Sunday, January 22, 2012

Do, don't try ~ Ralph Marston - I have to repost this, brilliant


The way to achieve is not to try. The way to achieve is to do.

The difference between trying and doing is all in your perspective. That difference makes all the difference in the world.

When you see yourself as trying, you are burdening yourself with the expectation of failure. Instead, put all your energy and focus into doing your very best, and into expecting the best results.

Merely trying is itself an excuse, and it gives you permission to make all sorts of other excuses. Doing, on the other hand, gets results.

If you’re going to make the effort, then make it count. Let go of any thoughts that you’re just trying, and embrace the most positive expectations.

You are absolutely capable of making a real and valuable difference. So forget about trying, and with well-deserved confidence, go ahead and get it done.

— Ralph Marston



I'm an expatriate, not an ex-patriot

"In 1849 George Bancroft, an American historian and diplomat, said that for a man to have two countries was as intolerable as for him to have two wives."


Saturday, January 21, 2012

Again Max Keiser is right and right and right!


Friday, January 20, 2012

CPE: McAfee AudioParasitic: Episode 10 Top 10 predictions for security threats in 2007

length: 00:21:56

Reviewing the top 10 predictions for security threats in 2007 after 6 months - we scored pretty well...

3 things that are puzzling:
1. spam declining
2. number of bots declining
3. no serious mobile threats

However the iPhone will be released soon, with a full-blown OS and a full browser (not a crippled browser) - this will become a target because of the number of deployments
+ Apple will provide an application to stream YouTube - this is one of the threat predictions.

Number 1 is the password-stealing website; this will stay the number one threat

There would not be such a high volume of SPAM if it had not worked - same thing for Ponzi schemes and Nigerian scams. SPAM has to be only 1-2% effective

The number of bots declining could be related to classification - sometimes it is classified as a virus, sometimes as a trojan, sometimes as a downloader..

The bot decline will be temporary.

The term rootkit is getting looser and looser - in the future people will use more specific terms.

Now that people get paid to find vulnerabilities - there will be more of them.

Top 10 predictions for security threats in 2007:

1. The number of password-stealing Web sites will increase using fake sign-in pages for popular online services such as eBay.
2. The volume of spam, particularly bandwidth-eating image spam, will continue to increase.
3. The popularity of video sharing on the Web makes it inevitable that hackers will target MPEG files as a means to distribute malicious code.
4. Mobile phone attacks will become more prevalent as mobile devices become "smarter" and more connected.
5. Adware will go mainstream following the increase in commercial Potentially Unwanted Programs (PUPs).
6. Identity theft and data loss will continue to be a public issue - at the root of these crimes is often computer theft, loss of back-ups and compromised information systems.
7. The use of bots, computer programs that perform automated tasks, will increase as a tool favored by hackers.
8. Parasitic malware, or viruses that modify existing files on a disk, will make a comeback.
9. The number of rootkits on 32-bit platforms will increase, but protection and remediation capabilities will increase as well.
10. Vulnerabilities will continue to cause concern fueled by the underground market for vulnerabilities.


Thursday, January 19, 2012

CPE: McAfee AudioParasitic: Episode 9: teaching Malware authoring part 2/2

length: 00:25:50

Continued discussion about the ethics of teaching malware writing with Karthik Raman and Craig Schmugar, part 2/2

You can do a lot of research using all the information available on the Internet without writing your own malware...
The design of the course should not encourage students to write their own malware..
But what are they trying to do? I don't think there is anything new that can be taught

When they decided to teach people to write malware, I don't think they knew what they were doing...

Would/could the university be held liable if the virus caused damage???

It comes down to intent and technique...

Would you take a course on malware writing?? Dave said yes :)

I don't think this course will help with writing malware.

It is not suitable for high school level - should be master's level.

Fitch said one time: we always get the road map from malware writers...

We did not come to any conclusion - as always with the rest of the podcast...

The benefits of a malware-writing course do not outweigh the negatives - but if this changed I would agree..
Hopefully this will mold people into a more ethical approach.

Code is code; it can be used with good intentions or bad intentions.
No valid point to teaching malware writing..


CPE: McAfee AudioParasitic: Episode 8: teaching Malware authoring part 1/2

length: 00:19:51

Discussion about the ethics issue with Karthik Raman and Craig Schmugar

There will be a class to teach malware writing, under the auspices of becoming a security researcher...

Karthik: Many people have a gut reaction - but actually it requires more nuance; we should look at this more carefully

Dave: they shall not write malware

Craig: In a practical way, malware writing will not help to become a better security researcher...

This course has been offered for educational purposes only...

The AV industry has been plagued with the conspiracy theory that AV companies write their own viruses... result: they shall not hire anybody who has written a piece of malicious code...

Today is totally different than 15 days ago - there is a huge amount of malicious source code, no need to hold a malware-writing course - it is better to analyze the source code that is readily available...

The military uses war games to practice
Virus disassembly, law, ethics must be taught

Economics studies capitalism and socialism...

Depends on how much other things are emphasized, besides the writing itself...
You don't write your own bullet to test the vest...

AV companies use a clean set - non-malicious samples created internally to test some AV functionality such as terminating processes.

Even if the intention is good, incidents can happen....
Learning from a university can be a safer option than learning from the wild

Ironic: teaching a limited number of malware samples while there is a HUGE amount of source code available


CPE: McAfee AudioParasitic: Episode 7: Vulnerability disclosure and Bounty Program

length: 00:14:16

Lots of people seem not to agree with what we said about vulnerability disclosure...
It's like abortion - it causes such polarized positions

People think once a vulnerability is posted - they expect in 10 minutes the vendor will provide a patch... people don't think that on the other side of the fence there are other people who will exploit it!!!!

I don’t think this is a winnable argument..

I don't think they are very honest about the purpose of the Bounty Program...

Their intention is fame and money – get real!!!

When you buy a vulnerability from someone - where is the assurance that that person is not sharing it with the underground world??

At the end of the day the Bounty Program is a BRILLIANT marketing strategy.

The company gets a lot of PR - a huge amount of publicity - and completely ignores the people who are at risk..


CPE: McAfee AudioParasitic: Episode 6: Rootkit technology

length: 00:18:40

Scanning the system while it is running is probably not the best way to detect a rootkit...
Depending on the complexity of the rootkit, sometimes a reboot is necessary
Because when it is already running how do you know? When do you know that a rootkit exists?

In the future there will probably be no rootkit per se - but a rootkit component that can be compiled as a module into malware...

Fu rootkit

There is a wrong perception that rootkits spread!
There is no rootkit without a malicious component; there will be no mass SPAMming of HackerDefender...

Packer: image of the file in memory

The packed file is "unrecognizable" on disk because it is obfuscated..
Once it is executed it will be difficult to detect...

The generic & behavioral driver has the capability to detect this type of behavior..
People don't realize how complex and capable the generic/behavioral driver/signatures are...
AV is not dead!
A lot of downloaders & spyware can be detected with the heuristic and generic driver...
The idea of a rootkit or packer to hide is to be stealthy


Friday, January 13, 2012

CPE: McAfee AudioParasitic: Episode 5: Are we solving the problem in the Security Industry? Part 2/2

length: 00:20:31

Continuing the discussion with Stuart McClure

Is it worth spending time writing secure code???

Secure code must be implemented in all processes from design to implementation to test

Risk-reward analysis – some companies are willing to say it is not worth the hassle to do it 100% because the cost is significant – they might not see the benefit.

Every SW program has vulnerabilities - they just have not been found yet

There is a natural resistance to admitting vulnerabilities - because it will challenge the revenue - I get it!
What I don't get is when we have demonstrated the PoC to them - they still deny the vulnerability.

What are the biggest challenges?
1. Malaise - people who think security is good enough is the biggest problem
It's like insurance: unless you've had an accident you are not interested in getting full insurance - people just want to buy the good enough - it is human nature - there will always be problems because people do not take risk seriously..

Money is a strong, strong motivator to write malware... today they have become much more professional - so professional that they can get a very strong blip.

Going after Bill Gates is passé - now it is about making money
It was not the fault of the bank if the bank got robbed..

It used to be the AV industry against the malware community
Now, it is the AV industry against the malware industry...

Closing thoughts:
1. It is very real
2. User-controlled security - eliminates 99% of the threats
3. Vendor-controlled security - must be built in

Ultimately it’s about user education..


CPE: McAfee AudioParasitic: Episode 4: Are we solving the problem in the Security Industry? Part 1/2

length: 00:19:27

Discussion with Stuart McClure

Stuart was family for a while...
Started in the late 80s - until the early 90s - blossomed into a significant consultant - E&Y, IDG, first security column in InfoWorld...
Wrote the Hacking Exposed series...
Founded Foundstone - we need to automate a lot of our knowledge, process, priorities... put it into training, technology - the process of assessing your risk.
Where are the biggest risks? With the least amount of effort to successfully remediate the problem & repair...

Foundstone was acquired by McAfee…

Are we solving the problem in the Security Industry?
Or are we in maintenance mode / catch-up mode - because the bad guys are always one step ahead???
Are we shoveling sand against the tide?

Security is a process - it is not a finish line.
The earlier people get that, the easier it will be.
There is a big problem, because people want a quick fix but there is no quick fix.

If you understand security you can really nail the 80-20 rule:
80% of the ways hackers penetrate can be remediated by 20% of the effort.

Are we fixing the problem?
Yes, we are, but there is no quick fix - manage security day to day - since zero-day..

SW really consists of 3 components:
1. Input
2. Process
3. Output

Hacker: focuses only on input - expecting the process to provide different output..


CPE: McAfee AudioParasitic: Episode 3: Bot and evolution of Bot

length: 00:20:37

Discussion with Allysa Myers - one of the most renowned bot experts..
started with macro viruses and script viruses..

Most malware is static and most of the static malware are bots!

Purpose of a bot: to control the system

It started as an IRC script - one guy tried to flood some guy, knocking him off the channel - taking down the entire chat room - taking down the entire server... - they had to get more and more computers to achieve this!!

Using trojans they realized how successful it was, then they started to take down Amazon - Yahoo!

Find vulnerability – infect the machine

Today - malware is packed with different packers - not necessarily detectable..
Because the malware gets repacked - millions of viruses to millions of people...

Packer: it is like WinZip - but writes the file in memory; the uncompressed file never actually hits the disk.

As packers get more popular - AV will make signatures..

Packer variation -
New malware against old existing malware - creates new malware..

Command and control - C&C: the infected machine will log into a chat room & provide sysinfo - identify what OS/patch/BW - get password / exec file

IRC was initially used to control - port 6666 - changing
IRC traffic is changing
HTTP is getting more and more prevalent - still IRC command, moving more to P2P

P2P - without C&C - anybody, as long as they have the password, can control it!!
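Detection logic for the IRC C&C pattern described above (bots logging into a channel, port 6666 but changing). This is an added example, not from the podcast: the log lines are constructed, the addresses are reserved documentation ranges, and the log format is assumed.

```python
import re
from collections import defaultdict

# Constructed connection log for this example (not from any real capture).
# Format: timestamp  src_ip:port -> dst_ip:port  first client line on the connection
LOG = """\
2012-01-13T10:00:01 10.0.0.5:49152 -> 203.0.113.7:6666 NICK x-1021
2012-01-13T10:00:02 10.0.0.5:49152 -> 203.0.113.7:6666 JOIN #ctrl
2012-01-13T10:00:03 10.0.0.5:49152 -> 203.0.113.7:6666 PRIVMSG #ctrl :sysinfo WinXP SP2 1024kbps
2012-01-13T10:01:00 10.0.0.9:50111 -> 203.0.113.7:8080 NICK x-3344
2012-01-13T10:01:01 10.0.0.9:50111 -> 203.0.113.7:8080 JOIN #ctrl
2012-01-13T10:02:00 10.0.0.12:51000 -> 198.51.100.4:80 GET /index.html HTTP/1.1
2012-01-13T10:03:00 10.0.0.20:52000 -> 192.0.2.30:6667 NICK alice
2012-01-13T10:03:01 10.0.0.20:52000 -> 192.0.2.30:6667 JOIN #python
"""

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) (?P<msg>.*)$"
)
IRC_CMD = re.compile(r"^(NICK|USER|JOIN|PRIVMSG)\b")
IRC_PORTS = {6666, 6667}


def parse(log: str) -> list[dict]:
    """Turn log lines into events; lines that do not match the format are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events


def port_rule(events: list[dict]) -> set[str]:
    """Naive rule: any host talking to a classic IRC port.
    Misses C&C that moved to another port and flags legitimate IRC users."""
    return {ev["src"] for ev in events if ev["dport"] in IRC_PORTS}


def protocol_rule(events: list[dict]) -> set[str]:
    """Match the IRC commands themselves, whatever the port (the port keeps changing)."""
    return {ev["src"] for ev in events if IRC_CMD.match(ev["msg"])}


def shared_channel_rule(events: list[dict], min_hosts: int = 2) -> dict[str, set[str]]:
    """Botnet indicator: several internal hosts joining the same channel on the same
    server looks like bots reporting in, not people chatting. Returns
    "<server> <channel>" -> set of internal hosts for channels over the threshold."""
    members: dict[tuple[str, str], set[str]] = defaultdict(set)
    for ev in events:
        m = re.match(r"^JOIN (\S+)", ev["msg"])
        if m:
            members[(ev["dst"], m.group(1))].add(ev["src"])
    return {f"{dst} {chan}": hosts
            for (dst, chan), hosts in members.items() if len(hosts) >= min_hosts}
```

On the sample, the port rule misses 10.0.0.9 (C&C on 8080) and flags the lone IRC user 10.0.0.20; only the shared-channel rule singles out the two hosts reporting to #ctrl.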

At this point it is important to understand the risk - it is known there are people out there who want to cause problems - protect your assets!!


Thursday, January 12, 2012

CPE: McAfee AudioParasitic: Episode 2: term "anti-virus"

length: 00:20:48

Discussion with Craig Schmugar

News article some weeks ago.. AV is dead.. :)

Why do we still see the term AntiVirus when we usually see either a Trojan or a Bot???

Anti-Virus - is an attempt to find common ground - if we change it people might not understand..
The I Love You virus - people know that and have that frame of reference..

Term: blended threat - sexy term.. it was not a new concept... but it was a buzzword..

Virus kinda stood the test of time. Other terminology comes and goes..

As a product - AV is the core technology..

People use the term virus as terminology for malware - downloader, trojan, bot..

You hear researchers: virus = self-replicating code..
Trojan is something very different

By definition - a trojan was more severe.. in the past, but now mass-mailing malware with a trojan... the end result is the same..

People think with Vista AV is useless :)

AV is very reactive - it does not stop you from getting a virus..

Heuristic detection and generic detection have not been marketed very well... people are not aware

Some years ago - there was the anti-spyware movement.. it was a simple hash mechanism...

Signature-based is dying but moving more to heuristic-based
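Why the simple hash mechanism above breaks against repacked samples, and why the packer notes from Episodes 3 and 6 (file compressed on disk, plain image only in memory) push detection toward the unpacked image. Added example, not from the podcast: the "packer" is a toy zlib wrapper with an assumed header format, and the sample bytes are constructed.

```python
import hashlib
import zlib

# Constructed stand-in for a malicious file body (not real malware). The repeated
# line is what a content signature would match on once the file is unpacked.
PAYLOAD = b"CONSTRUCTED SAMPLE - not malware\n" + b"connect irc.example.invalid 6666; report sysinfo\n" * 8
SIGNATURE = b"connect irc.example.invalid 6666; report sysinfo"
MAGIC = b"PK!"   # assumed toy packer header, followed by a 1-byte stub length and the stub


def pack(payload: bytes, stub: bytes) -> bytes:
    """Toy packer: like WinZip, the payload sits compressed on disk behind a small
    stub; the plain bytes only ever exist in memory after unpacking."""
    return MAGIC + bytes([len(stub)]) + stub + zlib.compress(payload)


def unpack_in_memory(data: bytes) -> bytes:
    """What the loader does at run time: skip the stub and inflate into memory."""
    n = data[len(MAGIC)]
    return zlib.decompress(data[len(MAGIC) + 1 + n:])


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_detect(data: bytes, blocklist: set[str]) -> bool:
    """Anti-spyware-era detection: the whole-file hash must be on the known-bad list."""
    return sha256(data) in blocklist


def ondisk_signature_detect(data: bytes) -> bool:
    """Plain byte signature over the file as it is stored on disk."""
    return SIGNATURE in data


def generic_detect(data: bytes) -> bool:
    """Generic route: recognise the packer, emulate the unpack in memory, then apply
    the content signature to the unpacked image instead of the disk bytes."""
    image = unpack_in_memory(data) if data.startswith(MAGIC) else data
    return SIGNATURE in image


def compare() -> dict[str, bool]:
    """Same payload twice: the hash comes from the first sample, then it is repacked."""
    known = pack(PAYLOAD, stub=b"stub-v1")
    blocklist = {sha256(known)}
    variant = pack(PAYLOAD, stub=b"stub-v2")   # repacked: new bytes, new hash
    return {
        "hash_known": hash_detect(known, blocklist),
        "hash_variant": hash_detect(variant, blocklist),
        "ondisk_sig_variant": ondisk_signature_detect(variant),
        "generic_variant": generic_detect(variant),
    }
```

Only the generic route catches the repacked variant; the hash list and the on-disk signature both miss it.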

Continuing the episode 1 discussion with Joe Telafici & Kevin Beets

Snort is benefiting from information disclosure

Fitch: I have said for years that my product requirements are written by malware writers!!!
I don't really have much of a choice..
People pretty much expect 100% detection..

It's kinda a double-edged sword.. we have known about rootkits for a long time - but not until there were rootkits in the wild could we get the justification to add more anti-rootkit development.

The fact that people are living off malware has created better malware toolkits..
All these business models are built around all these activities: spammers - bot guys - selling exploits - dropping spyware..

Are we really giving them more ideas on features...
Dave: no - because they are more focused on making money...
Fitch: they tend to make it as simple as possible to get money.. but the more difficult we can make it for them - the further they go.

Where must the line be drawn:
Malware must not be shared
Vulnerabilities or anything that helps to protect should be disclosed.
Allowing it to be disclosed will give the vendor an incentive to patch
Not opposed to full disclosure when responsible disclosure does not work..
Dave is OK with that answer..

Our job - give top-notch protection & give as much information as possible without causing more problems..
It is really a case-by-case basis...
Sometimes it may be appropriate - sometimes it is not..


CPE: McAfee AudioParasitic: Episode 1: Nordea Bank phishing incident

length: 00:24:49

1st episode of the AudioParasitic McAfee podcast..

Take a close look at the issues and trends - what is driving the industry... beat that issue into submission with 2 very opinionated hosts.

If you are looking for malware news, wrong podcast.. but if you are looking for highly caffeinated commentary - welcome to AudioParasitic

Nordea Bank phishing - largest, most successful malware threat
The developers behind it are very, very capable and aware of signature-based AV
It was a specific trojan bought for this specific target - that managed to stay active for a window of time..
But on the other stuff - it is not different from what we have seen for many, many years.

Don’t trust email from someone you don’t know..

Password stealer - 1.1 million dollars.. a pretty big amount of money lost in a very short time..

I don't know if we are going to see more and more password stealers...
But I do know the complexity to avoid AV will increase.

The Nordea attack is almost like a chess game - they figure 4-5-6 steps ahead...
This is fascinating as a trend but not as malware...
The information gathered from multiple victims was taken from multiple servers and countries..

One of the only things Nordea could have done is to inform customers that they are not going to use the internet for passwords.. etc..

People have to treat the internet as a really bad neighborhood...

Discussion on information disclosure

How much information do we share with customers - or other vendors... if you put 2 security researchers in a room and ask this question - they will start to fight... this is a very volatile discussion
Joined by:
Joe Telafici - Fitch, since the mid-90s with Symantec.. running AV
Kevin Beets - Foundstone - started as an admin with PIX & CP - moved to Foundstone.. acquired by
2 different positions..

Joe Telafici: more closed-information minded - because of historical and recent reasons..
Kevin Beets: I am on the full-disclosure side following responsible disclosure!! I don't think hiding the information is the way to go ..

What level? Is there a minimum level that we can share?

In the AV industry - we only share with people who we know personally - people that we trust - people that we are confident, if we give them a sample, are not going to share it with anybody else... and NOT infect other people in any shape or form... this is not a company effort but a people effort...
All cooperation in AV occurs at a personal level - a researcher at McAfee trusts someone at Symantec or Kaspersky - trusts them that they can be handed a loaded gun and it will not point back...
That being said.. there has been a lot of change.. there are many groups starting to share information...

Kevin: we should share them all...

On the malware side - not a lot of that is shared - much is closely held
On the vulnerability side - it is public and it is out there..

There is a difference between disclosing a vulnerability and posting a malware exploit... there are different levels of damage that can be done...

Analogy: describing how to build a bomb is one way
Giving someone else a bomb is a different way...

It depends!!!

Also depends on whether the malware is replicating or not - a single accident or many people

All these rules were put in place because at the end of the 80s / early 90s researchers were sending samples widely.. accidentally, in good faith.. running samples in the lab, not realizing the FW was open and infecting other people..

Fitch - I have never touched a single piece of malware since becoming VP at McAfee because I am not up to date any more..
And accidents happen - I have watched people with 10-15 years of experience accidentally double-click a piece of malware.. launch a piece of malware.. if you don't have both technological and physical policies to handle this - because bad things are going to happen eventually
We don't only have to know how to handle it properly BUT also how to remediate the problem..

Kevin and Fitch both agree on disclosure

PoC disclosure - you need a little skill set to cause damage..

It is interesting when you have 2 people who think they are in different positions but actually they are in pretty close positions ..

Does the information we share give people ideas???
Kevin: I don't think so! If you are interested in security..
Fitch: thinks it depends on who the people are we give information to..
Dave: Fitch, you are not allowed to use "it depends" anymore!! :)

If it were this simple - I would not have a job..

I have watched this happen... I was standing next to Greg Hoglund when he started to write the first anti-rootkit

We do a lot of things with AV behavior.. but we never discuss it... because we don't want people to know what we are doing..
Certainly anybody can pick up a good debugger to reverse engineer it.
We can make it hard - very hard - but we cannot make it impossible to reverse engineer!!

I have watched techniques that are fairly simple - trivially simple - but it took 4-5 years for the malware community to figure out a workaround - because they don't know why we are doing it...
But once a smart guy found it... discussed it in a discussion forum.. today that feature is useless..

If we had talked about it - it would not have lasted a year.. it would not have provided any benefit!!
We have detected 100k malwares.. without lifting a finger!!

If you look at MyDoom - the first MyDoom was written by someone that we never caught - but then he released the source code... and weeks later many variants came to life..

We caught a kid who wrote the variant.
This kid would never have written anything on that scale on his own!!!!

We still get MyDoom variants floating around - as the result of that source code being released..

Yes - once the genie is out of the bottle we can't put it back. But we can make it difficult for ourselves or we can make it really difficult for ourselves!!!!

The foundstone is available for people…
