Security Developments
RobertKaucher
Member Posts: 4,299 ■■■■■■■■■■
in Off-Topic
There have been a few interesting security developments in the past week or so. It seems a highly sophisticated, modularized malware that is being called Flame (or sKyWIper) has been uncovered. It looks like there has been some confirmation that Stuxnet (and I would suppose by extension Duqu) has been linked back to a joint US-Israel venture (as if we didn't know that anyway), but the one I found the most interesting was the researchers who found a way, using data leakage common in modern OSes, to do an Off-Path TCP Sequence Number Inference Attack.
I highly suggest reading that white paper if you have a good but not intimate understanding of TCP as it will truly educate you.
Comments
-
tpatt100 Member Posts: 2,991 ■■■■■■■■■□
Thanks for the info, I downloaded the Off-Path TCP Sequence Number Inference Attack pdf file to read on my tablet later.
-
the_Grinch Member Posts: 4,165 ■■■■■■■■■■
'Super-powerful' Flame worm actually boring BLOATWARE - The Register
I actually enjoyed this analysis of the malware. Now I won't go so far as to say it is not an impressive piece of malware, but I have to agree that none of what it actually does is new. A lot of the hype came from it not being detected, but no one seems to recall that there are websites set up for testing malware against all the major antivirus companies. Also, this was a fairly targeted attack, so the fact that it went undetected for at least two years is no surprise. 1000 machines being infected is quite literally nothing, even when compared to the latest Mac malware (as the article points out).
A great example would be a talk I saw a few years back by a SOC Manager at Northrop. He explained that they had around 30 analysts reviewing various intrusions or supposed intrusions. Now he cited a case where an analyst noticed a single packet that just didn't feel right to the analyst. Said analyst brought it to the team lead and, while the lead didn't think it was anything, gave the go-ahead to look further. Ultimately, this turned out to be a targeted attack that had been going on for a very long time. When dealing in the grey world of security, it has to be treated like good BBQ... low and slow wins the day.
WIP:
PHP
Kotlin
Intro to Discrete Math
Programming Languages
Work stuff -
halaakajan Member Posts: 167
Is there a program by DARPA, NSA or IETF which is working on a field that would be like a DNA of a packet? IP addresses are spoofed, but what we need is a DNA which can't be removed. That would make the Internet a safer place.
-
the_Grinch Member Posts: 4,165 ■■■■■■■■■■
NSA was working on a program that could trace attacks with a fair degree of certainty, but there really isn't an effective way to do what you are asking. Any half-decent attacker is going to compromise any number of hosts to cover his/her tracks when launching an attack. Code can be written to look like it was done by someone else, as I think you'll find that falsifying a signature to make it look like someone else isn't too difficult. That is what is truly interesting about all the "cyber war" threats. In the event of a true cyber war, the kinetic war will be the deciding factor. With no viable method for confirming who was behind an attack (besides someone outright claiming it), you'd be hard pressed to launch any form of counter attack.
-
veritas_libertas Member Posts: 5,746 ■■■■■■■■■■
Thanks. I'll have to get to this after my CCNA exam. I have so much I want to read and not enough time...