2007 predictions

I’m not one for predictions, mostly because everyone else does them and I’m not necessarily an analyst. But I thought I would spit out what’s on my mind. And no, I’ll refrain from the obvious and take some more ballsy moves.

1. Efficiency is the name of the game with technology, not only in business but in criminality as well. Think of all the scams and attacks that have been performed for decades (plagiarism, fraud, identity theft, data theft, credit card skimming, phone phreaking, spam/junk mail, music/movie bootlegging/copying…). If there are some out there still untapped as a technological attack, they will start getting tapped. As phones and VoIP converge and cross international lines, so too will we start to feel the return of phone scams and telemarketers as call prices plummet and laws are unable to cross borders.

2. Several people made headlines this year, and maybe you could say they broke out. HDM, LMH, Jeremiah Grossman, and RSnake are the memorable names. The first two are pushing fuzzing; the latter two are abusing web attacks. That foursome and their lesser-known buddies and pals are the nucleus of active white hat hacking and disclosure. None of them are done yet, and I think 2007 will see a lot more activity and revelations from all four. What ports do people open on firewalls? BitTorrent and P2P. Fuzz those apps and we might find another worm for home systems.

3. With the widespread dismissal at how potentially dangerous wireless driver attacks can be, I still expect to see this minorly erupt. Granted, we won’t see huge wormable activity, but damn is it nice that drivers are rarely updated and they are insecure still. I expect more news here and maybe a few landmark incidents in the wild. I wouldn’t be surprised if governments and corporations are not already abusing this front in more targeted attacks.

4. You can’t predict something in 2007 without thinking about botnets. Nothing scales better right now in the threat landscape than botnets. From DDoS to extortion to DNS attacks to just taking your 20,000 infected hosts and stealing host information; it’s going to be worth money to someone. I expect these to get more sophisticated as botherders realize the true power they have. I wouldn’t be surprised to see some of the compromised systems get special attention as a stepping-stone into behind-the-firewall recon and attacks. A .gov bot? Cha-ching! We have no real counter to botnets right now, and this war can only escalate. How about that SNMP worm that people think won’t come? Release that via the bots and you can have a lot of fucked up networks despite strong firewalls.

5. Regulations and standards will start to be questioned as data disclosures and high-profile attacks won’t go away. Just like government report cards being useless, so too will standards compliance checkmarks. Just like “Hacker Safe” meant nothing to some websites that were still full of holes, so too will “XYC 21300 compliant” mean nothing. Organizations are too different and complex and the threats too different for standards to really be effective. Mgmt won’t understand that for a few years yet. (On a similar note, as security moves into unified super-applications that try to do everything from one mgmt console, the skills of admins to understand the underlying technology and do things with free lower-level tools will become dangerously low in many organizations…maybe not in 2007, but ongoing.)

6. Lastly, da bears will finally win another Super Bowl.

ubuntu unleashed and ubuntu hacks

I’m not an author like Bejtlich, but I do appreciate when he reviews books. I like reading reviews just so I can quickly weed out the bad apples and the good apples before buying something I’ll wish I could take back. For my part, here are a couple of Ubuntu books. Just as background, I’ve run various Linux distros in the past for small periods of time, and I’ve supported Slackware boxes in a previous job, but I still consider myself a fairly new *nix user. Currently I dual-boot Ubuntu and WinXP on my main laptop, but I use Ubuntu 99% of the time lately.

Ubuntu Hacks is part of the really cool O’Reilly series of Hacks books. I’ve long enjoyed them because they take a specific question and answer it very succinctly and quickly. The authors don’t spend a chapter or 15 pages over specific topics and thus don’t get into much detail, but they get the hacks done. Ubuntu Hacks is no different and is really excellent to have for an Ubuntu newbie. I would recommend it for anyone with at least some familiarity with the Linux world. It might be worthy of being the only Ubuntu reference you need other than Google. Don’t wait too long to get this though; like other Hacks books (and many “how to” geek books anyway) it will get outdated quickly.

Ubuntu Unleashed is a much thicker book that covers far more topics with far more depth than Hacks. Sadly, the authors seem to have just taken their Fedora Core Unleashed book and repackaged it as Ubuntu with some spotty word replacements and some Ubuntu specifics. It sucks to read about using Yum or Ubuntu Core in an Ubuntu book. Still, the book works for a newer Linux user like myself, but I wouldn’t really recommend it due to the copied nature. In some places Hacks does in 2 pages what Unleashed barely gets correct in 10. With Ubuntu books dominating the Linux shelves at the bookstores, there are better Ubuntu books available than this one.

the internet is one big social network…

Yes, blogs are social networks, as are IM, IRC, and mailing lists. Michael over at MCWResearch tagged me. This means I’m supposed to reveal 5 things about me that few people know, and tag 5 other people to do the same thing. Well, I’m a party-pooper and typically delete chain mails so I won’t tag other people, but, I am a good sport so I’ll play along with the 5 revelations. Besides, it’s still technically “The Holidays” and I have a nice three-day weekend again. I will, however, post 5 links at the bottom that trace back the path this tagging has taken to get to me.

1. I regularly play World of Warcraft. I have a 60 warlock and 60 priest on Crushridge Alliance and a growing 30-something rogue on Terenas Horde. The warlock is my main and amassed 7/8 tier 2 and 1/9 tier 3 before I retired from high-end raiding about 5 months ago.

2. I used to get paid not only to play computer games, but to run online leagues and tournaments. I ran or helped run events for Quake 1, QuakeWorld, Unreal Tournament, some SegaNet stuff before they died, and even a live CPL event. I’ve also made money competing in events in Unreal Tournament ($2500 about 5 years ago in college). Sadly, little of this history is linkable anymore.

3. While you can see a picture of my car online, what you can’t see is my license plate (1NF0S3C or 1NFOS3C) or the black “hack the planet” sticker next to it.

4. I lost my virginity at ag…err, wait. I mean to say that I started authoring my own web site back in 1996 hosted at my alma mater Iowa State U. My college roommate and good friend taught me the ropes (i.e. he showed me how to View Source in IE and upload files to the server).

5. I don’t yet have the budget for a cat, but I do currently have some fish: 6 tetras and 3 corydoras. I plan to double the number of both after I clean up the tank a bit more and get rid of my snail problem. And I love to have bettas on my desk at work.

So, with that out of the way, I won’t pass the chain-letter on, but I will stick to the spirit by providing 5 links that led to me. MCWResearch got tagged by Michael Farnum. He got it from Ian Lamont who was sniped by Richi Jennings. And Richi was tagged by Ann Elisabeth Nordbo to start off this little 5-hit combo.

usb key espionage

One piece of marketing schwag I like to get are various small USB drives. I have a handful of Dell 64 MB keys that I use regularly, especially when with buds offsite. I wonder how hard it would be to order some USB keys printed with another company’s logo, and then give them away at a tradeshow. Oh, I should mention that they can then be loaded with some malicious apps to infect any system they are plugged into and then call home after a few weeks. Or try to delete all files on the network the victim has access to. I wonder what kind of lashback that might send to the company whose logo is on those drives? We’ve had Sony putting rootkits on CDs and some iPods delivering trojans, so when are we going to see the first high-profile case of USB exploitation? And I’m not talking a pen-test effort, but an actual criminal case.

catalyzing vpn and ssl security

Somehow this site slipped through my RSS feeds net, but the Security Catalyst has had a few interesting updates in the past month.

First, David Stern talks about VPN not being a security device. I think this can be confusing because I think I was linked to this post via someone saying VPNs offer no security and citing David. VPNs do provide security by encrypting traffic over a public network. Although I do understand what David is trying to say. Typically, VPNs do not use more sophisticated authentication than other remote access methods, nor provide any further traffic protection beyond the VPN endpoint. If you let me VPN into your network, you’ll have to deal with the fact that I might make connection attempts to Gmail or spew out Slammer traffic. Point made, but I think his point can be far too easily mistaken. At least the post made me sit back with a screwy look on my face for a few minutes! I tend to be a natural skeptic.

Second, is a post about explaining SSL security. This made me giggle: get a group of nearby people together and go over the security that SSL provides. Now, yes, I can explain SSL accurately, but I gotta be honest, even at work about zero of those people are going to give a shit about the details, even if spoken in elementary terms. I’ve worked at web-tech companies where I filled requests from people (developers and managers) for SSL certs, who themselves couldn’t care less about the technical reasons. “The client requires SSL and Sysadmins get annoyed when we don’t put them on,” was the only real care; just a checkmark to filling the client’s needs. Again, though, I see the point: education. But I doubt many people truly care what SSL is and how it truly works.

Here is a case in point. Go to MySpace.com and log in with your username (come on, everyone has one). Notice there is no https/SSL transaction? Yup, that’s how much people truly care about SSL: MySpace.com’s popularity doesn’t seem so affected. (I discovered this one over a year ago at a wireless hotspot whose traffic I was snooping on…) Yes, perhaps it is not a banking site…

ccc23 and a new wiki

The Chaos Communication Congress, now in its 23rd year, has always been one of those conferences that gives me goosebumps to think about the innovation, creativity, and genius all packed into one place for a short amount of time. I enjoy watching many of the presentations after the fact as they are quite open about distributing them. They feature some amazing ideas and technologies and tend to be a bit more open about challenging governments than US cons. One of this year’s bigger attractions is RFID tracking. I think it will be interesting to see tracking being brought more and more into our mainstream thinking. Much like the iPod+Nike revelation recently.

Also, DNS should be propagated by now for wiki.terminal23.net. Mediawiki freaked out last night when I changed the URL and Virtualhost for the site, but a quick reinstall made it happy again. I don’t have much there and it will just be intended as a resource for me to track tools and tutorials, but I have started moving down that road enough to link it up from here.

as the worm turns

KListon over at the SANS Handler Diary recently posted about worms and how we won’t see an SNMP-borne “Slammer-like” Internet worm, or maybe even any worms like Slammer, despite the opening given by MS06-074.

I think he is somewhat correct. The Slammer worm exploited SQL instances and caused a huge amount of havoc because of the unintended effect of flooding most networks with packets, to the point that they were unusable. From worms like this, authors have learned that if they want to have a good worm, you don’t want to overload your own pipelines. Rabbits may multiply like nothing else, but once you get 5,673 of them stampeding over a bridge to get to new food sources, the bridge will collapse and they’re all dead in the water, so to speak.

I think Kliston’s best point was the oddity of tons of tcp 1434 ports open to the world. This defies the common sense that administrators of today have, where databases are (or should be!) nestled deeply inside the network behind a few layers of protection between it and incoming Internet traffic. Firewalls have been built up quite a lot over the years, and I think many networks are much more resilient to network-borne worms coming from a public network. Unless something is able to pop apps on commonly opened ports (we’re probably looking at IIS/Apache, sendmail/IIS, SSH/telnet, BIND…) that are widely used, I don’t see any major outbreaks on the horizon. What we’re then left with would be widespread apps running on IIS/Apache (Web 2.0 or common packages like phpBB) or perhaps IM propagation should something in a message be able to pop the app. And of course, some discovery in Cisco equipment could be catastrophic as they make up more of the bricks in our perimeters.

Now, that may nicely cover Internet-borne worms attacking over the dangerous public networks, but that is not to say there won’t be pockets (sometimes LARGE pockets) of an SNMP worm. Even beyond the heyday of the Slammer worm there were still terrible outbreaks as laptops took hold and developers moved offsite with Slammer-susceptible MSDE instances. Once back into the comforts of the home network, such instances gobbled up any unpatched systems and vomited out onto the network wires. Similarly, an SNMP worm can piggy-back inside a network as well, or be delivered via email or other means. Once loose inside a network, it can still have a catastrophic effect locally.

I have heard often that the network perimeter has disappeared. I disagree with that. Our networks have simply become more ephemeral, kind of like the kids starting to play outside the house and getting dirty by dinnertime. The house is still there; the perimeter is still there. I imagine as IPv6 starts to get realized (someday?) the calls will arise to do away with NAT and the perimeter once public address-space is again limitless. But, of course, that would pave the way for worms to come out of hibernation, so I hope that the perimeter is going nowhere even with IPv6.

Kliston’s third leg mentions something lots of people have repeated all year long: malware authors have become more interested in profit than notoriety. Well, how about being paid to disrupt a competitor’s network? And you just happen to have the ability to create an SNMP worm? And what if that competitor has poor network design and utilizes SNMP on his internal servers, and has a long cycle before those servers get patched? You might be able to realize this financial gain by sending your worm packaged into an attachment over email or perhaps scatter some USB flash drives in the parking lot (with eye-catching glitter-bits painted on to attract attention) with the worm autorunnable. All it might take is one execution and bam, their servers go from the same ol’ grind to being tickled lightly to flat out all raising a new flag of ownership. Dramatic, yes.

Or, hang out at a local wireless hotspot that the employees frequent. With their laptops. Once away from the hardened corporate network, those devices may be ripe for the picking…and planting of a worm. Maybe corporate espionage is already here, but I suspect it will continue to get worse, whether the media picks up on it or not.

html in email

Maybe I am a bit old-school already, but I like the sound of this news post:

Due to an increased network threat condition, the Defense Department is
blocking all HTML-based e-mail messages…

The JTF-GNO mandated use of plain text e-mail because HTML messages pose
a threat to DOD because HTML text can be infected with spyware and, in
some cases, executable code that could enable intruders to gain access
to DOD networks, the JTF-GNO spokesman said.

In an e-mail to Federal Computer Week, a Navy user said that any HTML
messages sent to his account are automatically converted to plain text.

This is one of those battles I resoundingly lost in my last job: forcing Outlook to display emails as plain text. I’m one of those people who sees absolutely no need to make emails look pretty with embedded pictures. Marketing and sales think otherwise, of course. As far as my own emailing habits go, I’m pretty strict about making my outgoing emails all plain text, and most incoming mail plain text as well. You eliminate huge swaths of attacks by turning off HTML rendering in email programs…enough that really you’re left with sheer stupidity in going to links or running attachments, and you avoid all that hidden junk with javascript, remote calls, and misleading links.

If something needs to look pretty, put it in an attachment or link to the website inside the email body.
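As an added example (not code from the original post or from the DoD mandate it quotes), this script renders the HTML part of a constructed MIME message as plain text and reports the three kinds of hidden junk the post names: script, remote calls, and links whose visible text names a different host than the real target. All addresses and hostnames in the sample are made up.

```python
"""Added example, not from the original post: render the HTML part of a
MIME message as plain text and report what the HTML would have pulled in:
script, remote content, and links whose visible text names a different
host than the target.  The sample message below is constructed."""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that looks like a URL or hostname (used to spot mismatches).
URL_LIKE = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


class HtmlMailAuditor(HTMLParser):
    """Collect a plain-text rendering plus a list of risky constructs."""

    def __init__(self):
        super().__init__()
        self.text = []          # pieces of the plain-text rendering
        self.findings = []      # human-readable risk notes
        self._skip = 0          # >0 while inside <script>/<style>
        self._href = None       # target of the currently open <a>
        self._anchor = []       # visible text of that <a>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "style"):
            self._skip += 1
            self.findings.append(f"<{tag}> block")
        elif tag == "a":
            self._href, self._anchor = attrs.get("href", ""), []
        elif tag in ("img", "iframe", "object", "embed"):
            src = attrs.get("src", "")
            if src.lower().startswith(("http://", "https://")):
                self.findings.append(f"remote {tag}: {src}")   # a remote call
        if tag in ("p", "div", "tr", "br"):
            self.text.append("\n")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip -= 1
        elif tag == "a" and self._href is not None:
            shown = "".join(self._anchor).strip()
            m = URL_LIKE.match(shown)
            real_host = (urlparse(self._href).hostname or "").lower()
            if m and real_host and m.group(1).lower() != real_host:
                self.findings.append(f"misleading link: '{shown}' -> {self._href}")
            self.text.append(f" <{self._href}>")   # expose the real target
            self._href = None
        if tag in ("p", "div", "tr"):
            self.text.append("\n")

    def handle_data(self, data):
        if self._skip:
            return              # script/style content never reaches the text
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)


def audit_message(raw):
    """Return (plain_text, findings).  A message with no HTML part is
    returned as its text/plain body with no findings."""
    msg = message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            auditor = HtmlMailAuditor()
            auditor.feed(part.get_content())
            auditor.close()
            lines = [ln.strip() for ln in "".join(auditor.text).splitlines()]
            return "\n".join(ln for ln in lines if ln), auditor.findings
    body = msg.get_body(preferencelist=("plain",))
    return (body.get_content().strip() if body else ""), []


# Constructed sample: a multipart/alternative message with an HTML part.
SAMPLE = """\
From: it-notices@example.test
To: user@example.test
Subject: Password expiry
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Your password expires soon. Visit the portal to renew it.
--b1
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your password expires soon.</p>
<img src="http://tracker.example.test/open.gif" width="1" height="1">
<p>Visit <a href="http://login.example.net/renew">portal.example.test</a> to renew it.</p>
<script>document.location='http://login.example.net/';</script>
</body></html>
--b1--
"""

if __name__ == "__main__":
    text, findings = audit_message(SAMPLE)
    print(text)
    for finding in findings:
        print("finding:", finding)
```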

a new resolution to myself

I typically make resolutions on my birthday as that is more meaningful than a new calendar year. But one late resolution I want to make came to me as I was migrating more of my posts over to this site, including a long list of tools that I’ve just never gotten around to looking at. For the past year or more I’ve been sponging up information like there’s no tomorrow, but I’ve been putting things into practice far, far less often than I should. And now that I have some spare systems sitting around, I need to put them to good use. So, I need to start doing and playing and tinkering with things and less just reading about it all. I’ve got the academic side of things down pat, and I realize that. Now I just need to do, make mistakes, screw up, fix it, move on, and overall learn stuff hands-on.

Of course, this has already begun now that I have upgraded my server and I have the infrastructure in place to keep my own notes on the things I try and experience. So I’m well on my way on this front, as long as life sees me still having enough free time to do things! 🙂

schneier

I read Bruce Schneier’s weblog on a pretty much daily basis, and I truly appreciate what he brings to security punditry, especially things outside of strictly network and computer security.

But the more I read from Bruce, the more I am convinced that stories he points out will be forever and universal. There will never be any type of security that relies on people that cannot be circumvented, even if by accident, one time out of 1,000,000. It fuels people like this because the stories will never go away. People will always make mistakes and someone somewhere will point it out and make everyone else cry that we should have 100% perfect security and spend more money to get that last .01% failure rate removed. That’s just not always realistic. The effort is nice and I do appreciate his efforts to keep people from being blissfully ignorant about what security really is versus the perception, but he is like sugar to me. Take samples of it, not heaping spoonfuls, for best enjoyment.

a bunch of papers from my old site that I need to reprint or read

(note: I will be removing these as I read them.) update: I’ve decided not to remove some, as they are “classics” and I’d like to keep the link for my future possible reference

This GIAC practical paper is a massive look at the firewall stance of a fictitious company’s complicated network. Very detailed paper and I really look forward to reading it someday soon.

A paper on discovering wireless discovery tools like Stumbler.

A paper on detecting wireless lan mac spoofing. A bit dated, but still a nice little bit of knowledge to have when looking into wireless forensics and traffic.

A fictional Red Team Assessment paper. This paper is a practical for a GIAC certification. Interestingly enough, it is actually a response/engagement to a previous GIAC practical paper submitted by another certifyee.

A short paper from Joatblog on fingerprinting, but also contains a nice list of resource links at the bottom.

And this is why you block ICMP (or at least monitor it closely): ICMP tunneling. This is a vein of project I’ve been wanting to do for some time now, along with an SSH tunnel that I can set up from anywhere and use things like a wireless hotspot and still maintain a good measure of privacy.

A paper on how to install a secure Linux web/mail/dns server. Requires .pdf viewer.

Part 1 of a series of papers on Linux Security. Tons of links to other resources at the bottom.

NSA’s 60-Minute Network Security Guide. A nice little overview type of read that covers as much as some network security books cover. Nice little inspiration and start to getting into a mindset.

An article on understanding tcp reset attacks. Have yet to read this one.

University of Washington course on modern cryptography has been placed online. Might be some good material to read on a rainy day.

the small business (home user) problem

There is a problem in IT and security with home users and small businesses. Security and any sort of halfway solid IT infrastructure is simply not possible without buying an outside service or having the luxury of an employee or employee friend with IT aptitude (and even they can be detrimental to security). Devices and software are expensive, and open source tools tend to be more advanced than many small businesses can handle (consultants that know licensed Microsoft tools are a dime a dozen, but an open source/linux guru will cost ya).

So I liked reading what Untangle (formerly Metavize) is doing. They have a server device that you can run and it looks rather robust for a tool they are offering free to small shops with 10 or less computers (that would include me at home!). This is like Smoothwall, but with other features. I look forward to checking this out, but if it is as easy and solid as it looks from the website, I’ll be quite enthused to recommend it for people without a budget or IT support.

The server appears to provide firewall, antispam, antispyware, antivirus, web filtering, and various other services that make sense to be packaged into one single chokepoint device on a network. I think I will try to segment off a part of my home network and drop this in with a test laptop behind it and see how it works. I just need to find a spare system that is close to the required specs, and I think my old server that I just phased out a few weeks ago may be just the ticket.

playing with cookies

Cookies are a very old (in tech terms) method of messing with a website and/or circumventing security or obscurity. Nonetheless, never underestimate them or overlook the low-hanging fruit. InformIT has a quick illustration on playing with cookies on a large website.

Sometimes it is just nice to see examples and how tools are used. For more cookie playing, I’d like to check out this firefox extension for adding and editing cookies (supposedly AnEC like the one shown in the article?).

2006: the year the blanket of ignorance started sliding off

One author has dubbed 2006 the year of the breach. I disagree. I think this year is the year when the blanket of ignorance has started sliding off. We’ve not had more data disclosures or identity thefts. We’ve just heard about them more than in previous years. Laptops have always been lost and data has always been on them that should either not have been or at least encrypted. This is not new. But our talking about it in mainstream circles and media is new, especially in light of erected regulations forcing such disclosures.

In addition, drivers, particularly wireless ones, were outed throughout the year, and all those quiet little problems with their code quality have come to light in quite dramatic fashion. This is still a fairly quiet problem, however, probably because unless you’re installing a new system or are a gamer, no one really regularly updates drivers. People still want to just ignore the problem.

Web 2.0 started getting beaten around a bit as application developers are still pounding out insecure code, but several researchers showed us that this is all deeper than we thought. Javascript and HTML are capable of very similar attacks and recon exploits. We all feel a bit less safe on the web as a whole. The Month of Kernel Bugs has opened eyes to kernel issues, full disclosure, and software patching processes in open and closed source projects.

While few of these issues are truly new, and nearly as many are still not really solved, at least we’re talking about them in public and they are getting attention. We can no longer live with self-inflicted ignorance in management who would rather not think about a lost laptop and be even less inclined to admit to anyone that one was lost when it does happen.

see ya open relay database!

The Open Relay Database service has called it quits finally. ORDB provided a blacklist of known and/or suspected spamming SMTP services based largely on IP addresses.

This was always a bad idea. I dislike lame workarounds for a problem inherent in the protocol itself: lack of authentication. Trying to tack on security just won’t work here. You might be able to shun a large swath of spam, but you also catch a lot of dolphins in the net as well. Take me for instance. My home mail server is on a DSL or cable line. The ORDB labeled my connection as a home-based system or even “dynamic IP” and thus anyone using their blacklist dropped any email I sent. Most companies that used this blacklist also did not accept free mail services like Gmail and Hushmail. It truly made communicating with some companies extremely problematic. I never did get a response from ORDB about my reservations (to put it lightly). You can drop 100,000 spam messages and no one will care. If you drop 1 extremely important email from a VP, heads roll. This does affect most any spam protections, but shunning by IP is not the solution.

Likewise, I’ve heard tales of legitimate companies being placed onto the blacklist, and having a huge hell of a time trying to get off the list. There is no real definitive threshold or line drawn where, when complaints cross it, the site is put on the blacklist. This means that the larger the institution, the more likely a few clueless people will report legitimate mail that they requested, as spam, and screw up the company. Not a cool model.

So, rather than just complain, what do I recommend? Honestly, I’m not sure. There must be signature-based detections, but that relies on someone keeping the signatures updated (outside service). This should be accompanied by automatic denial of certain types of emails, such as emails with .com attachments and so on. There should be some measure of bayesian/subjective analysis, but that can’t be terribly draconian otherwise legitimate emails will be dropped. When it comes to my home network, I’d rather delete a few rogue emails than lose a few mis-categorized emails. I also believe in layered defenses, so this network-based detection can be augmented by utilizing any client-side “junk” filters. Most email programs today include some sort of manually-configurable junk filter that can “learn” as you use it. Utilize that for anything that gets through the initial procedures.
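The layered approach sketched above (hard rules on dangerous attachment types, then signatures, then a Bayesian score with a deliberately conservative threshold so legitimate mail from a home server is not dropped), as an added example that is not from the original post or from any real filter. The blocked extensions, signatures, training corpus and threshold are all constructed for the demo.

```python
"""Added example, not from the original post: the layered mail filter the
post sketches, run over constructed messages.  Blocked extensions,
signatures, training corpus and threshold are all made up here."""
import math
import re
from email import message_from_string, policy

# Stage 1: attachment types refused outright (constructed list).
BLOCKED_EXTENSIONS = {".com", ".exe", ".scr", ".pif", ".bat", ".vbs"}

# Stage 2: the kind of signatures an outside feed would keep updated (constructed).
SIGNATURES = [re.compile(r"\bclaim your prize\b", re.I),
              re.compile(r"\byou have won\b", re.I)]

# Stage 3: tiny constructed training corpus for the Bayesian stage.
SPAM_DOCS = ["cheap meds online buy now discount pills",
             "buy cheap discount watches online now",
             "free money claim your prize now online"]
HAM_DOCS = ["meeting moved to thursday please confirm",
            "attached the patch for the dns server please review",
            "can you confirm the invoice for the server order"]
# Mark as junk only when spam odds exceed 19:1 (posterior about 0.95):
# better to let a few rogue mails through than to lose a real one.
JUNK_THRESHOLD = math.log(19)

WORD = re.compile(r"[a-z]+")


def tokens(text):
    """Unique lowercase words in a message (subject and body)."""
    return set(WORD.findall(text.lower()))


def _doc_counts(docs):
    """Number of training documents each token appears in."""
    counts = {}
    for doc in docs:
        for tok in tokens(doc):
            counts[tok] = counts.get(tok, 0) + 1
    return counts


SPAM_COUNTS = _doc_counts(SPAM_DOCS)
HAM_COUNTS = _doc_counts(HAM_DOCS)


def bayes_score(text):
    """Sum of per-token log-odds with add-one smoothing.  Both corpora have
    the same size, so the class normalisers cancel; 0 means 'no evidence'."""
    return sum(math.log((SPAM_COUNTS.get(t, 0) + 1) / (HAM_COUNTS.get(t, 0) + 1))
               for t in tokens(text))


def classify(raw):
    """Return (verdict, reason) where verdict is 'reject', 'junk' or 'deliver'."""
    msg = message_from_string(raw, policy=policy.default)
    # Stage 1: refuse executable attachment types regardless of content.
    for part in msg.walk():
        name = part.get_filename() or ""
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            return "reject", f"blocked attachment type: {name}"
    body = msg.get_body(preferencelist=("plain", "html"))
    text = str(msg["subject"] or "") + "\n" + (body.get_content() if body else "")
    # Stage 2: known-bad signatures.
    for sig in SIGNATURES:
        if sig.search(text):
            return "reject", f"signature match: {sig.pattern}"
    # Stage 3: conservative Bayesian score.  'junk' lands in the user's junk
    # folder, where the client-side filter can learn from it.
    score = bayes_score(text)
    if score > JUNK_THRESHOLD:
        return "junk", f"score {score:.2f} > {JUNK_THRESHOLD:.2f}"
    return "deliver", f"score {score:.2f}"


def make_message(subject, body, attachment_name=None):
    """Build a raw message for the demo (constructed, not real mail)."""
    head = f"From: someone@example.test\nTo: me@example.test\nSubject: {subject}\n"
    if attachment_name is None:
        return head + f"Content-Type: text/plain; charset=utf-8\n\n{body}\n"
    return (head + 'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
            f"--b1\nContent-Type: text/plain; charset=utf-8\n\n{body}\n"
            f'--b1\nContent-Type: application/octet-stream; name="{attachment_name}"\n'
            f'Content-Disposition: attachment; filename="{attachment_name}"\n'
            "Content-Transfer-Encoding: base64\n\nAAAA\n--b1--\n")


if __name__ == "__main__":
    for subj, body, att in [("Invoice", "see attached", "invoice.com"),
                            ("Special offer", "buy cheap discount pills online now", None),
                            ("Hardware", "buy a new server now", None),
                            ("Hi", "can you confirm the meeting on thursday", None)]:
        print(subj, "->", classify(make_message(subj, body, att)))
```

The "buy a new server now" message scores above zero but below the threshold and is delivered; a threshold at zero would have junked it, which is the trade-off the post argues for.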

The rules change a bit when you talk about corporate email systems, however. No one wants their users to get even any spam mail, let alone something offensive or not appropriate. In a corporation, I really believe either the company needs to accept some measure of spam (typically smaller companies with less budgets, who also may be more needing to see emails from servers like mine) or spend the money to fully outsource it to a professional spam blocker. For comprehensive and intelligent and highly accurate spam blocking, I feel no company can do this alone. We use Postini at work, and I have to say I’ve been quite happy with it. Basically get a service upstream, filter emails, and then receive only the good stuff. This helps take pressure off corporate IT to become spam experts 24/7. That’s just not practical.

Ultimately, I’ll have more opinion on this after I play with SpamAssassin some more. I really do believe SMTP is a good protocol, but the Internet has grown larger and more depended-upon than SMTP was designed for. I consider it an already-dead technology that will linger for many, many more years simply because of the low cost and ease of usage. It will eventually be replaced with voice services or SMS and messaging services. The only effective difference between email and IM is the ability for mail to be held on the server until the user logs in and retrieves it. Yahoo does this in IM and has done it for years, and Google continues to make Gmail and GoogleTalk features more and more overlapped to achieve that switchover.