Daily Dave

This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.

Chris Eagle's INFILTRATE Keynote

14 June, 2013 - 12:46

Posted by Dave Aitel on Jun 14

Keynotes, unlike normal technical talks, should sometimes cover very
broad areas because your keynote speakers should have broad, interesting
experiences. Chris Eagle's keynote at INFILTRATE 2013 is one of those.
Few people knew that before working with IDA, Chris Eagle was a Naval
Pilot. And yet, an entire talk without OODA loops!

Just as a note: you can buy INFILTRATE 2014 tickets now, and while we
will probably not fill up the conference...

Re: Defeating what's next

14 June, 2013 - 12:38

Posted by Moses on Jun 14

Indicators of Compromise or more appropriately those that are Open
Indicators of Compromise. We have had many proprietary solutions that
used 'signature based' indicators for quite a long time. Some of them
you never could run in an open or customizable fashion like A/V. Can't
have their secret sauce all over the proverbial industry. Others that you
could run in an open fashion on an infrastructure, like Snort, were used...

Re: Defeating what's next

13 June, 2013 - 13:55

Posted by Ben Miller on Jun 13

So I think one of the more powerful things about IOCs is that it is open. To
Halvar's point, this assists in forming communities and establishing
confidence. Incidentally, communities and confidence are not something bad
guys are generally lacking but defenders are.

A stack of IOCs can also better inform a defender on what to expect. For
instance, the sequence of IOCs of an attack may outline a dropper, benign
document, a trojan and 10 minute...

Re: Defeating what's next

13 June, 2013 - 13:48

Posted by Vitaly Osipov on Jun 13

… or, Ptolemaic model of the solar system of infosec.

Required reading: https://en.wikipedia.org/wiki/Deferent_and_epicycle

In all enterprise-y security courses they will teach you that there
are several components to defence processes:

10. If you can, try to prevent bad guys getting to you
20. If you cannot, try to detect an attempt to get in before it succeeds
30. If you cannot detect attempts, aim to detect whether you've been...

Re: Defeating what's next

12 June, 2013 - 13:48

Posted by Halvar Flake on Jun 12


Re: Defeating what's next

12 June, 2013 - 13:14

Posted by Kristian Erik Hermansen on Jun 12

It's the same reason DENTISTS STILL HAVE JOBS. We can -- with nearly
100% certainty -- prevent tooth decay. The fact that we don't shows
that we are human and naturally flawed. Even when 100% of the problem
is within our control, humans still get cavities. Security is far less
in one's control, due to vendor requirements / open source libraries /
etc., so the problem of course will be much worse. How many people on
this list have...

Re: Defeating what's next

12 June, 2013 - 12:40

Posted by Brad Andrews on Jun 12

Perhaps everything basically boils down into that, at one form or another. How many new things are really under the sun?

From: John Strand
Sent: Wednesday, June 12, 2013 9:31 AM
To: Dave Aitel
Cc: dailydave () lists immunityinc com
Subject: Re: [Dailydave] Defeating what's next

Why does it seem we are moving from blacklists to "new and improved" blacklists?

It seems like the industry is caught between choosing between...

Re: Defeating what's next

12 June, 2013 - 12:35

Posted by Nick Selby on Jun 12

Great thread. The only thing I would expand on Dave's description of
"indicators of Compromise" is that for us, when we get called in because
the customer doesn't believe it's been compromised but wants to quiet down
Bill in IT Security so he'll shaddup already, our indicators of compromise
are all human and procedural and policy-based. Before we even run an nmap
scan we have put together a fairly accurate prediction...

Re: Defeating what's next

12 June, 2013 - 11:53

Posted by security curmudgeon on Jun 12

: Why does it seem we are moving from blacklists to "new and improved"
: blacklists?
:
: It seems like the industry is caught between choosing between things
: that don't work (i.e. blacklists, "better" firewalls) and things which
: are hard to implement (i.e. whitelists, better internal network
: segmentation, baseline monitoring, etc.)

Because we are. You can sell "new signatures" as a subscription model for...

Re: Defeating what's next

12 June, 2013 - 11:46

Posted by Arrigo Triulzi on Jun 12

[...]
That way, by the time someone

As painfully learned during my brief startup stint: never speak the truth about the limitations of your security
product as it does not show knowledge of the problem space but loses you sales and VC money.

Arrigo

Re: Defeating what's next

12 June, 2013 - 10:44

Posted by Justin Seitz on Jun 12

This is true arguably because the overall skill of the infosec industry
is on the decline. As one of my Canadian counterparts once said: "The
term security researcher or penetration tester really means 'can run
Nessus'". No different for the defense side.

The best bet for any company slogging the new and improved defense
mechanisms is to wrap it in a $100k pretty 2U chassis, and have insanely
stringent trial request...

Re: Defeating what's next

12 June, 2013 - 10:09

Posted by John Strand on Jun 12

Why does it seem we are moving from blacklists to "new and improved"
blacklists?

It seems like the industry is caught between choosing between things that
don't work (i.e. blacklists, "better" firewalls) and things which are hard
to implement (i.e. whitelists, better internal network segmentation,
baseline monitoring, etc.)

I think Paul said, "Every time you hit the easy button, God deploys another
trojan on your...

Defeating what's next

12 June, 2013 - 09:12

Posted by Dave Aitel on Jun 12

Hackers spend a lot of time looking at what's coming down the technology
road at them. In a sense, this business is about learning how to stare
down the barrel of a gun and not blinking for decades at a time. When
you blink, you end up a CISSP. Richer financially, but poorer in 0days,
the only currency that matters to someone with your particular addiction.

Terminology can reveal a lot, as can business strategies. I spent some
time on the...

Re: Hack Cup 2013

11 June, 2013 - 12:55

Posted by Fyodor on Jun 11

my spelling corrector prompts me that the link should be
https://sites.google.com/site/securitytournament/add-your-team ;)

Hack Cup 2013

10 June, 2013 - 09:17

Posted by Nicolas Waisman on Jun 10

Immunity is excited to announce our fourth annual Hack Cup this year in
Las Vegas! As always, it will be held the day after BlackHat (August
2nd).

Anyone interested in playing indoor soccer is welcome to join!
The rules will be the same as previous years:

o The tournament will go from 9:00-13:00.

o We will have 12 teams of five players each, playing 15-minute matches
in four different groups. We recommend that you have up to 3
substitutes...

Quiet Fridays!

7 June, 2013 - 13:08

Posted by Dave Aitel on Jun 07

Alright, it's Friday, and luckily there's nothing going on in the
security community today!

So for movie day, instead of watching Epic for the third time, you
should watch these:

1. http://partners.immunityinc.com/movies/CANVAS_687_1.mov <--there are
vulns here you've probably never heard of, and the Stuxnet-style
dynamic DLL loading from memory
2. http://immunityinc.com/silica-service-impersonations.shtml <--This...

Naval Metaphors

2 June, 2013 - 21:42

Posted by Dave Aitel on Jun 03

So things are happening, although we're not sure what.

http://www.nytimes.com/2013/06/02/world/asia/us-and-china-to-hold-talks-on-hacking.html?ref=computersecurity
(amusing, if nothing else, to imagine they'll sit down and be brutally
honest over some fine rum.)

http://www.nytimes.com/2013/06/02/opinion/sunday/the-banality-of-googles-dont-be-evil.html?pagewanted=all&src=ISMR_AP_LO_MST_FB
(Assange is many things, but he's...

Alright you peddlers of cyberdoom - time to do something nice for a change

2 June, 2013 - 21:34

Posted by Steve on Jun 03

Hi all,

I don't know if you've seen what's been happening in Turkey, but it's
pretty bad and will get worse. There's not much I can do, but I thought
I'd try to do my bit and built this: http://lahana.dreamcats.org/.

Lahana is an auto-build script designed for the EC2 free tier. Basically
you create an instance, upload the script, run it and you have an IPSEC
PSK VPN that sends all output tunnelled over Tor....

Graphs!

31 May, 2013 - 09:34

Posted by Dave Aitel on May 31

So people are reading this and commenting on it (because it has nice
graphs!) and I thought it's interesting how he focuses on the client
software people use, and then projects outwards a few years to see what
will happen in the future!

http://www.slideshare.net/bge20/2013-05-bea

Of course, part of the problem with this kind of analysis is how quickly
things are changing in the client market. For example, what if Weibo
launches a phone?...

Re: The underlying structure is foamy

31 May, 2013 - 08:50

Posted by Jack Whitsitt on May 31

(In support of the email below, but perhaps a little OT to the
original thread): I don't think you've taken that concept far enough.
The security state of the internet (or any network really) at a given
moment in time is (in my untested opinion) the aggregate result of a
series of decisions made and actions taken by authorized roles in
legitimate capacities somewhere on a timeline. (If there are
illegitimate actions able to be taken by...