11 posts • joined 4 Jun 2010
Fun with Badges
At this year's RSA conference in San Francisco I reached into my bag on day two and pulled out last year's badge by mistake*. I wore it all the time. No one noticed except the marketing droids who wanted to scan my badge to send me spam.
The Badge was a different color. The strap was a different color. The badge said RSA 2012 on it.
No one noticed.
*AT A SECURITY CONFERENCE*
* I just stuffed it in the side pocket of my bag when I left the last time and forgot about it, then this year I stuffed this year's badge into the same pocket when I wanted to go out drinking and not be identified as a security nerd
Fun fact. Doesn't work with the new "preview" version of maps - https://www.google.com/maps/preview - which turns out to also have a different image of the spot - there's a guy standing by the lamppost in the new one that isn't in the standard version.
Move to (network) security
Security issues aren't going to go away. In fact, in a cloudy, BYOD sort of world they are even more important. I think many sysadmins (and particularly network admins) could usefully move sideways into network security. Exactly how you position yourself (as an MSSP? consultant? in-house expert? other...) will vary, but there's a crying need for people with a clue about security issues, and many of the security problems are ones that a regular admin has been handling for years in an intranet/local server environment.
A tool to help network admins
If you are running a network, my company - ThreatSTOP - has a tool to help you figure out which computers on the network are infected with DNS Changer.
Easy to block
The two domains direct to 184.108.40.206 and 220.127.116.11/32 respectively. Easy to add to a firewall as a block - although ThreatSTOP subscribers are already protected automatically because these addresses are in all our blocklists now.
Google+ will spike FB valuation at least
I just started using Google+ this weekend. I prefer it to FB so far. No, it isn't perfect, but the circles concept looks like a winner and there's a bunch of other things to like in it. I expect Google will implement integration with many other Google services (e.g. Reader) and the combo will almost certainly be better than FB. I have no loyalty to FB and will almost certainly leave when (if) enough of my FB contacts have moved across. So far about a quarter of my FB friends are on Google+. Most of them are saying the same.
If FB loses 25% of its userbase to Google+ then that's going to put a hole in the valuation.
Not a problem for good IP reputation services
There are a bunch of ways to do this. As I just blogged - http://threatstop.wordpress.com/2011/03/08/ipv6-and-ip-reputation/ - our IP reputation system works just fine with IPv6 /64s (or even /48s or whatever other net block size is required).
It could be deliberate
I can think of at least two reasons why the creators of Stuxnet did not bother with more obfuscation etc.
1) They wanted it to be found because they expected that the Iranians would then form a circular firing squad and/or a demoralizing witch hunt, either of which would drastically hinder the recovery from the outbreak. There is evidence that, combined with a couple of assassinations, this has indeed been the case.
2) It is misdirection, because there is also a Stuxnet2 which has not been found and which continues to wreak havoc, but that havoc is believed to be caused by Stuxnet. Thus the recovery is hindered because such computer techs as the Iranian nuclear industry has waste their time hunting for the original Stuxnet instead of looking for Stuxnet2.
I've got no idea whether either of these reasons is valid, but both seem quite plausible, and in the process of thinking through the arguments for those two I've come up with some others. Now I don't say these reasons are correct, but I do think the argument isn't as clear cut as the original article suggests.
Getting the right blocklist stops this
Your Shadowserver link lists a few of the domains/IPs that should be blocked. Based on that research and some passive DNS work we've done, we can now block the IP addresses of most of the botnet, and we're automating the update process so that the blocklist remains current.
See my blog post http://threatstop.wordpress.com/2011/01/04/threatstop-blocks-new-waledacstorm-worm-dns/ for more details.
Better to block the IP address rather than the name
The problem with blackholing DNS is that many cyber-crooks know about it and they therefore change the domain/subdomain they use frequently. Thus if you just block certain domains - even if you update the domains from malwaredomains.com frequently - you will fail to block the malware for long. A far better approach is to block the IP addresses of the malware-providing hosts, because typically the crooks use the same host with the same IP address; they just change/add new DNS names pointing to it.
As we mentioned on our blog (er, yes, this is a commercial plug) a few months back - http://threatstop.wordpress.com/2010/05/10/iframe-droppers-and-other-drive-bys-how-threatstop-protects-you/ - we provide our subscribers with frequently updated lists of known bad IP addresses that may be quickly and automatically plugged into the firewall and which block many malware sources. I'd love to say we block all, but then you'd know I was a lying marketing droid instead. I believe we stop most of them, though, but since the crooks unaccountably refuse to give us a list of compromised hosts for us to check against, I can't prove it.
MichaelC above would certainly benefit from our system, since stats we have analyzed from DShield indicate that about a third of all threat sources change in a week (and about a quarter in less than 24 hours). Thus by uploading new data once a week he will be missing a significant portion of the threats he thinks he is protecting against.
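The "block the host address, not the name" argument in the posts above, and the earlier note that the two DNS Changer addresses are "easy to add to a firewall as a block", both come down to the same comparison: a domain list only catches names it already knows, while an IP/CIDR list keeps matching as the crooks rotate names onto the same host. The script below is an added illustration and is not ThreatSTOP's code or anything the poster published. The two host addresses are the ones quoted in the "Easy to block" post; the 203.0.113.0/24 netblock, the domain names and the passive-DNS style observations are constructed sample data (RFC 5737 test ranges, .test names).

```python
import ipaddress

# Constructed blocklist. The two /32 entries are the addresses quoted in the
# post above; the /24 is a made-up RFC 5737 test range that shows CIDR
# entries matching whole netblocks.
BLOCKLIST = [
    ipaddress.ip_network("184.108.40.206/32"),
    ipaddress.ip_network("220.127.116.11/32"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Constructed domain blocklist: the names known when the list was last built.
DOMAIN_BLOCKLIST = {"bad-example.test", "update.bad-example.test"}

# Constructed passive-DNS style observations: (date seen, name, A answer).
# The host stays the same while the names rotate, as the post describes.
OBSERVATIONS = [
    ("2011-01-04", "bad-example.test",        "184.108.40.206"),  # known name
    ("2011-01-04", "update.bad-example.test", "184.108.40.206"),  # known name
    ("2011-01-05", "newname-0105.test",       "184.108.40.206"),  # new domain, same host
    ("2011-01-06", "totally-new.test",        "220.127.116.11"),  # new domain, same host
    ("2011-01-06", "legit.example.com",       "198.51.100.7"),    # benign traffic
    ("2011-01-07", "mirror.other.test",       "203.0.113.42"),    # inside the blocked /24
]


def ip_blocked(answer, blocklist=BLOCKLIST):
    """True if the resolved address falls inside any blocklist entry."""
    addr = ipaddress.ip_address(answer)
    return any(addr in net for net in blocklist)


def domain_blocked(name, domains=DOMAIN_BLOCKLIST):
    """True if the name, or any parent zone of it, is on the domain list.

    Parent matching is deliberately generous to the domain approach: a
    sinkholed zone also catches new subdomains under it.
    """
    labels = name.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def compare_policies(observations=OBSERVATIONS):
    """Return (names blocked by IP policy, names blocked by domain policy)."""
    by_ip = [name for _, name, ans in observations if ip_blocked(ans)]
    by_domain = [name for _, name, ans in observations if domain_blocked(name)]
    return by_ip, by_domain


def missed_by_domain_list(observations=OBSERVATIONS):
    """Names the IP policy blocks but a stale domain list lets through."""
    by_ip, by_domain = compare_policies(observations)
    return [n for n in by_ip if n not in by_domain]


if __name__ == "__main__":
    by_ip, by_domain = compare_policies()
    print("blocked by IP list:    ", by_ip)
    print("blocked by domain list:", by_domain)
    print("missed by domain list: ", missed_by_domain_list())
```

Running it shows three of the five malicious lookups slipping past the domain list even though every one of them resolves to a host that was already known: that is the churn the DShield figures in the post describe, and it is why the IP list needs far less frequent refreshing than the name list to stay effective.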
Music not needed
Apart from anything else, playing MP3s kills the battery life of the reader. Furthermore, I don't know about you, but I have half a dozen devices that can play music, e.g. my phone, a couple of cheapo MP3 players and so on. If I want to listen to music I'll use one of them.