Tuesday, February 19, 2013

CCC: China! C300!! Collaboration!!!

It's seems we should call it Cebruary as everything that happens this month seems like it's C-ish.

[C]hina

China is in the news with the Mandiant APT paper (I am not going to bother linking it, it's everywhere). An interesting read for sure - kudos to everyone involved. We are never keen to pick sides but found the Bloomberg TV spot (on the same topic) that shows Maltego quite interesting. Here's a screen shot and a link:


Somehow related - the gov.cn zone leaked a few weeks ago and we thought it would be interesting to see how these DNS names resolve to IP addresses. From the IP addresses we went to netblocks, from there to country. And that's where we stopped. The most interesting points to note were:

1. There were quite a few DNS names that resolved to internal IP addresses (mostly 10.*, but some 172.16s as well). Before you freak out - no - we're not showing the DNS names corresponding to these blocks. You can go do that yourself. And yes, these could be the same as your grandma's internal IP range at home.


2. Almost all of the infrastructure is located in China (no surprise), but there were two or three IPs in the US (surprise). Initially we thought that was a bug in the IP2Location transform. So we checked it by hand. Sure enough - it's in the US.

Of course this is where we stopped because we are civilized, suit-wearing responsible adults. But someone (you know who you are) did not. They proceeded to nmap all of these in Maltego. And then mailed us the graph (while it's interesting, we did not ask for this). It even prompted Roelof to Tweet the following:


Of course the graph is interesting. It shows that, if you were to do a conventional infrastructure over-the-Internet attack [that's like...so 90s - Ed], it looks like there's a nice cosy attack surface  [it's a giant honeypot - Ed]. In the graph below we ONLY look at port 23 (telnet) and 22 (SSH):


Why is this picture so blurry? Ag no man - don't be silly! We're pretty sure the Americans/pick a 1st world country are not sitting on their hands either and have pictures just like this on their pretty 4K projectors. In fact - we would just love to see the (translated!) Chinese intelligence reports on US based attacks...

[C]anon [C]300

Canon South Africa was nice enough to let us use their spare C300 for a week. A week! It meant we had to do a lot of videos in a short space of time. We ended up doing three. One we are keeping for the BlackHat CFP prize. The other two we put out on the Interwebs. The first one is just a recap of navigation in Maltego. We did this as our nerves were getting pretty thin with people navigating Maltego with scroll bars. The video was shot at a dairy that's across the street from our office (no really). What made the video really interesting was the fact that a black swan chased Andrew around. Here is a still of Andrew gracefully defending himself with a metal table. For more - click on the video below:


The second video was a lot more serious. Andrew wore a suit. OK, he didn't but the video was a lot darker and moody. We looked at how you could use Maltego with Machines that run perpetually to create a type of intelligence dashboard. Furthermore we showed how you can easily create alerts in Maltego - in our case when two people phoned that same 3rd party. Here's a still from the video:


Why does Andrew start with 'Hi James'? It's a tricky question. Ask him next time you see him. It's a nice video and although we released it on a Friday afternoon we almost have a thousand views on it today.

Thanks to Canon for letting us use their C300! Now we just need to convince the guys at RED to do the same...

[C]ollaboration

Last Friday we went to the developer's cave to get a demo of collaboration. It's VERY freaky to see how a Maltego graph updates on a untouched computer. It's also quite fabulous and it's going to change everything. Oh, and we also support real time chat right inside the client. Best part - NO SERVER required. Unless of course you're paranoid and don't believe us that the messages are 256 bit AES encrypted with an user chosen passphrase. Then you are welcome to buy your own comms server.

As soon as we have something that is barely stable we'll show you. It's SOOOO cool!! [OK we can all see you're really excited about it, but please contain yourself - Ed]

[C]heers!
 RT




No comments:

Post a Comment