DDoS: Everything you could possibly need to know

This is more of a reference than it is a blog. I recently found a link to the most comprehensive all-in-one resource for information relating to Distributed Denial of Service (or DDoS) attacks that I have ever seen. The page seems to be well maintained (as of the publishing of this blog) by its author, Dave Dittrich. Mr. Dittrich has been inovlved in a number of infosec research projects, including the Honeynet Project, teaches at the University of Washington, and has done extensive work with DDoS tools and in related research.

This DDoS resource goldmine is broken down into sections including:
- Related literature
- Analysis and talks on attack tools
- Defensive tools
- Advisories
- Mitigation information
- Legal implications
- Related research
- News articles
...just to name a few. If you've ever been interested in doing any work or research in this field, this page is a great starting point.


A light at the end of the tunnel

Nearly a year ago, I wrote about the need for a standard malware nomenclature. Around the same time, I also commented on the need for an information security clearinghouse, possibly run by the DHS. It seems someone was listening to the pleas from the security community: today, C|Net reports that US-CERT (run by DHS) will be getting into the business of naming malware by acting as the public face of the Common Malware Enumeration Initiative, designed by a number of government entities as well as the much-respected MITRE. By running this through the government, the politics of inter-company nomenclature are completely circumvented. Each company can keep their own nomenclature, and map to the CME ID through their products and websites. One major issue that isn't clearly addressed, however, is how variants will be handled by CME. The state of malware being what it is today, this is the biggest point of confusion in battling outbreaks. New viruses aren't nearly as common as variants of old, tried-and-true formulas. Without a way to clearly address variants, this system may be much less effective. Its potential at this point, however, is great.

This announcement, along with other recent developments at US-CERT such as the revealing of the National Vulnerability Database (NVD), is positioning the site to become a critical juncture for the information security community. It appears the DHS, in at least one small respect, is starting to show some positive progress in its mission. I've personally met the gentleman responsible for the creation of the NVD at NIST, as well as some others involved with US-CERT, and have been very pleased with what I've seen. This is something to keep a close eye on in the coming 6-12 months, as it may soon be bookmarked as your browser's home page.

The only concern I have thus far is how quickly and completely US-CERT disseminates information to the public. There is much more to US-CERT than meets the eye; it is also a powerful tool for inter-agency communication and data sharing within the US Government. If the movement of information from the protected side to the public side is kept open, this may end up being a key cog in fighting the good fight for analysts in the years to come.


Marcus Ranum on the "Six Dumbest Ideas in Computer Security"

While I don't want to become a blog that blogs about other blogs, one particular piece by Marcus Ranum is noteworthy: The Six Dumbest Ideas in Computer Security. Marcus Ranum is one of the oldest names in Information Security, having been involved in designing a number of groundbreaking tools and is currently the CEO of NFR. Suffice it to say his comments carry some weight in this industry. Many of his opinions in this paper are valid, but a few I disagree with. Regardless, this is a piece that is worth reading closely.


New trends in malware

First off, it has been over two months. A busy, busy summer has unfortuantely made me put this project on the back burner. I'm hoping to reverse that trend in the coming weeks as I attempt to work an update into my Monday morning routine.

Administrative notes aside, this week saw two important revelations in malware. The first is one that has the most broad implications, and is merely a foreshadowing of darker days ahead. F-Secure reported that the Commwarrior.B virus took out nearly all of a Scandanavian company's cell phones a week ago Wednesday, according to C|Net. This is just months after a WDSGlobal expert claimed that the threat is overblown, citing internal data that such viruses accounted for only 0.0036% of all of that company's support calls. What's important here is the difference between the current threat and the future threat. While the current state of affairs is such that these infections are relatively rare, the atmosphere is as ripe as it could be for a major, major problem in the not-too-distant future, and necessitates security professionals begin thinking about what to do when that time comes. Features are being added to mobile phones at a bilstering pace, making them behave more and more like portable computers than simple telephony devices. Want proof? Many believe that Apple is set to release iPod-like phones with a major phone manufacturer any day now. As these new features are rapidly added, history shows us that security takes a back-seat to features and shortening time-to-production. Hopefully, history will not repeat itself here.

A second uncelebrated, but important piece of security-related news in the past week was the linking of an individual suspected of authoring the Zotob worm to a credit card fraud ring. For over a year, security experts have been warning that the identity theft and malware underworlds were colliding. Recently, the public has finally begun to see that in cases like the CardSystems ID theft. This marks the first major malware outbreak, to my knowledge, that has been linked by law enforcement authorities to an identity theft ring. Moreover, the suspect, Farid Essebar, is also believed to have had a hand in 20 other pieces of malware. This could be the groundbreaking case that offers the public a rare glimpse of the collision of two underground groups, and is worth following.