8 posts • joined Friday 4th June 2010 08:05 GMT
A tool to help network admins
If you are running a network, my company - ThreatSTOP - has a tool to help you figure out which computers on the network are infected with DNS Changer.
Easy to block
The two domains direct to 126.96.36.199 and 188.8.131.52/32 respectively. Easy to add to a firewall as a block - although ThreatSTOP subscribers are already protected automatically because these addresses are in all our blocklists now.
Google+ will spike FB valuation at least
I just started using Google+ this weekend. I prefer it to FB so far. No, it isn't perfect, but the circles concept looks like a winner and there's a bunch of other things to like in it. I expect Google will implement integration with many other Google services (e.g. Reader) and the combo will almost certainly be better than FB. I have no loyalty to FB and will almost certainly leave when (if) enough of my FB contacts have moved across. So far about a quarter of my FB friends are on Google Plus. Most of them are saying the same.
If FB loses 25% of its userbase to Google+ then that's going to put a hole in the valuation.
Not a problem for good IP reputation services
There are a bunch of ways to do this. As I just blogged - http://threatstop.wordpress.com/2011/03/08/ipv6-and-ip-reputation/ - our IP reputation system works just fine with IPv6 /64s (or even /48s or whatever other net block size is required).
It could be deliberate
I can think of at least two reasons why the creators of Stuxnet did not bother with more obfuscation etc.
1) They wanted it to be found because they expected that the Iranians would then form a circular firing squad and/or a demoralizing witch hunt, either of which would drastically hinder the recovery from the outbreak. There is evidence that, combined with a couple of assassinations, this has indeed been the case.
2) It is misdirection, because there is also a Stuxnet2 which has not been found and which continues to wreak havoc, but that havoc is believed to be caused by Stuxnet. Thus the recovery is hindered because such computer techs as the Iranian nuclear industry has waste their time hunting for the original Stuxnet instead of looking for Stuxnet2.
I've got no idea whether either of these reasons is valid, but both seem quite plausible, and in the process of thinking through the arguments for those two I've come up with some others. Now I don't say these reasons are correct, but I do think the argument isn't as clear cut as the original article suggests.
Getting the right blocklist stops this
Your Shadowserver link lists a few of the domains/IPs that should be blocked. Based on that research and some passive DNS work we've done, we can now block the IP addresses of most of the botnet, and we're automating the update process so that the blocklist remains current.
See my blog post http://threatstop.wordpress.com/2011/01/04/threatstop-blocks-new-waledacstorm-worm-dns/ for more details.
Better to block the IP address rather than the name
The problem with blackholing DNS is that many cyber-crooks know about it and they therefore change the domain/subdomain they use frequently. Thus if you just block certain domains - even if you update the domains from malwaredomains.com frequently - you will fail to block the malware for long. A far better approach is to block the IP addresses of the malware-providing hosts, because typically the crooks use the same host with the same IP address; they just change/add new DNS links to it.
As we mentioned on our blog (er, yes, this is a commercial plug) a few months back - http://threatstop.wordpress.com/2010/05/10/iframe-droppers-and-other-drive-bys-how-threatstop-protects-you/ - we provide our subscribers with frequently updated lists of known bad IP addresses that may be quickly and automatically plugged into the firewall and which block many malware sources. I'd love to say we block all, but then you'd know I was a lying marketing droid instead. I believe we stop most of them, though since the crooks unaccountably refuse to give us a list of compromised hosts for us to check against, I can't prove it.
MichaelC above would certainly benefit from our system, since stats we have analyzed from DShield indicate that about a third of all threat sources change in a week (and about a quarter in less than 24 hours). Thus by uploading new data once a week he will be missing a significant portion of the threats he thinks he is protecting against.
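The post above argues for collapsing churning domains onto the stable hosting IPs and for measuring how much a weekly-refreshed list misses. The following is an added illustration, not ThreatSTOP's code or data: it works on constructed passive-DNS-style observations (documentation-range addresses) and a hypothetical snapshot date, and renders the resulting IP list as firewall drop rules.

```python
from collections import defaultdict
from fractions import Fraction

# Constructed passive-DNS-style observations: (day_seen, domain, ip).
# Addresses are from documentation ranges; none of this is real data.
OBSERVATIONS = [
    ("2010-05-01", "a1.dropper.example", "203.0.113.10"),
    ("2010-05-02", "x9.iframe.example", "198.51.100.5"),
    ("2010-05-03", "b7.dropper.example", "203.0.113.10"),
    ("2010-05-05", "y4.iframe.example", "198.51.100.5"),
    ("2010-05-06", "c2.dropper.example", "203.0.113.10"),
]


def domains_per_ip(observations):
    """Group every domain seen pointing at a given hosting address."""
    grouped = defaultdict(set)
    for _, domain, ip in observations:
        grouped[ip].add(domain)
    return dict(grouped)


def snapshot(observations, up_to_day):
    """Domain and IP blocklists an admin could have built from data
    seen up to a date (ISO-8601 strings compare correctly as text)."""
    seen = [o for o in observations if o[0] <= up_to_day]
    return {d for _, d, _ in seen}, {ip for _, _, ip in seen}


def missed_fraction(stale_list, current_threats):
    """Share of the current threats that an earlier upload does not cover."""
    current = set(current_threats)
    return Fraction(len(current - set(stale_list)), len(current))


def firewall_rules(ips, chain="INPUT"):
    """Render one host-route drop rule per address in iptables syntax."""
    return [f"iptables -A {chain} -s {ip}/32 -j DROP" for ip in sorted(ips)]


if __name__ == "__main__":
    all_domains, all_ips = snapshot(OBSERVATIONS, "2010-05-31")
    old_domains, old_ips = snapshot(OBSERVATIONS, "2010-05-02")
    print("domain list from 2 May misses", missed_fraction(old_domains, all_domains))
    print("ip list from 2 May misses", missed_fraction(old_ips, all_ips))
    for rule in firewall_rules(all_ips):
        print(rule)
```

With the constructed data, the domain list built on 2 May misses three of the five later domains while the IP list built the same day misses nothing; the same `missed_fraction` applied to two weekly snapshots of threat sources gives the gap the post describes for a once-a-week upload.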
Music not needed
Apart from anything else, playing MP3s kills the battery life of the reader. Furthermore, I don't know about you, but I have half a dozen devices that can play music, e.g. my phone, a couple of cheapo MP3 players and so on. If I want to listen to music I'll use one of them.