Re: [Full-disclosure] [SCADASEC] 11. Re: SCADA Security - Software fee's
Mr. Kletnieks,

This list's lack of usual moderation does not mean your opinion is either respected, welcomed, or desired by anyone. Like my father always says, Give a nigger a podium and he'll rap for anyone. Give a white man a podium and he'll beat his chest like a primate and spew mindless propaganda to anyone that will listen with the hope that the senseless banter will impress those less intelligent than he. And you, my friend, are not black.

-bm

On Sat, 21 Feb 2009 21:30:01 -0500 valdis.kletni...@vt.edu wrote:
> On Fri, 20 Feb 2009 09:24:29 EST, Smoking Gun said:
>> Ironically, your own "company" offered penetration testing services at the insane pricing scheme of "we'll pentest0r joo for free and if we find something you can pay us to find other holes!".
>
> And how, exactly, is that an insane pricing scheme? If you think about it for a bit, it actually makes quite a bit of sense - Snosoft needs to prove they're in fact good enough to be able to find the holes you're paying them to find, or it doesn't cost anything. That *sure* as hell beats paying $100K for a pen test, and then finding out that you hired a bunch of asswipes who can't find holes.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Oh Yeah, botnet communications
On Thu, Feb 19, 2009 at 21:21, valdis.kletni...@vt.edu wrote:
> On Thu, 19 Feb 2009 23:38:37 EST, T Biehn said:
>> God Valdis, Don't concentrate on the mundane, the core issue is the unpredictable nature of it. You have them all coordinate reading the news at 12:00 AM GMT. You build some silly algorithm that ensures they pick the right article.
>
> Right, so now you need this insanely complicated system to make sure that you get the right article at midnight, even if you have a race condition or you're getting an old copy because of a caching proxy in the path or if they hit different boxes on a load balancer and the articles update a few seconds apart, and then make sure they all pick the right article - which means they need to *agree* on the right article without knowing for sure what article the *other* bots are looking at.
>
> And that also means that the botnet owner (or at least a system they have) has to *also* be online so it can also check CNN and figure out what domain to register - which sucks if Godaddy just put up the "Down for 3 hours due to unexpected system problem" sign or any of a zillion other failure modes in trying to register that next domain in real time. You can't register the next 3-4 days' worth of domains ahead of time and make sure they went live. Lots of failure modes there.
>
> Or you can just hash the damned clock once an hour, which seems to be quite sufficient to keep the average botnet running. *THAT* is why they don't base it off a news RSS feed - all these mundane issues make it *harder*. You wanna do it the hard way that has more ways to fail and sprout bugs, be my guest. Most of the coders out there prefer something just a bit simpler.

Not necessarily as insanely complicated as you might think - an RSS feed can include some interesting numbers, such as stock quotes, etc., where the non-integer portion of the number(s) is pretty random, and reporting on them is pretty standardized.

And, I don't think, for the purposes of discussion, it *has* to be an RSS feed. It could be any publicly available, regularly updated text, including www.wsj.com.

Kurt
Re: [Full-disclosure] Oh Yeah, botnet communications
I was going to toss it out there in my first post that they could just expose an interface or load in a script to autonuke once deriving the algorithm. The point really wasn't this trick (which was about eliminating LEAD-TIME); it was more so to prompt a discussion around various trivial tricks to write a more 'reliable botnet'. Such as the idea brought up to use alternative feeds rather than news, and then the input of using the result to pick a range of IPs (lead time enables whitehats to secure boxes that would be hit FIRST) as control points; the C&C ports would also be randomly chosen from this as well. Combined with encryption you can't really write a signature, unless (and Valdis will point this out in between bouts of twirling his moustache) of course you have a script that alerts on any traffic on the given port.

-Travis

On Sat, Feb 21, 2009 at 9:26 PM, valdis.kletni...@vt.edu wrote:
> On Fri, 20 Feb 2009 10:48:17 PST, Gary E. Miller said:
>> Or how about yesterday's close of the S&P 500 or Cisco stock? Or maybe yesterday's Lotto numbers. Maybe a hash of all the above. This would drive bot hunters nuts. Until they reverse engineer the new scheme. Since the scheme is in every bot it would just take some reverse engineering.
>
> Thank you for noticing that detail. ;)
>
> And since *some* people need it spelled out for them in excruciating detail: Currently, hashing the current time is good enough, because it works just fine until the bot hunters capture a copy and reverse engineer it to find out *what* hash function you're using. If you make a botnet that instead looks at the news articles at 12:01AM, or the S&P 500, or anything like that, it's more complicated code, so it will take longer to reverse engineer. But once that happens, the bot hunters can *also* look at the 12:01AM news, and submit the "nuke a domain" request at 12:03AM, or look at the S&P 500 at the close and submit the "nuke a domain" request, or whatever is needed.
>
> In other words, the *only* thing all this code does is buy you an extra few days (tops) while the bot hunters reverse engineer your more complicated code. Once they do that, it's *no better at all* than something simple like hashing the time. And unless you're *really* a superstar coder (rather than just somebody who *thinks* they are), there's a really good chance that the bot hunters (who have access to some *real* superstar RE guys) will actually be able to RE your code faster than you wrote it. Taking 3 days to write and test code that gets broken in 2 days is a losing proposition.
>
> You want to make it more difficult for the bot hunters, spend more time devising ways to make the code harder to reverse engineer - that will buy you benefits *across the board*, as not only the hash function gets harder to reverse engineer, but all the *rest* of the code (little details like how your C&C works, or what payloads/attacks you have onboard, etc) also gets harder to do.
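Valdis's point above, that a "hash the clock once an hour" scheme is fully predictable once it has been reverse engineered, from the bot hunters' side, as an added example that is not code from this thread or from any real botnet: a hypothetical toy hour-hash scheme stands in for the recovered algorithm, the defender precomputes the names it will produce over the next 72 hours (the 3-4 day lead window mentioned above), and matches them against constructed DNS log lines in an assumed `<timestamp> <client-ip> <queried-name>` format. The reserved `.example` TLD and the SHA-256 bucket scheme are assumptions for the illustration only.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Hypothetical stand-in for a reverse-engineered "hash the clock once an hour"
# scheme (assumption: not any real botnet's algorithm). Maps one UTC hour to
# one name under the reserved .example TLD, so nothing here resolves.
def hourly_name(when: datetime) -> str:
    bucket = when.astimezone(timezone.utc).strftime("%Y-%m-%d-%H")
    digest = hashlib.sha256(bucket.encode()).hexdigest()
    return digest[:12] + ".example"

def predict_names(start: datetime, hours: int) -> dict:
    """Defender-side precomputation: every name the scheme will yield over the
    next `hours` hours, keyed by name so lookups from log lines are O(1)."""
    return {hourly_name(start + timedelta(hours=h)): start + timedelta(hours=h)
            for h in range(hours)}

def match_dns_log(lines, predicted: dict) -> list:
    """Return (client, name) pairs whose queried name is in the predicted set.
    Assumed log format: '<iso-timestamp> <client-ip> <queried-name>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than failing on them
        _ts, client, name = parts
        name = name.lower().rstrip(".")  # normalise case and trailing dot
        if name in predicted:
            hits.append((client, name))
    return hits

# Constructed sample input: a pretend capture time and two log lines, one of
# which queries the name the scheme yields for the hour after capture.
CAPTURE_TIME = datetime(2009, 2, 21, 12, 0, tzinfo=timezone.utc)
PREDICTED = predict_names(CAPTURE_TIME, 72)   # the 3-day lead window
SAMPLE_LOG = [
    "2009-02-21T13:04:10Z 10.0.0.5 " + hourly_name(CAPTURE_TIME + timedelta(hours=1)),
    "2009-02-21T13:05:00Z 10.0.0.7 www.wsj.com",
]

if __name__ == "__main__":
    for client, name in match_dns_log(SAMPLE_LOG, PREDICTED):
        print(f"{client} queried predicted rendezvous name {name} "
              f"(slot {PREDICTED[name].isoformat()})")
```

The same precomputed set is what a "nuke a domain" or sinkhole request would be built from; the reverse-engineering step, not the matching, is the only thing the scheme's complexity delays.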