* Posts by FrancisT

13 publicly visible posts • joined 4 Jun 2010

Bound to happen: BIND bug exploits now in the wild

FrancisT

Actually, if you are attacked and are vulnerable, your DNS server syslog will have the crash message in it and no mention of TKEY or anything else.

You get the TKEY message if someone is trying to attack you but you've already patched your systems and/or aren't using BIND.

Bugger the jetpack, where's my 21st-century Psion?

FrancisT

Re: "Meanwhile, Linux wasn't ready yet ..."

And that Zaurus morphed into the PC Z1 Netwalker which was an excellent pocket computer, though it was hard to get outside Japan.

Charlie Stross reviewed it here - http://www.antipope.org/charlie/blog-static/2009/10/netwalker.html

Yellow-bellied journo dons black tie, sees flip side of VMWorld

FrancisT

Fun with Badges

At this year's RSA conference in San Francisco I reached into my bag on day two and pulled out last year's badge by mistake*. I wore it all the time. No one noticed except the marketing droids who wanted to scan my badge to send me spam.

The Badge was a different color. The strap was a different color. The badge said RSA 2012 on it.

No one noticed.

*AT A SECURITY CONFERENCE*

* I just stuffed it in the side pocket of my bag when I left the last time and forgot about it, then this year I stuffed this year's badge into the same pocket when I wanted to go out drinking and not be identified as a security nerd.

Google's Street View cars venture inside TARDIS

FrancisT

Fun fact. Doesn't work with the new "preview" version of maps - https://www.google.com/maps/preview - which turns out to also have a different image of the spot - there's a guy standing by the lamppost in the new one that isn't in the standard version.

It's now or never for old sysadmins to learn new tricks

FrancisT

Move to (network) security

Security issues aren't going to go away. In fact, in a cloudy, BYOD sort of world they are even more important. I think many sysadmins (and particularly network admins) could usefully move sideways into network security. Exactly how you position yourself (as an MSSP? consultant? in-house expert? other...) will vary, but there's a crying need for people with clue about security issues, and many of the security problems are ones that a regular admin has been handling for years in an intranet/local server environment.

DNSchanger shutdown may kick 300,000 offline on Monday

FrancisT
Stop

A tool to help network admins

If you are running a network, my company - ThreatSTOP - has a tool to help you figure out which computers on the network are infected with DNS Changer.

http://www.threatstop.com/dnschanger

Malware attack spreads to 5 million pages (and counting)

FrancisT

Easy to block

The two domains direct to 94.100.18.41 and 94.100.18.41/32 respectively. Easy to add to a firewall as a block - although ThreatSTOP subscribers are already protected automatically because these addresses are in all our blocklists now.

Is Facebook worth more than Google?

FrancisT
FAIL

Google+ will spike FB valuation at least

I just started using Google+ this weekend. I prefer it to FB so far. No, it isn't perfect, but the circles concept looks like a winner and there's a bunch of other things to like in it. I expect Google will implement integration with many other Google services (e.g. Reader) and the combo will almost certainly be better than FB. I have no loyalty to FB and will almost certainly leave when (if) enough of my FB contacts have moved across. So far about a quarter of my FB friends are on Google Plus. Most of them are saying the same.

If FB loses 25% of its userbase to Google+ then that's going to put a hole in the valuation.

IPv6 intro creates spam-filtering nightmare

FrancisT

Not a problem for good IP reputation services

There are a bunch of ways to do this. As I just blogged - http://threatstop.wordpress.com/2011/03/08/ipv6-and-ip-reputation/ - our IP reputation system works just fine with IPv6 /64s (or even /48s or whatever other net block size is required).
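As an added illustration of the point above (this is example code, not the original comment's or ThreatSTOP's own code), the script below scores senders per IPv6 /64 rather than per address, so a spammer rotating through the addresses of one allocation still builds up a reputation. The observation list is constructed; the thresholds and the `reputation_key` helper are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample of (sender address, verdict) observations. Every spam
# hit comes from a different address inside the same /64, which is exactly
# the case per-address reputation cannot catch.
OBSERVATIONS = [
    ("2001:db8:1:2::1", "spam"),
    ("2001:db8:1:2::2", "spam"),
    ("2001:db8:1:2::3", "spam"),
    ("2001:db8:1:2:abcd::9", "spam"),
    ("2001:db8:1:3::1", "ham"),
    ("2001:db8:1:3::2", "ham"),
    ("2001:db8:ffff::1", "spam"),
    ("192.0.2.7", "ham"),
]


def reputation_key(addr, prefixlen=64):
    """Map an address to the IPv6 block it lives in; IPv4 stays per host."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return str(ip)
    return str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))


def score(observations, keyfunc=str):
    """Return {key: (spam_hits, total_hits)} aggregated by keyfunc."""
    counts = {}
    for addr, verdict in observations:
        counts.setdefault(keyfunc(addr), Counter())[verdict] += 1
    return {k: (c["spam"], c["spam"] + c["ham"]) for k, c in counts.items()}


def blocklist(observations, keyfunc=str, min_hits=3):
    """Keys that accumulated at least min_hits spam verdicts (assumed policy)."""
    return sorted(k for k, (spam, _) in score(observations, keyfunc).items()
                  if spam >= min_hits)


if __name__ == "__main__":
    print("per address:", blocklist(OBSERVATIONS))
    print("per /64    :", blocklist(OBSERVATIONS, reputation_key))
    print("per /48    :", blocklist(OBSERVATIONS, lambda a: reputation_key(a, 48)))
```

Per-address scoring never reaches the threshold, while the /64 and /48 views flag the rotating block.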

Lame Stuxnet worm 'full of errors', says security consultant

FrancisT
Black Helicopters

It could be deliberate

I can think of at least two reasons why the creators of Stuxnet did not bother with more obfuscation etc.

1) They wanted it to be found because they expected that the Iranians would then form a circular firing squad and/or demoralizing witch hunt. Either of which would drastically hinder the recovery from the outbreak. There is evidence that, combined with a couple of assassinations, this has indeed been the case.

2) It is misdirection because there is also Stuxnet2 which has not been found and which continues to wreak havoc, but that havoc is believed to be caused by Stuxnet. Thus the recovery is hindered because such computer techs as the Iranian nuclear industry has waste their time hunting for the original Stuxnet instead of looking for Stuxnet2.

I've got no idea whether either of these reasons is valid, but both seem quite plausible, and in the process of thinking through the arguments for those two I've come up with some others. Now I don't say these reasons are correct, but I do think the argument isn't as clear cut as the original article suggests.

Freshly reburied Storm zombies burst up out of graves again

FrancisT
Stop

Getting the right blocklist stops this

Your Shadowserver link lists a few of the domains/IPs that should be blocked. Based on that research and some passive DNS work we've done, we can now block the IP addresses of most of the botnet, and we're automating the update process so that the blocklist remains current.

See my blog post http://threatstop.wordpress.com/2011/01/04/threatstop-blocks-new-waledacstorm-worm-dns/ for more details

Blackhole your malware

FrancisT
Pirate

Better to block the IP address rather than the name

The problem with blackholing DNS is that many cyber-crooks know about it and they therefore change the domain/subdomain they use frequently. Thus if you just block certain domains - even if you update the domains from malwaredomains.com frequently - you will fail to block the malware for long. A far better approach is to block the IP addresses of the malware-providing hosts, because typically the crooks use the same host with the same IP address; they just change/add new DNS links to it.

As we mentioned on our blog (er, yes, this is a commercial plug) a few months back - http://threatstop.wordpress.com/2010/05/10/iframe-droppers-and-other-drive-bys-how-threatstop-protects-you/ - we provide our subscribers with frequently updated lists of known bad IP addresses that may be quickly and automatically plugged into the firewall and which block many malware sources. I'd love to say we block all, but then you'd know I was a lying marketing droid instead. I believe we stop most of them, though, but since the crooks unaccountably refuse to give us a list of compromised hosts for us to check against, I can't prove it.

MichaelC above would certainly benefit from our system, since stats we have analyzed from DShield indicate that about a third of all threat sources change in a week (and about a quarter in less than 24 hours). Thus by uploading new data once a week he will be missing a significant portion of the threats he thinks he is protecting against.
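The two arguments in this comment, rotating hostnames collapsing onto a stable serving host and the cost of a weekly refresh, can be made concrete with a small simulation. This is example code added here, not the commenter's or ThreatSTOP's own tooling; the passive-DNS style sightings are constructed, and the "list is rebuilt at the start of each refresh day from everything seen before it" model is an assumption.

```python
from collections import defaultdict

# Constructed sightings: (day number, malicious hostname, address it resolved to).
# Hostnames change almost daily; the hosts behind them do not.
SIGHTINGS = [
    (0, "cdn-upd1.example", "198.51.100.10"),
    (1, "img-host2.example", "198.51.100.10"),
    (2, "stats-srv3.example", "198.51.100.10"),
    (0, "drop.example", "203.0.113.5"),
    (3, "drop2.example", "203.0.113.5"),
    (4, "pay.example", "203.0.113.77"),
    (6, "pay-b.example", "203.0.113.77"),
    (7, "pay-c.example", "203.0.113.77"),
    (7, "kit.example", "192.0.2.200"),
]


def hosts_by_ip(sightings):
    """Map each serving address to every hostname seen pointing at it."""
    m = defaultdict(set)
    for _, name, ip in sightings:
        m[ip].add(name)
    return dict(m)


def list_at(sightings, day):
    """IPs a blocklist rebuilt at the start of `day` contains (assumed model)."""
    return {ip for d, _, ip in sightings if d < day}


def missed_sightings(sightings, refresh_days):
    """(missed, total): sightings whose IP was absent from a list refreshed
    every refresh_days, i.e. connections that would have got through."""
    missed = 0
    for day, _, ip in sightings:
        last_refresh = day - (day % refresh_days)
        if ip not in list_at(sightings, last_refresh):
            missed += 1
    return missed, len(sightings)


if __name__ == "__main__":
    hosts = hosts_by_ip(SIGHTINGS)
    print(f"{len(SIGHTINGS)} hostnames collapse onto {len(hosts)} hosts")
    for period in (1, 7):
        print(f"refresh every {period} day(s): missed "
              f"{missed_sightings(SIGHTINGS, period)}")
```

Nine domain entries reduce to four IP entries, and the weekly list lets through twice as many sightings as the daily one in this data set.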

Bookeen Cybook Opus e-book reader 2010 edition

FrancisT
Happy

Music not needed

Apart from anything else, playing MP3s kills the battery life of the reader. Furthermore, I don't know about you, but I have half a dozen devices that can play music, e.g. my phone, a couple of cheapo MP3 players and so on. If I want to listen to music I'll use one of them.