Tuesday, July 24, 2007

Data and Swarm Theory

One of my favorite Counter-terrorism Blogs, Global Guerrillas, posted a link to National Geographic's Introduction to Swarm Theory awhile back.

The article itself is good and worth reading.

But I also like the idea of someone out there smarter than me applying swarm theory to a HIPS-type product. Dave Aitel wrote of nematodes back in September 2005 and it didn't get a very warm reception. My gut reaction to these various articles is to implement a defensive swarm via a HIPS solution. Various hosts could form a hive, if you will, and touch each other frequently enough to get a group awareness of any threats they are seeing.

Based on the article, the algorithms seem to already exist in at least some form; implementing them as a situationally aware defensive measure could be neat as hell.
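As an added illustration of the hive idea above (not code from the National Geographic article, from Global Guerrillas, or from Aitel's nematode write-up), here is a toy defensive swarm in Python: each host counts what it sees, hosts gossip their per-host counts around a ring, and every member ends up with the same hive-wide view. The host names, source addresses, event types, sample observations and thresholds are all constructed for the example. What it shows that a single HIPS does not is the low-and-slow case: a source that touches each host once is noise to any one host, but the merged view flags it.

```python
"""Toy defensive swarm: hosts share threat sightings by gossip.

Added example; the hive design, host names, addresses and thresholds
are constructed assumptions, not anything from the cited articles.
"""
from collections import defaultdict

# Constructed sample observations: (observing host, source IP, event type).
# 203.0.113.7 touches every host once; 198.51.100.23 hammers one host;
# 192.0.2.9 is a couple of hits on one host and should stay below the radar.
SAMPLE_EVENTS = [
    ("web-01", "203.0.113.7", "ssh_auth_fail"),
    ("web-02", "203.0.113.7", "ssh_auth_fail"),
    ("db-01", "203.0.113.7", "ssh_auth_fail"),
    ("vpn-01", "203.0.113.7", "ssh_auth_fail"),
    *[("vpn-01", "198.51.100.23", "ssh_auth_fail")] * 6,
    ("web-01", "192.0.2.9", "http_scan"),
    ("web-01", "192.0.2.9", "http_scan"),
]


class Host:
    """One hive member: per-host counts for every (source, event) it knows of."""

    def __init__(self, name):
        self.name = name
        # (src, event) -> {reporting host -> count that host has seen}
        self.sightings = defaultdict(lambda: defaultdict(int))

    def observe(self, src, event):
        self.sightings[(src, event)][self.name] += 1

    def gossip_with(self, peer):
        """Exchange state with one peer. The merge is a per-host max, so it is
        idempotent and order-independent: repeated or out-of-order gossip never
        double-counts a sighting."""
        for key in set(self.sightings) | set(peer.sightings):
            mine, theirs = self.sightings[key], peer.sightings[key]
            for host in set(mine) | set(theirs):
                merged = max(mine[host], theirs[host])
                mine[host] = theirs[host] = merged

    def alerts(self, min_hosts=3, min_total=5):
        """Hive-level view: flag a source when enough distinct hosts have seen
        it (invisible to any single host) or when the summed count is large."""
        out = {}
        for key, per_host in self.sightings.items():
            n_hosts = sum(1 for c in per_host.values() if c > 0)
            total = sum(per_host.values())
            if n_hosts >= min_hosts:
                out[key] = "distributed"
            elif total >= min_total:
                out[key] = "volume"
        return out


def gossip_ring(hosts, rounds=None):
    """Deterministic ring gossip: every round each host touches its right-hand
    neighbour. Two passes converge on a ring; len(hosts) rounds is plenty."""
    rounds = rounds or len(hosts)
    for _ in range(rounds):
        for i, host in enumerate(hosts):
            host.gossip_with(hosts[(i + 1) % len(hosts)])


def local_only_alerts(events, min_total=5):
    """What each host would flag on its own, with no hive at all."""
    counts = defaultdict(lambda: defaultdict(int))
    for name, src, event in events:
        counts[name][(src, event)] += 1
    return {name: {k for k, c in keys.items() if c >= min_total}
            for name, keys in counts.items()}


def simulate(events=SAMPLE_EVENTS):
    """Feed observations to hosts, gossip, and return each host's hive view."""
    hosts = {}
    for name, src, event in events:
        hosts.setdefault(name, Host(name)).observe(src, event)
    ring = list(hosts.values())
    gossip_ring(ring)
    return {h.name: h.alerts() for h in ring}


if __name__ == "__main__":
    print("local only:", local_only_alerts(SAMPLE_EVENTS))
    print("hive view: ", simulate())
```

Run it and compare the two printouts: on their own, only vpn-01 flags anything (the volume source), while after gossip every host also flags 203.0.113.7, which no single host had reason to notice. The per-host-max merge is what makes the "touch each other frequently" part safe; hosts can gossip as often as they like without inflating counts.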

I need to know more academic researchers so I can drink beer with them and shower ideas down.

Thursday, July 12, 2007

Ohio Government Laptop Stolen

Saw over on ars that Ohio lost a laptop:
Those who think they might be on the list can perform a search on http://www.ohio.gov/idprotect/ or call 1-800-267-4474 to find out. Less than 60,000 people have yet signed up for the service.

I haven't lived in Ohio for the last seven years but I was on the list. The first time I'm aware that I finally made it on a list.

Threat advantage

The biggest advantage that is often attributed to the threat (aka bad guys) is time. If they have patience then they have all the time in the world to find your weak spots and abuse them.

I think that's changing.

We're obviously no longer dealing with the hobbyist threat. We're dealing with professionals who are in it for the money. Time is indeed money, which I submit makes the average bad guy run his structured attacks about as fast as he can. They spend the majority of their time on the front end and then execute their recon/attack as fast as they can risk.

That doesn't mean that a particular targeted operation does not take time, but it is an interesting item to keep in mind. With that said, I suspect a bigger advantage they have is the playing field. It's too easy to miss a targeted attack, because the signal-to-noise ratio is spectacularly skewed and too hard to make sense of.

Phishing is a key example: Do we have an automated way of seeing a phish vs a targeted phish vs spam vs ham? We're getting there but that is a tall order.