The jury is still out on Twitter. Micro-Blogging is for the times between face to face meetings, major blog posts, emails, instant messages, and phone calls. As if we don't have enough ways to communicate already, it appears as if we needed a way to publish every 10 seconds "what we are doing".
My first thought is "why?!". Do we really need to update everyone out there every time we eat a meal or take a shower? I'm doing my best to keep an open mind and I'm trying to give it a fair go, but I'm just not ready to see the benefit of this new technology. At best Twitter can be used to update people with regards to your current location so they can meet up with you at a local pub. To me it seems like a broadcast based IM system with mappings to SMS phone technologies. Maybe I'm just missing the point of it all.
I'm not even going to get into the privacy issues that are apparent with technologies like this. If people don't keep in mind what they are posting about they are likely to give away far too much information to the world. This is a much bigger problem than just Twitter (Facebook, Myspace, blogs in general, etc).
If you use and actually like micro-blogging technologies like Twitter, please leave a comment and explain why. Help me get into the year 2008.
This just in from the land of "Beenthere", a city in the great state of "Donethat". Scrawlr is a new tool that can "detect" SQL injection flaws in web sites. Well... sort of. It doesn't detect blind injection points, it doesn't support authentication, it has a limitation on the number of pages it will crawl, and it won't even execute POSTs. That's about as useless as a no-armed man playing basketball. Unless his name is Pele, he's pretty worthless.
While I can't fault HP and the SpiDynamics team for releasing the tool for free, I can certainly say it's all been done before, and done better by others. I just did a quick Google search for "SQL Injection Tools" and the very first link contains no less than 10 tools that claim to both find and exploit SQL injection flaws. I know for a fact that at least one of these tools exploits blind injections and supports most authentication and POSTs (I helped debug it, so I speak first hand).
To summarize, this tool release just sounds like a half-assed attempt to capitalize on the recent "Mass SQL Injection" attacks that have occurred on the Internet. Come on HP, get your stuff together. This is at best a marketing effort wrapped in technical freebie clothing. Everyone should feel free to use the tool if it will help them, but know that there are better free solutions out there.
Dan Geer, one of the foremost leaders in the field of security metrics and security economics, recently gave a keynote address at the Source Boston Information Security Conference. Sadly I was not able to attend the conference due to prior commitments; however, I did take the time to read the transcript of the keynote. Now I'm not generally one for discussing the theoretical merits of the information security field; instead I tend to find myself a bit more grounded in the practical research areas of our specific area of study. Because of this particular sentiment I read the keynote with much trepidation. To the average person, Dr. Geer is best known for publishing the paper "Cyberinsecurity: The Cost of Monopoly", which got him fired by his (and, at the time, my) employer. In this paper he discusses the monoculture of today's enterprise computing infrastructures and the dangers of a monoculture as evidenced by biological demonstration. The keynote takes a much higher-level point of view than the paper; however, many of the same points are reinforced from his previous work.
The keynote contained many quotable moments that make even the most casual reader say "Wow, that's cool".
"On this basis and others, bot-nets are a life form."
"Patching behavior is precisely like radioactive decay -- in each succeeding interval, half of the then unpatched machines are patched and, in any case, 80% of exploits appear within the first half-life of patch-announced vulnerability and wreak 85% of their damage in the first fortnight."
And my favorite of the quotes (that I will most likely use myself in the future):
"defense in depth is simply a referendum on your willingness to spend money for layers; it is rarely, if at all, a research-grade problem."
In this speech, Dr. Geer asserts the growth of security as a service, analyzes the virulence of malware using empirical evidence of the last decade, equates computer monocultures to beehives, and indirectly discusses the transition of the attacking class from hobbyists to pay-for-play professionals. Only in a few cases did I disagree with the text, but I'll leave those spots for you to pick out. Now go and read the transcript.
I know that this is old news to most of you. But I finally got around to viewing "The Last Lecture". This was a lecture given by Randy Pausch, who is a computer science professor at Carnegie Mellon University. Randy is dying from pancreatic cancer and was asked by CMU to give a talk at their last lecture series. I had been avoiding it due to the fact that I generally consider myself a rather non-emotional person and I didn't think I would really enjoy a talk such as this. I was completely wrong; this talk is PHENOMENAL. Everyone should watch this talk at least once and really try to understand the points he is making. Please give it a watch, I'm fairly certain you will enjoy it too.
So I whined in a silc channel today that I haven't posted on any cool topics in quite a while and this interesting link was pointed out to me (Thanks Chris for the pointer to the site and Ben Laurie for writing it up originally). The basis of the posting is how it's possible to remotely modify the firmware on some wired network cards and essentially create and deploy a piece of firmware level malware without having to ever take control of higher layers of the system. This is huge.
Once exploits are written for these issues we could see attacks that never really hit the OS and won't be detectable by current anti-virus and OS-level security mechanisms. Detection should be relatively straightforward by looking at a hash of the firmware of the NIC and comparing that against known acceptable hash values. This could be done in hardware or software; however, this isn't being done currently and is a somewhat new thought process.
Using this attack technique, the quoted author of the post was able to create a "Jedi Packet Trick" that would allow him to bypass CheckPoint FW-1 and Strongwall based firewall systems. This is really just the tip of the firmware rootkit iceberg. Using similar techniques it should be fairly straightforward to affect higher layers of the system and essentially create a very dangerous subversive system.
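As an added example (not code from the original post or from the write-up it links), here is the baseline-hash check described above in Python: a manifest of known-good firmware hashes per device and version, and a check that flags a dump that does not match. The vendor, model, version strings and the firmware bytes are constructed placeholders.

```python
from __future__ import annotations

import hashlib
import hmac

# Constructed manifest of known-good firmware hashes, keyed by
# (vendor, model, firmware version). Real entries would come from the
# vendor's published images or from a baseline dumped off a trusted card.
KNOWN_GOOD: dict[tuple[str, str, str], str] = {}


def register_baseline(vendor: str, model: str, version: str, image: bytes) -> str:
    """Hash a trusted firmware image and record it in the manifest."""
    digest = hashlib.sha256(image).hexdigest()
    KNOWN_GOOD[(vendor, model, version)] = digest
    return digest


def check_firmware(vendor: str, model: str, version: str, image: bytes) -> tuple[bool, str]:
    """Compare a dumped NIC firmware image with the baseline for that device.

    Returns (ok, reason). A device/version with no baseline is treated as a
    failure so that a card the manifest has never seen is not silently accepted.
    """
    expected = KNOWN_GOOD.get((vendor, model, version))
    if expected is None:
        return False, "no baseline for this device/version"
    actual = hashlib.sha256(image).hexdigest()
    # compare_digest avoids leaking the expected digest through timing.
    if hmac.compare_digest(actual, expected):
        return True, "firmware matches baseline"
    return False, f"firmware hash mismatch: expected {expected[:12]}..., got {actual[:12]}..."


# Constructed stand-in for a firmware dump (4 KiB of a repeating byte pattern).
BASELINE_IMAGE = bytes(range(256)) * 16
register_baseline("ExampleNIC", "EN-1000", "1.2.3", BASELINE_IMAGE)


def demo() -> dict[str, tuple[bool, str]]:
    """Run the check against a clean dump, a tampered dump and an unknown version."""
    tampered = bytearray(BASELINE_IMAGE)
    tampered[0x100] ^= 0x01  # a single flipped bit is enough to change the hash
    return {
        "clean": check_firmware("ExampleNIC", "EN-1000", "1.2.3", BASELINE_IMAGE),
        "tampered": check_firmware("ExampleNIC", "EN-1000", "1.2.3", bytes(tampered)),
        "unknown": check_firmware("ExampleNIC", "EN-1000", "9.9.9", BASELINE_IMAGE),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:9s} {'PASS' if ok else 'FAIL'}: {reason}")
```

A dump read back through the card's own firmware can be falsified by that same firmware, so where possible the input to this check should come from an out-of-band read of the flash part.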
I am so behind in my reading at this point that I feel really out of touch with the rest of the information security world. So I'm not going to post anything interesting today. Just a picture of me from graduation, mostly because I know how you all love it when I post stupid pictures on my blog!

I have finally decided to release the paper I wrote last fall entitled "Survey of Rootkit Technologies and Their Impact on Digital Forensics". I was considering submitting the paper to a bunch of academic journals, but I just don't want to take the time right now. So I've just decided to make it available to anyone who is interested in downloading it. I've also included a slide deck that I used for a conference a month or so ago on the same topic. Here is the abstract:
"A rootkit is code that is used by an attacker to keep the legitimate users and administrators of a system unaware of the code, and thus the attacker's, presence on the compromised system. This paper will discuss the history of rootkits, specifically focusing on the evolution of the rootkit from the basic modification of system binaries to the cutting edge research being conducted today. A discussion of each type of rootkit will be followed by an overview of rootkit detection techniques and how to know when a rootkit has been deployed. Finally we will analyze the impact that rootkits have on the digital forensics process. From live state evidence acquisition to using the rootkit data as a source of evidence itself, the impact on the digital forensic realm is important to understanding the potential pitfalls when conducting an incident response or presenting evidence in a court of law."
Please give me feedback via email or in the comments section if you find any errors or have any thoughts on the content.
I will be graduating with a Master's Degree in Computer Science/Information Security from James Madison University this Saturday. It's been a long and difficult 2.5 years, but I'm finally done and very happy with the program. I highly recommend it to anyone who is serious about the information security field. And to think... this is where it all started (notice the CODE that is on the screen).
The Race To Zero contest at this year's Defcon conference is going to be very interesting. The public at large is generally not aware how easy it really is to obfuscate a piece of malware to the point that common anti-virus engines will not be able to detect it. The AV vendors are generally pissed off about this content; however, I'm not sure they have a legal leg to stand on (I'm no lawyer, so take this with a grain of salt).
One interesting comment in the PCWorld article above is:
"It will do more harm than good," said Paul Ferguson, a researcher with anti-virus vendor TrendMicro. "Responsible disclosure is one thing, but now actually encouraging people to do this as a contest is a little over the top."
If Paul is referring to the risk involved in demonstrating that AV solutions are not a panacea, I disagree with him completely. The real risk here isn't a contest that demonstrates how easy it is to bypass AV solutions; we already know how to do that and we can do it VERY effectively. The real risk is the management of the new strains of virus that the contest is liable to produce. Working with malware in an unsafe environment is very dangerous and we could see a deluge of new variants being publicly released into the wild stemming from this event. I'm sure Paul meant to say that handling the new strains would be the hard part... right, Paul? *cough* *cough*.
Anyhow, I'm half tempted to create a new binary obfuscation algorithm just for this contest and pwn the whole thing. Somehow I think my current employer wouldn't be too happy with me. Anyone want to team up?
Holy crap! It just occurred to me that DonkeyOnAWaffle has been up an entire YEAR! In that year I managed to do 71 posts, which beats my original hope of averaging one post a week. I don't think I have ever had a blog last as long as this one, and it just goes to show you what reader feedback can do to help encourage a person... oh wait.. scratch that last line. Either way, happy one year birthday DOAW! Let's shoot for two a week in 2008! (yeah right).
And now for content that is relevant to the site. Microsoft has opened their protocols up for public use. The specifications for a large number of previously proprietary protocols can be found HERE. I'm sure we will see some vulnerabilities released in short order thanks to this link. And now I command all of you to "go forth and PWN!".