Wednesday, April 11, 2007

Training an IDS

Thanks to the newly named Threat Level I read Women at Love Field 'Acting Suspiciously' and Airport Watch Figure Confirms Terrorist Tie. You can obviously make up your own mind about these two, but I'm glad the police were alert enough to grab them. Here are a few choice quotes. I promise to tie this to digital security.

"I'm a trained sniper and proud of it," Ms. Al-Homsi said in an interview Thursday after first refusing to comment on whether she has any terrorism ties. She then said no.

Unless this is a lie, I doubt this lady received training in the US military. So where else would she be trained to be a sniper?

She said that she practices her rifle skills at the Alpine Shooting Range in Fort Worth. An employee confirmed that she's been going there for years.

"In all the Muslim garb, shooting an assault weapon, it seemed at first like she was trying to draw attention," said Dave Rodgers. "But then she came out so much, it became normal."
Hmm, like that back door installed before you started looking for it? Assuming the "sniper" really is a threat, it sounds like she trained shooting range employees to accept her as normal simply by being a frequent customer -- like that regular 2 am data transfer out of your site. It must be an authorized backup activity, right? It's always happening. That makes it normal... I hope?
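To make the "it became normal" problem concrete, here is a small added illustration (my own, not code from the post): a self-learning detector that treats a destination/hour pair as normal once it has recurred a few times, next to a fixed policy rule that checks large off-hours transfers against a change-controlled allowlist. The flow records, hostnames and the allowlist are constructed placeholders.

```python
from collections import deque

# Assumption: an allowlist of (destination, hour) pairs that change control says are
# authorized. Anything this list does not cover is "unexplained", however familiar.
AUTHORIZED_TRANSFERS = {("backup.corp.example", 3)}


def nightly_flows(days):
    """Constructed outbound flow summaries: (day, hour, destination, bytes_out)."""
    flows = []
    for day in range(days):
        flows.append((day, 2, "203.0.113.7", 500_000_000))          # the regular 2 am transfer
        flows.append((day, 3, "backup.corp.example", 300_000_000))  # the real backup
        flows.append((day, 14, "cdn.example.net", 2_000_000))       # ordinary daytime traffic
    return flows


class LearnedBaseline:
    """Anomaly detector that calls a (dst, hour) pair normal once it has been seen
    at least `min_seen` times in the trailing `window` days. Frequency is all it
    learns from, so a persistent attacker trains it just by showing up every night."""

    def __init__(self, window=14, min_seen=3):
        self.window, self.min_seen = window, min_seen
        self.history = deque()  # (day, (dst, hour))

    def observe(self, day, hour, dst):
        key = (dst, hour)
        while self.history and self.history[0][0] <= day - self.window:
            self.history.popleft()  # forget observations outside the window
        seen = sum(1 for _, k in self.history if k == key)
        self.history.append((day, key))
        return seen < self.min_seen  # True means "raise an alert"


def policy_check(hour, dst, nbytes, threshold=100_000_000):
    """Fixed rule: a large transfer outside the allowlist is reportable every night."""
    return nbytes >= threshold and (dst, hour) not in AUTHORIZED_TRANSFERS


def run(days=14):
    """Return (alerts from the learned baseline, alerts from the policy rule)."""
    detector = LearnedBaseline()
    learned_alerts, policy_alerts = [], []
    for day, hour, dst, nbytes in nightly_flows(days):
        if detector.observe(day, hour, dst):
            learned_alerts.append((day, hour, dst))
        if policy_check(hour, dst, nbytes):
            policy_alerts.append((day, hour, dst))
    return learned_alerts, policy_alerts
```

Over two weeks the learned baseline stops alerting on the 2 am transfer after day 2, while the policy rule flags it every night and never fires on the authorized backup.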

4 comments:

Ayisha said...
This comment has been removed by a blog administrator.
Anonymous said...

A couple of weeks ago one of our pen-testers was doing work for a client that happens to be a large utility company.

His probes were getting completely dropped by the front-line IDS. He was about to give up and write the report.

Then he had a bit of inspiration. He had found out they hosted their own web sites. So he started surfing the site, signed up for an account on one of their services, and then relaunched his probes.

The probes got through this time, and he was able to aggressively scan the front-line and DMZ hosts. Recursion was enabled on their DNS so he was able to probe way into their internal structure as well.

The worst finding was that they were depending on Secure Works for real-time monitoring and alerting. After he began looking like a real customer, Secure Works didn't note anything and the utility's security manager never received an alert.

Bunda Pakistani said...

"We were watching the airplanes," Ms. Al-Homsi said. "That's not a crime, unless you're Muslim."

Richard Bejtlich said...

Anybody acting like they did would be apprehended and questioned.