
Analysis of the Technical Mujahid - Issue One

An OSINT exercise conducted, a taxpayer's buck saved somewhere.

Last week, the mainstream media was abuzz with the release of the first jihadist e-zine discussing hacking and information hiding, of course in between the lines of radical propaganda, whereas no one but the SITE Institute was providing more information on the exact nature of the articles. So I decided to take a peek at the Technical Mujahid for myself, in order to break through the FUD, or not to see the "threat sliced into pieces" by different news sources.

According to the official release, the magazine's download locations seem to be slowly becoming useless, besides the Rapidshare link which seems to be still fully working -- the Internet Haganah reasonably points out that owning a copy of it might get you in trouble in some countries, so don't.

Although I don't speak Arabic, and I presume neither do you, the e-zine is rich in visual material and you can pretty much grasp the big picture. Namely, that it's a practical rather than theoretical source of information, that it's targeting a mixed audience, and that it's keeping things very simple. So I've decided to compile a summary of the key sections and topics covered in the articles, for future reference. In one sentence: it's not its simplicity that is to be feared, but its practicality.

The release of the magazine is an indication of the ongoing use of the Internet for mass education -- economies of scale -- through videos and visual how-tos, but much more advanced information related to information security can be obtained from public sources. The cellphone triangulation in Iraq and the demonstration of Hacker Defender are worth mentioning, but overall, concepts such as information warfare or online PSYOPS remain unstructured and abstract ideas to the average jihadist - for now. Notice the multimedia file used as an example for the alternate data stream as well, and draw your own conclusions.

Don't exclude the logical possibility of deliberately disinforming the general public and various intel folks across the world with relatively primitive infowar practices such as using PGP and alternate data streams.

Here are the articles themselves:

01. Article One - Alternate Data Streams - steganography example given; rootkits - Hacker Defender covered, examples provided; abomosab.jpg used as an example

02. Article Two - Satellite Communications and the importance of GPS, handheld GPS; explains triangulation, mentions the power of satellite imagery and satellite transfer speeds, mentions 1575 and 1227 as carrier frequencies and Direct Sequence Spread Spectrum - DSSS, mentions a handheld GPS receiver, includes photos of a 3G data card and a laptop. It then discusses a locked device with a "WARNING" sign on it

03. Article Three - Visual HOWTO on installing VMware

04. Article Four - Article on digital media players, the different formats, subtitles, the NTSC and PAL systems, and what look like recording basics

05. Article Five - Introduction to PGP - Zimmermann is quoted, explanation of the RSA algorithm, recommends the use of PGP Whole Disk, features a warning that trial versions of PGP Whole Disk will self-decrypt
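
Since Article One's information-hiding trick rests on NTFS alternate data streams, the check a Windows administrator wants is a way to find files carrying a named stream that shouldn't be there. The following PowerShell script is an added example for that purpose; it is not code from the e-zine, from the blog, or from any product it mentions. It assumes Windows PowerShell 3.0 or later on an NTFS volume, and the starting directory (`$Root`) and the benign-stream list are assumptions you should adjust to your environment.

```powershell
# Added example (not from the e-zine or this blog): report NTFS alternate data
# streams that are not the default, unnamed $DATA stream, so a large hidden
# stream attached to e.g. a .jpg stands out for review.
# Assumptions: Windows PowerShell 3.0+, NTFS volume, $Root chosen by the reader.
param(
    [string]$Root = "C:\Users\Public"   # assumed starting directory; adjust to taste
)

# Streams expected on many files and normally not worth an alert:
#   :$DATA          - the file's ordinary content
#   Zone.Identifier - mark-of-the-web written by browsers and mail clients
$benignStreams = @(':$DATA', 'Zone.Identifier')

Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        # -Stream * lists every stream of the file, including the unnamed :$DATA one
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
    } |
    Where-Object { $benignStreams -notcontains $_.Stream } |
    Select-Object FileName, Stream, Length |
    Sort-Object Length -Descending |
    Format-Table -AutoSize
```

The `Length` column is the size of the named stream itself, not of the host file, which is why sorting on it surfaces a multi-megabyte payload hidden behind a small picture. To inspect a flagged stream before deciding what to do with it, `Get-Content -LiteralPath <file> -Stream <name>` reads it, and `Remove-Item -LiteralPath <file> -Stream <name>` removes only that stream while leaving the file's own content intact.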

And SITE Institute's comments on the propaganda side in the introduction and conclusion:

"For future issues, the editors urge members of the jihadist Internet community to submit articles in the field of technology for publishing. They write: “My kind, technical Mujahid brother, the magnitude of responsibility which is placed upon you is equal to what you know in the regard of information. Do not underestimate anything that you know; perhaps a small article that you write and publish can benefit one Mujahid in the Cause of Allah or can protect a brother of yours in Allah. This way you will gain the great reward with the permission of Allah."

If you perceive the Technical Mujahid magazine as a threat to the national security of any country, old issues of Phrack magazine must be giving you the nightmares.

Have a productive week everyone, and stay informed!


Full List of Hezbollah's Internet Sites

Some of the propaganda is so catchy it can easily compete with the Soviet propaganda posters during the Cold War visualizing the evil forces from their point of view. Great case studies on Internet psychological operations, and Hezbollah's understanding of Cyberterrorism.

Here's a list of the URLs mentioned:
moqawama.org
moqawama.tv
ghaliboun.net
hizbollah.org
nasrollah.org
hizbollah.tv
moqawama.info
moqawama.net
moqavemat.com
moqavemat.ir
shiaweb.org
manartv.com.lb
almanar.com.lb
islamicdigest.net
al-nour.net
intiqadonline.com
alintiqad.com
alahed.org
wa3ad.org
somod.org
bintjbeil.com
altaybeh.net
deirqanounalnahr.jeeran.com
alshahid.org
almahdiscouts.org
jihadbinaa.org
samirkuntar.org
groups.msn.com/justiciadivinavenezuela
es.groups.yahoo.com/group/Hezboallah_latino
groups.msn.com/autonomiaislamicawayuu
groups.msn.com/Hezbollahelsalvador
hezboallahpartidoislamico.blogspot.es

And the IPs for your network reconnaissance pleasure:

82.137.205.249
82.137.205.247
202.75.42.155
205.178.189.131
216.21.229.196
202.71.104.241
209.85.5.112
203.121.71.217
69.10.136.210
207.44.244.117
66.98.225.220
209.172.35.181
209.85.5.113
208.64.28.10
66.199.236.147


Digital Terrorism and Hate 2006 CD-ROM

In some of my previous investigative posts "Tracking Down Internet Terrorist Propaganda", "Arabic Extremist Group Forum Messages' Characteristics", "Cyber Terrorism Communications and Propaganda", "Steganography and Cyber Terrorism Communications" and "A Cost-Benefit Analysis of Cyber Terrorism", I blogged extensively about cyberterrorism and emphasized its defensive use, namely communication channels, which sit in the shadow of SCADA devices and critical infrastructure getting attacked. Perspectives like these often ruin someone's self-mythology, but the Puppet Master too made a point when saying that your desire to remain what you are is what limits you, so evolve, or end up on the verge of extinction.

Here's a little something for everyone thinking cyberterrorism is surreal. Consider for a moment that even primitive forms of existence such as street gangs utilize the Internet for propaganda; wouldn't a much better-financed terrorist organization be compelled to participate? In fact they've been doing so since before 9/11, but I feel it's the good guys' cavalier attitude that led to today's mature cyberterrorism platform.

A great source of open source intelligence for anyone interested; here's a summary:

"This sixth and newest version of the Simon Wiesenthal Center's annual report of problematic websites exposes the growing use of the Internet as a key propaganda weapon, marketing tool and fundraising engine by terrorist groups such as Al Qaeda and Hamas, in addition to its continuing assessment of traditional extremist groups such as the KKK and neo-Nazis. "Although they swear to destroy the West, extremists and terrorists have taken to using Western technology to recruit, finance and plan their insidious actions," said Mark Weitzman, Director of the Simon Wiesenthal Center's Task Force Against Hate."

Now what would an intelligence agency do when knowing exactly where to look? Shut them down and prosecute someone, or adapt deep within the community to gather as much OSINT as possible? Whatever the outcome, keep in mind the possibility of indirect intelligence engineering: the same way you're watching them, they're watching you watching them.


Current State of Internet Jihad

Very good article on various geopolitical issues related to the Middle East vs the West, and most importantly an overview of the current state of online jihad. Excluding webcasts, video how-tos, and video games as a commodity in the big picture, what's left at the bottom line is easily accessible open source intelligence, and tactical warfare practices such as this one:

"Some of the techniques of evasion are disarmingly simple. Rather than send emails, some jihadists simply write and save draft emails, storing them in an account with a password that's known to other members of the cell. Because they are never actually sent, they can't be detected by intelligence agencies."

Can you intercept an email that's never been sent? And what if a legitimate user's account ends up as a dead box? Moreover, the article points to the recently released Technical Mujahid magazine:

"Raisman points to a recent publication by the al-Fajr group, another communications arm of al-Qaeda and its fellow travellers. He said it contained a very sophisticated manual on internet security, how to avoid hackers, secure personal files and ensure any computer that is captured is of little value to Western authorities."

Going through the magazine itself (I did obtain a copy and will publish a summary of it any time now), there's nothing that sophisticated to be afraid of, unless you know nothing about installing a virtual machine, or what triangulation is all about.

A handy summary of the article and things to keep in mind:

- There are over 5000 militant Islamic websites, up from fewer than a dozen in 1998 -- and these are only the static ones, compared to hundreds more temporary campaign ones

- They are an extremely effective way for terrorist groups to plan operations, recruit followers, raise funds and distribute propaganda -- centralization of forces and services is exactly what a terrorist organization isn't into. Diversification and autonomous management, for the sake of keeping the site in operation, is what really matters: you'll have the propaganda platform spreading details online on how to donate cash to a site that's been set up for this purpose only. By the time there's been a leak in the "good guys'" covert competitive intelligence efforts, the donation site will disappear and reappear somewhere else, while the central propaganda platform remains fully active. Take the other perspective: if the "bad guys" are aware the "good guys" are reading, they may logically leave a decoy, later analyze how it's being processed, and disinform on what may seem to be very decent first-hand information gathered through open source intelligence.

- Their mastery of the web could extend to cyber-terrorism, such as disabling the communication systems that underpin key sectors such as banking and energy -- any government's single biggest mistake is stereotyping about cyberterrorism, namely thinking that it's the offensive use of cyberterrorism to worry about, whereas the defensive, or passive, concepts are already maturing.

- Western agencies are almost powerless to stop the jihadists' internet activities -- of course they aren't, and stopping rather than monitoring is totally wrong: the enemy location you know is better than the enemy location you don't.

- Western governments have been very slow to respond and are only now turning their attention to combating the potent "story" promulgated over the internet -- they wouldn't be that slow in responding if they actually knew how many people read it and got brainwashed by it; so what conversion rate are we talking about, from reader to collaborator to wannabe terrorist? Come up with metrics and raise eyebrows.


Censoring Seductive Child Behaviour

define:seductive
define:unaware
define:immature
define:maturing

"Covert pedophilia in the Victorian society". Is that a good line, or is that a good line? Censorship as a matter of viewpoint: as of recently the Globe and Mail want you to purchase the article, without realizing the click-through rates both DoubleClick, serving the ads at their site, and they themselves would get if it were distributed for free; but anyway, I guess they should have told Google too:

"The Legards' central thesis is that the debate over children and sexual imagery has been dominated and distorted by two opposing myths: one is "the quasi-religious conception of childhood innocence," which involves "the irrational denial of childhood sexuality"; the other is "the ideology" of the artist as someone "possessing mystical abilities and unique rights" that should not be constrained by the state."

After thoughtcrime and intention-crime policing, it's about time behaviour-policing started taking place; now wouldn't that be truly outrageous? Something, again, that no one is going to do anything about, either thinking he's the only one seeing it, or perhaps preferring to keep playing in his own corner?

Anyway, discussions like these should only happen after the real problem, with real child porn online, gets solved. And that won't happen by fighting the distribution channels, as there are too many to control and police, but by making sure the production stage never happens in the first place.

Another article on the topic: "Clothed Child Porn Online?". By the way, are you finally seduced now? A rocket scientist doesn't seem to be, throughout the "decade of dedicated downloading". Such a collection can now definitely act as a new digitally fingerprinted database to keep track of.


Symantec's Invisible Burglar Game

Cheers to Symantec's PR folks for coming up with such an entertaining promotion of Norton 360, so that "if everything gets too much hit the spacebar to activate the Norton 360 force field to destroy everything in sight."

Good one!

Try the infamous Airport security flash game too, and search everyone for exploding toothpaste and other substances as they become dangerous throughout the game.


The end of passwords - for sure, but when?

My first blog post, "How to create better passwords - why bother?!" back in December 2005, tried to briefly summarize my thoughts and the comments I've been making on the most commonly accepted way of identifying yourself - passwords.

Bill Gates did a commentary on the issue; note where: at the RSA Conference, RSA being perhaps the company most actively building awareness of the potential of, and need for, two-factor authentication, or anything other than static passwords for access control purposes. Moreover, it was again Bill Gates who wanted to integrate the Belgian eID card with MSN Messenger (Anonymity or Privacy on the Internet?). Microsoft are always reinventing the wheel, be it with antivirus or their Passport service, and while they have financial obligations to their stakeholders, I feel it's the wrong approach on the majority of occasions.

What I wonder is, are they forgetting the fact that over 95% of the PCs out there run Microsoft Windows, and not Vista, and how many would continue to do so, polluting the Internet at the bottom line? My point is that MS's constant rush towards "the next big thing" doesn't actually provide them with the resources to tackle some of the current problems, at least in a timely manner. What do you think? What could Microsoft do to actually influence the acceptance of two-factor authentication, and moreover, how feasible is the concept at the bottom line?

Technorati tags:
security, microsoft, authentication, passwords


A timeframe on the purchased/sold WMF vulnerability

The WMF vulnerability and how it got purchased/sold for $4000 was a major event during January, at least for me, as for quite some time the industry was in the twilight zone by not going through a recently released report. But does this fact matter next to figuring out how to safeguard the security of your network/PC, given the time it took the vendor first to realize that it's real, then to actually patch it? Something else that struck me, comparing the media articles with my post: was I the only one interested in who bought it, instead of who sold it?

So here's a short timeframe on how it made it to the mainstream media:
January 27 - Kaspersky are the first to mention the "purchase" in their research
January 30 - I started blowing the whistle and friends picked it up (even the guy who got so upset about it!)
January 31 - Meanwhile, someone eventually breached AMD's forums and started infecting its visitors!
February 2 - Microsoft Switzerland's Security blog featured it
February 2 - LinuxSecurity.com republished it
February 2 - DSLReports.com picked it up
February 2 - Appeared at Slashdot
February 3 - OSIS.gov (an unclassified network serving the intelligence community with open source intelligence) picked it up :)

What's the conclusion? Take your time and read the reports thoroughly; cheer Kaspersky's team for their research? For sure, but keep an eye on the Blogosphere as well!


Detecting intruders and where to look

CERT just released their "Windows Intruder Detection Checklist"; from the article:

"This document outlines suggested steps for determining whether your Windows system has been compromised. System administrators can use this information to look for several types of break-ins. We also encourage you to review all sections of this document and modify your systems to address potential weaknesses."

I find it a well summarized checklist; perhaps the first thing I looked up when going through it was the rootkits section, given the topic. It does provide links to free tools, but I feel they could have extended the topic a little bit. Overall, consider going through it. Another checklist I recently came across is "11 things to do after a hack", and another quick summary is "10 threats you probably didn't make plans for".

Rootkits are gaining popularity, and with reason -- it takes more effort to infect new victims than to keep the current ones, at least the way I see it. In one of my previous posts, "Personal Data Security Breaches - 2000/2005", I mentioned a rootkit placed on a server at the University of Connecticut on October 26, 2003, which wasn't detected until July 20, 2005. Enough for auditing, detecting attackers and forensics? Well, not exactly; still, something else worth mentioning is the interaction between auditing, rootkits and forensics. There's also been another reported event of rootkit technologies being used for DRM (Digital Rights Management) purposes, not on CDs but on DVDs this time, so it's not enough that malware authors are utilizing the rootkit concept; flawed approaches from the companies we purchase our CDs and DVDs from are resulting in more threats to deal with!

Check CERT's "Windows Intruder Detection Checklist" and, if interested, also go through the following resources on rootkits and digital forensics:

Windows rootkits of 2005, part one
Windows rootkits of 2005, part two
Windows rootkits of 2005, part three
Malware Profiling and Rootkit Detection on Windows
Timing Rootkits
Shadow Walker - Raising The Bar For Windows Rootkit Detection - slides
When Malware Meets Rootkits
Leave no trace - book excerpt
Database Rootkits
Rootkits and how to combat them
Rootkits Analysis and Detection
Concepts for the Stealth Windows Rootkit
Avoiding Windows Rootkit Detection
Checking Microsoft Windows Systems for Signs of Compromise
Implementing and Detecting an ACPI BIOS Rootkit

Host-based Intrusion Detection Systems
Forensics Tools and Processes for Windows XP Clients
F.I.R.E - Forensic and Incident Response Environment Bootable CD
Forensic Acquisition Utilities
FCCU GNU/Linux Forensic Bootable CD 10.0
iPod Forensics :)
Forensics of a Windows system
First Responders Guide to Computer Forensics
Computer Forensics for Lawyers


Look who's gonna cash in on evaluating the maliciousness of the Web?

Two days ago, SecurityFocus ran an article "Startup tries to spin a safer Web" introducing SiteAdvisor:

"A group of graduates from the Massachusetts Institute of Technology (MIT) aim to change that by crawling the Web with hundreds, and soon thousands, of virtual computers that detect which Web sites attempt to download software to a visitor's computer and whether giving out an e-mail address during registration can lead to an avalanche of spam.

The goal is to create a service that lets the average Internet user know what a Web site actually does with any information collected or what a download will do to a computer, Tom Pinckney, vice president of engineering and co-founder of the start-up SiteAdvisor, said during a presentation at the CodeCon conference here."

The concept is simply amazing, and while it's been around for ages, it still needs more acceptance from decision makers that tend to stereotype on perimeter and antivirus defense only. Let's start from the basics: it is my opinion that users do more surfing than downloading, that is, the Web and its insecurities represent a greater threat than users receiving malware in their mailboxes or IMs. Not that they don't receive any, but I see a major shift towards URL droppers, and while defacement groups are more than willing to share these with phishers etc., a URL dropper is easily replaced by an IP-based one, so you end up having infected PCs infecting others by hosting and distributing the malware; so sneaky, isn't it? My point is that initiatives such as crawling the web for malicious sites, listing, categorizing and updating their status are a great opportunity, both security-wise and business-wise. The way you know the bad neighbourhoods around your town, in that very same way you need a visualization to assist in research, or to act as a security measure, and while it's hard to map the Web and keep it up to date, I find the idea great!

So what is SiteAdvisor up to? Another build-to-flip startup? I doubt it, as I can almost smell the quality entrepreneurship from MIT's graduates, of course, given they assign a CEO with a business background :) APIs, plugins, the majority of popular sites already tested according to them, and it's free, at least to the average Internet user, whose virtual "word of mouth" will help this project get the scale and popularity necessary to see it licensed and included within current security solutions. They simply cannot test the entire Web, and I feel they shouldn't even set it as an objective; instead, map the most trafficked web sites, or do so on-the-fly with the top 20 results from Google. I wonder how downloads are tested, are they run through VirusTotal for instance, and how significant a "push" approach from the end users, thus submitting direct links to malicious files found within a domain for automatic analysis, could be in here?

I think the usefulness of their idea can only be achieved with the cooperation/acquisition of a leading search engine; my point is that some of the project's downsides are the lack of on-the-fly ability (that would be like v2.0 and a major breakthrough in respect to performance), how it's lacking the resources to catch up with Google on the known web (25,270,000,000 according to them recently), and how IP droppers instead of URL-based ones totally ruin the idea in real-life situations (it takes more effort to register and maintain a domain, compared to using a zombie host's capabilities to do the same, doesn't it?)

In one of my previous posts on why you should aim higher than antivirus signature protection only, I mentioned some of my ideas: "Is client side sandboxing an alternative as well? Could and would a customer agree to act as a sandbox, compared to the current (if any!) contribution of forwarding a suspicious sample? Would v2.0 consist of a collective automated web patrol in a PC's spare time?"

Crawling for malicious content and making sense of the approaches used in order to provide effective solutions is a very exciting topic. As a matter of fact, in one of my previous posts, "What search engines know, or may find about us?", I mentioned the existence of a project to mine the Web for terrorist sites dating back to 2001. I'm curious about its progress in respect to the current threat of cyberterrorism; I feel crawling for malicious content and crawling for terrorist propaganda have a lot in common. Find the bad neighbourhoods, and have your spiders do whatever you instruct them to do, but I still feel quality and in-depth overview would inevitably be sacrificed for automation.

What do you think the potential of web crawling for malicious content is, where by malicious I also include content harmful in respect to the cyberterrorism PSYOPS techniques (I once came across a comic PSYOPS worth reading!) that I come across on a daily basis? Feel free to test any site you want, or browse through their catalogue as well.

You can also find more info on the topic, and alternative crawling solutions, projects and cyberterrorism activities online here:

A Crawler-based Study of Spyware on the Web
Covert Crawling: A Wolf Among Lambs
IP cloaking and competitive intelligence/disinformation
Automated Web Patrol with HoneyMonkeys Finding Web Sites That Exploit Browser Vulnerabilities
The Strider HoneyMonkey Project
STRIDER : A Black-box, State-based Approach to Change and Configuration Management and Support
Webroot's Phileas Malware Crawler
Methoden und Verfahren zur Optimierung der Analyse von Netzstrukturen am Beispiel des AGN-Malware Crawlers (in German)

Jihad Online : Islamic Terrorists and the Internet
Right-wing Extremism on the Internet
Terrorist web sites courtesy of the SITE Institute
The HATE Directory November 2005 update (very rich content!)
Recruitment by Extremist Groups on the Internet


Recent Malware developments

In some of my February streams :) "The War against botnets and DDoS attacks" and "CME-24 aka Nyxem, and who's infected?" I covered some of the recent events related to malware trends in the first months of 2006. This is perhaps the perfect time to say a big thanks to everyone who's been expressing ideas, remarks and thoughts on my malware research. While conducting the research itself I realized that I simply cannot include everything I want, as I didn't want to release a book only to have its content outdated in less than a year, but rather a "stick to the big picture" representation of the things to come. The best part is that while keeping daily track of the trends and trying to compile a summary to be released at the end of the year, many more concepts that I didn't include come to mind, so I feel I'll have enough material for a quality summary and justification of my statements. So what are some of the recent developments to keep in mind?

A lot of buzz on the CME-24 front, and I feel quite a lot of time was spent speculating on the infected population out of a web counter whose results weren't as accurate as originally thought. And as vendors closely cooperated to build awareness on the destructive payload, I think that's the first victory for 2006: no windows of opportunity. The best part is that CAIDA patiently waited until the buzz was over to actually come up with reliable statistics on Nyxem.

It's rather quiet on the AV radars, the way I see it, and quickly going through F-Secure's, Kaspersky's (they seem to be busy analyzing code; great real-time stats!) and Symantec's, I came across the similarities you can feel for yourself in "the wild" :) Symantec's ThreatCon is normal; what's interesting to note is VirusTotal's flood of detected WMFs, which is perhaps a consequence of the *known* second vulnerability.

James Ancheta's case was perhaps the first known and so nicely documented case of botnet power on demand. Recently, a botnet, or participation in one, shut down a hospital's network; moreover, I think StormPay didn't comply with a DDoS extortion attempt during the weekend?

Joanna Rutkowska provided more insights on stealth malware in her research (slides, demo) "about new generation of stealth malware, so called Stealth by Design (SbD) malware, which doesn't use any of the classic rootkit technology tricks, but still offers full stealth. The presentation also focuses on limitations of the current anti-rootkit technology and why it's not useful in fighting SbD malware. Consequently, alternative method for compromise detection is advocated in this presentation, Explicit Compromise Detection (ECD), as well as the challenges which Independent Software Vendors encounter when trying to implement ECD for Windows systems - I call it Memory Reading Problem (MRP)."

How sound is the possibility of malware heading towards the BIOS anyway? An "Intelligent P2P worm's activity" that I just came across also deserves to be mentioned; the concept is great, still the authors have to figure out how to come up with legitimate file sizes for multimedia files if they really want to fake their existence. What do you think on this?

Some recent research and articles worth mentioning: Kaspersky's Malware Evolution: October - December 2005 outlines the possibilities for cryptoviral extortion attacks, 0day vulnerabilities, and how the WMF bug got purchased/sold for $4000. There have also been quite a lot of new trojans analyzed by third-party researchers, and among the many recent articles that struck me are "Malicious Malware: attacking the attackers, part 1" and part 2; from the article:

"This article explores measures to attack those malicious attackers who seek to harm our legitimate systems. The proactive use of exploits and bot networks that fight other bot networks, along with social engineering and attacker techniques are all discussed in an ethical manner."

Internet worms and IPv6 has some nice points; still, I wish there were only network-based worms to bother about. Besides all that, I've missed important concepts in various commentaries, did you? Malware is still split between vulnerabilities and social engineering attacks, at least for the last several months; still, the increased corporate and home IM usage will inevitably lead to many more security threats to worry about. Web platform worms such as the MySpace one and Google's AdSense Trojan are slowly gaining ground as a Web 2.0 concept, so are virus or IDS signatures what to look for? Try both!

During January, David Aitel reopened the subject of beneficial worms, out of Vesselin Bontchev's research on "good worms". While I have my reservations on such a concept, which would mostly have to do with patching the way I see it, could exploiting a vulnerability in a piece of malware be considered useful some day, or could a network-mapping worm launched in the wild act as an early response system on mapped targets that could end up in a malware's "hitlist"? I also think the alternative to such an approach, going beyond the network level, is Johnny Long's (recent chat with him) Google Dorks Hacking Database: you won't need to try to map the unlimited IPv6 address space looking for prey. Someone will either do the job for you, or, with time, transparency in IPv6, necessary for segmented and targeted attacks, will be achieved as well.

Several days ago, Kaspersky released their summary for 2005; nothing groundbreaking in here compared to previous research on how the WMF vulnerability was purchased/sold for $4000 :) but still, it's a very comprehensive and in-depth summary of 2005 in respect to the malware variables they keep track of. I recommend you go through it. What struck me?

- on average, 6368 malicious programs detected per month

- +272% Trojan-Downloaders, 2005 vs 2004

- +212% Trojan-Droppers, 2005 vs 2004

- +413% Rootkits, 2005 vs 2004

- during 2005, on average 28 new rootkits a month

- IM worms: 32 modifications per month

- IRC worms are down 31%

- P2P worms are down 43%; the best thing is that Kaspersky Lab also shares my opinion on the reason for the decline: P2P busts and general prosecutions for file-sharing. Also interesting to mention is the recent ruling in a district court in Paris on the "legality of P2P" in France and the charge of 5 EUR per month for access to P2P, but for how long? :) P2P file-sharing isn't illegal, and if you cannot come up with a way to release your multimedia content online, don't bother doing it at all. In previous chats I had with Eric Goldman, he also made some very good points on the topic.

- +68% Exploits, that is, software vulnerabilities and the use of exploits, both known and 0day, with the idea of easily exploiting the targeted PC, though I'm expecting the actual percentage to be much higher

- Internet banking malware reached a record 402% growth rate by the end of 2005. Trojan.Passwd is a very good example; it clearly indicates that it is written for financial gain. E-banking can indeed prove dangerous sometimes, and while I'm not being paranoid here, I would recommend you go through Candid's well-written "Threats to Consider when doing E-banking" paper

- a modest growth from 22 programs per month in 2004 to 31 in 2005 on the Linux malware front

I feel today's malware scene is so vibrant that it's getting more and more complex to keep track of possible propagation vectors, ecosystems here and there, and, mostly, communicating what's going on to the general public (actually this one isn't).
What's to come, and what drives the current growth of malware?
- money!
- the commercialization of the market for software vulnerabilities, where we have the first underground purchase of the WMF exploit; so have software vulnerabilities always been the currency of trade in the security world, or have they only started getting the necessary attention recently?
- is stealth malware more of an issue compared to utilizing 0day vulnerabilities, and is retaining current zombie PCs a bigger priority than infecting new ones?
- business competitors, enemies and unethical individuals are actively seeking undetected pieces of malware coded especially for their needs; these definitely go beneath the sensors
- Ancheta's case is a clear indication of a working ecosystem from my point of view, one that goes as far as providing after-sale services such as DDoS strength consultations and 0day malware on demand

To sum up, malware tends to look so sneaky when spreading and zoomed out :) I originally came across the VisualComplexity project in one of my previous posts on visualization. Feel I've missed something worth mentioning during the last two months? Then consider expanding the discussion!
You can also consider going through the following resources related to malware:


Who needs nuclear weapons anymore?

Excluding Iran and the potential of its nuclear program (no country that bans music should have such a power!), perhaps I should rephrase: who can actually use them nowadays? Are they just a statement of power, and do flexibility and beneath-the-radar concepts matter? I feel they do.

I just came across a news article from January on a new EMP warhead test, and while there have been speculations, or movie plots, that Electromagnetic Pulse Weapons could be used by terrorists, I find this a bit of an exaggerated statement that, I guess, actually seeks further investment in the current development of the concept. I feel that compared to symmetric warfare, asymmetric warfare as a concept has greatly evolved over the years, and in today's interconnected society, military powers could be easily balanced. What else to mention is the "cooperation" between the parties, which I came across in a report on Nuclear Electromagnetic Pulse, as of June 9, 2005, namely:

"'If we really wanted to hurt you with no fear of retaliation, we would launch an SLBM,' which if it was launched in a submarine at sea, we really would not know for certain where it came from. 'We would launch an SLBM, we would detonate a nuclear weapon high above your country, and we would shut down your power grid and your communications for 6 months or so.' The third-ranking communist was there in the country. His name is Alexander Shurbanov, and he smiled and said, 'And if one weapon would not do it, we have some spares.' I think the number of those spares now is something like 6,000 weapons."

"the Russians had developed weapons that produced 200 kilovolts per meter. Remember, the effects in Hawaii were judged to be the result of five kilovolts per meter. So this is a force about 200 times higher. The Russian generals said that they believed that to be several times higher than the hardening that we had provided for our military platforms that they could resist EMP."

"'Chinese military writings described EMP as the key to victory and described scenarios where EMP is used against U.S. aircraft carriers in the conflict over Taiwan.' So it is not like our potential enemies do not know that this exists. The Soviets had very wide experience with this, and there is a lot of information in the public domain relative to this. 'A survey of worldwide military and scientific literature sponsored by the commission,' that is the commission that wrote this report, 'found widespread knowledge about EMP and its potential military utility including in Taiwan, Israel, Egypt, India, Pakistan, Iran, and North Korea.'"

Still, there's hope for preserving the global state of security instead of fuelling its insecurity:
"In 2004, the EMP Commission met with very senior Russian officers, and we showed that on the sign. They warned that the knowledge and technology to develop what they called super EMP weapons had been transferred to North Korea and that North Korea could probably develop these weapons in the near future, within a few years. The Russian officers said that the threat that would be posed to global security by a North Korean armed with super EMP weapons was, in their view, and I am sure, Mr. Speaker, in your view and mine, unacceptable."  

Foreign Views of Electromagnetic Pulse (EMP) Attack reveals further details on other nations' ambitions. Perhaps one of the most famous commitments towards EMP is the Trestle Electromagnetic Pulse Simulator, which can also be seen on Google Maps; still, in my opinion it's a defensive initiative for an offensive purpose :(

Extending the topic even further, the space warfare arms race has been an active policy of the world's key leaders for decades, and that's not good. The U.S., Russia and China, as the main players, are fuelling the growth in one way or another, perhaps due to believing in:

- the other sides actively developing such capabilities, and they are, because they think the opposite => arms race
- a growing trend towards asymmetric warfare
- cost-effectiveness compared to building a multimillion-dollar nuclear submarine as a statement of power?
In my opinion space warfare would directly influence everyone down here on Earth, and scenarios such as:
- hijacking?
- destroying

could become normal. Space is already getting crowded, even if I were to forget one of my favourite quotes: "But I guess I'd say if it is just us... seems like an awful waste of space". On the other hand, and with respect to securing critical infrastructure on Earth :) I find recent initiatives such as the Cyber Storm exercise more PR-oriented than relevance-oriented; my point is, how can you expect to have the critical infrastructure secured when a global overload in traffic would again deny service, and a critical one at that?

My point is that the Internet, as the most pervasive and cost-effective tool, is often utilized for sensitive commercial, government and military operations alike, so attacking the Internet affects pretty much everyone. Factor in the overall shift towards network-centric warfare and you've got a problem, given that commercial and public IP networks are used to handle the enormous bandwidth needed for sensitive operations.

To sum up, go through the following War Quotes, and perhaps consider how major problems on Earth stop major innovations in space. I feel war is not a solution, but an excuse that should never be uttered! I know this post tried to combine several different issues, but I think, given that IP is at the bottom line, my readers wouldn't mind :) What's your attitude on the space warfare arms race? Is it real, and how do you picture future developments here?

More resources on Electromagnetic Pulse Weapons, Space Warfare and Network-Centric Warfare are also available at:


The War against botnets and DDoS attacks

In one of my previous posts on botnet herders I pointed out how experiments tend to dominate, and while botnet protection is still a buzzword, major security vendors are actively working on product line extensions. DDoS attacks are the result of a successful botnet, and so botnets are the root of the problem, besides the distributed concept itself. Techworld is reporting that McAfee is launching a "bot-killing system"; from the article:

"Unlike conventional DDoS detection systems based on the statistical analysis of traffic, the first layer of the new Advanced Botnet Protection (ABP) intrusion prevention system (IPS) uses a proxy to pass or block packet traffic dependent on whether or not it is "complete"."

The best thing is that it's free; the bad thing is that it may give their customers a "false sense of security". That is, while the company is actively working on retaining its current customers, I feel "SYN cookies" and their concept have been around for years. Moreover, using a service provided by a company whose core competencies have nothing to do with DDoS defense can be tricky. Companies worth mentioning are Arbor Networks and Cisco with its solutions, besides the many other alternative and flexible ways of dealing with DDoS attacks.
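The "complete handshake" check in the quote above and the SYN cookies mentioned here answer the same problem: a SYN flood fills the half-open connection table. The following Python is an added illustration of the SYN cookie variant of the stateless handshake; it is neither McAfee's nor any real TCP stack's code, and the secret, the MSS table, the 5-bit counter window and the constructed addresses are assumptions of the example.

```python
import hashlib
import hmac
import socket
import struct

# Hypothetical per-host secret; a real stack keeps it in kernel memory and rotates it.
SECRET = b"constructed-demo-secret"
# MSS values the cookie can encode in its 2-bit index field (a real stack uses a similar table).
MSS_TABLE = (536, 1220, 1440, 1460)
COOKIE_WINDOW = 1  # accept cookies minted in the current or the previous counter period


def _mac(saddr, daddr, sport, dport, client_isn, counter):
    """24-bit keyed hash binding a cookie to one 4-tuple, the client ISN and a period."""
    msg = struct.pack("!4s4sHHII", saddr, daddr, sport, dport, client_isn, counter)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(saddr, daddr, sport, dport, client_isn, mss, counter):
    """Pick the SYN-ACK sequence number for an incoming SYN without storing any state.

    Layout (32 bits): [5 bits counter][1 bit unused][2 bits MSS index][24 bits MAC].
    `counter` is a coarse clock, e.g. minutes since boot.
    """
    fitting = [i for i, m in enumerate(MSS_TABLE) if m <= mss]
    mss_idx = max(fitting) if fitting else 0       # clamp an odd/tiny MSS to the smallest entry
    mac = _mac(saddr, daddr, sport, dport, client_isn, counter)
    return ((counter & 0x1F) << 27) | (mss_idx << 24) | mac


def check_syn_cookie(saddr, daddr, sport, dport, client_isn, ack_num, counter):
    """Validate the handshake's final ACK; return the negotiated MSS, or None to drop it.

    The client's ACK carries ack = cookie + 1, so the server rebuilds the connection
    from the packet alone: spoofed SYNs cost no memory and a blind ACK fails the MAC.
    """
    cookie = (ack_num - 1) & 0xFFFFFFFF
    age = (counter - (cookie >> 27)) & 0x1F
    period = counter - age
    if age > COOKIE_WINDOW or period < 0:
        return None                                # stale cookie or garbage: drop silently
    if _mac(saddr, daddr, sport, dport, client_isn, period) != (cookie & 0xFFFFFF):
        return None                                # not minted by us for this 4-tuple
    return MSS_TABLE[(cookie >> 24) & 0x3]


if __name__ == "__main__":
    s, d = socket.inet_aton("203.0.113.10"), socket.inet_aton("198.51.100.5")
    cookie = make_syn_cookie(s, d, 40000, 80, 1000, 1460, 7)
    print("legit ACK  ->", check_syn_cookie(s, d, 40000, 80, 1000, cookie + 1, 7))
    print("forged ACK ->", check_syn_cookie(s, d, 40000, 80, 1000, cookie + 99, 7))
```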

In my research on the Future Trends of Malware, I pointed out some of the trends related to botnets and DDoS attacks, namely DDoS extortion and DDoS on demand/for hire, and with the first legally prosecuted case of offering botnet access on demand, it's a clear indication of where things are going. Defense against frontal attacks isn't cost-effective given that, at the bottom line, the costs of maintaining the site outpace the revenues generated in the meantime; hard dollars disappear, soft ones such as reputation remain the same.

My advice is to take into consideration the possibility of outsourcing your problem, and to stay away from product line extensions; I think it's that simple. A differentiated service for fighting infected nodes is being offered by Sophos, namely Zombie Alert, which makes me wonder why the majority of AV vendors besides them haven't come up with an alternative, given the data their sensor networks are able to collect. Moreover, should such a service be free? Would it end up as a licensed extension included within the majority of security solutions? And can a motivated system administrator successfully detect, block, and isolate zombie traffic going out of the network? (I think yes!)

As far as botnets are concerned, there were even speculations on using "Skype to control botnets". Now who would want to do that, and for what reason, given the current approaches for controlling botnets? Isn't the use of cryptography or security through obscurity ("talkative bots", stripping IRCds) the logical "evolution" here?
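As an added example of what the motivated administrator asked about two paragraphs up could do with egress traffic, and of why the IRC control channels just mentioned are worth watching for, here is a small outbound check over constructed NetFlow-style records. It is not Sophos' Zombie Alert or any vendor's logic; the internal prefix, the IRC port list and the two thresholds are assumptions of the example.

```python
from collections import defaultdict

INTERNAL = "10.0."                # assumption: the site's internal address prefix
IRC_PORTS = {6667, 6697, 7000}    # classic IRC rendezvous ports used by bot C&C
SYN_FLOOD_FLOWS = 50              # outbound SYN-only flows to one target = DDoS participation
FANOUT_HOSTS = 20                 # distinct external hosts on one port = scanning/spreading


def constructed_flows():
    """Constructed records shaped like (src, dst, dport, tcp_flags, packets); "S" = SYN only."""
    flows = [("10.0.0.5", "198.51.100.7", 6667, "SA", 40)]                     # IRC session
    flows += [("10.0.0.9", "203.0.113.50", 80, "S", 1) for _ in range(120)]      # SYN flood
    flows += [("10.0.0.12", f"192.0.2.{i}", 445, "S", 1) for i in range(1, 40)]  # fan-out
    flows += [("10.0.0.20", "198.51.100.8", 443, "SA", 200),                     # benign web
              ("10.0.0.20", "198.51.100.9", 80, "SA", 30),
              ("10.0.0.20", "10.0.3.4", 6667, "SA", 10)]                         # internal IRC, ignored
    return flows


def detect_zombies(flows):
    """Return {internal_host: [finding, ...]} for hosts whose egress traffic looks bot-like."""
    syn_only = defaultdict(int)   # (src, dst) -> count of SYN-only flows
    fanout = defaultdict(set)     # (src, dport) -> distinct external destinations
    findings = defaultdict(list)
    for src, dst, dport, flags, _pkts in flows:
        if not src.startswith(INTERNAL) or dst.startswith(INTERNAL):
            continue                                  # only inside -> outside traffic matters here
        if dport in IRC_PORTS:
            findings[src].append(f"irc-c2:{dst}:{dport}")
        if flags == "S":
            syn_only[(src, dst)] += 1
        fanout[(src, dport)].add(dst)
    for (src, dst), n in syn_only.items():
        if n >= SYN_FLOOD_FLOWS:
            findings[src].append(f"syn-flood:{dst}:{n}")
    for (src, dport), dsts in fanout.items():
        if len(dsts) >= FANOUT_HOSTS:
            findings[src].append(f"fanout:{dport}:{len(dsts)}")
    return dict(findings)


if __name__ == "__main__":
    for host, hits in sorted(detect_zombies(constructed_flows()).items()):
        print(host, "->", ", ".join(hits))    # candidates to block at the egress firewall
```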

Something else worth mentioning is the trend of DoS attacks getting totally replaced by DDoS ones; my point is that the former can be much sneakier and easily go beneath the radar, compared to a large-scale DDoS attack. A single packet can be worth more than an entire botnet's population, can't it?

How do you think DDoS attacks should be prevented: active defense such as the solutions mentioned, or proactive solutions? What do you think?

You can also go through other resources dealing with DDoS attacks and possible solutions to the problem:

A top level espionage case in Greece

Starting shortly after the Olympic Games in 2004 and up to March 2005, the mobile phones of Prime Minister Costas Caramanlis, the ministers of foreign affairs, defense, public order and justice, top military officials, a number of journalists, and human rights activists (hmm?) were tapped by an unknown party through the installation of "spy software" (that's too open a topic), mind you, in Vodafone's central system, and were diverted to a pay-as-you-go mobile phone.

At the bottom line, who's behind it? Interested parties within the Greek government, or external ones? To me this is a dead insider's job, or that of someone who had the incentive to go after Vodafone's security, which I doubt. Though, it is disturbing how easily these mobile numbers could be obtained, as the majority of media representatives already have them! My point is that you should count them as the weakest link, besides accessing a mobile provider's database and other sources. UPDATE: Vodafone's statement. UPDATE 2: Cryptome featured more info on the Greek illegal wiretapping scandal: some translations and resources.

Another recent spy case was the rock transmitter found in a Moscow park, and while Russian president Putin is cheering the discovery and keeping it diplomatic, the FSB (a successor to the KGB) is taking note of this one. You can actually go through a collection of videos and references on the case.

I guess it's the silence that's most disturbing in the "Silent War".

Security Awareness Posters

Security is all about awareness at the bottom line. The better you understand it, the higher your chance of "survival", and hopefully of progress!

Enjoy the following collections of witty and amusing security awareness posters:
1, 2, 3 (you may also be interested in going through my talk on security policies and awareness with K Rudolph from Native Intelligence as well), 4, 5, 6, 7, 8.

Hacktivism tensions

It was about time the freedom of the press and the democratic nature of joking about politicians took a hit. But why with spiritual leaders? The controversial Muhammad cartoons sparked a lot of anger, and with the recent tensions in France, all we needed was hacktivism activity from angry Muslims. Remember how the China vs. U.S. cyberwar was sparked by the death of a Chinese pilot crashing into an AWACS that was sort of "keeping it quiet"?

Zone-H is reporting on massive defacements of Danish sites, and if you take the time to go through the reported reasons you'll find out that:

"political reasons"
"just for fun"
"I just want to be the best defacer"
"revenge against that web site"
"patriotism"

tend to dominate. As far as defacements are concerned, in one of my previous posts, "FBI's 2005 Computer Crime Survey - what's to consider?", you can see that according to the report, organizations lost approximately $10,395M due to web site defacements. Moreover, in some of my previous research on cyberterrorism I've indicated the use of script kiddies for PSYOPS and how such defacements have a favorable psychological effect on future initiatives.

And while they have the motivation to deface, I wonder whether someone would strike back, and under what justification?
