On 26-Jan-10, at 9:24 AM, r.b. wrote:

> '“In other words,” The Register’s Lew Page notes, “any code you write,
> perhaps even any document you create, might one day be traceable back
> to you - just as your DNA could be if found at a crime scene, and just
> as it used to be possible to identify radio operators even on
> encrypted channels by the distinctive ‘fist’ with which they operated
> their Morse keys. Or something like that, anyway.'
>
> This makes great copy but it doesn't sound like they've heard about,
> or bothered to take into consideration:
>
> JITs
> Automated code generation
> Optimizers
>
> Or a slipperier issue:
>
> Just because someone wrote the code doesn't mean they launched the
> attack.
>
> This idea has been hyped before without result. I don't expect that to
> change any time soon.
>
> -r
>
> On Tue, Jan 26, 2010 at 17:58, Larry Seltzer
> <[email protected]> wrote:
>>>> One of the trickiest problems in cyber security is trying to figure
>>>> who’s really behind an attack. Darpa, the Pentagon agency that created
>>>> the Internet, is trying to fix that, with a new effort to develop the
>>>> 'cyber equivalent of fingerprints or DNA' that can identify even the
>>>> best-cloaked hackers.
>>
>>>> http://www.wired.com/dangerroom/2010/01/pentagon-searches-for-digital-dna-to-identify-hackers/
>>
>> How much luck can they actually have with this?
You folks are thinking too mechanistically. That's the problem with using real-world metaphors like DNA analysis and fingerprints... the internet isn't exactly like the physical domain. So it doesn't just have to be running some filter on a binary piece of code.

I've worked with enough penetration test teams and different pen testers to identify that each attacker/intruder definitely has identifiable "styles," habits and other traits that could be identifiable give-aways. What the attacker does after getting on the machine for reconnaissance, for instance (i.e. how thoroughly do they examine local processes on the machine, or do they go immediately for the next-hop network survey and pivot; timing, aggressiveness, noise level, etc...), the sequence or ordering they use to check for vulnerabilities, etc... These correlational bits of information could very well lead to some sort of identification of different attackers and attack campaigns.

You are also limiting your scope of imagination to single discrete intrusions - but identifying objectives and different attack teams could be done across a whole series of intrusions in an attack campaign to identify different "advanced persistent threats," as it were.... ;-P

I'm not agreeing or disagreeing with the methodology espoused, and I don't know enough about what the team mentioned in the article is trying to identify to say whether it can work, but it's not right to dismiss out of hand the idea of identifying different separate attack campaigns across a series of intrusions by their properties, enough to differentiate different threat vectors.

cheers,
--dr

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Vancouver, Canada      March 22-26   http://cansecwest.com
Amsterdam, Netherlands June 16/17    http://eusecwest.com
pgpkey http://dragos.com/ kyxpgp

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
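One way to make the behavioural-attribution argument above concrete, as an added example that is not part of the original thread: group intrusion sessions by the ordering and tempo of post-compromise actions rather than by any code artefact. The session data, action names and thresholds are all constructed for illustration.

```python
"""Cluster intrusion sessions by operator behaviour, not by code artefacts.
A session is the ordered list of (seconds since foothold, action) seen on one
host; similar step ORDER plus similar tempo suggests the same operator."""
from statistics import median

# Constructed sample data, not real incident records. s1 and s3 share an
# operator's habit: thorough local recon first, slow and careful. s2 skips
# local recon and pivots immediately at machine speed.
SESSIONS = {
    "s1": [(0, "whoami"), (40, "ps"), (95, "netstat"), (170, "ls_home"),
           (260, "cat_history"), (400, "arp"), (520, "scan_subnet")],
    "s2": [(0, "whoami"), (3, "arp"), (6, "scan_subnet"), (9, "ssh_pivot"),
           (12, "scan_subnet")],
    "s3": [(0, "whoami"), (30, "id"), (70, "ps"), (140, "netstat"),
           (230, "ls_home"), (330, "cat_history"), (480, "arp"),
           (600, "scan_subnet")],
}

def fingerprint(session):
    """Return (set of ordered action bigrams, median seconds between actions)."""
    actions = [a for _, a in session]
    bigrams = set(zip(actions, actions[1:]))
    gaps = [t2 - t1 for (t1, _), (t2, _) in zip(session, session[1:])]
    tempo = median(gaps) if gaps else 0.0
    return bigrams, tempo

def similarity(fp_a, fp_b):
    """Jaccard overlap of step ordering, scaled by how close the tempos are."""
    bigrams_a, tempo_a = fp_a
    bigrams_b, tempo_b = fp_b
    union = bigrams_a | bigrams_b
    jaccard = len(bigrams_a & bigrams_b) / len(union) if union else 0.0
    tempo_ratio = min(tempo_a, tempo_b) / max(tempo_a, tempo_b, 1e-9)
    return jaccard * tempo_ratio

def cluster(sessions, threshold=0.3):
    """Greedy grouping: a session joins the first cluster it resembles."""
    fps = {name: fingerprint(events) for name, events in sessions.items()}
    clusters = []
    for name, fp in fps.items():
        for group in clusters:
            if any(similarity(fp, fps[other]) >= threshold for other in group):
                group.append(name)
                break
        else:
            clusters.append([name])
    return clusters
```

With these sessions, `cluster(SESSIONS)` puts s1 and s3 together and leaves s2 on its own; the same bigram/tempo features computed from real session logs would be the "correlational bits" the post describes.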
