The results after the latest updates are:

Windows is significant, although there has been a distinct scew towards this OS due to Conficker propagation, its still worth noting that prior to the last 7 months being imported data though December 2008 showed windows only 0.8% down on the values above, roughly evenly split between positions 2 & 3.. At the bottom end of the scale some interesting artifacts.

xsltproc map2.xsl asia.xml

given the input from the Asia attack  graph produces:

30-06-2009 05:00:17 GMT,RU,Russia,15387,green
30-06-2009 05:00:17 GMT,TR,Turkey,7137,green
30-06-2009 05:00:17 GMT,CN,China,2468,green
30-06-2009 05:00:17 GMT,MY,Malaysia,4158,green
30-06-2009 05:00:17 GMT,IN,India,2631,green
30-06-2009 05:00:17 GMT,TH,Thailand,1823,green

While not the most elegant code, its gets done what I need, and is easily extensible enough to be able to  transform to other formats suitable for DB import. I’ll need to monitor data over the next couple of days to get an idea as to how the counters used are actually operating. Once that has been established I can star doing some meaningful comparisons.

The site provides rich graph and chart interfaces, which are nicely interactive.  There are definatley some ideas I want to incorporate form this into my own Network Telescope management console.  It is however worth bearing in mind that his is a Eurocentric view and is only based on their observed traffic. As such the “attacking countries” view seems to be a bit skewed.

Interoute World view 2009-06-30

After digging around with squid and wireshark, its evident that a lot of the data is actually served up as XML files, and as such can potentially be postprocessed. The Adobe AIR Barometer Widget they provide also makes use of these. One issue I had getting this installed is you need Air 1.5.1, and the 1.0.8 version I had wouldn’t auto upgrade correctly.  A little disappointing in that I was expecting a map view, it provides the basics of a total count and cycles through various country stats.

Interoute Barometer Widget

Where the real value  comes form is having another independent source of reporting ( even at the highly granular level) that can be used to correlate observations with my own data sets, and those available form places like dShield and ISC. Maybe I should dust off my old Infocon alert plugin for Firefox and integrate some of this data.

http://www.infosecsa.co.za

Due dates:

• Abstract submission: 23 March 2009 (1 page)
• Notification of abstract acceptance: 31 March 2009
• Full papers submission for review: 18 April 2009
• Notification of acceptance: 26 May 2009
• Submission of final camera-ready papers: 6 June 2009

Zone-H defaced

No Details on this as yet. Hackers blog has more on the Kaspersky hack which seems to be good old SQL injection.

• ComputerWorld – Opinion: Security predictions for 2009
• SANS – 2009 Security Predictions
• ITWorld – Security predictions for 2009
• CRN – 10 Security Predictions For 2009
• Gartner – The 2009 Security Prediction Prediction List
• InfoWorld – 2009 security predictions: Deja vu all over again
• ITPro.co.uk – 2009 – my security predictions

I’m sure various individual security bloggers/researchers will start adding their own thoughts in due course.

If you ahve novel research and are looking to get the best bang for yourl buck, this list can help you select the right forum to present in.  Particularly interesting is the statistics list showing acceptance rates for some of the major conferences over the last few years.

Also worth noting is the focus on Steampunk [1] [2] [3] including a reference to Steampunk band Abney Park

Is it really this easy, to get people to give up the proverbial crown jewels?

I would assume the person in question either has savvy friends who have not fallen for the ploy, or has no friends ;)

*info redacted to protect the curious*

A more advanced version of the kind of output achievable is also provided showing how with the help of a pre-processing script, the SSH login process can be graphed:

Graphs are produced via an intermediate scripting language which has by design strong similarity to that used by Graphviz.  I’ll definatley be adding this to my toolset and seeing how it handles processing of some of the rather large data sets Ive got.

I’ve been patiently waiting for three years to catch a new worm on my telescopes, so I I’m ready and waiting.

Windows 2000, XP and Server 2003 are all listed as critical targets, with Vista and Server 2008 being vulnerable as well, but potentially able to limit the damage due to their newer some what more modular and layered security design.  For Operating systems other than the latter two, this release also effectively updates MS06-040

Christopher Budd from the Microsoft Security Response Center has a nice little writeup about it, with further details on the Official release notes for MS08-67. Also from a Microsoft Perspective, Michael from the Security Develoment Lifcycle has a nice piece titled MS08-067 and the SDL in which he actually explains the bug itself.

Microsoft have also gone as far as to provide a webcast on the subject.

Update: Infosec blogspace is all a twitter with this.  I’ll add relecant content as I find it.

While content is still a little thin on the ground, it does represent a major step forward in actually providing a point of collation of project information under our own control.  A large task to be performed next term is to actually backfill with old project information as we can get it off CD.

More as content actually develops.

Update: SNAFU n+1  the vhost is being denied access from outside of Rhodes.

Update: All fixed.

My gut feel was that it was the disclaimer being inserted by an intermediary gateway ( one has to love corpmail).  Setting about proving this was the hard part.  The first issue at hand wa to actually extract the certificates so I could play with the verification.  Cert Viewer Plus for Thunderbird made this part a dream. Creating a modified version of the signed message was a little bit more problematic.

Trusting the command line, I started hunting around for details on OpenSSL support for SMIME, which it has.  OpenSSL needs a full CA path for being able to verify SMIME signed messages. One can obtain this from various places ( such as exporting form your browser) but in a case like this where a private hierarchy was being used, its enough to just make used of a somewhat smaller subset contianing only the certificates used in this chain.  These can be extracted using Cert Viewer Plus. Alternately some command line magic can be used to extract the PKCS7 formatted embedded certificates out in standard PEM format., using the following command:

openssl smime -pk7out -in mail.txt | \
openssl pkcs7 -print_certs > extract.crt

Now that we have a certificate chain we can attempt the verify. The extract.crt below can be either from the openssl method above or the Cert Viewer plus PEM dump.
openssl smime -CAfile extract.crt -verify -in mail.txt
Now we actually have a more usable error message. Although I really don’t know why I have such a deep distrust in GUI apps for actually telling me what is wrong.
Verification failure
88175:error:21071065:PKCS7 routines:PKCS7_signatureVerify:digest failure:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pkcs7/pk7_doit.c:808:
88175:error:21075069:PKCS7 routines:PKCS7_verify:signature failure:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pkcs7/pk7_smime.c:265:

As suspected the digest filed, which lead to a overall signature failure.  The next step was to see if removing the disclaimer worked.  Repeating on a slightly edited version of the the mail gave the following:

openssl smime -CAfile extract.crt -verify -in mail2.txt
...
mail contents deleted
...
Verification successful

So the original question posed was if the signature system was working correctly which it now was. The differences between the two mail files was checked using diff

diff -u mail.txt mail2.txt
--- mail.txt Mon Aug 25 18:06:33 2008
+++ mail2.txt Mon Aug 25 18:08:10 2008
@@ -61,10 +61,6 @@
South Africa

-Important Notice: This email is subject to important restrictions, qualifications
and disclaimers ("the Disclaimer") ..that all was one very long line that made
up the corporate disclaimer.....
...
------=_NextPart_000_0048_01C906C7.DB6FB700
Content-Type: application/x-pkcs7-signature;
name="smime.p7s"

From the above the only difference shown is that a mail gateway had added in a extra four lines of disclaimer and white space padding.  The question now evolves as to how to provide the now pretty much ubiquitous organizational disclaimer in outgoing mail in such a way that it doesn’t trash any cryptographic operations in which the mail is involved.  Ive gone back over mails from a  couple of other people in corporate South Africa that I know , and the problem seems to be widespread.

The solution may be that the disclaimer as such is encapsulated as a separate MIME component, which is what interestingly one university here does ( although it insists on prepending its mime encapsulated HTML disclaimer, which makes for really ugly mail reading!)

The following a is a shorthand ticklist of the steps required.

1. sign up with cacert.org
2. On the thawte website make sure your notary details include the email address that you have used for the cacert.org signup.  This may involve just editing your details within the WOT console, and waiting for approval/verification, or having to do this and a ping to the mail address.  having the details verified can take 2-5 days, if the info is not already on your notary page.
3. Generate a certificate compatible for use with Internet Explorer.  This is the tricky part, as even Firefox 3 doesn’t support their client based authentication required by the tverify.cacert.org website  this should also be for the email address you are signed up to cacert.org with.
4. Go to the Thawte verification site (tverify.cacert.org), and choose the appropriate certificate to present to the server. make sure to use your IE browser witht he right client cert installed.
5. Fill in your email address, ( grants you 50 points since youare trusted within the Thawte WOT
6. Wait while a manual verification takes place.
7. Once email is received either notifying you of an error or noting you have succeded, either rinse and repeat, or proceed to the next step.
8. You are now ‘Assured’ but need to take the Assurer Challenge in order to prove your basic knowledge about the system, in oorder to be able to actually start Assuring people.  The link above also includes some background material one may need in order to attain the 80% mark required.

The Assurer Challenge is a relaly nice idea, and although anyone familiar with the concepts around the Thawte WOT system and general CA operations should have no problems witht he the majority of the 25 random questions, there are some which trelate closely to the CA specific rulings etc.

So now I have a full 150 assurance points since I was procesed by the Trusted Third Party (TTP ) system ( and it appears this is the maximum one can get as otherwise ones points are rounded down), as opposed to the 100 point maximum one gets for gathering points via the WOT method.

So now I’m able to embed my name in client certificates (50 points minimum), get server certificates for 2 years, and also get code signing bits on my certificates.

For the impatient some instructions are available for getting started. Now to work out what else to order form amazon so that the 40USD specail shipment fee hurts a little less ( thanks to our totally criminal and incompetent post office in South Africa)

Failing that its time to wait till the local places get round to stocking it.

Blackat Media’s decision to open up their archives is to be commended.  If I recall correctly, this content has also been available on iTunes fro a while under podcasts.

Of all the tools release its DAVIX, that makes me happiest, other than it being a relaly slick Compilation of VizSec tools, it also features InetVis, which is a part of the postgraduate research by one of my students (Jean-Pierre van Riel), which I previously posted about.

iKat is the other tool that tickles my fancy.

There are some interesting setf odf Defcon Photos floating around such as these by sits, who has also made available a zip of the of the Defcon 16 CD contents.An 732MB ISO  version is also available that at least has checksums.

I see some fun times ahead!

• http://www.google.com/search?q=rxbcrobh
• http://www.google.com/search?q=frhlrxca
• http://www.google.com/search?q=omihinga

Searching on google with these links, surprisingly turns up nothing. I was expecting to find lists of malware infected sites similar to the SQL injection attacks seen in the last few months. Does anyone have any insight into these ? Sources appear to be geographically dispersed, and scattered across a variety of blog entries, old and new?

Its also worth noting that Halvar Flake has stepped up and stated that hes found the bug as well ( so I assume He will be sharing the stage with Dan at Defcon)

Footnote:

While trawling through logs it was interesting to nitice that this post was noted in E-Securre-it and Team Cymru’s security news links links on the 24th of July 2008

Important dates
Submission of papers: October 20, 2008
Notification to authors:  December 20, 2008
Camera-ready copies:  January 15, 2009