Friday, January 26, 2007

Clustering Phishing Attacks

Clustering a phishing attack to get an in-depth and complete view on the inner workings of a major phishing outbreak or a specific campaign only - that's just among the many other applications of the InternetPerils. Backed up with neat visualization features, taking a layered approach, thus, make it easier for analysts do their jobs faster, its capabilities are already scoring points in the information security industry :

"InternetPerils has discovered that those phishing servers cluster, and infest ISPs at the same locations for weeks or months. Here's an example of a phishing cluster in Germany, ever-changing yet persistent for four months, according to path data collected and processed by InternetPerils, using phishing server addresses from the Anti-Phishing Working Group (APWG) repository. The above animation demonstrates a persistent phishing cluster detected and analyzed by InternetPerils using server addresses from 20 dumps of the APWG repository, the earliest shown 17 May and the latest 20 September. This phishing cluster continues to persist after the dates depicted, and InternetPerils continues to track it."

Here are seven other interesting anti-phishing projects, and a hint to the ISPs who really want to know what their customers are (unknowingly) up to.

Visual Thesaurus on Security

In case you haven't heard of the Thinkmap Visual Thesaurus, it's an "interactive dictionary and thesaurus which creates word maps that blossom with meanings and branch to related words. Its innovative display encourages exploration and learning. You'll understand language in a powerful new way." With its current database size and outstanding usability build into the interface, it has a lot of potential for growth, and I'm sure you'll find out the same if you play with it for a little while.

Thursday, January 25, 2007

Testing Anti Virus Software Against Packed Malware

Very interesting idea as packed malware is something rather common these days, and as we've seen the recent use of commercial packers in the "skype trojan" malware authors are definitely aware of the concept. What the authors did was to pack the following malware using 21 different packers/software protectors - Backdoor.Win32.BO_Installer, Email-Worm.Win32.Bagle, Email-Worm.Win32.Menger, Email-Worm.Win32.Naked, Email-Worm.Win32.Swen, Worm.Win32.AimVen, Trojan-PSW.Win32.Avisa, Trojan-Clicker.Win32.Getfound, and scan them with various anti virus software to measure which ones excel at detecting packed malware. What some vendors are best at detecting others doesn't have a clue about, but the more data to back up your personal experience, the better for your decision-making.

Threats of Using Outsourced Software

Self-efficiency in (quality) software programming for security reasons -- yeah, sure :

"The possibility that programmers might hide Trojan horses, trapdoors and other malware inside the code they write is hardly a new concern. But the DSB will say in its report that three forces — the greater complexity of systems, their increased connectivity and the globalization of the software industry — have combined to make the malware threat increasingly acute for the DOD. "This is a very big deal," said Paul Strassmann, a professor at George Mason University in Fairfax, Va., and a former CIO at the Pentagon. "The fundamental issue is that one day, under conditions where we will badly need communications, we will have a denial of service and have billion-dollar weapons unable to function."

The billion-dollar weapons system will be unable to function in case of an ELINT attack, not a software backdoor taking the statistical approach.

There's an important point to keep in mind, during WWII, the U.S attacted Europe's brightest minds who later on set the foundations for the U.S becoming a super power. Still, you cannot expect to produce everything on your own, and even hope of being more efficient in producing a certain product in the way someone who specialized into doing this, can. Start from the basics, what type of OS does your Intelligence angency use in order not to have to build a new one and train everyone to use it efficiently? Say it with me.. Moreover, the sound module in your OS has as a matter of fact already been outsourced to somewhere else, if you try to control the process with security in mind, vendors will cut profit margin sales, as they will have to pay more for the module, will increase prices slowing down innovation. But of course it will give someone a very false feeling of security.

Fears due to outsourced software? Try budgeting with the secondary audits "back home" if truly paranoid and want to remain cost-effective. While it may be logically more suitable to assume "coded back home means greater security and less risk", you'll be totally wrong. All organizations across the world connect using standart protocols, and similar operating systems, making them all vulnerable to a single threats of what represent today's network specific attacks. And no one is re-inventing the OSI model either.

You can also consider another task force, one that will come up with layered disinformation channel tactics when they find out such a backdoor, as detecting one and simply removing it on such systems would be too impulsive to mention.

Who's Who on Information and Network Security in Europe

A very handy summary of Europe's infosec entities and contact details that come as a roadmap for possible partnerships or analyst's research :

"This Directory serves as the “Yellow pages” of Network and Information Security in Europe. As such, it is a powerful tool in everyday life of all European stakeholders and actors in Network and Information Security (NIS). By having access to all contact data and entry points for all European actors in one booklet, available on your desk, the “arm length’s rule” of access to information is becoming concrete. I am confident that this device of compiled Network and Information Security stakeholders, contacts, websites, areas of responsibility/activity of national and European Authorities, including organisations acting in Network Security and Information, serves our mission to enhance the NIS security levels in Europe well."

Compared to China's information security market on which I've blogged in a previous post, Europe's R&D efforts are still largely de-centralized on a country level, but hopefully, with the ongoing initiatives among member states innovation will prevail over bureaucracy.

The Zero Day Vulnerabilities Cash Bubble

The WMF was reportedly sold for $4000, a Vista zero day was available for sale at $50,000, and now private vulnerability brokers claim that they beat both the underground and the current incentive programs, while selling vulnerabilities in between $75,000 - $120,000.

"The co-founder of security group Secure Network Operations Software (SNOSoft), Desautels has claimed to have brokered a number of deals between researchers and private firms--as well as the odd government agency--for information on critical flaws in software. Last week, he bluntly told members of SecurityFocus's BugTraq mailing list and the Full-Disclosure mailing list that he could sell significant flaw research, in many cases, for more than $75,000. "I've seen these exploits sell for as much as $120,000," Desautels told SecurityFocus in an online interview."

But the cash bubble is rather interesting. Zero day vulnerabilities are an over-hyped commodity and paying to get yourself protected from one, means you'll be still exposed to the next one while you could have been dealing with far more risky aspects of protecting your network, or customers. The (legitimate) business model breaks when every vendor starts offering a "bounty" for vulnerabilities while disintermediating the current infomediaries. It would be definitely more cost-effective for them, than improving someone's profit margins. Or they could really reboot their position in this situation by applying some fuzz logic on their own software at the first place.

Tuesday, January 23, 2007

Attack of the SEO Bots on the .EDU Domain

A university's Internet presence often results in very high pageranks for their site, therefore, if a malicious spammer would like to harness the possibilities of having the spammed message appear among the top 20 search results, he'd figure out a way to post direct http:// links on various .edu domains, especially on the wikis residing there. That's the case with PuppetID : Matias Colins -- of course collins is spelled with one L only --. Matias Colins is an automated attack script that's already hosting hundreds of spam pages on the .edu domain, mostly adult related, and it's worth mentioning that where access to a directory has been in place, the hosted pages blocked caching from any search engine, or hosted one on its own. Redirection is perhaps what the attacker is very interested in too. See how this link - - redirects to a site for whatever the page title says, and this is yet another one -

Here are two more examples of another bot using my blog post titles to generate subdomains or the like, and of bots abusing Ebay's reputation system by self-recommending themselves.

Social Engineering and Malware

With all the buzz over the "Storm Worm" -- here's a frontal PR attack among vendors -- it is almost unbelievable how hungry for a ground breaking event, the mainstream media is. And it's not even a worm. If you are to report each and every outbreak not differentiating itself even with a byte from previous "event-based" malware attacks, what follows is a flood of biased speculations -- too much unnecessary attention to current trends and no attention to emerging ones. With pre-defined subjects, static file names, one level based propagation vector, with the need for the end user to OPEN AN .EXE ATTACHMENT FROM AN UNKNOWN SOURCE, and with "the" Full_Movie.exe in 35kb, worldwide scale attacks such as the ones described here, are more of a PR strategy -- malware with multiple propagation vectors has the longest lifecycle, as by diversifying it's improving its chances of penetration. Don't misunderstand me, protecting the end user from himself is a necessity, but overhyping this simple malware doesn't really impress anyone with a decent honeyfarm out there. It doesn't really matter how aggressively it's getting spamed, what matters the ease to filter and enjoying the effective rules you've applied. No signatures needed. As a matter of fact I haven't seen a corporate email environment that's allowing incoming executable files in years, especially anything in between 0-50kb, have you? My point is that, the end user seems to be the target for this attack, since from an attacker's perspective, you have a higher chance of success if you try to infect someone who doesn't really know whether his AV is running, or cannot recall the last time an update was done to at least mitigate the risk of infection. These are the real Spam Kings.

At the beginning of 2006, I discussed the evolving concept of localizing malware attacks :

"By localization of malware, I mean social engineering attacks, use of spelling and grammar free native language catches, IP Geolocation, in both when it comes to future or current segmented attacks/reports on a national, or city level. We are already seeing localization of phishing and have been seeing it in spam for quite some time as well. The “best” phish attack to be achieved in that case would be, to timely respond on a nation-wide event/disaster in the most localized way as possible. If I were to also include intellectual property theft on such level, it would be too paranoid to mention, still relevant I think. Abusing the momentum and localizing the attack to target specific users only, would improve its authenticity. For instance, I’ve come across harvested emails for sale segmented not only on cities in the country involved, but on specific industries as well, that could prove invaluable to a malicious attack, given today’s growth in more targeted attacks, compared to mass ones."

The current "events-based" malware is a good example here. If it were a piece of malware to automatically exploit the targeted PC, then you really have a problem to worry about. Meanwhile, Businessweek is running an interesting article on Why Antivirus Technology Is Ineffective, and stating "white-listing" is the future of malware prevention. Could be, if there wasn't ways to bypass the white-listing technology, or give a "white-listed" application a Second Life -- and of course there are.

In another piece of quality research written by Mike Bond and George Danezis, the authors take us through the temptation stage, monitoring, blackmail, voluntary propagation, involuntary propagation, and present nice taxonomies of rewards and blackmail.

And if you're still looking for fancy stats and data to go through, read this surprisingly well written paper by Microsoft - Behavioural Modelling of Social Engineering-Based Malicious Software. They've managed to spot the most popular patterns - generic conversation, non-english language used, virus alert/software patch required, malware found on your computer, no malware found, account information, mail delivery error, physical attraction, accusatory, current events, and free stuff.
Current events, free stuff, and malware on your computer are the most effective ones from my point of view as they all exploit wise psychological tactics. Current events because the Internet is a major news source and has always been, free stuff, due the myth of "free stuff" on the Internet, and the found malware putting the (gullible) end user in a "oops it was my turn to get a nasty virus" state of mind.

Wednesday, January 17, 2007

Collected in the Wild

Nothing special, looks like a downloader, tries to connect to *****.cc/getcommand.php?addtodb=1&uid=rtrtrele.CurrentU. to get the payload that's packed and repacked quite often. File length: 2829 bytes. MD5 hash: 2147eb874fefe4e6a90b6ea56e4d629a.

The next one is rather more interesting as it's a registry backdoor, creating a new service and opening up a listening port 5555. File length: 21504 bytes. MD5 hash: 406e3fc8a2f298a151890b3bee9d7b18.

Creates service "msntupd (msntupd)" as "C:\WINDOWS\SYSTEM32\regbd.sys".

Inside an Email Harvester's Configuration File

In previous posts on web application email harvesting, and the distributed email harvesting honeypot, I commented on a relatively less popular threat - the foundation for sending spam and phishing emails, namely collecting publicly available email addresses. The other day I came across an email harvester and decided to comment on its configuration file.

Type of file extensions to look in :

Domains to look in :

As you can see, this one is Europe centric.

Blacklisted usernames and domains :
@php;@zend; feedback;.lg;.lnx;@hostel;@relay;
.neolocation; @example;.kirov;.z2;.fido;.tula;
@intercom;@olli;@ozon; @bk;@lipetsk;@ygh;

F-Secure, Kaspersky, MessageLabs, Panda Software and McAfee are taken into consideration, but the best part is that the vendors themselves are visionary enought not to be using domains or email addresses associated with them, for spam and malware traps.

Thankfully, there're many spam poison projects where these crawlers get directed to a huge number of randomly generated email addresses. And while the results are evident, namely they're picking them up and poisoning their databases with non-existent emails it is questionable if that's the best way to fight spam, since the spammers are going to send their message to anyone, even to the non-existent email addresses causing network load. Something else worth mentioning, these email harvesters are starting to pick up [at] and [dot] type of obfuscation too.

Here are some more comments on the Spamonomics I recently made. Spammer's attitude has to do with "Busyness vs Business" factor of productivity mostly, their business model is broken, but they just keep on sending them without knowing it.

Monday, January 15, 2007

The Life of a Security Threat

Eye-catching streaming video courtesy of iDefense. In the past, iDefense got a lot of publicity due to their outstanding cyber intelligence capabilities, and quality reports among which my favorite is the one providing a complete coverage of the China vs U.S cyberwar due to the captured AWACS in case you remember. VeriSign, perhaps the last vendor you would think of, purchased the company with the idea to diversify its portfolio of services and further expand their market propositions, if critical infrastructure is what they manage, an IDS signature when there's no patch available and wouldn't be not even next Patch Tuesday, is invaluable and proactive approach for protecting a company's assets. Recently, iDefense offered another bounty on zero day vulnerabilities in Vista and IE7, but considering that Windows Vista is still not adopted on a large corporate and end user scale the way XP is, therefore a zero day exploit for Windows XP must have a higher valuation then a Windows Vista one. Proving Vista is insecure and iDefense taking the credit for it though, is a strategic business move rather then a move aiming to improve the overal security of their customers -- if only could iDefense purchase all the exploits from Month of the X Bugs initiatives. Moreover, a Vista zero day exploit was available for sale. Feel the hypo-meter about to explode. Think malicious attackers. Would someone pay $50,000 for an exploit of an OS whose adoption by corporate and home users is continuing to sparkle debates, while an IE6 zero days are offered in between $1000-2000?

In the time of blogging, there're numerous zero day vulnerabilities for sale out there, the way this commercialization of vulnerability research directly created the -- thankfully -- stil not centralized underground market for vulnerabilities by adding more value to what's a commodity from my point of view. Here's a complete coverage on how the WMF vulnerability got purchased for $4000 in case you want to deepen your knowledge into the topic.

Saturday, January 13, 2007

Security Lifestyle(S)

If Security is a state of mind, then so is brand loyalty.

Thursday, January 11, 2007

Head Mounted Surveillance System

It's so cheap and affordable even you can add it to your wish list :

"The new DV ProFusion is a cost effective alternative to the DV Pro. It is a lightweight, mobile, body worn video and audio solution. DV ProFusion has a built in screen allowing for live viewing and instant playback. DV ProFusion is available in either 30GB hard drive capacity, which provides up to 100 hours of video or 100GB offering 450 hours of video, depending on sampling bit rate. DV ProFusion enables the user to keep both hands free whilst recording exactly what they see and hear themselves. DV ProFusion is specifically designed to work with a number of optional accessories, including an extendable pole and additional lens options."

While it's very innovative idea, in five years the current models would look like the brick-size like Motorola cell phones you all know. I like the idea of storing the footage in the device compared to relying via air which makes me think of several scenarios for possible abuse or DoS attacks. In case you haven't heard public CCTV cameras are getting a boost with built-in speakers, so perhaps at a later stage it would come to someone's mind to include a speaker on the other side of the head too. Two clips to see it in action.

Transferring Sensitive Military Technology

Busted :

"China on Tuesday condemned US sanctions imposed last week on three Chinese companies for allegedly selling banned weapons to Iran and Syria, calling the accusations "totally groundless". "We strongly oppose this and demand the US side correct this erroneous action," foreign ministry spokesman Liu Jianchao said at a regular press conference. The Chinese firms are among 24 foreign entities from several countries hit with the sanctions, invoked under the 2005 Iran and Syria Nonproliferation Act."

Follow the connection, the U.S is doing business with the Chinese companies, who leak it to Iran and Syria, who leak it Hezbollah or pretty much everyone at the bottom of the food chain.

More comments - "Foreign Intelligence Services and U.S Technology Espionage" and "Hezbollah's use of Unmanned Aerial Vehicles - UAVs".

Artillery Rockets image courtesy of

Wednesday, January 10, 2007

It's all About the Vision and the Courage to Execute it

Great article on China's blogging market and the never-ending censorship saga. Meet Fang Xingdong, a banned journalist who decides to beat them by playing their own game, do the math yourself. While heading China's Bokee with 14 million bloggers and more than 10,000 new ones every day, he's appointed only 10 people to monitor the blogs :

"Of course, the authorities did not allow a completely wide-open system. Censorship is still practised, even at Mr. Fang's company. Among his 80 employees are 10 people who comb through the blogs every day, deleting anything deemed to be obscene or politically unacceptable. He hopes that the Chinese blogosphere will become self-regulating. "If it's more orderly, there will be less pressure on us," he says. "I think a blog should have a basic foundation of morality and law. I compare it to a person's home."

If I were in China, I'd register on his network.

Preventing a Massive al-Qaeda Cyber Attack

From the unpragmatic department :

"Colarik proposes "a league of cyber communities." The world's 20 largest economies would sign a treaty vowing to manage their own country's cyber activities. Member states would then deny traffic to any nation that refuses to crack down on cyber terrorists."

No, he really means it, totally forgetting on how a huge percentage of terrorist related web sites are hosted in the U.S. Here's the latest example. It gets even more shortsighted :

"Al-Qaeda also publishes a monthly magazine devoted to cyber-terrorism techniques."

If installing a VMware and PGP Whole Disk Encryption is a cyber-terrorism technique, we're all cyber terrorists without the radical mode of thinking and the Quran on the bookshelf.

Eyes in London's Sky - Surveillance Poster

Alcohol's bad, drugs are bad, surveillance is good for protecting your from the insecurities we made you become paranoid of, and so are head-mounted surveillance cams equipped police officers. Sure, but consider the social implications too. London may be one of the most important business centers in Europe -- next to Frankfurt and Rotterdam -- but I'm so not looking forward to living in what's turning into a synonym for 1984.

Tuesday, January 09, 2007

Still Living in the Perimeter Defense World

Whereas you'd better break out of the budget-allocation myopia and consider prioritizing your security investments, decreased spending on information security in certain regions means good old-fashioned malware and spam floods for the rest of regions doing it :

"Fewer small- and medium-sized enterprises (SMEs) in Taiwan will increase their spending on information security this year compared with last year, according to a report released Thursday by the Institute for Information Industry's Market Intelligence Center (MIC). The report said that only 12.9 percent of SMEs will increase their information security spending in 2007, compared with 16.2 percent in 2006."

Perimeter defense and host security is like the ABC of security, but since viruses and network attacks are "taken care of" all seems fine -- you wish.

"While more than 90 percent of SMEs have installed anti-virus software and firewall devices, only 11 percent have installed unified threat management products, according to Wang."

And while your organization is multitasking on how to budget with the anyway scarce resources due to legal requirements to do so, or visionary leaders realizing the soft and hard cash losses if you dare to pretend your organization wouldn't get breached into, regions around the world don't have the incentives to do so. If you bring too many people to a party someone always takes a *** in the beer, or so they say. Know when to spend, how much, on what, and is the timing for your investment the right one given the environmental factors of your company. A small size business doesn't really need a honeyfarm unless of course the admin is putting a personal effort in the job.

Data Mining Credit Cards for Child Porn Purchases

22 million customers had the privacy of their credit card purchasing histories breached for the sake of coming up with 322 suspects while looking for transactions to a single child porn web site - ingenious, absolutely ingenious :

"In the case under investigation, police were aware of a child pornography Web site outside of Germany that was attracting users inside the country. And they asked the credit-card companies to conduct a database search narrowed to three criteria: a specific amount of money, a specific time period and a specific receiver account."

I don't want to ruin the effect of the effort here, but why do you still believe child porn is located on the WWW, in the http:// field you're so obsessed with? Is the WWW the only content distribution vector for multimedia files you're aware of? Try the Internet Relay Chat, the concept of Fserve to be precise. Having found the low lifes who buy child porn over the Web is like picturing a pothead as the ├╝ber-dealer to meet your quotas, namely, efforts like these have absolutely no effect on the overal state of child pornography online. It's the wrong way to fight the war. Put the emphasis on fighting the very production process -- trafficking of children -- not the distribution one.

Insider Sentiments around L.A's Traffic Light System

Rember how the Hollywood Hackers were winning time while heading straight to Grand Central Station in NYC to outsmart the Plague's plan to cause a worldwide ecological disaster and cash in between? In pretty much the same fashion -- without the randomization of traffic lights -- two engineers in between their union's strike seems to have watched the movie too :

"They didn't shut the lights off, city transportation sources said. Rather, the engineers allegedly programmed them so that red lights would be extremely long on the most congested approaches to the intersections, causing gridlock for several days starting Aug. 21, they said."

Whether overal paranoia due to the sensitive nature of the workers' positions and the publicly stated intentions, insider sentiments prevail from my point of view.

Monday, January 08, 2007

Iran Bans Purchase of Foreign Satellite Data

Re-inventing the wheel :

"According to the bill, a copy of which has been sent to all ministries, organizations, state and revolutionary institutions, the purchase of information from foreign sources is deemed against the law. Specialists of the Defense Ministry have currently succeeded in initiating a project for obtaining satellite information online. For the first time in Iran, it is now possible to produce topographic maps, on a scale of 1/10,000, of a specific area for municipal and developmental projects, with the satellite images of very high resolution."

Guess they don't want others to know which locations of their country are still unknown to themselves, but with the bill definitely implemented as a national security measure, and to improve the nation's self-esteem, drop a line if they ever get close to producing such high-resolution image of their Natanz facility on their own.

Russia's Lawful Interception of Internet Communications

Don't fool yourself, they've been doing it for the time being, now they're legalizing it -- working for anything like the EFF in Russia means having the bugs in your place bugged. Citing Cyber-Terrorism Threat, Russia Explores Internet Controls :

"An estimated 20 percent of the Russian population now has access to the Internet. Whereas the Putin administration exerts tight control over the major domestic broadcast and print media, it does not currently restrict the content of Internet sites on a wide scale. Web sites such as and provide many of the articles and commentary that would normally otherwise appear in an opposition press. Several wealthy Russians living in political exile, including Boris Berezovsky and Vladimir Gusinsky, own Russian-language websites that publicize their anti-Putin views to Russian audiences. In August 2006, Russian right-wing extremists used the Internet to coordinate a bomb attack against illegal migrants from Asia."

Give me an excuse for data retention? No, give me another one besides the infamous "if you don't have anything to hide then why worry"? We all have things to hide, and things we don't want others to know, that's still called my privacy, and since when does this became a terrorist activity, or someone's just piggybacking on the overall paranoia created by the thought to be acting as government watchdog, media -- don't be a reporter, be a journalist! Winning the public support in different countries largely relies on the local attitudes towards the key buzzwords - terrorists are using the Net as a "safe heaven", and child pornographers are operating online, while people are unemployed and primitive deceases which should been dealth with years are a second economic priority, next to your first one - fighting your (political campaign) demons, or the (upcoming budget allocation) demons you put so much efforts into making me believe in. Start from the basics, why retain everyone's data, and intercept everyone's communications while forgetting that information is all about interpretation? How come you're assuming -- if you're even considering it -- that such a neatly centralized databases of private information would be protected from insiders, even outsiders which will inevitably be tempted to having access to such a database? A country's intelligence is the government's tool for protecting the national security or beyond, but over-empowering the watchers is so shortsighted, you'd better break through your black'n'white world only and start considering all other colours as equal. Don't slip on your values.

If you sacrifice privacy for security, you don't deserve both of them, and the utopian idea of having a 100% successful law enforcement as the panacea of dealing of crime reminds of a quote I recently find myself repeating very often - make sure what you wish for, so it doesn't actually happen.

Sunday, January 07, 2007

Visits to the White House Now Top Secret Information

Informative - White House visitor logs declared top secret :

"The five-page document dated May 17 declares that all entry and exit data on White House visitors belongs to the White House as presidential records rather than to the Secret Service as agency records. Therefore, the agreement states, the material is not subject to public disclosure under the Freedom of Information Act.
In the past, Secret Service logs have revealed the comings and goings of various White House visitors, including Monica Lewinsky during the Clinton administration."

I thought that's always been the case anyway, but it closes a loophole that could result in potentially embarrassing future developments -- or less accountability. Time will show. More info.

Sunday's Portion of Hahaha

While patiently waiting for the future adventures of Monica Furious, I came across a nice collection of cartoons. I'm sure you'll find these two very entertaining - "The Disabled Cookies" and "The Spam Prison".

Web Economy Buzz Words Generator

Whether looking for VC cash, or having a quota to meet being a salesman, some of these may come handy or pretty much make someone's morning.

Here are my favorite:
e-enable integrated mindshare
empower impactful infomediaries
architect compelling ROI
productize 24/7 e-services
recontextualize compelling ROI

Doesn't matter how well you project your success, if you don't have an elevator pitch worth someone's attention span, than you don't know what you're doing, but marely relying on the web economy's state of buzziness -- this is another one. Try some copywriting exercises too.

Four Years of Application Pen Testing Statistics

Invaluable :

"The article presents a unique opportunity to take a peek into the usually secluded data regarding the actual risk posed to Web applications. It shows a constant increase in risk level over the four years and an overwhelming overall percentage of applications susceptible to information theft (over 57%), direct financial damage (over 22%), denial of service (11%) and execution of arbitrary code (over 8%). The article analyzes results of first time penetration tests as well as repeat tests (retests) in order to evaluate the evolution of application security within Web applications over time."

Lots of figures respecting your busy schedule, and the authors' data pointing out how the lack of repeated testing, and the "security as a one time purchase" mentality, actually means a false sense of security. Having a secured web application doesn't mean the end user won't be susceptible to a client side attack, and having a secured end user doesn't mean the web application itself will be secured, ironic, isn't it? Perhaps prioritizing the platforms to be audited, namely the major web properties, could protect the always unaware end user to a certain extend -- from himself. Related comments.

Foreign Intelligence Services and U.S Technology Espionage

Talking about globalization, like it or not, perceive it as a threat to national security or a key economic benefit, it's happening and you cannot stop it. Nothing else will add more long-term value to a business or a military force than innovation, and when it comes to the U.S military's self-efficiency in R&D, it's pretty evident they've managed to achieve the balance and still dictate the rhythm.

The methods used aren't nothing new :

"The report says that foreign spies use a wide variety of techniques, ranging from setting up front companies that make phony business proposals to hacking computers containing information on lasers, missiles and other systems. But the most popular methods of attempting to obtain information was a simple “informational request” (34.2%) and attempts to purchase the information (32.2%). Attempts were also made using personal relationships, searching the Internet, making contacts at conferences and seminars, cultural exchanges."

What's new is the actual report in question - "Technology Collection Trends in the U.S. Defense Industry". OSINT is also an important trends gathering factor, and so is corporate espionage through old-fashioned malware approaches or direct intrusions, and it's great the report is considering the ease of execution on these and the possible network vulnerabilities in the contractors :

"DSS also anticipates an increase in suspicious internet activity against cleared defense contractors. The potential gain from even one successful computer intrusion makes it an attractive, relatively lowrisk, option for any country seeking access to sensitive information stored on U.S. computer networks. The risk to sensitive information on U.S. computer systems will increase as more countries develop capabilities to exploit those systems."

Then again, what's produced by the U.S but cannot be obtained from there, will be from other much more insecure third-party purchasers -- how did Hezbollah got hold of night vision gear? Or even worse, by obtaining the leftovers from a battle conflict for further clues.

The bottom line question - is the illegal transfer of U.S technology threat higher than the indirect leakage of U.S educated students taking their IQ back home, while feeling offended by their inability to make an impact were they a U.S citizen?

Thursday, January 04, 2007

Technical Analysis of the Skype Trojan

During December yet another trojan started making rounds, this time dubbed the Skype trojan -- SEO conspiracy. Was the trojan exploiting a zero day vulnerability in the Skype protocol? Absolutely not, as it was basically using Skype's messaging service as a propagation vector, thus, the gullible and in a Christmas mood end user was still supposed to interact with the malware by clicking on the link. And with required end user's interaction, the possibilities for major outbreaks were very limited. Perhaps the only development worth mentioning is the malware author's use of commercial anti-cracking software -- NTKrnl Secure Suite -- to make the unpacking harder, or at least theoretically improve the time needed to do so compared to using publicly obtainable, and much more easily detectable packers.

Two days ago, Nicolas Brulez from Websense Security Labs released a technical analysis of the trojan itself, and here's your proof for the logical possiblities of specific copy'n'paste malware modules :

"The main protection scheme I faced was the copy pasted from my Honeynet Scan of The month 33 Challenge. The breakpoint detection was 100% identical, even the numbers I had generated randomly. More importantly, the technique I had written based on SEH + cpuid/rdtsc was also copied. The only difference was that they used the EDX register to compare the timing.

Copy pasting protection code without even changing it a little, provides no security at all and allowed me to unpack it even quicker. (gotta love looking at code you wrote 2 years ago)

It apparently included some other tricks, that made it a little harder to unpack, and the file looked like it was corrupted at some point. In order to debug it and comment my disassembly in a readable way, I opted to use a userland debugger, and thus had to write a little shellcode for injection into the packed malware. Basically, it entailed abusing Windows Exception Handling (using a hook), to get past every check. After that, one could attach his favorite userland debugger to the malware and eventually find the Original Entry Point. Although the imports rebuilding for this protector isn't hard at all, it wasn't mandatory in this executable as it only imported one function: ExitProcess"

And while the average malware coder is using commercial tools to make his releases harder to analyze, the almighty jihadist is still living in the Hacker Defender world.

Were you Tracking Santa's Location?

As usual, NORAD were, but there's one minor issue to keep in mind and that's how during the Christmas and New Year holidays Santa Claus is the most successfully targeted victim of identity theft. Hopefully they were tracking the real Santa through the real Rudolph as the weakest link :

"The satellites have infrared sensors, meaning they can detect heat. When a rocket or missile is launched, a tremendous amount of heat is produced - enough for the satellites to detect. Rudolph's nose gives off an infrared signature similar to a missile launch. The satellites can detect Rudolph's bright red nose with practically no problem. With so many years of experience, NORAD has become good at tracking aircraft entering North America, detecting worldwide missile launches and tracking the progress of Santa, thanks to Rudolph."

All rest is a commodity but attitude.