Thursday, August 11, 2005

Speed Cameras and Other Items

Thanks to Bruce Schneier for pointing me toward a story on weaknesses in MD5 killing a case involving speed cameras. Excerpts from this story provide some details:

"Sydney [Australia] magistrate Lawrence Lawson threw out a speeding case after the RTA [Roads and Traffic Authority] said it had no evidence that an image from a camera had not been doctored.

Mr Lawson had adjourned the case in June, giving the RTA eight weeks to produce an expert to prove pictures from a speed camera on Carlingford Rd, Epping, had not been altered after they were taken.

But RTA lawyers yesterday told Hornsby Local Court they could not find an expert and the case was thrown out...

The case revolved around the integrity of a mathematical MD5 algorithm published on each picture and used as a security measure to prove pictures have not been doctored after they have been taken.

Mr Miralis argued that the RTA had to prove the algorithm it used was accurate and could not be tampered with."

Good grief. The prosecution in the case appears to have lost because they framed the issues incorrectly. If the battleground was the lack of collisions in MD5, of course the RTA would lose. Determining what is required to tamper with speeding camera images is a completely different subject.

This case exemplifies the difference between capturing packets and performing network forensics. Most people do the former, which opens their methodology and network-based "evidence" for questioning should it be scrutinized by a clueful defense attorney. One of the reasons I have introduced new material on network forensics in my latest book and training is to elevate the network forensics practice to the point where we have a chance of surviving a clueful defense attorney.
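The distinction between "MD5 has collisions" and "what would it take to doctor this evidence" can be made concrete. The following is an added example, not code from the original post or from the RTA's camera system: it models a digest stored next to a picture (or a capture file) and shows that an unkeyed digest is recomputable by anyone who holds the data, while a keyed tag is not. The image bytes, the key and the function names are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a camera image (or a pcap); any byte string works.
IMAGE = b"JPEG\x00speed=78km/h;plate=EXAMPLE;ts=2005-06-01T08:15:00"
ALTERED = IMAGE.replace(b"speed=78", b"speed=58")


def publish_unkeyed(image: bytes) -> dict:
    """The scheme the article describes: an MD5 digest stored with the picture."""
    return {"image": image, "md5": hashlib.md5(image).hexdigest()}


def verify_unkeyed(record: dict) -> bool:
    return hashlib.md5(record["image"]).hexdigest() == record["md5"]


def publish_keyed(image: bytes, key: bytes) -> dict:
    """Keyed alternative: an HMAC tag that cannot be produced without the key."""
    return {"image": image, "tag": hmac.new(key, image, "sha256").hexdigest()}


def verify_keyed(record: dict, key: bytes) -> bool:
    expected = hmac.new(key, record["image"], "sha256").hexdigest()
    return hmac.compare_digest(expected, record["tag"])


def demo() -> dict:
    # Key held only by the capture device or the evidence custodian (assumption).
    key = os.urandom(32)
    genuine = publish_unkeyed(IMAGE)
    # Whoever holds image and digest can change the image and recompute the digest;
    # no MD5 collision is needed, so collision resistance is not the issue here.
    doctored = publish_unkeyed(ALTERED)
    keyed_genuine = publish_keyed(IMAGE, key)
    # Without the key the best an alterer can do is reuse the old tag.
    keyed_doctored = {"image": ALTERED, "tag": keyed_genuine["tag"]}
    return {
        "unkeyed_genuine_passes": verify_unkeyed(genuine),
        "unkeyed_doctored_passes": verify_unkeyed(doctored),
        "keyed_genuine_passes": verify_keyed(keyed_genuine, key),
        "keyed_doctored_passes": verify_keyed(keyed_doctored, key),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The same reasoning applies to packet captures offered as evidence: a digest computed at collection time only helps if the digest itself is protected (keyed, signed, or recorded out of band) and the chain of custody is documented.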

Speaking of forensics, those of you who like your forensics of the Windows host-based variety should check out a new post by Harlan Carvey on his Forensic Server Project.

Those of you who argue with me on the meanings of security terms will enjoy this post at Gunnar Peterson's blog. His Sherlock Holmes post was intriguing as well.

Update: A forensics expert who wishes to remain anonymous sent me a link to the following:

Computer Records and the Federal Rules of Evidence

"Computer records can be altered easily, and opposing parties often allege that computer records lack authenticity because they have been tampered with or changed after they were created...

The courts have responded with considerable skepticism to such unsupported claims that computer records have been altered. Absent specific evidence that tampering occurred, the mere possibility of tampering does not affect the authenticity of a computer record."

Wednesday, August 10, 2005

Review of IPv6 Network Administration

Amazon.com just posted my five-star review of IPv6 Network Administration. Wow, this was a great book. I've added it to my Telecommunications recommended reading list. From the review:

"IPv6 Network Administration is an absolutely first-rate technical guide. It is refreshing to read a book that doesn't waste time by assuming the reader has no networking background. IPv6 Network Administration achieves just the right balance between history, theory, and practical application to serve the needs of administrators and interested readers. If you've been waiting for the right resource from which to learn IPv6, this book is it."

The authors maintain a blog to infrequently post IPv6 issues. I plan to give 6to4 a try. The authors discuss 6PE, which I'd like to understand better. They also mention SEcure Neighbor Discovery (SEND) to mitigate link-layer attacks.

Don't Forget Honeyclients

If you read the recent SecurityFocus article Microsoft's "monkeys" find first zero-day exploit, you might notice it did not mention work done on an open source honeyclient project. The HoneyClient.org project is led by Kathy Wang. She provides an open source implementation that you might find interesting.

The idea of both projects is to have vulnerable (and perhaps those presumed not vulnerable) applications connect to various servers on the Internet. When visiting some of the shadier portions of the Internet, those clients (i.e., Web browsers) may be exploited. Analyzing the method of exploitation advances the knowledge of defenders, which is beneficial. Rather than waiting for intruders to attack vulnerable services or clients, pre-emptively sacrifice vulnerable yet disposable clients for the good of Internet security research.

OpenPacket.org Initial Announcement


I would like to announce that I am working on a project called OpenPacket.org. The mission of OpenPacket.org is to provide quality network traffic traces to researchers, analysts, and other members of the digital security community. One of the most difficult problems facing researchers, analysts, and others is understanding traffic carried by networks. At present there is no central repository of traces from which a student of network traffic could draw samples. OpenPacket.org will provide one possible solution to this problem.

Analysts looking for network traffic of a particular type will visit OpenPacket.org, query the OpenPacket.org Database for matching traces, and download those packets in their original format (e.g., Libpcap, etc.). The analyst will be able to process and analyze that traffic using tools of their choice, like Tcpdump, Snort, Ethereal, and so on.

Analysts who collect their own traffic will be able to submit it to the OpenPacket.org database, assuming it is suitable for public review and meets guidelines to be announced later.

I am currently working with some friends and colleagues on this project. We hope to have OpenPacket.org up and running before the end of the year. At present the OpenPacket.org domain name is "parked," and soon it will simply forward to this blog entry. As we enter Alpha and then Beta status, more will be available through that domain name.

Bleeding Snort Hosts bait-and-switch Snort Enhancement

The Bleeding Snort project announced a new Snort preprocessor called bait-and-switch. It's currently available as a patch to Snort 2.4.0. Snort must be running in inline mode, and the current implementation is Linux-specific as it uses SNAT and DNAT features of IPTables.

bait-and-switch lets inline Snort users create rules that redirect traffic when bait-and-switch rules are triggered. The idea is to send suspicious source IPs to another host (perhaps a honeypot) when their actions trigger specially designed rules. I think this is a novel idea but I do not see it being used in most production networks. Will Metcalf says his implementation is a rewrite of an idea by Jack Whitsitt (aka jofny) of Violating.us. I expect to see resources like this used in honeynets, research locations, and tightly-controlled, high-value networks where policies are defined well enough to justify triggering redirection.

Update: Here's the original Sourceforge site.

More Mildly Condescending Comments

Pete has responded to my previous post. Pete says:

"I actually believe the REAL threat exists. While everyone else works on the manufactured stuff, I want to protect my assets against true threats.

Regardless of my level of confidence, however, I don't claim to have evidence and I refuse to manufacture it. And I find general 'cloak and dagger' statements that security professionals make to be lacking any impact whatsoever...

If you really do know and can't say, why would you hang the entire Internet out to dry by keeping in-the-wild exploits against undercover vulnerabilities a secret while you encourage the wheel spinning of research and disclosure?"

Many readers in the DC metropolitan area will recognize that I am in a delicate position here. All I can really do is point to some publicly available documents to try to change Pete's world view. He can then make up his own mind. These are all open source, Internet-available documents hosted on completely public .mil sites for the benefit of visitors.

That's all I can say on the matter. I'm not trying to be devious, but there are lines that cannot be crossed. I hope Pete appreciates the picture of Gamera I managed to find for him.

Tuesday, August 09, 2005

Ptacek v. Lindstrom

There's a major battle over vulnerability and exploit disclosure occurring between Thomas Ptacek and Pete Lindstrom. I've linked the first post in each side of the debate. I don't know which one should be Godzilla or Mechagodzilla, but I liked the photo at left.

I think each side makes some valid points. I agree with Tom that vulnerability disclosure has resulted in elimination of many security problems. I agree with Pete that, in some sense, nothing has really improved, as victims are still being compromised. In the end I would lean more towards Tom; clueful people have a better chance of defending their networks, and at least knowing what is happening if their preventative measures fail. Remember that ten years ago there was no Snort, no Ethereal, no Nessus. Fifteen years ago there was no Argus, and no FreeBSD! Would you believe that Tcpdump is over eighteen years old though?

Tom does make an excellent point regarding cryptanalysis: why is it ok to analyze and break crypto algorithms, but supposedly not security software? Could it be that the people who really need strong crypto, like .gov and .mil types, know that bad guys are always trying to break the good guys' crypto?

If we are to believe Pete, we would not recognize this fact. Because Pete doesn't have first-hand knowledge of the sorts of research that occurs "in the shadows," he is quick to poke fun at people like Adam Shostack who say "We've always known that there's lots of exploit code for unannounced vulnerabilities out there." Pete and friends, there are people who have developed techniques months, and in some cases, years, before they appear in mailing lists or Black Hat talks.

With regard to discussions on specific new vulnerabilities and exploits, all I can tell you is "those who say don't know, and those who know can't say."