… from Packetlife.net. Covering everything from BGP to Physical Terminations.

From the site:

“Cheat sheets are in PDF format. You are welcome to use and redistribute them as you please, so long as they remain intact and unmodified.”

That’s the spirit! The tcpdump & Wireshark ones are going on the wall now

What politicians seem to miss (every time) is that progress is driven by innovation. All evolution of the internet as we know it has been driven by information sharing, and this is getting more evident.

The whole term “The Cloud” proves this fact. This new hype which everyone tries to fit their life or product into really is nothing else than simple sharing between large groups of users.

In the future we will see media, music and art turn more prominent on the Internet than IRL. The companies that stick to old business and distribution models will be left behind and those trying to keep up will prosper. This is not something aggressive, it’s just a fact. No legislation in the world will change this, but it might slow it down.

“The web will own every bit”

What we are now calling the cloud is constantly, and at an increasing speed, growing and becoming more capable and integrated into our lives. Today I’m happy that I can stay connected and share my experiences while traveling in the middle of nowhere, tomorrow I will feel extremely secluded if I cannot do the same thing.

In my opinion, what should be further researched is;

How can we enable people to share more freely?

This is a much bigger and more important question than “How can we restrict people from sharing”, as people will always do that anyway.

… and the sky is ultra-gray. Not very fun ;/

On the other hand some things are shaping up. As I mentioned previously, my 3G USB-stick is proving to be very competent and useful. Even works in a stone cellar below ground with just one Window (Café Gråmunken, Old town, Stockholm)

The best thing about the stick is that it works out of the box on my Aspire One, as it is detected as “Option 3G”. That is, the unit’s networking software detects it as the 3G option that will be shipped with newer Aspire models. Very nice indeed.

For those interested, this is how it looks:

My provider is Bredbandsbolaget (Telenor), and the make & model of the stick is Qualcomm 3G CDMA GI0225.

Cheers,

“Till alla kunder!

PRQs verksamhet har nu avyttrats till en grupp utländska investerare. Verksamheten kommer fortsätta precis som tidigare men den dagliga driften kommer ej hanteras av samma personer förutom under en övergångsperiod. Den största skillnaden kommer vara att företaget nu har betydligt bättre resurser. Mer information följer inom kort. Har du några frågor så är du väkommen att kontakta oss.”

In english (my translation):

“To all customers!

PRQ’s operations has now been sold to a group of foreign investors. The business will continue as usual but the daily operations will not be handled by the same people except for a limited period during the transition. The biggest change will be that the company now has much better resources. More information will follow shortly. If you have any questions you are welcome to contact us.”

What is special about this then? PRQ AB is owned (and up until now operated) by the same guys that run The Pirate Bay and hosts some of the worlds most attacked and controversial sites.

Some of the organizations that utilize their services are Wikileaks, The Piracy Bureau, and Kavkaz Center.

More news later on, as their website says.

UPDATE: Previous swedish blog entries on this: Free and thinking, Fajaf. Regular media articles: ComputerSweden

For those that doesn’t know this already, Australia is one of the countries that are actively filtering and censoring the internet. They are doing this to “protect” their citizens from the big bad wolves that reside in the internet tubes without giving their citizens liberty even a second glance.

Read this on the Australian security firm Sûnnet Beskerming’s blog:

“In the lead up to last year’s national election in Australia there were a range of promises made by the incumbent government, under the name NetAlert, which was reported to be for a range of projects including Internet blocking software at the user end, tracking down online predators, and filtering of traffic on the network.

“There can be no other way to put it other than to suggest that these efforts are being pushed through out of an ignorance of the structure and nature of the Internet, even when accurate information is readily available.”

It’s really frightening to see how fast things can go bad. So far we have not seen this kind of lunacy here in Sweden but it feels like we’re getting there.

The internet’s content is not to be controlled by any unique institution or governing organization, as the whole idea of it is then lost. The Internet is a place that should be a free, unbiased, space for information of all kinds from all sources. Sure some will be hostile, but this is not a reason to filter it.

Doesn’t the Australian politicians relate what they’re doing to what dictatorships are doing? Can’t they see that they’re heading down a very dangerous path by restricting free speech? Besides this being a anti-democratic thing, remember that a society that closes on itself and censors it’s citizens never can evolve at the same speed as the world surrounding them, and therefor the country will suffer both economically and culturally.

The Internet was born free and should remain that way. If we can’t do that, then the whole idea behind it is dead and it’s time to form a new network.

Are you with me?

The debate on what internet security would look like in the year 2020 at Internetdagarna ‘08 made me think.

What will the malware landscape look like in 12 years?

Well, if we look at our history it’s quite hard to see a larger trend as our selection really doesn’t range that long back. Viruses and worms has been present ever since people started networking computers, and some ever longer. However, there has always been a very opportunistic area and the “bad guys” has adapted quite easily to the different challenges we’ve put them up to.

Previously the attacks were almost always aimed at being large scale and make as much noise as possible. We had the CIH virus, Loveletter, Melissa, Blaster, Sasser and so on. This type of malware did a lot of damage, caused a lot of headache, made people cry over lost images and cost companies millions of hours in overtime.

But still no one was really hurt. There wasn’t any money missing and everyone kept their identity for themselves. The game was more or less “See mee! PLZ!” and “1′m 4 b3773r VX-coder than you, mother*beep*, our cr3w rule the w0rld!!!1!!!“. Media attention was the holy grail.

This has changed though.

Some years ago (~5 yrs?) we started seeing targeted, financially motivated, malware and organizations that profited from these directly. Back then the malware authors were still learning and a lot of mistakes could be observed. We may have laughed at their worms that had bugs earlier but today it’s not that funny. They’ve learnt from their mistakes and today their cashflow enables them to do real Quality Assurance on their code.

Today almost all types of malware circulating is financially motivated in one way or another. They are adapting their methods of infection and follow world and market trends to identify the times at which hard distribution is most effective.

As my colleague Sebastian Zabala puts it; “For them it’s ‘Money talks and bullshit walks‘“. In other words, if it does not generate immediate cash return it is not the least interesting and terms as ARPIU (Average Revenue Per Infected User) are being used. This has been the single most dominant motivator for the malware evolution that we’ve seen in the past couple of years.

Several prominent groups has been mapped over the last four-five years, and one of them is the notorious Russian Business Network. They seem to have relocated now, but at one point last year (2007) a very large portion of the malware being distributed was coming from their network. This is probably the same now but from other, more separated, locations that isn’t as easily distinguished.

The methods of distribution was previously very direct and the bad guys were satisfied with the distribution method of one host infecting another but this has also changed a lot. Much of this change is probably motivated by their need to continuosly modify the malware to keep as much code as possible out of AV-vendors signature files. Today, a very large percent of infection happens through web browsers that get exploited by trusted websites. These websites has been hacked in one way or another in order to add HTML that loads malicious code through invisible iframe’s or scripts.

These attacks are made possible by insecure server-side code which enables attackers to do SQL injections for example. We are also starting to see signs of social networking applications being exploited for the same purpose and a possible method of infection here is XSS (Cross-site scripting). There’s a myriad of different attacks on the same theme, but it’s the same thing here really, insecure server-side code with a twist making the client essential. All in the true spirit of Web 2.0.

But the method of infection really isn’t that important. There will always be vulnerabilities waiting to be exploited. If not in insecure code, then in user behavior. Just look at the latest waves of fake security products. These often use social engineering to get installed on it’s victims computers, such as faking a windows desktop and tricking the user to click OK or taking other actions to install the malware. These applications alone are estimated to bring in multi-million numbers to the guys behind them this year.

A couple of years back, malware on the windows platform also started to come packed with rootkits and other methods of concealment. These technologies has been more widely deployed during the last year and we are seeing them being used in layers. For example, the droppers that first reach the systems often do not come with rootkit functionality but load (injects dll’s) themselves into system processes in order to stay hidden. The malicious software pack that is later downloaded more often than not come with real rootkits often in the form of system drivers. My guess is that this is meant to make users believe that once they’ve managed to clean out the malware they are in the clear, but only hours later the dropper sucks down another pack of crap and installs it.

From our (AV-vendors) point of view we are seeing steep increases in the number of samples (different versions of the same malware) being distributed and to cope with this problem we are inventing different technologies that either make our signature less important or help us analyze samples. For example Panda has TruPrevent for behavioral analysis and Collective Intelligence for malware identification and faster analysis.

This race will continue. When we establish an effective countermeasure to their latest move, they will change their business model or malware structure. When they do so, we will change our take on the problem.

So… What will the malware scene look like in 12 years?

Well, I don’t really know… I don’t think anyone really knows.

As technology evolves so will the parasitic creatures that feed upon it. My guess is that the malware will be more user tied and that more of the malicious code will be built upon pre-built frameworks that enable faster development. Maybe this already exist?

The Storm botnet that followed us from 2007 into 2008 and still is alive and well is a good example of what the future will have in store. The malicious code relies heavily on social engineering for distribution and installation, and the underlying structure is both stable and agile. They use fast DNS fluxing and double-fluxing in order to keep it alive and also varies communications method between IRC, P2P (eDonkey) and HTTP.

I’m not saying we’ll see more of the same, but rather more malware being based on the same thoughts; Great stability, Good control, Improved anonymity and excellent networking.

Platform independence will probably become more and more important for malicious software as well, as the array of different units used to access the internet is getting bigger every day. By platform I mean both hardware and software.

The challenge for us anti-malware vendors is to keep up. How we’ll be doing that is based on future experiences but in an ideal situation we come as close as we can to a silver bullet for every new twist that the bad guys throw at us. Our real challenge here is to be equally adaptable to new situations as they are. We need to be able to react quickly and hard without impacting the stability of our customers it-systems.

I also think that the user knowledge angle will be more and more important and this will have a big effect on malware distribution. Today I’m seeing younger people just laughing when they stumble upon a strange website and fire up ProcessExplorer to see if something bad happened. This would not have happened five years ago and it changes the way that malware authors have to think.

Hopefully we are up for a cleaner internet tomorrow, but there are no guarantees.

In a worst case scenario the internet might be clogged with garbage, which forces ISPs and national institutions to do filtering in order to isolate the countries that cannot control the organizations behind the malware. This is not something that we want to see and I hope it never goes that far with all of my heart.

Please comment with your thoughts on what the future has in store for us

Cheers,

“It doesn’t really work.”

From Cnet (via BoingBoing):

A National Research Council report, years in the making and scheduled to be released Tuesday, concludes that automated identification of terrorists through data mining or any other mechanism “is neither feasible as an objective nor desirable as a goal of technology development efforts.” Inevitable false positives will result in “ordinary, law-abiding citizens and businesses” being incorrectly flagged as suspects.

The whopping 352-page report, called “Protecting Individual Privacy in the Struggle Against Terrorists,” amounts to at least a partial repudiation of the Defense Department’s controversial data-mining program called Total Information Awareness, which was limited by Congress in 2003.

Whoops… Where did the terrorism argument go Mr.Tolgfors? Lost it did ya’?

More seriously though, I hope that our Swedish politicians will read and understand the facts in the report… It’s just ridiculous that they haven’t done so already.

Read more at CNet!

Got an invite to the free beta program of Spotify from my co-worker Sebastian (last one ) and I must agree with him when he says this is a great application.

For those of you that have not heard of Spotify, read up on it here. In short, it’s an application that let’s you stream any amount of music for a monthly fee (about 8€). Later on you will also have the option of not paying, but having the app show banners etc. That option is only available right now if you have an invite.

Not only is the application extremely slim graphically, but the performance looks very good as of yet (approx 12MB of ram consumed).

This is the kind of thing that could solve the piracy problem for a lot of companies. This is adapting your distribution methods to a new generation (instead of suing it).

I’m not really surprised that it’s a new entrepreneur that developed this, but it’s kind of sad. If this will be the future and replace many other methods of distribution, what the f*ck was all the legal litigation good for? Why did they not spend the money developing new technology minimizing their “time to market” and other factors instead of ruining ordinary peoples lives. Makes you wonder…

Well well. Spotify is great though Try a “day pass” (about 1€) and see if you like it!

UPDATE: Article at TheLocal.se about Spotify here!

I was browsing the intertubes using an open WLAN when i stumbled on this article on Bakmans blog. The entry itself is a bit outdated but it got my brain working a bit.

Engaged in a search for more information on the subject and eventually found this paper (PDF - Aegis PCI DSS Wireless FAQ) through a pcianswers.com post.

One interesting, if not obvious, thing mentioned is that objective 11.1 require you to audit your sites for wireless networks even though you aren’t running any. This requirement comes from the possibility of rouge Access Points placed in the network(s) that handle card transactions, or a net that is trusted by it. You are not permitted to allow any rouge AP’s if you want to be or stay compliant.

Requirement 11.1 reads:
11.1 Test security controls, limitations, network connections, and restrictions annually to assure the ability to adequately identify and to stop any unauthorized access attempts. Use a wireless analyzer at least quarterly to identify all wireless devices in use.

And this control objective is applicable to all organizations that are aiming at PCI DSS compliance. The paper mentioned above has some of Aegis frequently asked questions on this listed and before you start asking expensive consultants, give it a read

The other control objectives discussed in the paper (including FAQs) in relation to wireless networking are:

4.1.1 For wireless networks transmitting cardholder data, encrypt the transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or SSL/TLS. Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:
• Use with a minimum 104-bit encryption key and 24 bit-initialization value
• Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or SSL/TLS
• Rotate shared WEP keys quarterly (or automatically if the technology permits)
• Rotate shared WEP keys whenever there are changes in personnel with access to keys
• Restrict access based on media access code (MAC) address.
[...]
10.5.4 Copy logs for wireless networks onto a log server on the internal LAN.
[...]
1.3.8 Installing perimeter firewalls between any wireless networks and the cardholder data environment, and configuring these firewalls to deny any traffic from the wireless environment or from controlling any traffic (if such traffic is necessary for business purposes)
[...]
2.1.1 For wireless environments, change wireless vendor defaults, including but not limited to, wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords, and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.
[...]
9.1.3 Restrict physical access to wireless access points, gateways, and handheld devices.
[...]
11.4 Use network intrusion detection systems, host-based intrusion detection systems, and intrusion prevention systems to monitor all network traffic and alert personnel to suspected compromises. Keep all intrusion detection and prevention engines up-to-date.
[...]
12.3 Develop usage policies for critical employee-facing technologies (such as modems and wireless) to define proper use of these technologies for all employees and contractors. Ensure these usage
policies require the following:
12.3.1 Explicit management approval
12.3.2 Authentication for use of the technology
12.3.3 List of all such devices and personnel with access
12.3.4 Labeling of devices with owner, contact information, and purpose
12.3.5 Acceptable uses of the technologies
12.3.6 Acceptable network locations for the technologies
12.3.7 List of company-approved products
12.3.8 Automatic disconnect of modem sessions after a specific period of inactivity
12.3.9 Activation of modems for vendors only when needed by vendors, with immediate deactivation after use
12.3.10 When accessing cardholder data remotely via modem, prohibition of storage of cardholder data onto local hard drives, floppy disks, or other external media. Prohibition of cut-and-paste and print functions during remote access.

The above text was copied from the standard document and to fully grasp the implications involved I would, as I did above, recommend you to read Aegis PCI DSS Wireless Security FAQ.

Also, version 1.2 of PCI DSS is to be “released” in the beginning of October and you can find the document of changes here (PDF).

Google Chrome really is a nice peice of software, even though it is still in BETA-phase. Quick response, nice UI and it has a really nice architecture for a fault tolerant browser.

I enjoyed trying it. However, it seems that they (Google) is now stepping away from their previous motto “Do no evil”, as the EULA that ships with Chrome is quite nasty.

Seems like they want you to hand over all IP-rights to whatever you create or publish using the browser. This is the same thing that Microsoft and AOL has tried with their IM applications a couple of years back, and of course it backfired directly and those terms got removed quickly.

From TapTheHive:

In other words, by posting anything (via Chrome) to your blog(s), any forum, video site, myspace, itunes, or any other site that might happen to be supporting you, Google can use your work without paying you a dime. They can go and edit it all they want. Even further, you’re claiming that you have the power to grant these rights.

More information here, here and here.