"
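To see what the chain above actually gives away, here is an added example (not from the original post) that unfolds the Received headers quoted above and lists every sending-side hostname and address that appears before the message reached Google's MX. The sample input is those headers re-folded per RFC 5322, trimmed to the hops the text discusses; the receiver MX name is taken from the headers themselves.

```python
import re

# Sample input: Received headers from the post above, continuation lines indented as in RFC 5322.
HEADERS = """\
Received: from mail06.ng.army.mil (mail14.ng.army.mil [132.79.8.26])
        by mx.google.com with ESMTP id 6si327532yxg.6.2008.07.29.16.29.03;
        Tue, 29 Jul 2008 16:29:04 -0700 (PDT)
Received: from NGIAFESTBH002.ng.ds.army.mil (unknown [132.79.8.28])
        by mail06.ng.army.mil (ARNG Mail Security Out) with ESMTP id 880194DC002
Received: from NGILFESTBH002.il.ng.ds.army.mil ([55.70.177.222])
        by NGIAFESTBH002.ng.ds.army.mil with Microsoft SMTPSVC(6.0.3790.3959)
Received: from NGILBEVSMB002CL.il.ng.ds.army.mil ([55.70.177.218])
        by NGILFESTBH002.il.ng.ds.army.mil with Microsoft SMTPSVC(6.0.3790.3959)
Received: from mail pickup service by NGILBEVSMB002CL.il.ng.ds.army.mil with Microsoft SMTPSVC
"""

HOP = re.compile(r"^Received:\s*(?:from\s+(?P<frm>.+?)\s+)?by\s+(?P<by>\S+)", re.I)
IP_LITERAL = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def unfold(raw):
    """Join folded continuation lines (leading whitespace) onto the header they belong to."""
    lines = []
    for line in raw.splitlines():
        if line[:1].isspace() and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def received_path(raw):
    """Hops in transit order (oldest first) as (from_host, by_host, from_ip_literal)."""
    hops = []
    for line in unfold(raw):
        m = HOP.match(line)
        if m:
            frm = m.group("frm") or ""
            ip = IP_LITERAL.search(frm)
            host = frm.split(" (")[0].split(" [")[0]   # drop the "(comment [ip])" part
            hops.append((host, m.group("by"), ip.group(1) if ip else None))
    return hops[::-1]   # each MTA prepends its header, so reverse to get transit order

def sender_side_hosts(hops, receiver_mx):
    """Hosts and IPs the sending org exposed before the message reached receiver_mx."""
    exposed = []
    for frm, by, ip in hops:
        if by == receiver_mx:
            break
        exposed += [n for n in (frm, by, ip) if n and " " not in n]
    return list(dict.fromkeys(exposed))   # dedupe, keep first-seen order
```

An outbound gateway that strips or rewrites the Received headers added by internal hops would leave only mail06.ng.army.mil visible to the recipient.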

v6 thing-a-me-bobs

So Kevin Kelly follows the 'Internet of Things' and Kurzweil's predictions.