Wednesday, February 28, 2007

Social Engineering the Old Media

While the Rules of the Thirds are partly in place, the floating fragnance and his depressed look provide some clues. The story is very interesting though as it has happened before. As Tim Nudd comments on Adfreak :

"In Switzerland, it doesn’t take much to be in a Gucci ad campaign. You photograph yourself naked, add a perfume bottle and the Gucci logo, send it to a weekly paper, and have them bill Gucci directly for the $50,000. They’ll fall for it every time."

How it could have been prevented? Coordinating the campaign with local Gucci representatives, ensuring payment is processed before the ad is featured, or let's just say look at his face to figure out he's anything but a professional model.

Storm Worm Switching Propagation Vectors

The storm started with mass mailings, then the malware switched to IM propagation, and now the infected PCs are further spreading through blog and forum posts :

"But the twist comes when these people later post blogs or bulletin board notices. The software will insert into each of their postings a link to a malicious Web site, said Alperovitch, who rates the threat as "high."We haven't seen the Web channel used before," he said. "In the past, we've seen malicious links distributed to people in a user's address book and made to look like it's an instant message coming from them."

The smart thing is that compared to situations where malware authors have to figure how to bypass the forum's CAPTCHA or mass spam and generate new blogs, in this case the (infected) end user is authenticating both himself and the malware. Here are some malware stats on social networking sites worth going through as well.

UPDATE: Symantec has a nice analysis with some screenshots of this variant.

Tuesday, February 27, 2007

Credit Card Data Cloning Tactic

First of all, she's too cute for someone to even have the slightest suspicion, and to be honest the posers paying their coffee with a credit card deserve it -- it leaves them without the opportunity to leave a change at least that's what they've thought.

XSS Vulnerabilities in E-banking Sites

The other day I came across to this summary with direct examples of various XSS vulnerabilities at E-banking sites, and I wonder why the results still haven't gotten the necessary attention from the affected parties :

"First of all you should realize, that this is not the first time, that we are doing such a website. The last time we hit a vast number of sites, mostly german banks. We have shown, that those sites, that should be most secure are not! Many visitors saw the site and also the banks seemed quite upset, nevertheless they fixed the problems, that we pointed at. You can check out the archive at: [English version] and [German version]. This project has been done as a direct reaction to the poll done in austria not long ago and which was reported at [this article] from Heise. For the english readers of you, this article basically says, that 9 of 10 people using online banking in austria trust the security, that their banks offer."

The best phishing attack at least from a technical perspective is the one that's using a vulnerability in the targeted's brand site to further improve its truthfulness, and believe it or not, certain phishing attacks are actually loading images directly from the victim's sites instead of coming up with the phish creative on their own.

Fake Terror SMS Sent to 10,000 People

This is serious, and while it was a hoax, it could have had much more devastating results acting as a propagation vector for malware, a phishing attack as the social engineering potential here for anything offline or online is huge :

"About 10,000 commuters who subscribe to the train operator's timetable messaging service received the threatening text message on Friday night after hackers broke into the system. The message, sent after 9.30pm (AEDT), reads: ALLAHU AKBR FROM CONNEX! our inspectorS Love Killing people - if you see one coming, run. Want to bomb a train? they will gladly help. See you in hell!"

ALLAHU AKBR means "God is the Greatest". Now which God is the greatest I'll leave up to your religious beliefs, though the Muslim motives are spooky and the attack directly undermines the citizens' confidence in their government's ability to protect them -- what I anticipate next are articles on how terrorists take control over the trains. I'm very interested in who's having acccess to the company's feature, and most importantly to what extend are they outsourcing, or was it an insider that used someone else's terminal to send the message? Here's a related post on the interest of various governments into developing an SMS disaster alert and warning systems and the related security/impersonation problems to consider.

Friday, February 23, 2007

A Review of SiteAdvisor Pro

During 2006, the company popped out like a mushroom in front of my desktop as you can read in a previous post, and on its acquisition two months later. In the typical detailed and extensive CNET Reviews style, here's what they have to say about SiteAdvisor Plus :

"SiteAdvisor Plus includes the ability to report suspicious links within IM and e-mail and can automatically block access to flagged sites. However, SiteAdvisor Plus lacks additional configuration options and doesn't work with Firefox or Opera, or with branded browsers from AOL and other services. In addition, the paid version on Internet Explorer appears to conflict with the free version installed on Firefox. Overall, we experienced greater flexibility and fewer hassles when using the free Netcraft toolbar, and we also liked the proactive nature of Linkscanner Pro better."

The niche filling competition is also reviewed, namely LinkScanner Pro. Niche filling in respect to the real-time sandboxing of results, a concept I'm sure is on its way at SiteAdvisor, or else the community has a lot to contribute as always. SiteAdvisor are however truly embracing a Web 2.0 business model on all fronts, and it's perhaps my favorite case study on commercializing an academic idea during the last year.

Characteristics of Islamist Websites

Excellent and recent analysis of the most common characteristics of islamist websites published by the Middle East Media Research Institute :

"The media platform favored by the Islamist organizations is the Internet, which they prefer for several reasons: firstly, for the anonymity it allows - anyone can enter and post to a site without divulging personal information; secondly, due to the medium's availability and low cost - all that is required is a PC and an Internet connection; and thirdly, due to the ability to distribute material to a great number of people over a wide geographic area in a matter of seconds.

The organizations use the Internet mainly for propaganda and indoctrination, but also for operational military needs.

This paper will discuss the distinguishing characteristics of the websites of Islamist organizations and their supporters; the various online activities through which terrorist organizations assist the mujahideen on the ground, both militarily and, especially, with propaganda; and the Internet polemics that these organizations conduct vis-à-vis their enemies."

The majority of articles you've probably read are doing nothing more than scratching the surface of the topic. Fundraising, propaganda, communications within steganographic images and the use of plain simple encryption, or the thriller type of scenarious where entire food supply chains get remotely controlled or where your next dose of Prozac may be a little bit more dangerous than it actually is, of course because terrorists may have the capacity to do so. In the post 9/11 world terrorist experts started emerging from all over the globe, universities realizied the potential and opened up educational courses, even degrees, security companies started pitching their offers with cyberterrorism in mind, and last but not least the mainstream media doesn't seem to stop piggybacking on historical events while actually doing terrorists the biggest marketing favour of them all - the media echo effect. Someone blows him or herself up in the Western world, and everyone forgets about all those little things people die from if you are to go through you local statistical institute and see the death rates, but starts requesting more information on what is your government doing to prevent this from happening. But compared to the same situation in the Middle East - it's part of the daily life, nothing ground-breaking besides a bunch of low lifes radicalizing online, looking for masters of brainwashing mentors, and most importantly looking for a mighty excuse for their pathetic existence. A terrorist organization uploads a video of shooting a soldier or anything that will shock someone's who's still getting shocked by the The Texas Chainsaw Massacre -- boring try the Evil Dead series -- and people become so outraged and get this feeling of being helpness in the situation that fear compared to reality drives the entire model of terrorism.

Terrorism is successful as both, a government's doctrine for re-election, and as a term mainly because it's a very open topic term these days. In some countries glorifying terrorism is illegal, but if you let you government convince you that it's not terrorizing you to protect you from an event that from a statistical point of view doesn't happen that very often, I think I will lose you as a reader of this blog. The world is losing the war on terrorism because it's rational, and terrorists aren't rational. In the very same fashion that companies don't compete with companies but with networks, a network that's anything but irrational isn't going to be beated by a network that's too bureaucratic and still waging departamental wars.

Go through many of my previous posts on cyberterrorism, a relevant collection of cases, and through the research which as a matter of fact is full with practical examples of various sites.

The RootLauncher Kit

After providing more insights on the WebAttacker Toolkit and the Nuclear Grabber, in this post I'll discuss the RootLauncher, a release courtesy of the same group behind WebAttacker. Something else worth mentioning is that a large percentage of the sites I'm monitoring are starting to use authentication, and on a trust-basis login access, perhaps it's due to the enormous coverage recent "underground" releases, namely phishing kits etc. got in the mainstream media. Therefore I'm doing my best to get as much information -- and screenshots -- before it dissapears and will blog on these releases as soon as my schedule allows me to. For instance, several months ago you could easily see over 50 publicly available control panels for the WebAttacker toolkit, now there're only several available through Google. The same goes for RootLauncher.

The RootLauncher kit is advertised -- Rusian to English automatic translation -- as follows :

"Just, we can offer you 3-version - D o w n l o a d e r-designed RootLauncher for the hidden load arbitrary WIN32 Exe-faila from a remote resource, followed by the launch of the file on the local hard disk. Obhodit all protection is not determined by any AV-Do not see fairvollah - Flexible settings - Periodic updates and supplements may download up to five exe files. Our team is not at the same point and develops all bolshe-bolshe for you dear friends services available to them closer you will be able to on our official website. We are also looking for people interested in partnership with us."

And while it's supposed to be nothing more then an average downloader, these "average downloaders" are actually starting to standardize features in respect to statistics and compatibility with other toolkits and malicious software.

In a previous post at WebSense's blog, they came across a web panel showing that the "total number of unique launchers is 155" now count these as infected PCs, but as you can see in the image attached, the sample could be much larger. This one I obtained from the following URL : http://www.inthost7.com/cgi-bin/rleadmin.cgi which is of course down, but was listing 1013 launchers already, here's an analysis of this very same URL.

IP cloaking when browing such sites and forums is important in order for you to remain as anonymous as possible. If you're on a Russian site make sure you're a Russian domain, if you're on a Chinese site make sure you're a Chinese domain, and most importantly don't directly translate through Google or Altavista, but copy and paste what's interesting to you so that you wouldn't let someone wonder why would a Russian domain translates a Russian text to English. Imagine the situation where security vendors browse them through their securityvendor.com subdomains, the results will follow shortly -- everything dissapears.

In respect to the WebAttacker, the kit is still widely used but the people using and updating it are starting to prevent Google from crawling and caching the control panels, which makes it harder to keep track of the sites in an OSINT manner -- my modest honeyfarm keeps me informed on URLs of notice though. Here's one of the very few instances of a Web-Attacker Control Panel still available at Google. Here's an analysis of the source code of the Web-Attacker kit as well -- and I thought I'm going full disclosure. More details on various newly released packers, multi-exploit infection toolkits, and standardized statistics with all the screenshots I've managed to obtain will follow next week.

Taking into consideration the big picture -- like you should -- the release and automation of phishing/exploit kits and lowering the entry barriers for script kiddies to generate enough noise to keep the real puppet masters safe, or at lease secretly pull the strings. I'd rather we operate in the time when launching a phishing attack required much more resources than it requires today.

Thursday, February 22, 2007

Image Blocking in Email Clients and Web Services

Handy graphs and best practices on the state of default remote image loading in desktop and online email clients -- a problematic issue from a security point of view, and a marketing heaven from an advertising perspective :

"Every client has its own default settings regarding displaying/hiding images. And while most email clients have a setting to turn images on or off, some offer conditional settings which are contingent upon known senders or other factors. The following table outlines the default settings of popular desktop- and webmail-clients."

Sometimes a spam email isn't sent with the idea to trick someone believe into something, but to act as a verification of that email's existence in the form of remote image -- web bug -- loading, and yes it could also act as a redirector to pretty much anything malicious. Go through related posts in case you're interested, and also see a common trade-off image spammers face.

Korean Zombies Behind the Root Servers Attack

More details on the recent DDoS attacks on the DNS root servers emerge, seems like the attacks originated from Sourth Korean infected PCs, but were orchestrated from a host server in Coburn, Germany :

"Citing data from the North American Network Operators' Group, the Korean government confirmed 61 percent of the problematic data was traced to South Korea. Yet, the Ministry of Information and Communication flatly rebuffs the suspicion that Korea was the main culprit behind the cyber attacks. ``We learned a host server in Coburg, Germany ordered a flurry of Korean computers to stage DOS assaults on the root servers,'' said Lee Doo-won, a director at the ministry. ``In other words, Korean computers affected by viruses made raids into the root servers as instructed by the German host server. Many of our computers acted like zombies,'' Lee said."

In a spoofable IPv4 Internet packet's authenticity is the most common flaw exploited on the front lines. The article points out that 61% of the problematic data came from South Korea, and it would be logical to conclude the other 39% came from Chinese and U.S based infected PCs, and while we can argue which country has the largest proportion of insecure end users -- or insecure end users with access to huge bandwidth -- that shouldn't be the point, but how ISPs should start considering how to stop the malicious traffic going out of their networks, compared to their current mindset of outside-to-inside network protection.

A battle lost for the botnet masters in their futile attempt to shut down three of the root servers, and a battle won for South Korea as they will definitely take this wake up call seriously. Meanwhile, S. Korea's CERT offers lots of interesting research reports on the local situation, particularly their latest Internet Incident Trend Report.

Graph courtesy of the ANA Spoofer Project.

Wednesday, February 21, 2007

The Phishing Ecosystem

Phishing is the efficient case of online social engineering. With the ease of sending phishing emails thanks to malware infected PCs -- spamonomics 101 -- as well as many other techniques for creating the pages and forwarders phishers use to trick users -- it's indisputable how much more profitable phishing is next to spam.

This is perhaps the most detailed summary of the emerging ecosystem I've read in a while. It walks the reader through the process of acquiring the resources for the attack and tracking down the results and provides overview of how malware authors, phishers and spammers work hand to hand due to the pressure put on their actions by the industry and, of course, the countless third-party researchers. Here's a summary :

"- Get an email list
- Develop the attack
- Locate sites to send phishing emails from
- Locate sites to host the phishing site
- Launch the attack
- Collect results
"

Around the industry, security researchers are again signalling the ongoing use of popular sites such as MySpace for hosting phishing pages, phishers are going Web 2.0 and starting to use Google Maps, and seems like Castle Cops the anti-phishing community witnessed a demonstration of DDoS bandwidth power which is definitely the result of the consolidated anti-phishing initiative that they manage to keep on expanding. Moreover, yet another evidence of the developing ecosystem is the fact that spam and defaced sites aren't what they used to be, namely are turning into malicious attack vectors. Despite that everyone's claiming the commercialization of this entire ecosystem, hacktivism is not dead!

The "best" is yet to come, and let's hope a more suspicious common sense on the users' part too.

Monday, February 19, 2007

Cuba's Internet Dictatorship

And you thought people in China suffer from the lack of free speech expression. Here's the cheap version of the great firewall of China, this time in Cuba :

"Cuba built an Internet search engine that allows users to trawl through speeches by Cuban leader Fidel Castro and other government sites, but does not browse Web pages outside the island. Cubans cannot buy computers and Internet access is limited to state employees, academics and foreigners. Cubans line up for hours to send e-mails on post office terminals that cannot surf the World Wide Web. Passwords are sold on the black market allowing shared Internet use for limited hours, usually at night."

With Fidel Castro now seriously ill, the speeches will sooner or later turn into historical ones, the question is, which think-tank across the world would come closer in its predictions of the situation in a post-Castro Cuba next to reality? On the other hand the U.S is starving Cuba's bandwidth hunger to death, and considering their inability to invest in alternative sources for connectivity, the extend of degrading the quality of their Internet connectivity is almost unbeliavable as :

"Cuba is forced to use a costly satellite channel with only 65 megabytes per second (mbps) for upload and 124 mbps for download, he said."

Even a France Telecom customer that has upgraded service to Fiber@Home will be able to ping-to-death Cuba's entire academic community. And while Cuba recently blamed the CIA for digital espionage, it would take them unnecessary amount of time to download sensitive material remotely given Cuba's bandwidth capacity. Several other interesting events in case you remember were when Kyrgyzstan got cut off from Internet by hacker attack, and when Zimbabwe's Internet was shut down because they forgot the pay their bill. Bandwidth matters, depending on the perspective of course.

The most recent report on Censorship in Cuba is also worth going through :

"To visit websites or check their e-mail, Cubans have to use public access points such as Internet cafes, universities and “Youth computing centers” where it is easier to monitor their activity. Then, the Cuban police has installed software on all computers in Internet cafes and big hotels that triggers an alert message when “subversive” key-words are noticed."

The only way to undermine censorship is to talk about it -- and mock it.

Sunday, February 18, 2007

Profiling Sergey Brin

Great weekend reading :

"Stepping through the sliding glass door into their office is like walking into a playroom for tech-savvy adults. A row of sleek flat-screen monitors lining one wall displays critical information: email, calendars, documents and, naturally, the Google search engine. Assorted green plants and an air purifier keep the oxygen flowing, while medicine balls provide appropriately kinetic seating. Upstairs, a private mezzanine with Astroturf carpeting and an electric massage chair afford Sergey and Larry a comfortable perch from which to entertain visitors and survey the carnival of innovation going on below. And there is ample space for walking around, which is absolutely essential for Sergey, who just can’t seem to sit still."

A story that proves for yet another time that nothing's impossible, the impossible just takes a little while. Here are some photos from Google's NYC headquarters, guess who likes to spoil its employees -- sorry Googlers -- most from all the tech companies these days? Say Google again!

Beyond Traditional Advertising Packages

Differentiate your value proposition or cease to exist. And hey, that's on Madison Avenue :

"As a startup carrier that hadn't yet hired a pilot, Virgin needed more than just slogans and 30-second commercials. That's about when Anomaly, a two-year-old startup, brought a pitch that sounded more like a takeover bid: Carl Johnson, Anomaly's 48-year-old co-founder, hauled out plans to design the interiors of Virgin's new A320s, fashion the flight attendants' uniforms, and create the content for a pay-per-view seat-back entertainment system."

You may also find the best and worst Super Bowl -- the U.S ad industry's favorite playground -- ads entertaining. Meanwhile, Pepsi is anticipating the DIY marketing culture and is asking everyone to help them build their next billboard on Times Square. When advertising does its job millions of people keep theirs, isn't it?

My Feed is on Fire, My Feed is on Fire!

I've never had so many people connected to me, perhaps it's the consequence of Feedburner detecting Google Readers as of this week, and yes the quality of the posts themselves. Here's an interesting opinion on the frequency of blog posting, I especially like the author's understanding of the readers' loyalty towards a blog. My ROI is still positive whatsoever -- part two of Forrester's series is also worth the read.

Friday, February 16, 2007

Delicious Information Warfare - Friday 16th

Here are some articles and blog posts worth reading plus the related comments. Previous summaries as well.


Islamic Terrorism from Clearguidance.com to Islamicnetwork.com -- very interesting reading regarding Daniel Joseph Maldonado, and a visionary quote "It takes a community to make a terrorist and it only take a handful of people to build and maintain such communities."

Former DuPont senior scientist pleads to corporate espionage -- fresh case of corporate espionage. As always I find it a totally biased opinion with companies falling in love with their trade secrets, even coming up with numbers as high as $400M

Information warfare, psyops, and the power of myth -- decent article on the topics in today's world of war on ideologies

Glitches plague NSA's effort to track terrorists online -- Tracking terrorists online courtesy of the NSA's Turbulence program is a another $500M failure to understand the dynamics of cyberterrorism. Thankfully, there're third-party organization the NSA is definitely listening to and obtaining its intelligence giving the lack of ethnical diversity in the U.S intelligence community, one that is crucial nowadays. The cuttest quote of the day "Inside the agency, Turbulence's sensitive activities are sequestered behind passwords known to few."

Panda Software Releases Malware Radar, the First Automated Malware Audit Service -- not necessarily the first as pretty much all vendors offer online malware scan, but it's a product line extension based on recent licensing deals of Panda with other vendors

Hackers target the home front -- great example of targeted email attacks, makes you wonder two things - what's the chance the attacks aren't really systematic but basically rather regular malware infection attempts, or the emails of top management or anyone @bank.com have been available to attackers wanting to take advantage of the insecurities of their home PCs

Turkish hacker strikes Down Under -- Why shared hosting is unserious from a security point of view

'Storm' Worm Touches Down on IM -- Storm Worm piece of malware switching vectors, interesting, but a fact demonstrating the novice experience of the malware author, as if it were an experienced one, the feature would have been build in the very first releases compared to mass mailings only

Top 10 Disrupters of 2006 -- catchy slide show and here's the full story

Russia's Ivanov slams U.S. missile shield plans in Europe -- the proposed U.S missile shield in Eastern Europe would give Russia the excuse to do something naughty like this

Cyber officials: Chinese hackers attack 'anything and everything' -- Chinese script kiddies generating noise so that the advanced and government backed espionage attempts remain to be sorted through the noise - predictable pattern

Cuban Information Minister Blasts US Digital Espionage -- Cuba to the U.S - Stop using OSINT and data aggregation techniques against us, as you see, we don't know how to Google

The Next Big Ad Medium: Podcasts -- unless measurability improves it's all shooting into the dark for advertisers, and ad budget allocation dream come true for publishers

How to Stalk Your Family -- start by self-regulation, everyone?

Text of Email to all Yahoos -- Yahoo's CFO to all Yahoos, now if an average Yahoo is able to understand the corporate talk I'll bring the beer

Google Agrees to Buy Adscape -- Google's getting into the emerging in-game advertising market. Would a gaming company find that the lack of ads in its game can turn into a competitive advantage in the long-term?

Yahoo co-founder Jerry Yang to donate $75 million to Stanford -- never forget who you are and where you came from. Jerry Yang is donating $75M to Stanford University which as a matter of fact is largely financed by ex-disruptors, and yes tuition fees. They even hold quite some Google shares

Terrorism and Encryption

Jihadist themed encryption tool -- using "infidel" algorithms :


"The program`s `portability` as an application (not requiring installation on a personal computer) will become an increasingly desirable feature, especially considering the high use of Internet cafe worldwide by pro-terrorist Islamic extremists,' said iDefense Middle East analyst Andretta Summerville. 'Mujahedin Secrets,' which can be downloaded for free, offers 'the five best encryption algorithms, with symmetrical encryption keys (256 bit), asymmetrical encryption keys (2048 bit) and data compression,' according to a translation of a Global Islamic Media Front`s announcement about the software on Jan. 1, provided by Middle East Media Research Institute."

I've previously covered in-depth the topic of steganography and terrorism, and provided an example while assessing the threat -- and hype -- level of the Technical Mujahid. Terrorists have this problem with the infidels, pretty much everything they use starting from the Internet and their cellphone, even software running on a computer is "Made in InfidelLand". So I presume someone's not really comfortable with even encrypting their data with a U.S made PGP software, so re-branding and adding a Jihadist theme seems to be the solution at least when PSYOPS count. More info on the topic.

Thursday, February 15, 2007

The Electronic Frontier Foundation in Europe

Couldn't get any better :


"The Electronic Frontier Foundation (EFF) opened a new office in Brussels today to work with various institutions of the European Union (EU) on innovation and digital rights, acting as a watchdog for the public interest in intellectual property and civil liberties policy initiatives that impact the European digital environment. The new EFF Europe office, made possible by the generous support of the Open Society Institute and Mr. Mark Shuttleworth of the Shuttleworth Foundation, will allow EFF to have an increased focus on the development of EU law. EFF also plans to expand its efforts in European digital activism and looks forward to working with many groups and organizations to fight effectively for consumers' and technologists' interests."

Finally EDRI got some serious back-up on the frontlines.

RFID Tracking Miniaturization

First it was RFID tracking ink, now with the introduction of the new generation Hitachi mu-chips, miniaturization proves for yet another time it has huge privacy implications :


"On February 13, Hitachi unveiled a tiny, new “powder” type RFID chip measuring 0.05 x 0.05 mm — the smallest yet — which they aim to begin marketing in 2 to 3 years. By relying on semiconductor miniaturization technology and using electron beams to write data on the chip substrates, Hitachi was able to create RFID chips 64 times smaller than their currently available 0.4 x 0.4 mm mu-chips. Like mu-chips, which have been used as an anti-counterfeit measure in admission tickets, the new chips have a 128-bit ROM for storing a unique 38-digit ID number."
I will spare you the acronym as I'm sure you know which intelligence agency is sitting on the world's largest budget, but just a wake up call that all technologies that are just getting commercialized or a first mention in the mainstream media have already been developed, even abondoned for more advanced alternatives by this agency years ago -- despite the fact that Hitachi is a Japanese company it's an U.S agency I'm talking about. OSI are definitely remembering the old school days now. Picture courtesy of Hitachi comparing the chip's size next to a grain of rice.
UPDATE: Slashdot picked up the story.

Wednesday, February 14, 2007

Censorship in China - An Open Letter

An open letter to Google's Founders regarding the censorship of search results in China :

"During the National Day holiday week in 2002, when Google.com was blocked in China for the first time, Chinese Google users made an online protest spontaneously. They appealed to free the purer search engine wave by wave. Its seemed its also the first time grassroots power was demonstrated in China on Internet. You can imagine how eager they are to have a complete Internet instead of a shrunken one. At last, people won, Google backed. However, after 4 years, we started to question whether we should continue to support Google. Many users here were disappointed when they found Google.cn filtered many keywords. The compromise remarks by you in Davos made us more frustrated. Seems you are adopting self-censorship which hurts those loyal users a lot which also devalue your motto of "non-evil"."

Issues to keep in mind:
- Yahoo and Microsoft are doing it too in order to continue their business operations in China
- Google is alerting the searcher that the results are filtered because the ghost of Mao is alive and kicking and said so
- Google's losing market share in China's search market next to Sina.com due to censorship concerns, while local users are forgetting that Sina.com too is censoring the results, even worse, not even crawling as deep as Google is in respect to the quality of search results
- U.S Congressman Chris Smith has the issue on his agenda
- Technology companies are seeking government assistance on how to stop the ongoing censorship themselves
- The complete list of censored search results is worth going through
- Google's and Yahoo's shareholders are fighting back
- The Great Firewall is cracking from within with banned journalists now running the largest blogging network in China

She Loves Me, She Loves Me Not

I'm in love, with myself at the first place, and while Saint Valentine's meant to reboot a relationship so to speak, every day should be a Saint Valentine's day in a relationship. Do you trip on love? Malware authors always do around the 14th of February.


Quote of the day - No promises, no demands, love is a battlefield -- or drug like addiction? Via Tech_Space.

Tuesday, February 13, 2007

Emerging DDoS Attack Trends

In a previous post I emphasized on the long-term trend of how DoS attacks have the potential to cause as much damage as a full-scale DDoS attack, and increase their chance of not getting detected while require less resources. Looks like Prolexic Technologies are thinking in the same direction and warning that :

"IT security bosses will have to be increasingly vigilant in 2007 as criminals exploit new ways of ensuring distributed denial of service (DDOS) attacks cause the maximum damage and circumvent filtering technology, according to DDOS protection specialist Prolexic.While there will continue to be large-scale consumption-based attacks this year, attackers have learned that smaller, customised attacks tailored to web servers' application logic can have similar effects but require smaller botnets to generate, according to Prolexic president Keith Laslop."The requests will bring your CPU usage up to 100 percent by doing things like registering as a new customer" he said. "There is a slow frequency of requests so it will not trigger third-party [detection] technology, and intrusion-detection systems are not designed to notice these attacks."

Attacks like these while not conducted by malicious parties, are already happening at Britain's Prime Minister web site, though these should have been anticipated earlier.

As always, assessing risk as if you are a part of a red team provides the best security for your network. Think malicious attackers. If they're able to fingerprint the software running on your boxes and get under the skin of your web applications, a surgical and specifically crafted DoS attack would not only require less resources compared to a DDoS one, but would also make it a little bit harded for incident forensic investigator to react in a timely manner. So while you're preparing for a constant Gbytes stream, attackers will shift tactics.

Here's more info on the recent -- totally futile -- attempt to attack the root domain servers.

Gender Based Censorship in the News Media

Great perspective. The author Dr. Agnes Callamard even got the data to prove it. Limiting the freedom of expression for the sake of securing political or economic investments - so realistic. When it comes to gender based censorship, things have greatly changed during the last decade if you keep an eye on Fortune's Most Powerful Women stats. Sexism is so old-fashioned, and diversity among top management has been taking place for a while, moreover, professional oriented women next to the family oriented ones are increasing -- my type -- but then again if all men are alike, and all women too, look for the exceptions. And by the way, since when does age became a benchmark for a quality point of view or a criteria for knowledge, stereotypes keep you -- the baby boomers -- blindly protected, now aren't they? Trouble is, some evolve faster then you'll ever do, because you are your own benchmark in times when opinionated self-starters make an impact on a daily basis. Success is a state of mind, gender doesn't matter and never did :

"In particular, the results of the GMMP 2005 show and ARTICLE 19’s own work confirms that censorship can be the handmaiden of gender-based power, discrimination and inequality and further, that this type of censorship may be exercised via and by the media. This gender-based censorship is comprised of dynamics that are both systematic and selective in nature, explicit and implicit by expression, intentional and unintentional in outcome and both deliberate and thoughtless in impact. It expresses itself in many shapes, colours, and voices. But ultimately, like all other forms of censorship, it alters reality, dis-empowers, controls, renders invisible, and silences."

I'm still sticking to my point that if girls/women didn't hate each other so much, or let's say be less jealous of one another they could rule the world -- they do rule the world as a matter of fact, but compared to posers media whoring on a daily basis, I'm convinced they're the true puppet masters behind the curtains, now aren't they? Just a thought.

Forensic Examination of Terrorists' Hard Drives

During the last year I presented my point of view on the topic in numerous posts, in order to debunk the common misunderstanding of Cyberterrorism as an offensive concept. And while real-time cyber intelligence can save lifes, a historical forensic examination like the this one may act as a case study to further model the behaviour of a terrorists before they strike. Here's a list worth looking up at Archive.org, courtesy of the now deceased Madrid bomber Jamal Ahmidan :


"The below is a list of web sites found to have been visited by Ahmidan or accomplices. The list is not inclusive, but merely represents those sites in the indictment the names of which the author recognized based on close to five years of routine monitoring of jihadist activity online. Quite a few of these sites were likely to have been "under surveillance" during the time when Ahmidan and/or his associates accessed them. Had their IP addresses been reported to Spanish authorities at the time these sites were accessed, and had the authorities in Spain then followed up on such reports, it is entirely reasonable to expect that the Madrid bombing of 11 March 2004 could have been prevented."

Cyberterrorism is so not overhyped, it's just a concept discussed from the wrong angle and that's the myth of terrorists using electronic means for killing people. A terrorists' training camp is considered a military target since it provides them the playground to develop their abilities. Sooner or later, it will feel the heat and dissapear from the face of the Earth, they know it, but don't care mainly because they've already produced and are distributing Spetsnaz type of video training sessions. So abusing information or the information medium itself is much more powerful from their perspective then destroying their means for communication, spread propaganda, and obviously recruit. Real-time open source intelligence and accurate risk assessment of specific situations to prioritize the upcoming threat given the growing Jihadist web, is what should get more attention compared to data retention and data mining.

Meanwhile, in the real world, events across the globe are sometimes reaching the parody stage. Know your enemy, and don't underestimate his motivation.

Monday, February 12, 2007

Overachieving Technology Companies

Great dataset by Forbes - The 25 Fastest-Growing Tech Companies :

"Our selection process: We require at least $25 million in sales, 10% annual sales growth for five consecutive years, profitability over the past 12 months and 10% estimated annual profit growth for the next three to five years. We exclude firms with significant legal problems or other open-ended liabilities and also consider accounting and corporate governance scores from Audit Integrity of Los Angeles in making our final cuts."

Growth has many dimensions, and with any market's cyclical pattern it's important to assess the potential for sustainable long-term growth based on easy to influence market factors, as the balance of power in the tech market can sometimes change very quickly. Being a pioneer doesn't always count as the best alternative, and it's the companies able to differentiate among fads and emerging trends, the ones worth assessing. Diversification in market sectors with higher liquidity such as anti virus and perimeter defense, or making a long-term investment, that is positioning yourself as the default destination for a need that's only emerging for the time being remain rather popular -- and predictable -- strategic business moves. Leadership, vision, and courage matter, but money when it comes to innovation doesn't. Let's discuss several companies worth mentioning whatsoever :

_Google
Don't say cheese, say Google. The company's continuing to please market analysts with steady profits, whose stock ratings bring more investors' cash into the GoogleMachine and with the re-emerging -- this time more mature -- online advertising market bidding for keywords in a world of searching will remain profitable, the question every wonders is - until when? The naysayers, or the ones who couldn't obtain any Google shares constantly talk about several buzz words - decline in online advertising, click fraud, and index poisoning. And despite the fact that Yahoo's web properties may be attracting more traffic than Google's, Google's KISS principle and their vision to set quality search results and up-to-date index of the Web as a core competency in times when the Web is growing faster than ever before, is an incentive for advertisers and users to both trust, and do business with the company. Google may not have a market capitalization as high as Microsoft, but the flow of soft dollars, Google's shares as a fringe benefit and a bargain are winning more respect, attracting quality HR, and if that's not enought, disrupting and making the world a much more transparent place to live in. Now that sounds much better than a company that's always been earning over 50% of its revenues from its oldest products -- that's boring profitability.

_Salesforce.com
The on demand concept in action. Need processing power? Outsource. Need a large snapshot of the Web? Outsource. The very idea of outsourcing a task to someone's that's specializing in the area is a more cost effective way then you'll ever do, is major driving force. Besides all, why create a new CRM system or even advertising system, when there're standardized and already developed and ready to use ones? Salesforce.com is a true case study signalling the trend, and with the company empowering developers to contribute concepts, it's a win-win-win situation for everyone involved. Read more here.

_WebEx Communications
Some Internet services are often taken for granted, and they should be, but the companies that provide these commoditized benefits such as video conferencing, are always in the position to generate steady cash flow. Take WebEx Communications. Video conferencing was supposed to revolutionize the way people communicate and do business. Have you seen a decline in 1st class business travel, or has your company kindly asked you to start video conferencing with potential customers in order to cut costs? Now, who'll do business with a salesforce whose elevator pitch cannot be verified in the elevator in a face-2-face meeting anyway? Trust me, not the type of people you'll feel proud and secure to do business with. It's all about the targeted audience and who'll benefit most from the service in a specific time, and in a specific market cycle. Seems like WebEx are either good at sensing the market, or it's the very nature of the service and the level of brand awareness they've achieved when it comes to online video conferencing.

_Websense
Web filtering was a rather hot market segment couple of years ago when there was much more transparency in the dark corners of the Web. An URL containing information corporate users didn't really needed to be more productive was easy to spot, and the static nature of the Web compared to today's dynamically changing malicious sites was making it easy for the vendor to filter out the bad sites. Real-time evaluation, or sandboxing a site came into play, Web 2.0 "wisdom of crowds" SiteAdvisor started getting acceptance, Scandoo is slowly gaining ground, vendors such as ScanSafe diversifying already. So how is Websense still able to generate such revenue flows? The secret is in their sales force able to not only acquire new customers, but to most importantly retain their major ones, and of course diversification in market sectors such as data theft prevention. And like companies such as Google, Amazon and Ebay, Database as the "Intel Inside" is a major differentiator and can close a lot of deals.

To sum up - don't disrupt in irrelevance.

Thursday, February 08, 2007

Receiving Everyone's Financial Statements

Bank institutions around the world - stay tuned for wannabe identity thieves requesting their statements while hoping you'll forward them everyone else's ones, in between. Smells like an over performing intern to me :

"An Aberdeen woman who asked for her bank statement was sent details of 75,000 other customers. Stephanie McLaughlan, 22, was sent the financial details by Halifax Bank of Scotland (HBOS). She received five packages each containing 500 sheets of 30 customers' names, sort codes and account details. HBOS apologised and said it was carrying out an investigation. The Information Commissioner's Office (ICO) said it would probe the "negligence."

Obviously, you can too play the U.S Department of Treasury requesting financial information from the SWIFT, but in this case - unintentionally.

Automated Detection for Patterns of Insecurities

While there're lots of pros and cons to consider when it comes to automated source code scanning, Fortify's pricey automated source code analysis tool has the potential to prevent the most common vulnerabilities while the software's still in the development phrase. Recently, they've added 34 new categories of vulnerabilities to their product :

"Thanks to this effort, Fortify Software continues to lead the industry by identifying over 150 categories of vulnerabilities in software.
The updated Secure Coding Rulepacks include: * Increased breadth: 34 new distinct vulnerability categories. * Enhanced support for .NET: 24 new vulnerability categories and coverage for five new third-party libraries, including the Microsoft Enterprise Library. * Expanded JSP support: Coverage for popular tag libraries, including JSTL and Apache Struts, for enhanced protection from cross-site scripting and SQL injection attacks. * Detection of persistent Cross-Site Scripting vulnerabilities: Fortify SCA now detects one of the most common and difficult to identify forms of cross-site scripting, which occurs when malicious data from an attacker is stored in a database and later included in dynamic content sent to a victim.
"

But how come small to middle size application vendors aren't really considering the use of such automated scanning tools? Overempowerment and trust in their developers' abilities? Not at all. The problem is the lack of incentives for them to do so, but what they're missing is a flow of soft dollars -- a PR boost -- if they were to communicate the efforts undertaken to ship their products audited, and hopefully, products free of brain-damaging bugs.

In respect to the relatively immature market segment for software auditing, Fortify is perfectly positioned to even start fuzzing applications for their customers enjoying their almost pioneer advantage. Or even better, perhaps their customers should consider the concept for themselves. All rest is the endless full disclosure debate, researchers pushing for accountability, and vendors -- legally -- thinking they're on war with them, fighting back however they can. You may also find a related post on how prevalence of XSS vulnerabilities by Michael Sutton informative, and the following posts worth the read as well.

The bottom line question - Can Source Code Auditing Software Identify Common Vulnerabilities? It sure can, but never let a scanner do a developer's job or forward secure coding practices to a third-party.

Tuesday, February 06, 2007

Interactivity by Default

Proud to be operating in a Web 2.0 world, I'm continuing to integrate features to make the reading of this blog more interactive, less time consuming, and much more easy to navigate. After del.icio.us and TalkR, here comes Snap :


"Snap Preview Anywhere enables anyone visiting your site to get a glimpse of what other sites you're linking to, without having to leave your site. By rolling over any link, the user gets a visual preview of the site without having to go there, thus eliminating wasted "trips" to linked sites."

Enjoy!

Friday, February 02, 2007

Attack of the Biting UAVs

Remotely controlled unmanned aerial vehicles have been shifting usability from defensive(reconnaissance) to offensive(weapons payload) for the last several years. Working prototypes in the shadows of secrecy reaching yet another long-range flight milestone are setting up the foundations for a different kind of warfare. And while the concept has the potential of saving lifes, and of course taking some while protecting the pilot, it will take several more years before fleets of drones are fully capable of integrating their benefits in the NCW field.
Here's an in-depth article on the evolution of UAVs to UCAVS :

"Robotic air vehicles are beginning to replace some of the Air Force’s manned combat aircraft. Soon, they will be handling a major share of the service’s strike mission. The first steps in this transition already have been taken in the field of fighter-class aircraft. Classified projects now in development seem sure to cut into the manned medium and heavy bomber roles, as well. The Predator MQ-1 is leading this transition. A familiar feature of Air Force combat operations for more than a dozen years, the spindly Predator has evolved dramatically. It is no longer simply a loitering “eye in the sky” but rather a versatile weapon system capable of destroying a couple of ground targets on its own or in collaboration with other aircraft. It is in great demand, and the Air Force is acquiring Predators as fast as it can absorb them. Now in early production is a souped-up version of the Predator, the MQ-9 Reaper. Its combat payload—missiles and bombs carried on underwing hardpoints—roughly equals that of an F-16 fighter. In the Reaper, the Air Force has found a craft that truly combines the powers of a potent strike fighter with the capabilities of a reconnaissance drone."

You may also be curious on why the U.S Department of Agriculture is interested in buying some the way I am -- perhaps a sci-fi insects invasion. What would the next logical evolution of UCAVs be? That's UCAVs capable of electronic warfare attacks, and with their flight durability and flexibility of operation, the idea will receive more acceptance as the technology matures. There's also something else to keep in mind, and that's the interest and active research of various terrorist organizations in UAVs. And while they wouldn't sacrifice $7M for a drone, even be able to get hold of one -- unless Iran supplies -- cheap alternatives such as the Spy X plane are already taken into consideration, at least for reconnaissance purposes. Yes they're cheap, and yes they're easy to jam, you can even hear them coming, but the trend is worth mentioning.

Thursday, February 01, 2007

The TalkRization of My Blog

The service is quite intuitive for a free one, and I must say I never actually got the time to run a podcast on my one, so TalkR seems like the perfect choice for those of you -- including me -- who want to listen to my blog posts. Here's the TalkR feed URL for you to syndicate, and several samples :

- Social Engineering and Malware
- The Life of a Security Threat
- Russia's Lawful Interception of Internet Communications
- Foreign Intelligence Services and U.S Technology Espionage
- Technical Analysis of the Skype Trojan
- Old Media VS New Media

By the way, when was the last time you met a girl who speaks stuff like this?

Old Media VS New Media

The never ending war of corporate interests between the old and the new media, seems to be re-emerging on a weekly basis. Obviously, newspapers don't really like Google picking up their content and making money without giving them any commissions -- they don't even have to -- and with more shortsighted local newspaper unions asking Google and Yahoo! to stop doing so, I'm so looking forward for the moment in the near future when we'll be discussing their will to get crawled again. You fear what you don't understand, and the old media doesn't like the way it got re-intermediated, thus losing its overhyped content generation exclusiveness. In a Web 2.0 world, everyone generates content, which later on gets mixed, re-mixed, syndicated and aggregated, what if newspapers really tried to adapt instead of denying the future? And isn't it ironic that the newspapers that want to be removed from any search engine's index, are later on using these search engines while investigating for their stories?

Here's a lengthy comment I recently made on the old media vs the new one.

PR Storm

Great to see that Mike Rothman and Bill Brenner know how to read between the lines. Here's a related point of view on the Storm Worm - Why do users still receive attachments they are not supposed to click on?

Meanwhile, Eric Lubow (Guardian Digital, Linuxsecurity.com) have recently joined the security blogosphere and I'll be keeping an eye on his blog for sure -- hope it's mutual. Two more rather fresh blogs worth reading are ITsecurity.com's one -- how's it going Kev -- and Panda Software's blog. And with PandaLabs now blogging, the number of anti virus vendors without a blog, namely still living in the press release world is getting smaller. I remember the last time I was responsible for writing press releases for a vendor I'd rather not associate myself with, and how Web 1.0 the whole practice was. If you really want to evolve from branding to communicating value, hire a blogger that's anticipating corporate citizenship given he's commissioned, and reboot your PR channels.