August 24, 2008

Trojanize yourself for deniability

I know this has been discussed a thousand times before (since 2003 at least!), but a recent assignment has made me think about it again. Let's presume you're on a forensic task, and you're going through the suspect's computer. You end up finding the content you were looking for, but meanwhile you run the routine antivirus scan. Ding, you hit a well-known trojan.

It's password protected, and was obviously installed before the data you were looking for was downloaded.
You dig deeper, and discover that the trojan actually starts at boot and is exposed to the internet.

That's it: the suspect has not lowered their security level during normal operations - assuming the trojan is actually safe and the password was hard enough to guess - and you are left wondering who actually put that data into place. How can you tell it wasn't the remote aggressor controlling the suspect's computer?

Sure, you can try to retrieve some more data to uncover the truth, but carefully leveraging this trivial issue (think about actually sending the trojan encrypted commands from time to time, from a different account, to confuse even a wiretap that captures 100% of the traffic) is enough to obtain plausible deniability.
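One way to "retrieve some more data" in the scenario above, written as an added example for this post rather than anything from the original: correlate the creation times of the contested files with inbound sessions to the trojan's listening port in a border-firewall log, and check that the trojan's own install time really predates the files. The log format, the IP addresses, the listening port and every timestamp are constructed for the illustration; a real case would use whatever connection log, event log or netflow is actually available.

```python
from datetime import datetime
import re

TS = "%Y-%m-%d %H:%M:%S"

# Constructed sample data (not from the original post).
# Creation times of the files the examiner is interested in.
CONTESTED_FILES = {
    "C:/Users/suspect/Downloads/archive1.zip": "2008-08-20 22:14:05",
    "C:/Users/suspect/Downloads/archive2.zip": "2008-08-20 22:16:40",
    "C:/Users/suspect/Documents/notes.txt": "2008-08-22 10:00:00",
}
TROJAN_INSTALL_TIME = "2008-07-02 19:03:11"  # constructed: creation time of the trojan binary
TROJAN_LISTEN_PORT = 31337                    # constructed placeholder port

# Constructed firewall log: inbound connections to the suspect's host (192.0.2.10).
FIREWALL_LOG = """\
2008-08-20 21:58:10 ALLOW TCP 203.0.113.7:51020 -> 192.0.2.10:31337
2008-08-20 22:30:02 CLOSE TCP 203.0.113.7:51020 -> 192.0.2.10:31337
2008-08-21 03:12:44 ALLOW TCP 198.51.100.9:40211 -> 192.0.2.10:31337
2008-08-21 03:13:01 CLOSE TCP 198.51.100.9:40211 -> 192.0.2.10:31337
2008-08-21 09:00:00 ALLOW TCP 198.51.100.9:40300 -> 192.0.2.10:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>ALLOW|CLOSE) TCP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)


def parse_sessions(log_text, listen_port):
    """Pair ALLOW/CLOSE lines for inbound connections to listen_port.

    Returns a list of (source_ip, start, end); end is None when no CLOSE line
    was seen, i.e. the session is treated as still open at the end of the log.
    """
    open_conns = {}
    sessions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m["dport"]) != listen_port:
            continue  # unrelated traffic or an unparseable line
        key = (m["src"], m["sport"])
        ts = datetime.strptime(m["ts"], TS)
        if m["action"] == "ALLOW":
            open_conns[key] = ts
        elif key in open_conns:
            sessions.append((m["src"], open_conns.pop(key), ts))
    for (src, _), start in open_conns.items():
        sessions.append((src, start, None))
    return sessions


def assess(contested_files, trojan_install_time, sessions):
    """Map each contested file to the remote sessions active when it was created."""
    install = datetime.strptime(trojan_install_time, TS)
    in_window, unexplained = {}, []
    for path, created in contested_files.items():
        t = datetime.strptime(created, TS)
        sources = sorted({src for src, start, end in sessions
                          if start <= t and (end is None or t <= end)})
        if sources:
            in_window[path] = sources
        else:
            unexplained.append(path)
    earliest = min(datetime.strptime(c, TS) for c in contested_files.values())
    return {
        # the deniability argument needs the trojan to be older than the data
        "trojan_predates_files": install < earliest,
        # files created while someone was connected to the trojan's port
        "files_in_remote_window": in_window,
        # files with no remote session to point at
        "unexplained_files": sorted(unexplained),
    }


if __name__ == "__main__":
    result = assess(CONTESTED_FILES, TROJAN_INSTALL_TIME,
                    parse_sessions(FIREWALL_LOG, TROJAN_LISTEN_PORT))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Note what the result does and does not tell you. A file created inside a remote session is consistent with the remote party having put it there, which is exactly the deniability the post describes; a file created with no session at all (notes.txt in the constructed data) is the kind of evidence that weakens that story. Neither outcome identifies who was at the keyboard, which is why the correlation is a starting point for further collection rather than a conclusion.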

It seems too easy: I'll keep thinking about that, but any idea is really

August 04, 2008

Understanding High Availability

I've just finished a course on High Availability, more of an overview on different HA technologies on various platforms.
What I have noticed is that it is really, really hard to get people to understand that you cannot plan high availability as a "one night affair". Most organizations have their border routers under VRRP and their Oracle database running on an application cluster, yet they seldom have layer 2 redundancy (the "oh my god, a loop! kill it, kill it!" syndrome) or any redundancy on "less important" systems.

Like an old friend said, "if it's worth having it, it's worth having it all the time". With the new virtualization techniques available there's really no excuse for not achieving HA on most of your infrastructure.

Need an easy-to-manage yet featureful HA firewall? Go for pfSense. Name almost any piece of software and an HA solution exists for it, either for free or for the time it takes you to build it: if it's running on Linux, you have DRBD (150-160Mb on two bonded NICs) and Heartbeat and many others; if it's under Windows, you have tons of choice - not to mention a scheduled VMware Converter run, which may not be HA but is still far more than most organizations actually have.

One of our clients had a hardware failure last Friday, which resulted in a complete halt of business for the weekend. It's hard to tell how much damage was actually done, but does it make any sense to work this way when HA solutions are so cheap?

Yes, you need skills to do HA. But what we don't need anymore in our business is IT people without skills: we already have far too many.

PS: As you might or might not have noticed, this is the first post in a lifetime. Long story short, more posts will come from now on ;)