Monday

Random notes from Taosecurity


Three recent posts: Ten Themes from Recent Conferences, Black Hat DC 2008 Wrap-Up, and Thoughts from Several Conferences.

His ten themes describing the state of affairs:

  1. Permanent compromise is the norm, so accept it.
  2. We cannot stop intruders, only raise their costs.
  3. Anyone of sufficient size and asset value is being targeted.
  4. Less Enterprise Protection, more Enterprise Defense.
  5. Less Prevention, more Detection, Response, Disruption.
  6. Less Vulnerability Management, more System Integrity Analysis.
  7. Less Totality, more Sampling.
  8. Less Blacklisting, more Whitelisting.
  9. Use Infrequency/Rarity to our advantage.
  10. Use Blue and Red Teams to measure and validate.

The attack scenario Sinan walked through:

  1. Attack the anti-virus/spam filter on the target company's mail transfer agent.
  2. Hook the AV to grab copies of all email. (Feeling good about that AV scanner now? Hey, it's defense in depth! Add more, you're secure! Not only does it not work 2/3 of the time, it's an avenue to be compromised! Argh.)
  3. Analyze email to understand the target.
  4. Inject forged email into ongoing thread between target and customer. Include malicious attachment.
  5. From target's computer, exploit DNS MSRPC vulnerability in target's PDC.
  6. Grab hashes, exploit other hosts. Find files of interest.
  7. Identify special network segmented from current network but accessed via USB drive.
  8. Modify USBDumper to acquire files when drive is moved from first network to special network.
  9. All interesting data transferred via Immunity's "PINK" C&C channel.
  • Sinan concluded by recommending we invest in human capital, not security products
  • Why do we bother blocking anything but specific IPs outbound? All we've done by restricting outbound protocols is force everything into SSL-encrypted HTTPS traffic.
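Themes 5, 8 and 9 (detection over prevention, whitelisting over blacklisting, rarity as an advantage) and the last bullet about outbound HTTPS all point at the same practical exercise: if everything leaves on 443 anyway, rank the destinations by how few internal hosts talk to them and by whether they are on a known-good list. The script below is an added example, not code from TaoSecurity, Immunity or any of the talks; the "src dst port bytes" log format, the allowlist and every record in SAMPLE_LOG are constructed for illustration.

```python
"""
Least-frequency ("rarity") triage of outbound HTTPS connections.

Added example, not code from TaoSecurity, Immunity or the conference talks.
The log format, the allowlist and every record below are constructed.
"""
from collections import defaultdict
from statistics import mean

# Constructed sample of outbound flows: "src_host dst port bytes_out".
# Most workstations hit the same few destinations; one workstation also
# talks repeatedly to a bare IP on 443 with near-identical payload sizes.
SAMPLE_LOG = """\
ws01 www.example.com 443 5120
ws02 www.example.com 443 4870
ws03 www.example.com 443 6010
ws01 update.vendor.example 443 120000
ws02 update.vendor.example 443 118000
ws03 update.vendor.example 443 121500
ws04 update.vendor.example 443 119900
ws02 cdn.partner.example 443 9000
ws04 cdn.partner.example 443 15400
ws03 198.51.100.23 443 3000
ws03 198.51.100.23 443 3100
ws03 198.51.100.23 443 2950
ws03 198.51.100.23 443 3050
"""


def parse_log(text):
    """Turn the constructed log into dicts, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, nbytes = line.split()
        records.append({"src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return records


def hosts_per_destination(records, port=443):
    """destination -> set of distinct internal hosts that contacted it."""
    seen = defaultdict(set)
    for r in records:
        if r["port"] == port:
            seen[r["dst"]].add(r["src"])
    return seen


def rare_destinations(records, max_hosts=1, port=443):
    """Destinations reached by at most `max_hosts` internal hosts.

    Widely shared destinations are, on balance, legitimate; a C&C endpoint
    is rarely contacted by the whole fleet. This is theme 9 in code.
    """
    per_dst = hosts_per_destination(records, port)
    return sorted(d for d, hs in per_dst.items() if len(hs) <= max_hosts)


def not_allowlisted(records, allowlist, port=443):
    """Theme 8: review everything outbound that is NOT a known-good
    destination, instead of blocking a list of known-bad ones."""
    per_dst = hosts_per_destination(records, port)
    return sorted(d for d in per_dst if d not in allowlist)


def uniform_sizes(records, dst, tolerance=0.10):
    """True when every connection to `dst` is within `tolerance` of the
    mean byte count. Interactive HTTPS varies; a check-in that encrypts a
    fixed-size message does not. Needs at least two connections."""
    sizes = [r["bytes"] for r in records if r["dst"] == dst]
    if len(sizes) < 2:
        return False
    avg = mean(sizes)
    return all(abs(s - avg) <= tolerance * avg for s in sizes)


def triage(records, allowlist):
    """Rank unallowlisted destinations as (dst, hosts_seen, uniform_sizes),
    rarest and most beacon-like first."""
    per_dst = hosts_per_destination(records)
    rows = [(d, len(per_dst[d]), uniform_sizes(records, d))
            for d in not_allowlisted(records, allowlist)]
    return sorted(rows, key=lambda row: (row[1], not row[2], row[0]))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    known_good = {"www.example.com", "update.vendor.example"}  # assumed allowlist
    for dst, n, uniform in triage(recs, known_good):
        print(f"{dst:24} hosts={n} uniform_sizes={uniform}")
```

The output is a ranking, not a verdict: a niche SaaS used by one person is also "rare", and a patient implant can jitter its payload sizes. The point of theme 9 is that rarity shrinks the pile an analyst has to look at, which is the part of detection that is affordable once you accept theme 1.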
These are the bits I liked and wanted to keep track of. Read the three original articles for a complete view.
Okay, using AV to own the gateway, using social media as intelligence, using outbound SSL as a covert channel, the need for user awareness: some of these sound familiar. ;-)

And don't forget to have a look at Richard's blog from time to time!! ;-)
