Wednesday, September 13, 2006

Prosecuting Defectors and Appointing Insiders

In the year 2006, those who control Russia's energy reserves control a huge portion of the world's energy market -- renewable energy is the future. And, as you can imagine, they're for sure not controlled by some newly born Russian millionaires -- a great benchmark for how vibrant a country's economy or level of corruption really is. It seems the long-term effects of a planned economy are still a political doctrine, and the invisible hand of the market is still short enough to feel the Russian energy sector, as Russian intelligence chief's son has been named adviser to oil company chairman:

"A son of the head of Russia's main intelligence agency has been named an adviser to the chairman of state oil company OAO Rosneft, the daily newspaper Kommersant reported Wednesday, citing an unidentified source on Rosneft's board of directors. Andrei Patrushev, the 25-year-old son of Federal Security Service (FSB) director Nikolai Patrushev, had previously been an FSB official himself, working in the department that keeps tabs on the Russian oil industry, according to Kommersant."

The courage to rise above shown by Mikhail Khodorkovsky has its own butterfly effect, and it's such an easily predictable one. Here's a Google bomb for you -- it means enemy of the people. Here's another. Враг народа or a vivid protectionist?

Malware on Diebold Voting Machines

Continuing the previous post on "How to Win the U.S Elections", it seems malware is indeed compatible with Diebold voting machines -- related videos.

The main findings of the study are:

- Malicious software running on a single voting machine can steal votes with little if any risk of detection. The malicious software can modify all of the records, audit logs, and counters kept by the voting machine, so that even careful forensic examination of these records will find nothing amiss. We have constructed demonstration software that carries out this vote-stealing attack.

- Anyone who has physical access to a voting machine, or to a memory card that will later be inserted into a machine, can install said malicious software using a simple method that takes as little as one minute. In practice, poll workers and others often have unsupervised access to the machines.

- AccuVote-TS machines are susceptible to voting-machine viruses — computer viruses that can spread malicious software automatically and invisibly from machine to machine during normal pre- and post-election activity. We have constructed a demonstration virus that spreads in this way, installing our demonstration vote-stealing program on every machine it infects.

- While some of these problems can be eliminated by improving Diebold's software, others cannot be remedied without replacing the machines' hardware. Changes to election procedures would also be required to ensure security.


IP-enabled, Windows-running ATMs with anti-virus, IPv6-enabled fridges with anti-virus, smart phones with anti-virus, PlayStations with anti-virus, birds as early warning systems for an epidemic, so where's my signature, dude?

Vulnerabilities in Emergency SMS Broadcasting

There's been a recent test of an emergency cell phone alert in the Netherlands -- the original article was here -- and while broadcasting supposedly reaches the largest number of people in the surrounding area, timing and a countless number of other factors also matter:

"Cell phones throughout a downtown hotel beeped simultaneous Tuesday with an alert: there is a suspicious package in the building. It was a drill, run by Dutch authorities testing an emergency "cell broadcasting" system that sends a text message to every mobile phone in a defined area. Representatives from 21 national governments, New York City and the U.S. Federal Emergency Management Agency, or FEMA, watched the signal go out to cell phones throughout the Sofitel hotel in Amsterdam. About half the people in the building then followed instructions and evacuated. "We want to see what worked and what didn't," said David Webb, of FEMA's Urban Search and Rescue Program. "The EU (European Union) is really leading the way with this technology."

What if:

- even if key emergency personnel were to use a separate communication network, radio for instance, broadcasting to anyone accepting could result in significant delays, and even though the message is sent, it doesn't mean it would take advantage of the momentum

- cell phone jammers, often used by hotels to preserve the unique atmosphere and keep conference meetings undisturbed, can prove counterproductive, setting aside whether the parties supposedly plotting the attack use one themselves

- despite the fact that one in five will pick up their mobile during sex, how many obsessively check for newly arrived SMS messages?

- how would a tourist know how to successfully authenticate the local authorities in the first place? In case of emergencies watch out for an SMS from 010101 -- now I assume you know how easily I can SMS you from the same number and impersonate the number

- what should the user be most aware of: mobile malware, SMSishing, or "call this 0 900 or else I won't tell you where's the attack" type of messages?

- from a multilingual point of view, will it be using English by default, and how many would still be enjoying their meals while everyone's leaving?

Great idea, but it may prove challenging to evaluate the actual results in a timely manner. Sent doesn't mean received or read on time, let alone acted upon.

Recommended reading:
SMS disaster alert and warning systems - don't do it !
Revisiting SMS during Disasters
Concept Paper on Emergency Communications during Natural Disasters
Exploiting Open Functionality in SMS-Capable Cellular Networks
The Role of Mobiles in Disasters and Emergencies

Testing Intrusion Prevention Systems

Informative test results for various IPSs such as the Juniper IDP 200, Cisco IPS 4240, eSoft ThreatWall 200, ForeScout ActiveScout 100, and McAfee IntruShield 2700.

Here's how they tested:

"In order to create a base environment in which to compare the different appliances, we set up a single system within our test network to be the target of Core Impact’s simulated attacks. We chose a system running the most vulnerable operating system we could think of—Windows 2000 Service Pack 2 with no additional service packs or security updates. We temporarily opened the channels on the test network’s firewall and installed Core Impact on a system outside the network. We then proceeded to detect and “attack” the Windows 2000 system to identify its vulnerabilities. Of the hundreds of attack modules available, we picked 85 of the most applicable. Knowing how our target system was vulnerable and the attacks we could launch against it, we connected each IPS in turn according to its recommended configuration. We then allowed each IPS to function in a real-world network environment for a day or more. Eventually we rebooted the Windows 2000 machine and ran Core Impact to simulate a barrage of intrusions. Finally, we adjusted the security profiles of each IPS and ran the tests one more time. The result was a complete picture of how effective each IPS was at preventing attacks—both out of the box and after fine-tuning. The good news is, we were able to tweak each IPS to completely shut down the Core Impact attacks."

There are, however, hidden costs related to IPSs: increased maintenance and reconfiguration time, and a possible decline in productivity. The key is understanding the pros and cons of your solution, educating the masses of users, and, as far as host-based IPSs are concerned, running a departmental rather than a company-wide enforcement in the first place. A network-based IPS's sensitivity is proportional to the level of false alerts generated, so figure out how to balance and adapt the solution to your network.

Suspicious system behaviour is such an open-ended term to the majority of end users; keep that in mind whatever you do when dealing with HIPS. And do your homework of course.

Google Anti-Phishing Black and White Lists

Can the world's most effective search engine manage to keep questionable sites away from the search results of its users? It seems its toolbar users are also warned about such sites. Google for sure has the widest and most recent snapshot of the Web to draw conclusions from, and it seems that starting from the basics of keeping black and white lists of questionable sites/URLs is still taken into consideration. Googling Google proves handy sometimes, and you can stumble upon interesting findings such as Google's Black -- cache version -- and White lists of phishing and possibly fraudulent sites -- there's still a cached version of the White list available, and the white domains as well.

As I often say, the host trying to 6667 its way out of the network today will be the one sending phishing and spam mails tomorrow. Therefore, in order to verify, I took a random blacklisted host such as http://219.255.134.12/fdic.gov/index.html.html and decided to first test it at TrustedSource, and of course, at SORBS, to logically figure out that the host has indeed been:

"Spam Sending Trojan or Proxy attempted to send mail from/to from= to="

What's ruining the effect of black and white lists? With today's modular malware -- and DIY phishing toolkits -- keeping track of the list of IPs currently hosting phishing sites can become a decidedly time-consuming effort. Namely, black lists can sometimes be rendered useless given how malware-infected hosts increasingly act as spamming, phishing, and botnet participating ones -- if ISPs were given the incentives or obliged to take common sense approaches for dealing with malware-infected hosts, it would make a difference. As far as the white lists are concerned, XSS vulnerabilities on the majority of top domains and browser-specific vulnerabilities make their impact, but most of all, it's a far more complex issue than black and white only.
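The verification step described above (take a listed URL, pull out the host, check it against a DNS blacklist), generalized slightly to also flag a whitelisted brand sitting in the path of a raw-IP URL. This is an added example, not code from the original post or from Google, TrustedSource or SORBS; the list contents and the `dnsbl.example.org` zone are constructed placeholders, and only the URL comes from the post.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample lists; the actual Google lists are not reproduced here.
BLACKLIST_HOSTS = {"219.255.134.12"}            # host from the URL in the post
WHITELIST_DOMAINS = {"fdic.gov", "google.com"}  # constructed
DNSBL_ZONE = "dnsbl.example.org"                # placeholder: use the DNSBL you query


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """IPv4 DNSBL convention: reverse the octets and append the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def dnsbl_listed(ip, zone=DNSBL_ZONE, resolve=socket.gethostbyname):
    """Listed hosts resolve (conventionally to 127.0.0.x); unlisted ones do not."""
    try:
        return resolve(dnsbl_query_name(ip, zone)).startswith("127.")
    except OSError:  # socket.gaierror (NXDOMAIN) is a subclass of OSError
        return False


def classify(url, resolve=socket.gethostbyname):
    """Return the list of findings for one URL, in a fixed order."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    try:
        ipaddress.IPv4Address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    if host in BLACKLIST_HOSTS:
        findings.append("blacklisted-host")
    if is_ip:
        findings.append("ip-literal-host")
        # A whitelisted brand in the path of a raw-IP URL is a lure, not a match.
        if any(seg in WHITELIST_DOMAINS for seg in parts.path.lower().split("/")):
            findings.append("whitelisted-brand-in-path")
        if dnsbl_listed(host, resolve=resolve):
            findings.append("dnsbl-listed")
    elif any(host == d or host.endswith("." + d) for d in WHITELIST_DOMAINS):
        findings.append("whitelisted-domain")
    return findings
```

Passing a `resolve` callable lets the DNS lookup be stubbed for offline runs; with the default, `classify()` performs a live DNS query against the configured zone.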

Another recent and free initiative I came across is the Real-Time Phishing Sites Monitor, which may prove useful to everyone interested in syndicating their findings.

Third-party anti-phishing toolbars, as well as anti-phishing features built into popular toolbars, are not the panacea for dealing with phishing attacks. A combination of them and user awareness, and thus a less gullible user, is the way.