[SecurityRatty] tag: transmit

EPTS: Proposed Event Processing Definitions, September 20, 2006

Thu, 21 Aug 2008 01:47:11 +0000

For interested readers, here are the event processing definitions we provided to the (future) EPTS working group on September 20, 2006, coordinated (edited) by David Luckham and Roy Schulte;

adaptive process management (n.) an element of resource and business process management, adaptive search and event processing. Sometimes referred to as “Level 4” event processing or process refinement.

application concept (n.) a definition of a set of properties that represent the data fields of an application entity. An application concept can describe relationships among themselves. For example, an order concept might have a parent/child relationship with an item concept. A department concept might be related to a purchase requisition concept based on the shared property, department_id. Application concepts can include an application state model.

application state modeler (n.) a UML-compliant application that allows you to model the life cycle of a concept instance — that is, for each instance of a given concept, you can define which states it will pass through and how it will transition from state to state. States have entry actions, exit actions, and conditions, providing precision control over the behavior of an event processing agent. Transitions between states also may have rules. Multiple types of states and transitions maximize the versatility and power of the application state modeler.

derived event (n.) an event that is created as a result of processing one or more other events.

complex event (n.) an event that is a situation-entity abstraction of two or more simple, derived or other complex events.

complex event processing (n.) CEP is a technology for extracting information from message-based systems. CEP is primarily an event processing concept that deals with the task of processing multiple events from an event cloud with the goal of identifying the meaningful events within the event cloud. CEP employs techniques such as detection of complex patterns of many events, event correlation and abstraction, event hierarchies, and relationships between events such as causality, membership, and timing, and event-driven processes.

event (n.) a instance of an event definition. It is an immutable object that represents a business activity that happened at a single point in time. Just as one cannot change the fact that a given activity occurred, one cannot change an event — events are immutable.

event aggregation (n.) the aggregation of simple, derived or complex events into higher levels of event abstractions.

event definition (n.) a set of properties related to a given activity that represents an important or interesting change of state in a human, system or computational activity. An event definition includes event properties such as event priority, event time to live (TTL), and a description of the payload, which is comprehensive information related to the activity that occurred. Events expire when the TTL has elapsed, unless the event processing agent has instructions to consume them prior to that time.

event channel (n.) a communications channel in which events are transmitted from event source to event receivers, typically received as electronic messages. Each channel can have multiple destination and. events can be configured to transmit to a default destination. JMS is an example of an event channel.

event cloud (n.) a partially ordered set of events (poset), either bounded or unbounded, where the partial orderings are imposed by the causal, timing and other relationships between the events. Typically an event cloud is created by the events produced by one or more distributed systems. An event cloud may contain many event types, event streams and event channels. The difference between a cloud and a stream is that there is no event relationship that totally orders the events in a cloud.

event-driven (n.) the behavior of a human, system or computational entity whose execution or actuation is in response to events, typically received as electronic messages.

event-driven architecture (n.) an architectural style for distributed computing applications in which some of the components are event-driven and communicate by means of events.

event processing (n.) computing that performs operations on events, including modifying, creating and destroying events.

event-object (n.) an software object that represents an event, generally for the purpose of computer processing, that exhibits both encapsulation, inheritance and polymorphism.

event prediction (n.) computational activity where the impact of events, complex events, and situations caused by events identified, including both opportunity or threat. Sometimes referred to as “Level 2” event processing, impact assessment or predictive analytics.

event pre-processing (n.) computational activity where events are cleansed or normalized to produce semantically understandable data. Sometimes referred to as “Level 0” event processing.

event processing (n.) computational activities on events dealing with the association, correlation, and combination of event data and information from single and multiple event sources to achieve refined identity and situation estimates for observed event objects, and to achieve complete and timely assessments of opportunities, threats, and their significance. Event processing is characterized by continuous refinements of event estimates and assessments and by evaluation of the need for additional sources, or modification of the process itself, to achieve improved results.

event processing agent (n.) an EPA is a computational entity that performs event processing.

event processing network (n.) a set of event processing agents and a set of event channels connecting them.

event properties (n.) data representation of an event, typically by name-value pairs of type string, integer, real, boolean or a complex data type.

event refinement (n.) filter, identify and track events & make initial processing decisions based on association, correlation and state estimation. Sometimes referred to as “Level 1” event, or event-object, track and trace.

event stream (n.) a time-ordered sequence of events. An event stream may be bounded by a certain time interval or other contextual dimension (content, space, source, certainty), or be open ended and unbounded.

event stream processing (n.) a time-ordered sequence of events. An event stream may be bounded by a certain time interval or other contextual dimension (content, space, source, certainty), or be open ended and unbounded.

rule (n.) defines what triggers unusual, suspicious, problematic, or advantageous activity within an event processing agent and what the EPA does when it discovers these types of activities. Rules execute actions based on certain conditions on events, instances, or a combination of both. A rule includes a group of condition-rule statements and action-rule statements. The condition statements instruct the EPA what to look for in events, and action statements instruct the EPA how to respond when conditions are met. If all the conditions in a rule are satisfied by events or instances or both, the EPA fires the actions. The action might be to execute tasks, create an event instance, modify property values in an event instance, create and send an event, or something else.

rules engine (n.) a type of event processing agent that uses a declarative programming model to process events. Formally described as “an abstract structure that describes a formal language precisely, i.e., a set of rules that mathematically delineates a (usually infinite) set of finite-length strings over a (usually finite) alphabet“. Informally, it can be any system that uses rules, in any form, that can be applied to data to produce outcomes.

rule language (n.) is an artificial language that is used to control the behavior of an event processing agent. Rules languages, like human languages, have syntactic and semantic rules to define meaning.

situation refinement (n.) identify situations, or complex events, based on event clustering, event-event relationships and relationship analysis and context. Sometimes referred to as “Level 2” event processing.

simple event (n.) an event that is not an abstraction or composition of other events.

virtual event (n.) an event that is imagined, modeled or simulated.

Note: The Emerging Technologies Engineering Team at TIBCO Software significantly contributed to these event processing terms and definitions.

Security Through Visibility - Montego, Lancope and NetFlow

Wed, 30 Jul 2008 17:57:06 +0000

We've probably all heard that you can't secure what you can't see and that statement is even more profound when it comes to virtual environments. This is because it is extremely challenging to see what is going on at a micro vs. macro level within a virtual environments network. The virtualization vendors such as VMWare and Citrix have provided embedded tools into their management consoles that show a macro level of visibility but its not enough to identify security events in the environment. Take a look at the attached picture. It simply shows VMWare's ability to monitor virtual network performance statistics from a bits per second perspective.

<-Click To Enlarge

With only this level of detail how can one determine which network applications are causing spikes. Is it FTP traffic that is occuring at a high volume at an unuseal time of day? If that were occuring, could that be indicative of either a breach or some sort of problem? What if FTP isn't even an authorized service in the virtual environment but there is a high volume of it? Did someone install a rouge FTP service so they could steal information from the server at will?

These types of questions can't really be answered without a micro level of detail into the packets flowing in, out and within the virtual environment. Now, what I am highlighting is not security in the traditional sense of prevention but using visibility as a means to first identify, then pin point the source of an issue so that it can properly be mitigated. Having constant visibility can also ensure that other security products in the environment are performing as expected. What if a Montego HyperSwitch with firewalling enabled is configured with many policies but someone forgot to create an FTP block policy. One could think they are protected from rouge FTP services transmiting data out of the network, but without constant visibility monitoring, can you be certain?

Some vendors, namely Reflex Security will get you to believe that their IPS / IDS solution that is inline and running in the virtual environment is the right and only approach. Or they will tell you to hang a virtual IDS off a span port in the virtual environment and you will at least have visibility into the attacks that are taking place. Well, sure... You now have attack visibility but at the performance cost of your virtual environment. Signature matching technologies are great, I'm a huge believer; however they don't scale very well in shared computing environments such as virtual ones. IDS systems also don't typically track protocol and network service (FTP, HTTP, etc.) utilizations; which is another important part of visibility.

So, what do we do to gain visibility without the performance headache? Well, for starters its probably best to put your IDS/IPS solutions in the physical environment where performance will be less of a concern. In fact, you can span a virtual switch's traffic out to a physical NIC as easy as you can to a virtual one. So why do it virtual and have to pay a 60% CPU utilization tax? Another solution is to IDS inspect only the things you care about. Why IDS inspect SSL traffic if you know your solution can't unencrypt SSL. Its just a waste of compute cycles isnt it? Policy based switching helps you with directing only the things you care about to an IDS (attack visualization product). Montego's HyperSwitch also can help you with the traffic redirection of only the things you care about.

Another method of visibility which I tend to be a fan of is one of packet analysis (aka NetFlow). NetFlow was invented by Cisco some time ago and has gained popularity in the physical world and definately has a use in the virtual world. NetFlow is lightweight. Let me say that again, its light weight! It only sends a summation of packet detail to an analytical engine which can do some number crunching, packet comparison, etc. etc. to make some sense out of whats going on. Lancope, an Atlanta based visibility company that provides Network Visibility, Security Visibility and User Visibility has this tool on their website that is a Netflow Bandwidth calculator. You'll see from playing with this ( http://www.lancope.com/netflowcalculator.aspx ) calculator that it doesn't consume a lot of network bandwidth to transmit these network accounting records. It also doesn't cause a lot of CPU overhead to send these records to an analytical engine sitting somewhere in the network.

Lancope's analytical engines have the ability to do the following for you within your virtual environment:

Slide 3

•Monitor and Alert network behavior of VMs
•Track Vmotion movement of VMs accross physical servers
•Monitor and Alert on communication between VMs
•Identify users accessing VMs
•Identify unauthorized or rouge VMs
•Monitor and Alert when VM’s go online or offline
•Identify network services running on VMs
•Monitor Network / Application performance of VMs
Display active hosts accessing VMs

...and probably a slew of other things I'm not aware of. A screen shot of their product is bellow:

<- Click to enlarge

You'll notice from the screenshot that you are able to visualize who is talking to who, how much traffic they have sent and received and something called a concern index (not seen on this screenshot).

Now, a concern index is a number that increases as Lancopes analytical engines monitor suspicious activity on a session. A high counter can be indicative of a security problem. Its another way of identifying (visualizing) compromised hosts (virtual machines) without having to do signature matching like a heavy weight IPS engine. Example: Lets say you have a VM that has a BOT on it and is "owned". The Lancope product is monitoring this long life session. Let's say that session is established for several hours or maybe even days or months. Lets also say that the conversation appears to be mostly unidirectional from a public ip address not belonging to your enterprise. Lancope would increase a the concern index on this since this server hasn't typically had this type of behavior. Once the concern index reached a certain level it could then fire off an email, send you a text message or something saying: Warning, Warning, Danger, Danger Will Robinson!!! You're virtual server may be infected with a BOT, please investigate immediately!!!

This example is VISIBILITY which helps you with SECURITY. There are a number of other things you can do with NetFlow and Lancope products that have less to do with security and more to do with operational efficiencies. Things like, helping you answer questions of: How do I know what network applications are taking up the most bandwidth? When should I move those applications over to a server with more horsepower? When did these VM's vmotion over here and was there a traffic condition / CPU condition that caused that to occur? I could go on and on but thats a topic for another blog entry.

So, my suggestion is to take a look at what NetFlow has to offer. Montego Networks supports NetFlow transmission and Lancope supports NetFlow analytics and with both you can regain what was lost visibility.

I hope this was helpful to you all!

-John Peterson

Security Through Visibility - Montego, Lancope and NetFlow

Wed, 30 Jul 2008 17:57:06 +0000

<-Click To Enlarge

Lancope's analytical engines have the ability to do the following for you within your virtual environment:

Slide 3

???Monitor and Alert network behavior of VMs
???Track Vmotion movement of VMs accross physical servers
???Monitor and Alert on communication between VMs
???Identify users accessing VMs
???Identify unauthorized or rouge VMs
???Monitor and Alert when VM???s go online or offline
???Identify network services running on VMs
???Monitor Network / Application performance of VMs
Display active hosts accessing VMs

...and probably a slew of other things I'm not aware of. A screen shot of their product is bellow:

<- Click to enlarge

I hope this was helpful to you all!

-John Peterson

Times Up IPv6 OMB Mandate

Mon, 30 Jun 2008 15:27:18 +0000

Three years ago, the OMB set a June 2008 deadline “by which all agencies’ infrastructure (network backbones) must be using IPv6 and agency networks must interface with this infrastructure.”

Agencies are supposed to demonstrate that they can:

Transmit IPv6 traffic from the Internet and external peers, through the core (WAN), to the LAN.
Transmit IPv6 traffic from the LAN, through the core (WAN), out to the Internet and external peers.
Transmit IPv6 traffic from the LAN, through the core (WAN), to another LAN (or another node on the same LAN).

(Source: OMB IPv6 FAQs)

One year ago, the OMB reviewed the Enterprise Architecture Assessment Framework results and found that six of the twenty-four agencies were on track to achieve the June deadline. Two months ago, there was a good article by Carolyn Marsan Duffy about the status of compliance. Take a look at this article because it seemed like there was a lot of backpedaling going on about meeting the date – using phrases like “we don’t like the term mandate” and “more of a recommendation than a mandate.” At the time, only three agencies were in compliance.

Duffy just wrote an updated article, “Feds say they have aced IPv6 deadline”, and suddenly two months later, all lights seem green. As of June 24, ten of the twenty-four agencies sent emails to the OMB stating that “they have successfully transmitted IPv6 packets”. Fourteen still need to report in, but none have asked for an extension. And all of it was done through the regular tech refresh budget over the past three years. So if this is true, kudos to the feds!

Right around the time of the first not-so-rosy article, we ran a survey at FOSE, the big federal government IT show. We asked attendees if their agencies would be ready by the deadline:

33% said they would be ready
6% said they were already there
33% said they would NOT be ready
About a quarter didn’t know

What was really interesting is that we asked this same question in 2007, and the audience was equally split (yes/no) on whether or not their agencies would meet the mandate – 1 in 5 (2007) instead of 1 in 3 (2008).

So what can explain these numbers? Surprisingly, out of the attendees we talked to, only 65% of them said that IPv6 is important to their operations, making it second to last on the list of IT priorities covered by the survey. Maybe the answer lies in the relative “unimportance” of the milestone – that just the network backbones (and the routers supporting them) be capable of passing IPv6 packets. The true test for government IT workers will be when actual IPv6 applications must be supported which will impact networks, systems, application and monitoring tools throughout the government.

So was this a nice checklist item for the Bush administration? This initial deadline is the only one for IPv6 mandates from the current OMB incarnation. Actually running IPv6 applications, that’s a whole ‘nother story, apparently for a new administration.

ShareThis

Storm Worm Hosting Pharmaceutical Scams

Fri, 30 May 2008 10:50:06 +0000

With Storm's recent SQL injection and introduction of several new domains within, the very latest additions to their domain portfolio are the following domains (naturally in a fast-flux provided by already infected hosts) hosting pharmaceutical scams :

producemorning.com
pressrose.com
posestory.com
picturewest.com
lowsmell.com
catsharp.com
printlength.com

All of the domain's DNS entries are set to update every 2 minutes, meaning they every 2 minutes another 20 different and infected IPs will be hosting the domains, which on the other hand logically have identical WHOIS entry records :

Administrative Contact:
WenFeng NO.397,zhuquedadao street,xian
City,shanxi Province xi an Shanxi 710061 CN
tel: 298 5228188
fax: 298 5393585
yayun22@163.com

It's also worth pointing out how they emphasize on the benefits of SSL based transactions, when none of the sites is supporting SSL, but is doing something a great number of phishers do - they've changed the favicon to a key lock looking one, since maintaining a SSL infrastructure on the infected hosts is both, unpragmatic, and a bit unnecessary if they social engineer the visitor :

"SSL Encryption or Https is a technique used to safeguard private information which is sent via Internet. To prove the site's legitimacy, the SSL encryption uses a PKI (Public Key Infrastructure) - public/private key, to encrypt IDs, documents, or messages to securely transmit the information in the World Wide Web. In order to show that our transmission is encrypted, most browsers will display a small icon that would look like a pad "lock" or a key and the URL begins with "https" instead of "http". SSL Encryption or https from a digital certification authority will helps the secure web site with confidential information on web. "

With pharma masters increasingly using fast-flux to increase the survivability of their domains participating in affiliation based pharmaceutical affiliate programs, Storm Worm is anything but lacking behind programs that connect scammers and (infected) infrastructure providers.

Related posts:
All You Need is Storm Worm's Love
Social Engineering and Malware
Storm Worm Switching Propagation Vectors
Storm Worm's use of Dropped Domains
Offensive Storm Worm Obfuscation
Storm Worm's Fast Flux Networks
Storm Worm's St. Valentine Campaign
Storm Worm's DDoS Attitude
Riders on the Storm Worm
The Storm Worm Malware Back in the Game

Three computers at the University of Colorado are compromised

Wed, 30 Apr 2008 04:54:01 +0000

Technorati Tag: Security Breach

Date Reported:
4/25/08

Organization:
University of Colorado

Contractor/Consultant/Branch:
University of Colorado at Boulder

Victims:
Students and instructors involved with the Division of Continuing Education and Professional Studies between 1997 and 2003.

Number Affected:
~9,500*

*According to the school's response, "approximately 9,000 students, and approximately 500 instructors"

Types of Data:
"names, Social Security numbers, addresses, grades"

Breach Description:
"The University of Colorado at Boulder has announced that it discovered three computers in the Division of Continuing Education and Professional Studies were compromised and that one of the computers contains private data (i.e. names, Social Security numbers, addresses, grades) of approximately 9,000 students, and approximately 500 instructors."

Reference URL:
University of Colorado at Boulder
KUSA Channel 9 News
KJCT Channel 8 News
FOX News Colorado

Report Credit:
University of Colorado at Boulder

Response:
From the online sources cited above:

BOULDER - The University of Colorado at Boulder announced Friday that three computers in the Division of Continuing Education and Professional Studies were compromised, leaving nearly 10,000 people open to potential identity theft.
[Evan] It's not clear whether or not these computers were client computers or servers.

CU Boulder IT security investigators on Thursday discovered a malicious file on the computers and began analyzing log files to determine the extent of the exposure and whether any information was accessed.
[Evan] Hmm. A "malicious file" could mean a lot of things.

Investigators are still trying to determine the intent of the malicious file and whether it allowed the perpetrator to gain access to any private data.
[Evan] The school must think that there is a chance that the intent of the malicious file was to capture and transmit sensitive information and that there was a chance of success. Otherwise, why would the school report it? If it were a run of the mill virus (supposing one exists nowadays), would you report it? Hard to say.

Bronson Hilliard, a spokesman for CU-Boulder, says one of the three computers had personal data, including names, Social Security numbers, addresses and grades, of about 9,000 students and about 500 instructors.
[Evan] Should we assume that these were client computers and that "had" means stored?

"The university and I are deeply troubled that this compromise occurred despite efforts under way across campus to address computer security," stated Chancellor G.P. "Bud" Peterson

"We will continue and strengthen our security efforts and hold our departments accountable for their success."
[Evan] Excellent quote, from G.P. "Bud" Peterson. The keywords that I really like are "continue", "strengthen" and "accountable".

Hilliard says they do not believe the data has been accessed, but CU is in the process of contacting the affected students and instructors by mail.

Officials say students and instructors who were involved in the Division of Continuing Education and Professional Studies between 1997 and 2003 were affected.
[Evan] Does the school still need to store personal information that is 5 - 11 years old?

CU says a computer forensics firm has been hired to conduct an analysis.

Over the past few years, the CU-Boulder campus has stepped up efforts to increase security awareness and address IT security.

These efforts have included:

Launching a campus risk assessment process in 2005 to identify campus IT security risks and to locate and eliminate unnecessary databases of social security and credit card numbers;
Switching from Social Security numbers to a student identification number system in 2005;
Using a restrictive network firewall installed in August 2006 that has greatly reduced the campus’s exposure to vulnerabilities;
Conducting computer security training for all employees.

Commentary:
Generally, I get the feeling that the University of Colorado is much better off in their information security efforts than most schools. The leader of the organization, G.P. "Bud" Peterson seems to be in touch based on his remarks, and this should not be undervalued. Organizational leadership is absolutely critical for the implementation and management of an effective information security program.

Let’s make some assumptions.

Assumption #1 - Most malicious files are obtained through web browsing and email. There are numerous controls that can prevent (or detect early) attempted infections through this avenue of attack. Are these in place at CU?

Assumption #2 - The compromised computers were client computers. Generally, it is not advised to store confidential information on client computers unless there is a compelling business case.

Assumption #3 - The compromised computers were servers and Assumption #1 is true. I have run into many cases where a server was compromised through administrator web surfing. I also used to remember when it was recommended that people not run anti-malware applications on servers (due to heavy I/O primarily). A tip: Don't surf the web from servers and in most cases run (and maintain) anti-malware applications on servers.

So, I make a lot of assumptions. Some may be true, and some may be so far off that I should be writing this article on the moon. Either way breaches get me thinking and thinking is mostly a good thing.

Past Breaches:
Unknown

The DDoS Attack Against CNN.com

Tue, 22 Apr 2008 15:30:53 +0000

The DDoS attack against CNN.com, whether successful or not in terms of the perspective of complete knock-out, which didn't happen, is a perfect and perhaps the most recent example of a full scale people's information warfare in action. Utilizing the bandwidth of the over 200 million nationalism minded Chinese Internet users, can greatly outpace any botnet's capacity if coordinated, or though the use of automated DIY tools, like the ones we've seen released for the purpose of attacking CNN.com

CNN.com was indeed inacessible for a period of three hours according to NetCraft, and literally any web site performance monitoring too with a historical perspective for a host can prove the same :

"The CNN News website has twice been affected since an earlier distributed denial of service attack last Thursday. CNN fixed Thursday's attack by limiting the number of users who could access the site from specific geographical areas. Subsequently, an attack was purportedly organised to start on Saturday 19th April, but cancelled. However, our performance monitoring graph shows CNN's website suffered downtime within a 3 hour period on Sunday morning, followed by other anomalous activity on Monday morning, where response times were greatly inflated. Netcraft is continuing to monitor the CNN News website. Live uptime graphs can be viewed here."

Unrestricted warfare is all about bypassing the most fortified engagement points, and achieving asymmetric dominance by excelling where there are no engagement points, in order for the attacker to enjoy the pioneer advantage. Now that CNN.com was indeed slowed down to a situation where it was unnacessible, what remains to be answered is how was CNN.com DDoS? Throught a botnet, or through the collective bandwidth of virtually recruited Chinese citizens? Despite that the common wisdom in terms of botnets used speaks for itself, this is China hacktivism and therefore common wisdom does not apply in an unrestricted warfare situation, and best of all data speaks for itself.

- Through the use of DIY DDoS Tools

Besides anticnn.exe which I assessed in a previous post, there's also the Supper DDoS tool that as it appears was also getting actively recommended for participating in the attack, courtsy of a Chinese script kiddies group. Some basic info :

Scanners Result: 3/32 (9.38%)
DDoS.Win32.Sdattack.A; DDoS.Trojan
File size: 1510643 bytes
MD5...: ed25e7188e5aa17f6b35496a267be557
SHA1..: 71138f0c0556dde789854398c3c7cde29352662b

For instance, Estonia's DDoS attacks were a combination of botnets and DIY attack tools released in the wild, whereas the attacks on CNN.com were primarily the effect of people's information warfare, a situation where people would on purposely infect themselves with malware released on behalf of Chinese hacktivists to automatically utilize their Internet bandwidth for the purpose of a coordinated attack against a particular site.

- Collectively building bandwidth capacity and mobilizing novice cyber warriors

What if a simple script that is automatically refreshing CNN.com multiple times in several IFRAME windows, gets embedded at thousands of sites, and then promoted at hundreds of forums, with a single line stating that - "If you're a patriot, forward this to all your friends"? Now, what if this gets coordinate to happen at a particular moment in time? This is perhaps the most realistic scenario to what exactly happened with CNN.com, and data speaks for itself, in fact I can easily state that the bandwidth generated by this massive PSYOPs campaign is greater than the one used by a botnet that's also been DDoS-ing CNN.com. All of these sites are basically refreshing CNN.com every couple of seconds, thereby wasting the sites's bandwidth, the only flaw of this attack approach compared to a botnet, is that all the participating hosts are Chinese, and therefore as NetCraft pointed out, CNN blocked access to certain countries, take these countries as China for instance. If it were a botnet used, the diversity of the infected hosts would have required more efforts into dealing with the attack, then again from another perspective regular web traffic compared to network flood is sometimes harder to detect as a DDoS attack.

hackerhf.com/cnn.html
80aft.com/cnn.htm
tom765.cn/cnn.html
ah930.com/cnn.htm
0851qiche.cn/cnn.html
xdadmin.com/cnn.html
ah930.com/cnn.html
s234sdf3.cn.webz.datasir.com/cnn.asp
bbscar.com.cn/cnn
120abc.cn/cnn.html
hospltal.cn/cnn.html
bbs.cityzx.cn/cnn.htm
bestmf.cn/cnn.html
anlycloud.com/cnn/cnn
qibubbs.net/ddoscnn.htm
maje.cn/cnn.html
edu.sina.googlepages.com/FuckCNN.htm
urlonline.com.cn/kaocnn.html
lmpx.net/cnn.htm
ily88.com/cnn.html
zjipc.net/cnn
axlovechina.cn/
idernice.com/cnn.asp
conncn.com/cnn.html
xuanxuanmu.000webhost.com/cnn.html
jianw1.cn/cnn.htm
bjzs114.com/cnn.htm
0851qiche.cn/cnn.html
yaanren.net/cnn.html
todayol.cn/cnn.html
17bnb.com/cnn.htm
hackerhf.com/cnn.html
hnjdbbs.com/cnn.html
sql8.net/cnn
bh125.cn/cnn.html
razorcn.cn/cnn.html
93HR.com/cnn.html
tke08.com/cnn.htm
vipeee.com/cnn.htm

This is also the statement made for the recruiting purpose across the forums, including remarks against France's policy against China :

Anti-CNN Plans v4.19

"Revenge of the flame - we, as the publicity in the network of special groups, we notice as follows: We are still able to recall that the Sino-US hackers exciting war, and that war, what are the reasons? That have taken place in Indonesia because of the large-scale anti-Chinese, the majority of Chinese women were raped, killed, and we Chinese hackers predecessors such unbearable humiliation, and from the other side of the ocean in advance of the attack, losing their right to. " cn "for China's first website launched a large-scale attack, but at that time the Chinese network is not very developed, we use the most immature way to attack, but in any case, we all expressed their intention by everyone, although we on the network do not know each other, but we have a common motherland.

We know that the 2008 Olympic Games will be held in our beloved motherland, which is the dream of the people look forward to for a long time, and we in the passing of the torch in the process of being repeatedly obstructed because we all know that, as an act of Tibetan independence elements each of us Mission hearts have a personal anger. Then we briefly look at the practice of France: France is now the largest in the protection of Tibetan independence, advocates in support of France is in support of splitting China, French President Sarkozy, the country is now the world just for a dare to openly resist Beijing Olympic Games President, the Chinese go-vern-ment has just come to an end with the French Airbus as much as billions of dollars in trade contracts. France on bad faith.

Recently, the United States "cnn" Since, as we said a number of Chinese people can not accept things, is that we are willing to endure, willing to yield? We plan on taking the lead in the 2008.4.19 "cnn" Web site attacks, as a Chinese, please support us.

Plot:
1, first of all, all the conditions for full, I expect four days later, in the - on April 19, 2008, 8:00 p.m., at www.cnn.com against a DDOS attack! More than three hours on the CNN Web site with the assistance of attacks, How DOS attack CNN website? If you are patriotic, please forward!

iframe Id="cnn" width="100%" height="100">
script>
Var e = document.getElementById ( 'cnn');
SetInterval ( "e.src = 'http://www.cnn.com'", 3000);
/ / 1000 said that 1,000 ms, you can modify and transmit

You can also directly open qibubbs.net/ddoscnn.htm open on the trip, you do not affect anything. I have to, I have friends in all of it again, the strong support of friends, and their repercussions great, and to many people, have been transmitted in other friend, a classmate now has begun to link their Web sites the I believe that compatriots in China, in collaboration with CNN article seconds click rate in the second can at least 50 million times, if the 200 million Internet users click on, I believe CNN, will be suspended instantaneous, as our fellow countrymen will be more hackers the chance to win big, exciting good mood now, and looks forward to 8:00 after we are all fellow hackers smoothly, we will sincerely pray that China win. The great motherland is not to take advantage of the separatist elements, all anti-China reunification of the sophistry of speech are all in vain Revenge of the flame - we, as the publicity in the network of special groups, we notice as follows:

We are still able to recall that the Sino-US hackers exciting war, and that war, what are the reasons? That have taken place in Indonesia because of the large-scale anti-Chinese, the majority of Chinese women were raped, killed, and we Chinese hackers predecessors such unbearable humiliation, and from the other side of the ocean in advance of the attack, losing their right to. " cn "for China's first website launched a large-scale attack, but at that time the Chinese network is not very developed, we use the most immature way to attack, but in any case, we all expressed their intention by everyone, although we on the network do not know each other, but we have a common motherland. We know that the 2008 Olympic Games will be held in our beloved motherland, which is the dream of the people look forward to for a long time, and we in the passing of the torch in the process of being repeatedly obstructed because we all know that, as an act of Tibetan independence elements each of us Mission hearts have a personal anger. Then we briefly look at the practice of France: France is now the largest in the protection of Tibetan independence, advocates in support of France is in support of splitting China, French President Sarkozy, the country is now the world just for a dare to openly resist Beijing Olympic Games President, the Chinese go-vern-ment has just come to an end with the French Airbus as much as billions of dollars in trade contracts. "

This particular DDoS people's information warfare attack against CNN.com is also a great example of a psychological operations (PSYOPS) chain-letter. Given China's 3.0 state of social networking, messages forwarding people to sites that would automatically refresh their browsers with CNN.com were distributed at over 5000 web forums, with a bit of propanga taste enticing everyone to forward the message by telling them "If you're a patriot forward this attack link", so if you don't, it means you're not a patriot, another indication of China's understanding of the effectiveness of psychological operations (PSYOPS) online.

Software and SoftwareVersion in Syslog?

Mon, 25 Feb 2008 14:00:00 +0000

The latest update of syslog IETF draft "The syslog Protocol draft-ietf-syslog-protocol-23" (here) enlightens its readers that it now has "structured data elements, which can be used to transmit easily parseable, structured information and allows for vendor extensions." Wow, amazing!

Have you ever seen a syslog entry that had "enterpriseId", "software", "swVersion" or something of that sort?

Why not? :-)

Links for 2008-02-04 [del.icio.us]

Mon, 04 Feb 2008 21:00:00 +0000

practical risk management: What is GRC vs. IT GRC - How does it help IT Security mature to the next level?
theBaum » Blog Archive » What Do We See “Standing on Our Own Platform”?
First, it’s our belief there’s a lot of money out there wasted on point products for managing networks, servers, applications … even security. A lot of these systems redundantly collect, transmit and store much of the same machine generated data. Th

Five stolen Florida Department of Children and Families laptops

Fri, 04 Jan 2008 07:12:20 +0000

Technorati Tag: Security Breach

Date Reported:
1/4/07

Organization:
State of Florida

Contractor/Consultant/Branch:
Department of Children and Families (DCF)

Victims:
Daycare workers in Orange, Seminole and Osceola counties

Number Affected:
"Thousands"*

*DCF is notifying about 1,200 day-care providers and their employees

Types of Data:
Names, addresses, Social Security numbers, and "other information"

Breach Description:
Five laptop computers were stolen from a Department of Children and Families (DCF) office near the Orlando Fashion Square Mall on November 7th and/or 8th, 2007. One or more of the laptop computers contained sensitive personal information belonging to thousands of day-care workers in Orange, Seminole and Osceola counties.

Reference URL:
The Orlando Sentinel Story

Report Credit:
Dave Weber, The Orlando Sentinel

Response:
From the source cited above:

Social Security numbers, birth dates and other information about day-care workers in Orange, Seminole and Osceola counties were among the data on five laptop computers that were stolen from the DCF office near Orlando Fashion Square mall in Orlando on Nov. 7-8.

there were no signs of forced entry at the DCF office.
[Evan] No signs of forced entry seems to imply that these laptops were stolen by someone who had legitimate access to the office (had keys) or that these laptops were stolen during business hours. You would think that it would be hard to walk out during business hours with five laptops.

the Florida Department of Children and Families is just now notifying about 1,200 day-care providers that their employees, as well as center operations, may be at risk.

The computers contained applications for child-care-center licenses. Centers are required to provide personal information on the applications, including employees' birth dates and Social Security numbers, so DCF can conduct background checks.
[Evan] I'm glad to read that DCF conducts background checks on day care workers. I am all for that. Storing the applications on a laptop computer that is not physically or logically secure is terrible security practice.

Officials said they don't know how many day-care employees' records were on the stolen computers.

DCF wanted to have a complete list of centers before contacting them. She said the agency had 45 days by law to notify those whose records were stolen. - DCF spokeswoman Carrie Hoeppner
[Evan] 45 days from November 8th is December 23rd, but there is also a provision in the law that states "Notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation." Maybe law enforcement led to the delay in notification. I would think that a complete list of daycare centers would be available as quickly as it takes to run a simple database query.

the agency also was concerned that the thieves might not realize they had potentially valuable data, and did not want to publicize it.

Hoeppner said she is unaware of any identity-theft crimes resulting from the computer thefts. But she acknowledged that an identity-theft victim may not have considered the DCF theft as the source of their trouble

Victim Reaction:

"They could get information on anybody who works in this place. They could get our Social Security numbers," said Tracey Batchelor, a worker at the Children's Garden Learning Center on University Boulevard in Orlando.

Commentary:
Here is an idea. Collect the necessary information on the application, enter the information into a secured database, then shred the application.

If you can't or don't know how to reasonably secure laptops and other mobile devices, then don't use them. If you can't or don't know how to reasonably secure confidential information, then don't collect, create, store, access, or transmit it. It would be nice if things were so easy, but unfortunately they aren't.

Access to confidential information must be strictly controlled including the restriction from copying to mobile devices (where possible) and use of strong encryption. Anyone who has read about other breaches has heard this all before.

The Florida breach notification statute is interesting and easy to understand:
817.5681 Breach of security concerning confidential personal information in third-party possession; administrative penalties.

"Notification must be made no later than 45 days following the determination of the breach unless otherwise provided in this section."

"Any person required to make notification under paragraph (a) who fails to do so within 45 days following the determination of a breach or receipt of notice from law enforcement as provided in subsection (3) is liable for an administrative fine not to exceed $500,000, as follows:"

"The notification required by this section may be delayed upon a request by law enforcement if a law enforcement agency determines that the notification will impede a criminal investigation. The notification time period required by this section shall commence after the person receives notice from the law enforcement agency that the notification will not compromise the investigation."

"If a person discovers circumstances requiring notification pursuant to this section of more than 1,000 persons at a single time, the person shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. s. 1681a(p), of the timing, distribution, and content of the notices."

Past Breaches:
Unknown