Yes, DOS trends are changing. CERT-FI’s release of the “Sockstress” details yesterday has a few people confused. Outpost24 discovered some new TCP state abuse technique which can cause a range of issues on a TCP stack (see CERT-FI’s release details). It is a serious issue. But, if it is serious, why is there not a …
The “Cyberwar” Dialog can be easily polluted …..
Watching discussions about cyberwar is a humorous diversion in the day. Take this New York Times article, “Halted ’03 Iraq Plan Illustrates U.S. Fear of Cyberwar Risk.” It starts interesting, talking about a battle plan that was considered as a lead into the 2003 attack on Iraq. Good News! War planning is good. Evaluating collateral …
Beware, Security Liability does roll down hill
In a working “risk” system, security liability would roll “downhill” to an accountable party. Who wrote the code? Who did the audit? Who certified the system as “secure”? In my own work, I mention to my peers how everything has changed in today’s Converged Internet/Global Telecommunications world. Liability and accountability roll downhill. If something happens …
US Military “BOTNETs” Unconstitutional?
Are US Military “BOTNETs” Unconstitutional? Every other month we get someone in the US Military ranting about how “we need to go on the offensive,” “we need to build our own BOTNETs,” “we need to be better than our enemies.” This expression of anxiety is understandable. It is an expression of frustration, where the people …
Is the “Full Disclosure” vs “Non-Disclosure” Debate Dead? NOT
I was watching Matthew Watchinski walk through the events and activities behind our Adobe vulnerability this past Feb (see US CERT’s “Adobe Acrobat and Reader Vulnerability TA09-051A”). What struck me about Matt’s talk is a statement he made near the end: “… Full Disclosure vs Non-Disclosure debate is dead. I learned this because my E-mail …
Reflections on “X.805” Certification?
While walking through E-mail, doing my morning [[SITREP]], and sipping coffee I was surprised to see a request from a peer asking about X.805 Certification info. What is “X.805 Certification?” For those who have never run into [[X.805]], it is an [[ITU]] security reference model submitted by Lucent from their security practices team. As seen …
Understanding “DDOS”
In the operational security community, Distributed Denial of Service (DDOS) is the “gun” used in extortion. Extortion is a human crime – where one group (or individual) preys on another. We mitigate extortion through civic society’s rules (laws) and enforcement (justice system). This dual system of laws and enforcement is further reinforced with education – …
Highlights of Mobile World Congress 2009
With about 47,000 attendees to the exhibition and conference in Barcelona, Mobile World Congress was quite a vibrant experience indeed. What was of particular interest to me was the Internet revolution on mobile, finally! How bringing the Internet (and its related applications such as social networking) has brought a brave new frontier for the mobile …
Pulling Practices and Techniques from Experience – “Pathetic DDoS vs Security Sites”
Read through Metasploit’s blog titled Pathetic DDoS vs Security Sites. It documents several key steps that many companies do not know how to take to mitigate some of the impacts of a DDOS attack. In this case, we have a DDOS targeting a specific domain – metasploit.com. Step 1 is to classify the attack. Traffic analysis …
Black Hats, White Hats, Grey Hats, and now Red Hats
We all know about White Hats (Cyber Good Guys), Black Hats (Cyber Bad Guys), and Grey Hats (White Hats who skirt the edge of legality). We’re missing a group. The three defined groups are all easily described by their economic motivations for doing what they do. But we have another group who are not easily …