Looking at a picture of my mother lying in her hospital chair taking her chemo medication makes me think about cyber. Our bodies are a network of connected computers. Blood and lymph are the communication channels that relay information between these computers. The mainframe, of course, is your brain, which is another highly connected network of computers.

When cancer invades, it starts by infiltrating a system. The system is usually homomorphic, which makes it easier for the cancer (cyber infiltrator) to gain its foothold. Sometimes the infiltrator moves fast and runs through multiple systems wreaking havoc. Yet there are those infiltrators who move slowly, learning each system as they work their way through the whole network. Non-Hodgkin's lymphoma is that slow hacker. That's what my mother has. She's had this for a very long time. Mostly ignored by her "doctors" 8, 12, maybe 30 years ago; finally they see the infiltration and recognize the need to respond.

Once the cancer becomes apparent, like the infiltrator, we struggle to figure out where it started. That's where we need to address the treatment; otherwise we just move it around. That sounds exactly like the cat-and-mouse chase of counter-infiltration. How do we backtrack?

None of the medical "doctors" who work on my mother are savvy enough to even think about this concept. They are mostly preoccupied with billing Medicare and collecting their fee for their time. The nurses care, but they're so overwhelmed (like those network techs) that they don't have time to think deeply. Who can stomach a deep dive on the root cause when your system is about to suffer a catastrophic failure, right? Dead humans make for bad test subjects.

Let's work backwards from the visible evidence of infiltration. We see the "cancer" tumor, which is the equivalent of a malware drop or data erase, or even a damn DNS exfil like the Cisco guy described. How did the infiltrator get into that zone? We look at the path you would take, follow the network, the connected lymph tissue, and where it could stage. Look for a similar exploit in that staging area and then, again, backtrack. Like a worthy infiltrator, you eventually find rings of exploit that lead back to themselves. That's the frustrating part, and it's the part where most just stop looking. There's always a trail, often some escape that transcends the homomorphic nature of the system.

So you jump across system barriers too. Instead of staying on the Windows system, you look into the Linux network that has a physical separation (maybe it was your IB HPC network). This is akin to looking into the circulatory system (blood) where it intersects with the lymphatic system, i.e. the liver. The liver would be another computing system with an embedded switch. You look for signs of collateral infiltration, for instance signs of renal cancer (she had that a few years ago).

In all of this backtracking you keep looking for the infiltrator. There is a fingerprint out there; there is always a fingerprint. No matter if it's cancer or a hacker, each infiltrator leaves its mark where it started. Not even the most fantastic NSA red team hacker is immune to leaving a trace. Not every trace is measured in the system they infiltrate.

I am a firm believer that most cancers are the result of a viral infection that goes unstopped by the immune system. Sometimes that IPS doesn't know how to handle the foreign "zero day" known as cancer. Maybe one day I will be able to reconnect with Travis, the virology cohort I knew during my SERS experience.

Until then, somebody still needs to collect on the $100 challenge. How many neutrons does it take to make a black hole? My hundo awaits...
