Comments on TaoSecurity Blog: Three Capabilities, Three Companies
Blog author: Richard Bejtlich (http://www.blogger.com/profile/13512184196416665417)
Comment feed last updated 2023-10-16; 8 comments, listed newest first.

----

Anonymous, 2008-12-09 00:42 (-05:00):

This comment has been removed by a blog administrator.

----

Anonymous, 2008-02-26 16:56 (-05:00):

What's the advantage of MIR vs AIRS?
I would have thought you would roll your own?

----

Anonymous, 2008-02-17 22:15 (-05:00):

Hi Richard,
Sounds interesting. How do you plan on getting around any privacy and legal concerns, especially using HBGary to capture memory snapshots? Did you add it to your AUPs? Thanks.

----

Anonymous ("M"), 2008-02-16 23:28 (-05:00):

Dave,

Actually, nothing at all like that.

When you have worked late hours on client engagements and have known a guy for about 6 years, a mutual respect tends to develop.

Nothing at all like the fanboi blog-o-world or whatever kids call this nowadays.

- M

----

Anonymous, 2008-02-16 14:49 (-05:00):

Indeed, good point!

It's just that I fear this tool may be used against you. I take a hard line on fake data as I have been on the receiving side of it before.

The in-memory-resident-only attacks are common; pdp at gnucitizen.org seems to be pioneering this with web browsers. These are quite the problem, especially with SSL connections. Burdach does a good job of explaining the problems with memory analysis: http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Burdach.pdf

I suppose we need a better method of getting the information out of a compromised system without allowing the system to know about it or possibly defend it. That's one of the reasons I have been following your lead with network analysis, as playing with the host usually leads to data manipulation and spoilage.

----

Richard Bejtlich (https://www.blogger.com/profile/13512184196416665417), 2008-02-16 14:18 (-05:00):

Anonymous,

First, you have to realize that everything in security is best-effort. I am not going to be able to shut down and image every asset I suspect to be compromised.

Second, your approach will not tell me anything about malware that is memory-persistent only. This is the problem we had 10 years ago with completely memory-resident kernel-mode rootkits on Solaris. You take the box down and the evidence disappears. Yes, some intruders are willing to lose access to the box rather than deploy a persistence mechanism on the disk.

There is no one best approach. I am adding tools to my kit so I have more options.

----

Anonymous, 2008-02-16 13:49 (-05:00):

"Over the next few months they are going to add the capability to remotely push their agent to a victim and then pull data from the victim to a concentrator."

I don't know about you, but I see a major problem with this approach. Once a computer is compromised, it is always compromised. All products have bugs and all products have design weaknesses. This product is going to rely on the compromised computer to send back real information. If you are going against a skilled attacker... aka one who has been watching your every move for several months (or your blog), then he is going to know you are going to use this product. All he has to do is go and find a copy of this software (legit or warez) and then work out a weakness or a way to just plain fake the data. So you use this product, but the bad guy already knows it's coming and sends back the all clear or some other kind of misinformation, leaving you to suspect nothing.

When doing a forensics or a malware analysis of a computer, there is only one option: take it down and test with a clean operating system (I'm thinking Knoppix STD here). For the more paranoid among us, a clean computer is also good, as there is a lot of flashable firmware in modern computers that an attacker can hide in.

----

Dave (https://www.blogger.com/profile/13463127139929591956), 2008-02-16 03:52 (-05:00):

> the team I met was open to my
> suggestions

ummmm yeah - I can imagine that conversation.

Alice: Hey, Bejtlich's here and he's got some suggestions

Bob: Yeah, pull the other one

Alice: Seriously, he reckons we should change a couple of things like this ....

Bob: That's interesting, good even .... shit, you really mean Richard Bejtlich????

Alice: yea

Bob: And he's going to buy our shit

Alice: he's looking

Bob: And he's making suggestions ... come on, how much do you think he'd CHARGE for advice on a product - just make sure we do whatever he's on about!!