12 posts categorized "Security"

January 10, 2008

$$$ for RSA

If only I believed in random overzealous patenting. Until then, here is a suggestion for RSA...

  1. Take a SecurID SID800, add a bigger chunk of flash memory to it
  2. Make a model that is bootable and maybe one that has a VM on it
  3. In that bootable environment or VM include Terminal Server, SSH/X, and NX clients
  4. Make it so the device will only pass the OTP while within the boot or VM
  5. And don't forget step two.five to add a VPN client or three
  6. Advertise it as a malware proof enhanced RAS solution and partner with MS, Red Hat, Citrix, etc. to enhance integration for remote printing, etc.
  7. Make loads of dough (whole grains please)
  8. Press out some pasta (I suggest adding basil like my lovely wife does)
  9. Enjoy your meal as the money rolls in

In a later revision develop a system whereby the core OS on the device can be updated live after confirming the OTP and some enterprise provided management code.

Oh, and for step ten you can give me some money. And have it all done by morning. Thanks, -Ali

Pentest poster

It's depressing to me how I can be so scattered while other people can create pentesting trees for the masses. Available in a poster too. I think I'll make it a homework assignment for myself to spend time contributing to that tree soon.

One completely disorganized and random thought is to include scoping out the closest airport and coffee shops that employees of a given organization frequent. I have found it's much easier to footprint a typical client or passively gather information about a network by utilizing an employee's off-site asset as a proxy. Provide an 'open access point' near them and voila! Cheers, -Ali

January 03, 2008

Patch the baby

Over the past eight years I've toyed with various software updaters that range from hose-the-system-bad to hose-the-system accuracy and quality. In the past week I've had better luck on my extended-family systems using Secunia PSI. Give it a try on your family use Wintel machines and save yourself a few phone calls in the future.

Where are the single-quotes and *boggles* and misplaced apostrophes? It's been a long morning. -Ali

Eight ITSec (in)predictions for '08

In no particular order:

  • Mobile malware will be responsible for toll call fraud. Somebody, somewhere, is working on a mobile network botnet infrastructure to disrupt services. Somebody else, who owns the building the first somebody pays rent to live in, is working on a mobile network botnet to accommodate organized crime telephone fraud.
  • The end of the ITSec independents. We'll see the end of the smaller shops as they're absorbed into larger companies, private management firms, and other shops that have many more lawyers, proposal writers, and Government contacts for contracts. Either that or In-Q-Tel will expand their operations significantly to make sure some of the smaller innovators get the appropriate guidance without getting lost in the mix of old timers. Remember 2006? I think 2008 will be at least twice as big as companies start seeing new regulations and cyber panics squeeze out from under the doors of Industry and Government.
  • The 'Great Firewall of New Hampshire' goes online. While I doubt New Hampshire, being the Free State and all, will be the first, I expect State legislatures to start going down the naive road of more ISP filtering and monitoring. This will lead to a lot of other genius initiatives like State control over IDS, DRM, QoS, etc. Actually, I'm being naive, this will almost certainly come down from the Federal level first. And, mark my words, part of the justification will be to defend against foreign adversaries whose networks are more closed to us, therefore to protect ourselves we need to close our networks. Sound familiar?
  • Power usage will become a competitive factor. Expect to see vendors start advertising their battery friendliness, low overhead, small footprint, and operating costs including power usage. Some already do but I think 2008, with continued pressure in the Energy sector, will cause most customers to seriously look at all computer asset overhead. An AV that uses 10% less power will get scored higher in corporate reviews. Don't ask me how they'll prove it but you know they will.

Continue reading "Eight ITSec (in)predictions for '08" »

December 20, 2007

The new MAD

The tenets of MAD still apply mostly to the Nuclear world but I've often wondered when MAD will become synonymous with a series of botnet deployments. And at what point does a botnet become the next Cuban Missile Crisis? When do Kaspersky and Symantec become Blackwater?

I found some reading from Schneier and John Robb on the topic (be sure to read the comments). Cheers, -Ali

February 02, 2007

Dolphin drowning

It’s hard not to show at least the smallest amount of admiration for whoever decided to pull this compromise off. The social aspect alone is hilarious as some of the visitors to the site are likely either already on the road or about to head to Miami. I hope, for their sake, they turn off their computers before they head to the airport.

Da Bears! Cheers, -Ali

January 30, 2007

Jamming GPS

We contacted the boat owner and gained access, quickly determining that the emitter was a commercially available VHF/UHF television antenna with built-in preamplifier. The antenna was powered by an AC/DC adapter plugged into boat AC power. The preamplifier was thus powered all the time, even when the TV was not on. In fact, the TV was seldom on, and most of the time the TV antenna was in a paint locker inside the locked boat. From this interior location, its emissions jammed all of Moss Landing Harbor and an area at least 1 kilometer out to sea.

*boggles* -Ali

January 20, 2007

Staff psychologist

I was going over a few old escape reports I wrote and concluded that I needed a good psychologist more than I need another security architect or engineer. I can’t, for the life of me, figure out what most end-users are thinking when they click-through warning dialogs, answer sensitive questions to complete strangers, put sensitive documents on unsecured media, and get involved with Swallows. Even in my daily life I sometimes pause just ~after~ clicking something or answering a question. We’re all prone to it........

I decided to search some job sites and see if anybody was recruiting psychologists for security related positions. I didn’t find much of anything but I’m sure defense and intelligence shops must have people on-staff. Determined not to be empty-handed I decided to search for evidence that IT security penetration testing services and firms used psychologists for more enhanced customer recommendations. What I mean is not just the social engineering norms but finding out what particularly unique aspects of a given organization may be leading users to insecure behavior not normally noticed. See what I mean?

In the process of my searching I thought about “Security and Usability” (which I highly recommend) and then came across some good old posts by Tom Vogt (one, two). If you take his security aspect mindset and combine it with the technical goals of the Jericho Forum you have a pretty complete picture of what’s to come in IT security.

Along with a few good psychologists. -Ali

UPDATE 02012007: Looks like Schneier is on the case too.

January 19, 2007

Intel on ITSec

Intel isn’t frequently thought of when trying to solve problems other than number crunching. It’s easy to forget they’re a huge organization with all the same problems any of ‘us’ have in other industries. Thankfully they’re not selfish and have shared a great article on layered security and another article on mobility and securing the mobile workforce. Neither article is technical but they are filled with clear language and crisp diagrams perfect for management. And if you’re like me you lust over anything that helps you communicate upstream easier. Take a gander and print a copy for your boss. -Ali

January 06, 2007

SCADA Honeynet

I love it when the web reads my needs and provides a solution. Just hours ago I was talking SCADA and a few hours later I trip and fall face-first into SCADA Honeynet. Poking and prodding it now… for best results, avoid doing something stupid. -Ali
