Thursday, September 13, 2007

Blocking Port 53 TCP

I just read Experimental Storm Worm DNS Blocklist at SANS. The result of such a scheme looks something like this:

richard@neely:~$ host basic1.threatstop.com
;; Truncated, retrying in TCP mode.
basic1.threatstop.com has address 221.208.208.28
basic1.threatstop.com has address 221.208.208.27
basic1.threatstop.com has address 221.208.208.26
basic1.threatstop.com has address 221.208.208.25
basic1.threatstop.com has address 221.208.208.24
basic1.threatstop.com has address 221.208.208.23
basic1.threatstop.com has address 221.208.208.22
basic1.threatstop.com has address 221.208.208.21
basic1.threatstop.com has address 221.208.208.20
basic1.threatstop.com has address 221.208.208.19
basic1.threatstop.com has address 221.208.208.18
basic1.threatstop.com has address 221.208.208.17
basic1.threatstop.com has address 221.208.208.16
basic1.threatstop.com has address 221.208.208.15
basic1.threatstop.com has address 221.208.208.14
basic1.threatstop.com has address 221.208.208.13
basic1.threatstop.com has address 221.208.208.12
basic1.threatstop.com has address 221.208.208.11
basic1.threatstop.com has address 221.208.208.10
basic1.threatstop.com has address 221.208.208.9
basic1.threatstop.com has address 221.208.208.8
basic1.threatstop.com has address 221.208.208.7
basic1.threatstop.com has address 221.208.208.6
basic1.threatstop.com has address 221.208.208.5
basic1.threatstop.com has address 221.208.208.4
basic1.threatstop.com has address 221.208.208.3
basic1.threatstop.com has address 221.208.208.2
basic1.threatstop.com has address 221.208.208.1
basic1.threatstop.com has address 221.208.208.0

These IPs are supposed to be Storm Trojan infected hosts.

As soon as I saw that many records I knew TCP would be involved -- not UDP. Sure enough:



Basically, because so many records are returned, the UDP response comes back truncated and the lookup is retried over TCP. If you maintain a policy that blocks all port 53 TCP traffic because you heard that in a class somewhere, you might not be able to resolve these IPs. I wrote about this in my first book when I provided case studies on normal, suspicious, and malicious traffic using port 53 UDP and TCP.
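The truncation-then-TCP behaviour above can be checked from packet data. The following is an added example, not code from the original post: it builds DNS responses, applies the classic 512-byte UDP limit, and flags the lookups that a TCP/53 block would break. The names, the 192.0.2.x addresses, and the simplified server truncation behaviour (no EDNS0, whole records dropped) are constructed assumptions.

```python
"""Added example: the DNS TC (truncated) bit and the TCP/53 retry it triggers."""
import socket
import struct

UDP_LIMIT = 512          # classic DNS-over-UDP payload limit (no EDNS0 assumed)
QR, TC = 0x8000, 0x0200  # header flag bits: response, truncated


def encode_name(name):
    """Encode a hostname as length-prefixed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_response(qname, addrs, txid=0x1234):
    """Build an A-record response as a server answering over UDP might:
    keep the whole records that fit in 512 bytes and set TC if any were
    dropped (a simplified model of one common server behaviour)."""
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    body, kept = b"", 0
    for addr in addrs:
        # 0xC00C is a compression pointer back to the question name at offset 12
        rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + socket.inet_aton(addr)
        if 12 + len(question) + len(body) + len(rr) > UDP_LIMIT:
            break
        body += rr
        kept += 1
    flags = 0x8180 | (TC if kept < len(addrs) else 0)  # QR, RD, RA (+ TC)
    header = struct.pack("!HHHHHH", txid, flags, 1, kept, 0, 0)
    return header + question + body


def parse_header(payload):
    """Return the header fields a sensor needs to spot truncation."""
    if len(payload) < 12:
        raise ValueError("DNS header is 12 bytes")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    return {"id": txid, "response": bool(flags & QR),
            "truncated": bool(flags & TC), "answers": an}


def parse_qname(payload):
    """Read the question name after the header (uncompressed, as is normal)."""
    labels, pos = [], 12
    while payload[pos]:
        n = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)


def lookup_outcome(payload, tcp53_allowed):
    """What happens to the client given this UDP payload and the egress policy."""
    h = parse_header(payload)
    if not h["response"]:
        return "query"
    if not h["truncated"]:
        return "complete-over-udp"
    return "retry-over-tcp" if tcp53_allowed else "fails-tcp53-blocked"


def names_needing_tcp(udp_payloads):
    """Names whose UDP responses were truncated: the lookups a TCP/53 block breaks."""
    names = set()
    for p in udp_payloads:
        h = parse_header(p)
        if h["response"] and h["truncated"]:
            names.add(parse_qname(p))
    return sorted(names)


# Constructed sample traffic (documentation addresses, hypothetical names).
SMALL = build_response("www.example.com", ["192.0.2.1"])
LARGE = build_response("blocklist.example.com",
                       [f"192.0.2.{i}" for i in range(40)])

if __name__ == "__main__":
    for pkt in (SMALL, LARGE):
        h = parse_header(pkt)
        print(parse_qname(pkt), len(pkt), "bytes,", h["answers"], "answers,",
              lookup_outcome(pkt, tcp53_allowed=False))
```

Running `names_needing_tcp` over captured UDP/53 responses before tightening a firewall rule shows which names the resolver would no longer be able to look up completely.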

Wednesday, September 12, 2007

NSA IAM and IEM Summary

Two years ago I wrote Thoughts on NSA IAM Course. That post is still in the top ten Google search results for NSA IAM, which is sad because that means there isn't much about the program online. IAM stands for INFOSEC Assessment Methodology. (Ugh, I hate "INFOSEC".)

The only real material about IAM (beyond the public slides used to teach the classes) appears in Security Assessment: Case Studies for Implementing the NSA IAM by Russ Rogers, Greg Miles, Ed Fuller, Ted Dykstra. The Syngress sample chapter nicely summarizes the IAM purpose and compares it to alternatives.

The National Security Agency (NSA) Information Security (INFOSEC) Assessment Methodology (IAM) is a detailed and systematic method for examining security vulnerabilities from an organizational perspective as opposed to only a technical perspective. Often overlooked are the processes, procedures, documentation, and informal activities that directly impact an organization’s overall security posture but that might not necessarily be technical in nature. The IAM was developed by experienced NSA and commercial INFOSEC assessors and has been in practice within the U.S. government since 1997. It was made available commercially in 2001.

NSA developed the IAM to give organizations that provide INFOSEC assessments a repeatable framework for conducting organizational types of assessments as well as provide assessment consumers appropriate information on what to look for in an assessment provider. The IAM is also intended to raise awareness of the need for organizational types of assessment versus the purely technical type of assessment. In addition to assisting the government and private sectors, an important result of supplying baseline standards for INFOSEC assessments is fostering a commitment to improve an organization’s security posture.


The following chart from the sample chapter explains how NSA differentiates security activities:



So what are the general steps proposed by NSA IAM? There are three general phases:

  1. Pre-Assessment


    • Determine and manage the customer’s expectations

    • Gain an understanding of the organization’s information criticality

    • Determine customer’s goals and objectives

    • Determine the system boundaries

    • Coordinate with customer

    • Request documentation


  2. On-Site Assessment


    • Conduct opening meeting

    • Gather and validate system information (via interview, system demonstration, and document review)

    • Analyze assessment information

    • Develop initial recommendations

    • Present out-brief


  3. Post-Assessment


    • Additional review of documentation

    • Additional expertise (get help understanding what you learned)

    • Report coordination (and writing)



NSA IAM emphasizes creating a Technical Assessment Plan (TAP) which includes the following:

  • Point of Contact

  • Mission

  • Organizational Information Criticality

  • System Information Criticality

  • Customer Concerns and Constraints

  • System Configuration

  • Interviews

  • Documents

  • Timeline of Events


In brief, the NSA IAM is a giant interview, demonstration, and documentation review that precedes any kind of technical review. The IAM spends a good chunk of time determining Organizational Information Criticality and System Information Criticality via brainstorming and customer interviews. The idea is to narrow the scope of the assessment to something that customers care about. IAM (and IEM) sources clearly point out that their methodologies are not audits, inspections, or risk assessments. One of the course slides provides this (sort of) summary:



That's the IAM. What is the IEM [INFOSEC Evaluation Methodology]? Again, the best resource is a Syngress book -- Network Security Evaluation Using the NSA IEM by Russ Rogers, Ed Fuller, Greg Miles, Matthew Hoagberg, Travis Schack, Chuck Little, Ted Dykstra, and Bryan Cunningham. Quoting from the first chapter:

The IEM is a follow-on methodology to the NSA IAM. It provides the technical evaluation processes that were intentionally missing from the IAM. The IEM is a hands-on methodology, meaning you'll be actively interacting with the customer's technical environment. As such, the NSA intended for the IAM and IEM processes to work hand in hand...

Whereas the IAM provides us with an understanding of organizational security as it relates to policies and procedures, the IEM offers a comprehensive look into the actual technical security at the organization.


The IEM is divided into phases as well:

  1. Pre-Evaluation Phase


    • Pull information from IAM Pre-Assessment

    • Coordination with the customer to determine acceptable Rules of Engagement (ROE)

    • Give the team an understanding of the perceived system components

    • Define customer expectations

    • Define customer constraints or concerns

    • Legal Requirements

    • Develop the Technical Evaluation Plan (TEP)


  2. On-Site Evaluation Phases


    • Evaluation In-Brief

    • Tool Introduction and System Evaluation


      • Port Scanning

      • SNMP Scanning

      • Enumeration & Banner Grabbing

      • Wireless Enumeration

      • Vulnerability Scanning

      • Host Evaluation

      • Network Device Analysis

      • Password Compliance Testing

      • Application Specific Scanning

      • Network Sniffing


    • Evaluation Out Brief


  3. Post Evaluation Phase


    • Analyze the evaluation raw data

    • Conduct additional vulnerability research

    • If necessary, seek additional expertise

    • Develop recommendations

    • Coordinate final report authoring with team members

    • Deliver final report to customer



Like the IAM's TAP, the IEM directs creation of a Technical Evaluation Plan, or TEP:
  1. Points of Contact

  2. Methodology Overview


    • Purpose of the IEM

    • Description of the IEM

    • Evaluation Tools to Be Used


  3. Criticality Information (Organizational Criticality Matrices and System Criticality Information)

  4. Detailed Network Information

  5. Customer Concerns

  6. Customer Constraints

  7. Rules of Engagement

  8. Coordination Agreements


    • Level of Detail of Recommendations

    • List of Agreed-On Deliverables

    • The Coordination Agreements Section: A Catchall


  9. Letter of Authorization

  10. Timeline of Events


There's more to the IEM but those are the parts I want to have available for personal reference.

The following shows how the IAM and IEM can work together.



Is this rocket science? Of course not. Are the 10 "evaluation" activities naive and incomplete? Yes. The idea is you can build on this sort of methodology with your own approaches. I actually liked the IAM class and the structure of the IEM TEP, but I found the IEM class itself laughable.

If you want more details on really conducting evaluations, then a review of the latest Open Source Security Testing Methodology Manual (OSSTMM) is probably worthwhile.

Max Ray Butler in Trouble Again

In my first book I wrote the following on p 170:

WHO WROTE PRIVMSG?

The author of Privmsg served one year in prison after pleading guilty in a U.S. District Court to a single count of computer intrusion. In May 1998 he compromised numerous government, military, and academic servers running BIND and installed back doors on those systems. He was caught thanks to skillful use of session data by analysts at the AFCERT and by Vern Paxson from Lawrence Berkeley Labs. See http://www.lbl.gov/Science-Articles/Archive/bro-cyber.html for more information on Paxson’s use of Bro and the “boastful and self-justifying” e-mail the intruder sent to Paxson. For details on the intruder, see Wired’s account at http://www.wired.com/news/culture/0,1284,54838,00.html. Kevin Poulsen’s story at http://www.securityfocus.com/news/203 has more details.

The bottom line is it does not pay to infiltrate government machines -- especially Air Force servers or computers monitored by IDS researchers.


I didn't name Max Ray Butler (aka "Max Vision") as the author of Privmsg, but if you followed the stories you would have figured that out yourself.

I also didn't publicize this August 2002 post by Max to the SecurityFocus Jobs mailing list, subject line bay area security professional, $6.75/hr... Please read below!:

Greetings security employers:

I have an unusual situation that I would like to describe to you, and in doing so I am asking that anyone who can immediately employ me in the San Francisco Bay Area, please read this email and consider taking advantage of my availability and temporarily low cost.

I am...
o a seasoned professional with extensive security skills and experience
o a once convicted hacker (DOD, 1998)
o local to the San Francisco Bay Area, I live in Oakland
o willing to work for minimum wage (for the next two months)
o eager to work 60 hour weeks; I don't mind nights/weekends/holidays...

My Conviction (why I am desperate)

I am not proud of being convicted of a felony, but it is important that a potential employer know of my status. Apparently if you have FDIC insurance there is a clause stating that you cannot hire a convicted hacker on your projects. It is also because of my status that I am desperate for security-related or even internet-related work.

The truth is, I am living in a federal halfway house transitioning out of prison back into society. I have to find local work to meet their requirements, and they haven't approved any telecommute offers I have had so far. The director of the facility told me that if I don't find a job in the next week or so he will send me back to prison (my sentence actually ends October 12th)...

Sincerely,

Max Vision


That's one of the saddest and most pathetic posts I've ever read.

So where are we now, five years later? Check out Max Vision charged with hacking -- again:

In a five-count indictment unsealed on Tuesday, federal prosecutors allege that Butler ran a scheme to hack into computers at financial institutions and credit-card processing centers, stealing account information and selling the data to others. Butler also ran the online carders' forum, CardersMarket, under the name "Iceman" and "Aphex" as a way to coordinate illegal activities and meet people with similar interests, according to an affidavit penned by the U.S. Secret Service, which spearheaded the investigation...

During the 16-month investigation, the Secret Service maintained two confidential informants, one of which was an administrator on the CardersMarket forum. The informants gave the investigators an eye-opening view of the inner workings of the carders' world, the affidavit stated.

Butler purportedly used at least five different handles -- including "Iceman," "Aphex," and "Digits" -- in an attempt to confuse law enforcement and keep his administrative activities on CardersMarket separate from his outright illegal activities, the affidavit maintains...

A federal grand jury indicted Butler on charges of wire fraud and identity theft. If Butler is found guilty of all five charges, he could face up to 70 years in prison and a fine of $1.5 million, according to the U.S. Attorney's Office in Pittsburgh. Butler is currently being held in San Francisco until he appears in court on Monday.


I know Mr Butler is innocent until proven guilty in US courts, but human evidence gathered by informants is going to be tough to beat.

Show this post to your kids if they think "[malicious] hacking is cool." If you think "[malicious] hacking is cool," remember Mr Butler's fate the next time you break the law.

Tuesday, September 11, 2007

Example of Security Product Introducing Vulnerabilities

One of the reasons I blog is to record concrete events so I can more easily reference the exact details in the future. In Black Hat USA 2007 Round Up Part 2 I said:

Modern countermeasures applied to reduce vulnerability and/or exposure in many cases increase both vulnerability and exposure. This is certainly the case with so many agents (see Matasano is Right About Agents.)

Sometimes these vulnerabilities are present in the agent itself, such that the agent can be directly attacked. In other cases (like the one I cite today), the agent appears to re-introduce a vulnerability that the underlying system fixed years ago. From Haxdoors of the Kaspersky Antivirus 6/7:

Kaspesky [sic] and System Service Descriptor Table

Very long time is known that this is the weakest part of this antivirus. The weakest, because it contains number of elementary bugs.

Another example of poorly coded so-called Proactive Defense. On Windows XP Kaspersky AV adds additional services in SSDT table...

And now surprise. Any of this unknown SSDT entries can be EXPLOITED and can crash system into the BSOD even from Guest account with MINIMAL PRIVILEGES. We coded simple program. Its generates invalid system calls with invalid parameters for these unknown SSDT entries. The code is very simple but efficient. Using the same on clean Windows will lead to nothing, because Windows handles such situation in the right manner.
(emphasis added)

Please excuse the English; the speaker is Russian. (How is your Russian?)

In other words, normal Windows without Kaspersky is immune. Windows plus Kaspersky (supposedly equalling "defense in depth") is vulnerable.

Please remember this whenever you write (horror) or read a policy that requires anti-virus on all systems, regardless of the cost-benefit equation.

Monday, September 10, 2007

Comment on NetWitness Article

About a year ago I wrote Network Forensics with NetWitness. Today NetWitness is an independent company (again, congratulations) and is launching a new product suite. I was already a fan of their product last year but I will be taking another look at it in the coming weeks. If you want to know why please see last year's post.

I'm writing this post in reaction to Startup Led by Ex-DHS Cyberchief Rolls Out Forensics Tool. Specifically, I take issue with this excerpt:

[A] security and risk management analyst... says NetWitness's technology is basically immune from anti-forensic tools that attackers increasingly are using to deter investigations of breaches, for instance. "NetWitness allows organizations to investigate user activities at a level that neither attackers nor most users will be able to tamper with."

When I read that comment I immediately remembered The Eavesdropper's Dilemma, first mentioned in Latest Plane Reading from May 2007.

Network forensics can be attacked just like host forensics can be attacked. (If someone can please point me to the original citations for these, I would be grateful. I remember the terms but I can't remember who originally demonstrated the differences.)

I am sure NetWitness suffers both types of problems just by the nature of its operation, like any other network forensics application.

Perhaps the comment was inspired by thoughts like Hardware-Assisted Virtual Machine Rootkit or TaoSecurity Enterprise Trust Pyramid, where I defend the notion that the network doesn't lie like a compromised host does. However, like I mentioned in Marcus Ranum Highlights from USENIX:

At a certain point the complexity [of the firewall/filter] makes you just as likely to be insecure as the original application.

This is true for protocol-aware analysis tools as well as firewalls/filters.

Update: If you check the Dark Reading article again you'll see the word "resistant" replacing "immune". Please check the comments to see a post by the person who Dark Reading "quoted" to learn what can happen when you speak to reporters!

Saturday, September 08, 2007

France v China

In United Kingdom v China I asked who would be the next country to announce it's been 0wned by China. Thanks to Benny Ketelslegers I hear it's France. He cites Maarten Van Horenbeeck who read the original French to say the following:

Agence France Presse has reported that France is the most recent nation to be targeted by what are probably cyber attacks of Chinese origin. The news came from Mr Francis Delon, secretary general of the Secrétariat général de la défense nationale (SGDN). He notes: Chinese origin, not necessarily indicating involvement of the Chinese military.

It's a veritable "who's who" of the industrialized world -- US, Germany, UK, Japan, and now France. When will we hear from Canada, Italy... anyone else?

TaoSecurity 2000th Post

This is the 2000th TaoSecurity Blog post. The 1000th Post appeared roughly two years ago. I started the blog on 8 January 2003, so in four months it will be five years old.

For roughly five years I've used this blog as a personal yet technical forum, but intentionally did not write about my workplace. I've blogged while working as an incident response consultant for Foundstone, a technical director for ManTech's Computer Forensics and Intrusion Analysis division, an independent consultant with TaoSecurity, and now director of incident response for General Electric.

I plan to continue blogging as a way for me to record my thoughts on various security subjects. I detest bookmarks since they quickly become unmanageable, lack context, and do not include my reaction or synthesis of the subject at hand. Since opening the blog to comments several years ago I've enjoyed hearing from blog regulars and plan to continue reading your replies to my posts.

Please note that I hardly ever engage in back-channel discussions regarding anything I post here. If you would like to interact with me regarding a post, please leave a comment with your thoughts, or a comment with a link to your own post on the subject. If you send me a question that requires any sort of thoughtful reply, I am most likely going to turn it into a blog post (with your permission to treat the matter anonymously). It's helpful to also remember my Personal LinkedIn Policy.

The only other forum in which I might engage in a running discussion is a mailing list. I mainly use email as a means of communication with family or coordination with colleagues. I do not debate over email.

The only blog-related issue you may notice in the coming months involves a review of old blog posts. I am considering revisiting all of my old posts for several reasons, so those of you who subscribe via RSS might see old posts republished. First, I'd like to remove or fix links to missing images. Second, I'd like to replace images hosted on my infrastructure with images posted at Blogger. Third, I'd like to add proper titles to old blog entries that lack that feature.

Thank you to those who have been reading for a while, and welcome to those who are newcomers. If you are not yet blogging, I highly recommend starting.