SOI Lite
I've been toying around with creating an open source version of Sphere of Influence for some time now. The only real barrier that stops SOI from being open source is that our database from MaxMind has to be licensed for commercial redistribution. I'm in talks with them right now and probably will go with one suggestion. That is to have an open source version (using GeoLite from MaxMind) which will be recompiled by me each month so the .exe will have that month's latest MaxMind database, and also to have a "professional" version. The professional version will ship with GeoLite but have a link for users to upgrade to GeoIP (MaxMind's commercial dataset). The professional version will also contain a new idea I have for a communication system for security analysts.
The BASIC (stress basic...I'm going to update it...) SOI Lite is available open source on SourceForge under the GPL license at
http://www.sourceforge.com/projects/soilite
The idea is that we can all communicate any scans/activity via TARs (Tactical Awareness Reports)...we can feed our TARs into a centralized database, anonymously if needed, and can take a feed from that database and populate our own SOI via an encrypted RSS feed that is dynamically built from our requirements (filters). We can upload images or any other data to support our findings in our TAR. I like this idea a lot....
Professional versions will, as always, be available to edus, government agencies, etc. for free.
I was watching CNN's report of the cyberwarfare scenario....a piece of malware infected phones, that started to download videos from a Russian web server....it clogged the network and ground humanity to a halt. Interesting but not really fatal, I thought...a simple outbound ACL would have blocked it (unless they used a FQDN rather than an IP..but still, even the malware would have been easy to spot, as they didn't mention the worm was polymorphic..)
AND of course using SOI...it would have been easy to spot....your entire phone network tracking off to Russia...would be a nice visual.
So although attackers use our differences against us, we can use this knowledge to spot them. After all, they know it's pretty hard for me to call up a Chinese ISP to tell them they have been conducting a scan against me for 2 days. The Chinese machine may not even be the people responsible for the attack; they are being used because the attackers know that it will be harder to trace an attack coming from China (language barrier, political differences, expertise level, etc.). But although they may not be the source of the attack, the fact that they are coming from outside my sphere of influence makes them easier to spot. If the attacker moves to hide from this fact, they will be moving to a country where I may be able to track them better.
The example is that if I'm a health company in the US, I see scans from China. Now I block China. The attacker has to move to another country. Maybe they try and hide inside our sphere of influence. But if the attack is spotted, not only can I possibly mitigate it, but now I can liaise with law enforcement to get the real attackers.
That is what I like about SOI.....its simple...
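The "outside my sphere of influence" check described above, as an added Python example that is not part of SOI or this post: source IPs from constructed log lines are mapped to countries through a constructed stand-in table (the real tool uses MaxMind GeoLite/GeoIP), and anything outside the configured sphere is reported with how many ports it touched and over how many days, so a two-day scan stands out.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed stand-in for a GeoLite-style country table. These are
# hypothetical ranges, not real allocations; a real SOI would use MaxMind.
GEO_TABLE = [
    (ipaddress.ip_network("10.1.0.0/16"), "US"),
    (ipaddress.ip_network("10.2.0.0/16"), "CA"),
    (ipaddress.ip_network("10.3.0.0/16"), "CN"),
    (ipaddress.ip_network("10.4.0.0/16"), "RU"),
]

# Countries this (hypothetical US health company) can realistically deal with.
SPHERE_OF_INFLUENCE = {"US", "CA"}

def country_of(ip):
    """Return the two-letter country code for ip, or '??' if unmapped."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return "??"

def parse_line(line):
    """Constructed log format: '<ISO timestamp> <src_ip> <dst_port>'."""
    ts, src, port = line.split()
    return datetime.fromisoformat(ts), src, int(port)

def outside_sphere_report(lines, sphere=SPHERE_OF_INFLUENCE):
    """Map src_ip -> (country, distinct ports touched, distinct active days)
    for every source that geolocates outside the sphere of influence."""
    seen = defaultdict(lambda: {"cc": None, "ports": set(), "days": set()})
    for line in lines:
        ts, src, port = parse_line(line)
        cc = country_of(src)
        if cc in sphere:
            continue  # inside the sphere: nothing to flag here
        rec = seen[src]
        rec["cc"] = cc
        rec["ports"].add(port)
        rec["days"].add(ts.date())
    return {s: (r["cc"], len(r["ports"]), len(r["days"])) for s, r in seen.items()}

SAMPLE_LOG = [  # constructed sample firewall hits
    "2009-01-01T10:00:00 10.1.5.5 443",
    "2009-01-01T10:01:00 10.3.9.9 22",
    "2009-01-01T10:01:01 10.3.9.9 23",
    "2009-01-02T11:00:00 10.3.9.9 3389",
    "2009-01-02T12:00:00 10.4.1.1 80",
]
```

Feeding SAMPLE_LOG to outside_sphere_report flags 10.3.9.9 (CN, 3 ports over 2 days) and 10.4.1.1 (RU, 1 port over 1 day) while the US source is ignored.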