As previously mentioned, I’ll be attending the 8th Annual ISSA Conference, Monday 6 to Wednesday 8 July 2009, along with some of my postgraduate students.
While a relatively small conference, this year’s programme has a nice blend of topics being covered, and in many ways has refocused on being a more academic and research-centred conference, with much of the industry hype and attendees having migrated to the ITWeb Security Summit.
The Security and Networks Research Group (SNRG) will be presenting five papers:
- Investigating the effect of Genetic Algorithms on filter optimisation within fast packet classifiers. (Alastair Nottingham)
- An examination of the Generic Exploit Prevention Mechanisms on Apple’s Leopard Operating System. (Haroon Meer)
- Automated Firewall Rule Set Generation Through Passive Traffic Inspection. (Georg-Christian Pranschke)
- A Framework for the Rapid Development of Anomaly Detection Algorithms in Network Intrusion Detection Systems. (Richard Barnett)
- Management, Processing and Analysis of Cryptographic Network Protocols (Bradley Cowie) (Work in progress stream)
I’ll post appropriate links to the PDF versions once the conference is over.
Again the conference is being held at the School of Tourism & Hospitality (STH), University of Johannesburg, on Bunting Road, Auckland Park, Johannesburg, which can be found here.
Tags: Publications · conferences
My first foray into the tag soup that is XSL and XSLT has been to turn the XML outputs from the InterNet Barometer System, as discussed previously, into plain text output which I can use more easily for comparing with some of my other data sources. While a cursory browse cannot find any terms and conditions for the use of this data, I think I’m on safe ground given that all I’m doing is processing the same XML that is consumed by the Flash objects and it’s not for any kind of commercial use. After hunting around for tools, and wasting a pile of bandwidth on “enterprise editions”, I ended up constructing this based on some tutorials at w3c.org using good old vim. I was very tempted to just revert back to sed & awk, or even try my hand at Python’s parsing, but decided that I may as well ‘do it right’. The result of a few hours’ work this evening while watching a filesystem rebuild is shown below:
<?xml version='1.0'?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<!-- Barry Irwin bvi@moria.org XSL format for translating XML from interoute Barometer output -->
<xsl:output method="text"/>
<xsl:strip-space elements="*"/>
<xsl:template match="area">
<xsl:value-of select="../../allData/lastUpdated"/>
<xsl:text>,</xsl:text>
<xsl:value-of select="@mc_name"/>
<xsl:text>,</xsl:text>
<xsl:value-of select="@title"/>
<xsl:text>,</xsl:text>
<xsl:value-of select="@value"/>
<xsl:text>,</xsl:text>
<xsl:value-of select="@colour"/>
<xsl:text>
</xsl:text> </xsl:template>
<!-- Empty template: suppresses the default text output of allData (otherwise lastUpdated would be echoed on its own) -->
<xsl:template match="allData">
</xsl:template>
</xsl:stylesheet>
This, through the magic of xsltproc, produces a nice plain text output:
xsltproc map2.xsl asia.xml
Given the input from the Asia attack graph, this produces:
30-06-2009 05:00:17 GMT,RU,Russia,15387,green
30-06-2009 05:00:17 GMT,TR,Turkey,7137,green
30-06-2009 05:00:17 GMT,CN,China,2468,green
30-06-2009 05:00:17 GMT,MY,Malaysia,4158,green
30-06-2009 05:00:17 GMT,IN,India,2631,green
30-06-2009 05:00:17 GMT,TH,Thailand,1823,green
While not the most elegant code, it gets done what I need, and is easily extensible enough to be able to transform to other formats suitable for DB import. I’ll need to monitor data over the next couple of days to get an idea as to how the counters used are actually operating. Once that has been established I can start doing some meaningful comparisons.
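The same transformation done with the Python standard library, as an added example that is not part of the original post. It assumes an XML layout consistent with the XSL above (an allData/lastUpdated element two levels up from each area, and the mc_name, title, value and colour attributes); the root and container element names (map, areas) and all sample values and timestamps are constructed for the example. It also does the next step the post mentions, comparing counter values between two snapshots, and uses the csv module so a country title containing a comma does not break the row the way the plain comma join in the XSL would.

```python
"""Added example (not the original post's code): Barometer-style XML to CSV,
plus per-country counter deltas between two snapshots.

Attribute names (mc_name, title, value, colour) and allData/lastUpdated come
from the XSL on the page. The <map>/<areas> element names, the timestamps and
all counter values below are constructed sample data (assumptions).
"""
import csv
import io
import xml.etree.ElementTree as ET

# Constructed snapshot 1 (values match the figures shown on the page).
SNAPSHOT_1 = """<?xml version='1.0'?>
<map>
  <allData><lastUpdated>30-06-2009 05:00:17 GMT</lastUpdated></allData>
  <areas>
    <area mc_name="RU" title="Russia" value="15387" colour="green"/>
    <area mc_name="TR" title="Turkey" value="7137" colour="green"/>
    <area mc_name="CN" title="China" value="2468" colour="green"/>
  </areas>
</map>
"""

# Constructed snapshot 2, a day later: some counters moved, one new country
# whose title contains a comma (to show why csv quoting matters).
SNAPSHOT_2 = """<?xml version='1.0'?>
<map>
  <allData><lastUpdated>01-07-2009 05:00:17 GMT</lastUpdated></allData>
  <areas>
    <area mc_name="RU" title="Russia" value="15402" colour="green"/>
    <area mc_name="TR" title="Turkey" value="7137" colour="green"/>
    <area mc_name="CN" title="China" value="2501" colour="green"/>
    <area mc_name="KR" title="Korea, Republic of" value="910" colour="amber"/>
  </areas>
</map>
"""


def parse_areas(xml_text):
    """Return (lastUpdated, code, title, value, colour) tuples, one per <area>.

    Mirrors the XSL: lastUpdated is read once from allData and prefixed to
    every row; value is converted to int so it can be compared later.
    """
    root = ET.fromstring(xml_text)
    updated = root.findtext("allData/lastUpdated", default="")
    rows = []
    for area in root.iter("area"):
        raw = area.get("value", "0")
        try:
            value = int(raw)
        except ValueError:
            value = 0  # malformed counter: record as 0 rather than abort
        rows.append((updated, area.get("mc_name", ""), area.get("title", ""),
                     value, area.get("colour", "")))
    return rows


def to_csv(rows):
    """Serialise rows as CSV text; fields containing commas are quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerows(rows)
    return buf.getvalue()


def counter_deltas(old_rows, new_rows):
    """Per-country change in the value counter between two snapshots.

    Countries only present in the newer snapshot are skipped, since there is
    no baseline to difference against.
    """
    old = {row[1]: row[3] for row in old_rows}
    deltas = {}
    for _updated, code, _title, value, _colour in new_rows:
        if code in old:
            deltas[code] = value - old[code]
    return deltas


if __name__ == "__main__":
    first, second = parse_areas(SNAPSHOT_1), parse_areas(SNAPSHOT_2)
    print(to_csv(first), end="")
    print(to_csv(second), end="")
    print(counter_deltas(first, second))
```

Whether a counter is cumulative or a rolling window shows up directly in the deltas: a cumulative counter never goes negative between snapshots, a windowed one does.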
Tags: Applications · Networking · Security · tools
Interoute has launched a new online Internet Barometer detailing attacks as observed from their 22 monitoring stations across the European portion of the Internet.
The site provides rich graph and chart interfaces, which are nicely interactive. There are definitely some ideas I want to incorporate from this into my own Network Telescope management console. It is however worth bearing in mind that this is a Eurocentric view and is only based on their observed traffic. As such the “attacking countries” view seems to be a bit skewed.

Interoute World view 2009-06-30
After digging around with squid and wireshark, it’s evident that a lot of the data is actually served up as XML files, and as such can potentially be postprocessed. The Adobe AIR Barometer Widget they provide also makes use of these. One issue I had getting this installed is that you need AIR 1.5.1, and the 1.0.8 version I had wouldn’t auto-upgrade correctly. A little disappointing in that I was expecting a map view; it provides the basics of a total count and cycles through various country stats.

Interoute Barometer Widget
Where the real value comes from is having another independent source of reporting (even at the highly granular level) that can be used to correlate observations with my own data sets, and those available from places like DShield and ISC. Maybe I should dust off my old Infocon alert plugin for Firefox and integrate some of this data.
Tags: Security · Systems Administration · Vizualization
With the year almost half gone, and Winter Solstice almost a distant memory, it’s time to catch up with some of the systems related housekeeping. While Conficker seems to still be rampaging around from my scan log inspections, the Conficker Working Group has been quiet since late April. A far greater threat to civilization is that coming from North Korea. Some of the sysadmin type work done includes:
- migrating the host for this blog, along with pretty much all my other FreeBSD boxes to FreeBSD 7.2.
- Trying out the new jail(8) features in 7.2, particularly the multiple IP and IPv6 support
- A move to WordPress 2.8, which, while the upgrade was pretty painless, I’ve run into some hassles with plugins that break the nice widget selection system under the admin panel – most notable of the plugins I’ve noticed causing this is wp-recapcha. Along with this has been a migration to something a little more elegant than the boring Kubrick theme.
- A pilot version of my new squid external_acl filtering software is being tested by two sites, so far with positive results.
Progress on the PhD is plodding on, with a growing collection of rather interesting images and plots generated that I now need to try to fathom and write about. With the university now on vac I should be able to make good progress in this direction.
One of the most fascinating and gripping books I have read in a while is Ed Macy’s Apache, which is well worth a read if you are into military biographies.
Tags: FreeBSD · PhD · blog
Eighteen hours into the much hyped first day of Conficker’s new update cycle (started at 00h00 local time on the 1st of April), and surprisingly the Internet has not melted down. Masses of FUD have been spread, and probably a LOT of AV product has been sold. What has been a positive spinoff of this is that awareness has been created among the general public. What has not been so positive is that people getting their information from the popular press have no way of actually stripping out the facts.
During a break after I presented a talk on cyber warfare last night, I had a number of questions relating to the purported meltdown today:
- “Should we keep our machines off?”
- “How do we stop this?”
- “How do I stop getting infected?”
- “What antivirus must we buy?”
Here in deepest darkest Africa, we have two unintended benefits that come from the general means of network engineering done here. Both stem in reality from the paucity of real bandwidth currently (and historically) available. The first is that most organisations block direct port 80/tcp (http) and related port access to the Internet, forcing the requirement to use proxy servers. This cuts off Conficker’s ability to update. In the residential SOHO market, theoretically direct end-to-end port 80 access is possible, but more often than not there is a transparent proxy in the way. I doubt ISPs are doing any domain filtering on these however. What works as a means of self limitation is the fact that should any massive wave of attacks spring forth from the SOHO/residential type users, it will be cut short as they rapidly burn through their “bandwidth cap” – in most cases 1-3 Gig.
What is interesting is what the actual next move will be. I think it’s highly unlikely that this will be used for an all-out offensive and then disposed of. The authors have carefully engineered through four releases of the hybridised malware, and in essence have made a fairly substantial investment. The most likely scenario is that this is yet another botnet for sale – albeit a potentially massive one.
Botnets themselves are nothing new; we have seen what Storm has done (and is still doing).
For now we bunker down and wait…..
Tags: Uncategorized
This morning I moved the last of the services and data off the system I’ve had at LayeredTech since November 2005. This little AMD XP 2400 has given great service over the years, but the hardware got increasingly flaky and the cost of hosting at LT just keeps increasing for old kit. These factors in combination with a change of datacenters prompted me to bid it a fond farewell and relocate much of my offshore stuff to a shiny new host at hetzner.de, along with the chance to move to FreeBSD 7.x, and free myself of the cruft that accumulates with 4.x -> 5.x -> 6.x migrations without clean installs.
Tags: FreeBSD · Systems Administration · Uncategorized
March 13th, 2009 · 1 Comment
The second call for papers for ISSA 2009, Information Security for South Africa, 6 – 8 July 2009, has been released.
http://www.infosecsa.co.za
Due dates:
- Abstract submission: 23 March 2009 (1 page)
- Notification of abstract acceptance: 31 March 2009
- Full papers submission for review: 18 April 2009
- Notification of acceptance: 26 May 2009
- Submission of final camera-ready papers: 6 June 2009
Tags: Security
February 11th, 2009 · 1 Comment
While trying to follow up on the quite widely publicised Kaspersky website hack I went along to the obvious spot of Zone-H. Having found it uncontactable for the last two days, I tried again this morning and got the following:
Zone-H defaced
No details on this as yet. The Hackers blog has more on the Kaspersky hack, which seems to be good old SQL injection.
Tags: Incidents · Security · Uncategorized
February 6th, 2009 · 1 Comment
Over the last week or so a number of new tools have been released, either for the first time or as updated versions:
- tcpreplay is now at version 3.4.0 with a number of significant bugfixes. This staple of packet analysis allows for the replay of captured pcap files back over network interfaces. It’s a great way of having a repeatable test framework, or for exposing your NIDS system to collected bad traffic.
- picviz 0.5 has been released. I blogged about this before and the project seems to be coming on nicely. For my own purposes it’s not much use with my network telescope data, but does produce some pretty pictures for some other work I’ve been doing of late. The new version comes with a number of new log parsers. A slide deck discussing its use as presented at USENIX 2008 is also available.
- pcapr is the new tool out and describes itself as “web 2.0 meets packets”, and “pcapr does to packets what flickr does to pictures”. If it performs as promised it could make life a lot easier maintaining libraries of packet captures. The fact it’s a hosted service does have some distinct disadvantages. Currently there seem to be quite a lot of little snippets. An RSS feed of new content is also available. Another similar repository is that of openpacket.org.
- libtrace, while not a new tool as such, is something I’ve started working with recently after coming across it in Dean Pemberton’s 2007 MSc thesis on Internet Background Radiation Arrival Density and Network Telescope Sampling Strategies. The API looks pretty clean and it comes with a couple of nice demo tools which are actually useful. The URI syntax it uses for accessing files is a little strange but manageable.
Tags: tools
Robert Auger of Webappsec.org has compiled a good roundup of various security predictions for 2009, as various sites are wont to do at this time of year.
I’m sure various individual security bloggers/researchers will start adding their own thoughts in due course.
Tags: Security