What’s a Bot? (the un-lazy definition)

Michael over at An Information Security Place has taken a bit of flak for calling out Douglas Schweitzer for a lazy and inaccurate (my words, not Michael’s) definition of what a ‘bot’ is.

I chimed in on Michael’s behalf to agree that saying a bot is “essentially just another term for an infected computer” is only half the picture.

Yes, what is referred to as a ‘bot’ is a compromised computer, but it’s much more than that. A bot runs malware that lets a remote entity control it. Bots use sophisticated means of communicating with the ‘bot herder’, another name for the attacker who controls them. Often they use IRC channels for command and control; sometimes they leverage peer-to-peer networks instead, which leaves no single server for anyone to shut down. And they are used for any number of nefarious acts, such as spam relay, distributed denial of service (DDoS) attacks, click-through fraud, etc. They have become a key element in the hacker economy because they are rented out for cash money. Because of that, they are a very large threat to the Internet as a whole, and something we’re going to be battling for some time.

Bots used to be called zombies and I like that term better for the nefarious bots, because as Michael pointed out, there are good bots out there too, like web-crawlers (aka spiders).

If you’re going to provide a service to the general public and attempt to define a technical term, at least do it some justice and be accurate.

</rant>

You speaka my language?

I’ve been working a problem for several weeks now between vendor X’s UTM device and vendor Y’s firewall device. To bring you up to speed: we recently started deploying UTM devices to our satellite offices. Since each of our offices has its own link to the Intarweb, we have a VPN mesh for inter-office connectivity. The VPNs all terminate at the firewalls and UTMs.

The rub comes when the devices need to work out a problem with the VPN connection. If one side doesn’t adhere to the RFC, then the other side won’t know what it’s saying.

That’s exactly the problem I’m running into now. One side drops the IPsec tunnel, but the other side doesn’t get properly notified. One side continues to send traffic encrypted with a now-dead SA, and the other side discards the traffic. The problem gets worse because the ISAKMP tunnel remains up, so one device continues to try to set up Quick Mode and gets itself worked into an infinite loop where it won’t remove the old tunnel, nor can it establish a new tunnel, and lo and behold we have a link down until we manually flush all SAs for the link.
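As an added illustration (not code from this post, and not any vendor’s implementation), here is a small Python model of the SA bookkeeping involved. It does not reproduce the specific Quick Mode loop above; it shows the black hole that opens when one side removes an IPsec SA and the peer keeps stamping the dead SPI on its ESP traffic, and the two in-protocol ways the RFCs give for closing it: a Delete payload sent at teardown (RFC 2408 section 3.15) and an INVALID-SPI notification sent when ESP arrives for an unknown SPI (RFC 2408 section 3.14.1). The Peer, Tunnel and scenario names are assumptions made for illustration.

```python
"""Toy model of an IPsec SA-teardown mismatch between two peers.

Added example, not the original post's code and not any vendor's
implementation. Two peers share a Phase 1 (ISAKMP) SA and one Phase 2
(IPsec/ESP) SA pair keyed by SPI. All names here are assumptions.
"""
from dataclasses import dataclass, field
from itertools import count
from typing import List, Optional, Set

_spi_pool = count(0x1000)  # unique SPIs for the simulation


@dataclass
class Peer:
    name: str
    isakmp_up: bool = False                        # Phase 1 SA present?
    sa_in: Set[int] = field(default_factory=set)   # inbound SPIs we accept
    sa_out: Optional[int] = None                   # SPI we put on outbound ESP


class Tunnel:
    def __init__(self, a: Peer, b: Peer, invalid_spi_recovery: bool):
        self.a, self.b = a, b
        self.invalid_spi_recovery = invalid_spi_recovery

    def other(self, p: Peer) -> Peer:
        return self.b if p is self.a else self.a

    def phase1(self) -> None:
        self.a.isakmp_up = self.b.isakmp_up = True

    def quick_mode(self, initiator: Peer) -> bool:
        """Negotiate a fresh IPsec SA pair; needs the ISAKMP SA on both sides."""
        responder = self.other(initiator)
        if not (initiator.isakmp_up and responder.isakmp_up):
            return False
        to_resp, to_init = next(_spi_pool), next(_spi_pool)
        initiator.sa_out, responder.sa_in = to_resp, {to_resp}
        responder.sa_out, initiator.sa_in = to_init, {to_init}
        return True

    def esp(self, src: Peer) -> str:
        """One ESP packet from src to its peer. A receiver discards packets
        for an SPI it does not know (RFC 4303 section 3.4.2); optionally it
        then tells the sender with an INVALID-SPI notify under the ISAKMP SA."""
        dst = self.other(src)
        if src.sa_out is None:
            return "no-sa"
        if src.sa_out in dst.sa_in:
            return "delivered"
        if self.invalid_spi_recovery and dst.isakmp_up and src.isakmp_up:
            self._notify_invalid_spi(src, src.sa_out)
        return "discarded"

    def expire(self, p: Peer, send_delete: bool) -> None:
        """p's IPsec SA hits its lifetime and is removed locally. The RFC way
        is to also send a Delete payload naming the SPIs being dropped."""
        dead = p.sa_in
        p.sa_in, p.sa_out = set(), None
        if send_delete:
            self._delete_notify(self.other(p), dead)

    def _delete_notify(self, recipient: Peer, spis: Set[int]) -> None:
        if recipient.sa_out in spis:   # the SA they dropped is our outbound one
            recipient.sa_in, recipient.sa_out = set(), None

    def _notify_invalid_spi(self, sender: Peer, spi: int) -> None:
        if sender.sa_out == spi:
            sender.sa_in, sender.sa_out = set(), None

    def flush(self) -> None:
        """The manual fix from the post: clear every SA on both sides."""
        for p in (self.a, self.b):
            p.isakmp_up, p.sa_in, p.sa_out = False, set(), None


def scenario(send_delete: bool, invalid_spi_recovery: bool) -> List[str]:
    """Outcome of B's packets at each stage of one SA teardown."""
    a, b = Peer("A"), Peer("B")
    t = Tunnel(a, b, invalid_spi_recovery)
    t.phase1()
    t.quick_mode(a)
    out = [t.esp(b)]                  # healthy tunnel
    t.expire(a, send_delete)          # A drops its IPsec SA; ISAKMP SA stays up
    out.append(t.esp(b))              # B's next packet: stale SPI, or no SA
    if b.sa_out is None:              # B learnt the SA is gone, so it rekeys
        t.quick_mode(b)
    out.append(t.esp(b))              # recovered in-protocol, or still dark
    if out[-1] != "delivered":        # last resort: flush and rebuild by hand
        t.flush()
        t.phase1()
        t.quick_mode(a)
        out.append(t.esp(b))
    return out


if __name__ == "__main__":
    print("Delete payload sent:   ", scenario(True, False))
    print("INVALID-SPI recovery:  ", scenario(False, True))
    print("Neither (manual flush):", scenario(False, False))
```

Running `scenario()` with both mechanisms off reproduces the symptom: everything B sends is discarded until `flush()` clears both sides. Which of these notifications a given appliance sends, and whether its peer acts on them, is exactly the interoperability question worth putting to both vendors before anyone blames the firmware.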

This is one argument in favor of homogeneous layouts, but then you have the problem of complete exposure when your appliance model has a vulnerability.

Damned if you do, damned if you don’t.

‘Upgrade your firmware’ is support-speak for ‘I have no friggin’ clue’

I really do hate when I’m trying to troubleshoot a problem with vendor support and they say something like ‘there’s a new upgrade available that addresses several problems relating to the one you’re having and we’d like you to upgrade.’

I seriously have never had a situation where upgrading firmware solved a problem. Ever.

Radical Islam (OT)

I took a trip to Iran last summer and took this picture in one of their holy shrines. In my description of the picture I mentioned the gorgeous architecture of the shrine but then said it was desecrated when the cleric led the congregation through a chant of ‘death to Israel, death to England, death to America.’

Yesterday someone commented on the picture questioning whether the cleric did indeed say that and went on to talk about the ‘Pure & Wonderful Way of life’ of Islam. So I took a look at his pictures on flickr and found a picture of various assault rifles, sniper rifles, a grenade launcher, an inert hand grenade and flares. Just in case the picture mysteriously disappears, here’s a screeny.

Nothing like fitting the wrong stereotype.

Messenger Spam still active (and effective!?)

I am working with a guy here who is troubleshooting a connection through our firewalls, so I’m grepping through live firewall logs. Almost immediately after placing his host online, it was getting bombarded with connection attempts, likely connection attempts to entire blocks, not just our host specifically (I could tell if I actually looked at the source IP instead of the destination IP, but I’m too lazy and too busy blogging right now).

Anyway, some of the connections that caught my eye were UDP:1026 and UDP:1027, which indicate Messenger spam. You remember: the old spam that abuses the Windows Messenger service (the thing behind ‘net send’, not the instant-messaging client) to pop up a window that looks like a system message to the user.
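Here is the check I was too lazy to do, as an added example (not the post’s own code): pull the UDP 1026/1027 hits out of a firewall log, group them by source, and count how many distinct destinations each source touched. One source hitting many addresses is a spammer walking a block; one source hammering a single host is aimed at that host. The log format, the regex and the sample lines are constructed for this example, so adapt the regex to your own firewall’s syslog format.

```python
"""Find Messenger-service spam in firewall logs and tell a block sweep
from a targeted probe. Added example, not the post's own code; the log
format and sample lines below are constructed for illustration."""
import re
from collections import defaultdict
from typing import Dict, Iterable, Iterator, Tuple

# UDP ports the post saw; add neighbours (e.g. 1028) if your logs show them.
MESSENGER_PORTS = {1026, 1027}

# Constructed sample lines, not real log data.
SAMPLE_LOG = """\
2007-03-01T10:00:01 fw1 DENY proto=UDP src=203.0.113.7:4561 dst=198.51.100.10:1026
2007-03-01T10:00:01 fw1 DENY proto=UDP src=203.0.113.7:4561 dst=198.51.100.11:1026
2007-03-01T10:00:01 fw1 DENY proto=UDP src=203.0.113.7:4561 dst=198.51.100.12:1027
2007-03-01T10:00:02 fw1 DENY proto=UDP src=203.0.113.7:4561 dst=198.51.100.13:1026
2007-03-01T10:00:05 fw1 DENY proto=UDP src=192.0.2.44:1030 dst=198.51.100.10:1027
2007-03-01T10:00:05 fw1 DENY proto=UDP src=192.0.2.44:1030 dst=198.51.100.10:1026
2007-03-01T10:00:07 fw1 ALLOW proto=TCP src=192.0.2.99:51234 dst=198.51.100.10:443
2007-03-01T10:00:09 fw1 DENY proto=TCP src=192.0.2.99:51235 dst=198.51.100.10:1026
"""

# Matches the constructed "proto=... src=ip:port dst=ip:port" fields.
LINE_RE = re.compile(
    r"proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def messenger_hits(lines: Iterable[str]) -> Iterator[Tuple[str, str]]:
    """Yield (src, dst) for every UDP packet aimed at a Messenger-service port.
    TCP to the same port numbers is something else and is ignored."""
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        if m["proto"].upper() == "UDP" and int(m["dport"]) in MESSENGER_PORTS:
            yield m["src"], m["dst"]


def classify_sources(lines: Iterable[str], sweep_threshold: int = 3) -> Dict[str, dict]:
    """Per source address: hit count, distinct destinations, and a verdict.
    'sweep' = one source touching sweep_threshold or more destinations
    (spammer walking a block); 'targeted' = a few hosts hit repeatedly."""
    dests = defaultdict(set)
    hits = defaultdict(int)
    for src, dst in messenger_hits(lines):
        dests[src].add(dst)
        hits[src] += 1
    return {
        src: {
            "hits": hits[src],
            "targets": len(dests[src]),
            "verdict": "sweep" if len(dests[src]) >= sweep_threshold else "targeted",
        }
        for src in dests
    }


if __name__ == "__main__":
    for src, info in classify_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{src:15} hits={info['hits']} targets={info['targets']} {info['verdict']}")
```

On the sample, 203.0.113.7 touches four different addresses and is flagged as a sweep, while 192.0.2.44 hits only the one host twice. The TCP line to port 1026 is deliberately left out: only UDP to those ports is the Messenger service.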

It’s unbelievable that something like this is still effective today. I imagine it’s mostly home users who are the intended targets, but it’s so prevalent that it’s become part of the ‘noise of the Internet.’