Who Wants to Advertise?

Dear blog readers,

Since December, 2005 my personal blog is one of the security industry's most popular and high traffic visited security publications with hundreds of high-profile visitors on a daily basis.

I'm currently offering and accepting serious advertising offers for permanent banner and a text link placement on my blog from vendors oflr organizations in this space where I can offer a pretty decent and good advertising inventory in terms of traffic and we can sign a monthly or yearly traffic acquisition and brand exposure agreement for your vendor or organization.

Are you interested? Drop me a line at dancho.danchev@hush.com to discuss.

Continue reading →

Dealing with Spam - The O'Reilly.com Way

While China feels that centralization is the core of everything, and is licensing the use of mail servers to fight spam, thus totally ignoring the evolution of spam techniques, the other day I came across to some recent Spam Statistics from Oreilly.com -- scary numbers!

"Our mail servers accepted 1,438,909 connections, attempting to deliver 1,677,649 messages. We rejected 1,629,900 messages and accepted only 47,749 messages. That's a ratio of 1:34 accepted to rejected messages! Here is how the message rejections break down:

Bad HELO syntax: 393284
Sending mail server masquerades as our mail server: 126513
Rejected dictionary attacks: 22567
Rejected by SORBS black list: 262967
Rejected by SpamHaus black list: 342495
Rejected by local block list: 5717
Sender verify failed: 4525
Recipient verify failed (bad To: address): 287457
Attempted to relay: 5857
No subject: 176
Bad header syntax: 0
Spam rejected (score => 10): 42069
Viruses/malware rejected: 2575
Bad attachments rejected: 1594"

Draw up the conclusions for yourself, besides shooting into the dark or general syntax errors, total waste of email traffic resulting in delayed email is the biggest downsize here, thankfully, non-commercial methods are still capable of dealing with the problem. At the bottom line, sending a couple of million email messages on the cost of anything, and getting a minor response from a "Hey this is hell of a deal and has my username on the top of it!" type of end users seems to keep on motivating the sender. Localized spam is much more effective as an idea, but much easier to trace compared to mass-marketing approaches, though I feel it would emerge with the time.

Browse through Spamlinks.net for anything anti-spam related, quite an amazing resource. Continue reading →

Web Application Email Harvesting Worm

This is a rare example of a web application vulnerability worm, targeting one of the most popular free email providers by harvesting emails within their 1GB mailboxes, and of course propagating further.

"Yahoo! on Monday has repaired a vulnerability in its email service that allowed a worm to harvest email addresses from a user accounts and further spread itself. The JS/Yamanner worm automatically executes when a user opens the message in the Yahoo Mail service. It uses JavaScript to exploit a flaw that until today was unpatched. Yahoo later on Monday fixed the vulnerability. "We have taken steps to resolve the issue and protect our users from further attacks of this worm. The solution has been automatically distributed to all Yahoo! Mail customers, and requires no additional action on the part of the user," Yahoo! spokeswoman Kelley Podboy said in an emailed statement."

Web application worms have the potential to dominate the malware threatscape given the amount of traffic their platforms receive, my point is that even within a tiny timeframe like this, one could achieve speed and efficiency like we've only seen in single-packet worms.

In a previous post related to the "Current State of Web Application Worms", you can also find more comments and resources on the topic. Rather defensive, the content spoofing exploiting the trust between the parties that I mentioned is nothing compared to the automated harvesting in this case. As there's naturally active research done in Bluetooth honeypots, IM honeypots, ICQ honeypots, Google Hacking honeypots, it's about time to start seeding your spam trap emails within free email providers or social networking providers.

The stakes are too high not to be exploited in one way or another, I hope we'll some day get surprised by a top web property coming up with a fixed vulnerability on their own. Realizing the importance of their emerging position as attack vector for malware authors is yet another issue to keep in mind. And the best part about web services is their push patching approach, you're always running the latest version, so relaying on end users is totally out of the question.

Find out more details on the worm, and comments as well.

UPDATE: Rather active month when it comes web application malware events, another Data-Theft Worm Targets Google's Orkut. Continue reading →

Bedtime Reading - Rome Inc.

If the Baby Business helped you envision the future, "Rome Inc - The Rise and Fall of the First Multinational Corporation" is going to help you perceive the past within today's corporate culture -- and Stanley Bing makes good points on every stage of the empire.

Basically, the book emphasizes on the "first multinational corporation" Rome, selling the ultimate product of its time - citizenship. Moreover, it goes in-depth into the concept of moguls and anti-moguls, and how their tensions indeed create an enterpreneurial and corporate culture in 120 A.D.

Every industry has moguls and anti-moguls, the behind the curtain disruptors at a specific stage. What are some of the characteristics of a mogul?

- Commision their PR
- Exercise power when feeling endangered -- elephants against the mice warfare
- Indirectly control the media that's "winning points" for quotations, and "credible" content
- Generally, tend to believe in being the Sun, when the universe tends to have so many dwarfs, and dimensions altogether
- Hide behind C-level positions
- Talk more than actually listen
- When they sneeze the whole industry gets cold

Certain societies, if not all, get obsessed with superficially creating heroes, so profesionally that at a certain point, the "hero" cannot deny any of the praises, but starts living with them and the load that comes altogether. Get hold of this masterpiece, you're gonna love it! Continue reading →

The Current State of Web Application Worms

Remeber the most recent Yahoo! Mail's XSS vulnerabilities, or the MySpace worm? I just read through a well written summary on Web Application Worms by Jeremiah Grossman, from WhiteHat Security, "Cross-Site Scripting Worms and Viruses - The Impending Threat and the Best Defense", an excerpt :



"Samy, the author of the worm, was on a mission to be famous, and as such the payload was relatively benign. But consider what he might have done with control of over one million Web browsers and the gigabits of bandwidth at their disposal--browsers that were also potentially logged-in to Google, Yahoo, Microsoft Passport, eBay, web banks, stock brokerages, blogs, message boards, or any other web-based applications. It’s critical that we begin to understand the magnitude of the risk associated with XSS malware and the ways that companies can defend themselves and their users. Especially when the malware originates from trusted websites and aggressive authors. In this white paper we will provide an overview of XSS; define XSS worms; and examine propagation methods, infection rates, and potential impact. Most importantly, we will outline immediate steps enterprises can take to defend their websites."



It provides an overview of Cross-Site Scripting (XSS), Methods of Propagation, comments on the First XSS Worm, a worst case scenario, and of course protection methods, nice graphs and overview of this emerging trend. In my "Future Trends of Malware" research I indeed pointed out on its emergence :



"How would a malware author be able to harness the power of the trust established between, let’s say, ComScore’s top 10 sites and their visitors? Content spoofing is the where the danger comes from in my opinion, and obvious web application vulnerabilities, or any bugs whose malicious payload could be exposed to their audiences. In case you reckon, a nasty content spoofing on Yahoo!’s portal resulted in the following possibility for driving millions of people at a certain URL, if I don’t trust what I see on Yahoo.com or Google.com, why bother using the Net at all is a common mass attitude of course. Any web property attracting a relatively large number of visitors should be considered as a propagation vector, for both, malware authors, and others such as phishers, or botnet brokers for instance."



Monetizing mobile malware is among the other trends I also indicated, and the RedBrowser seems to be the most recent example of this as it randomly chooses a premium-rate number from the following list, and sends a SMS message generating revenue for the attacker : 08293538938, 08001738938, 08180238938, 08229238938, 08441238938, 08287038938, 08187938938, 08189038938, 08217838938, 08446838938.



I summarized the key points back than as :

"The number and penetration of mobile devices greatly outpaces that of the PCs. Malware authors are actively experimenting and of course, progressing with their research on mobile malware. The growing monetization of mobile devices, that is generating revenues out of users and their veto power on certain occasions, would result in more development in this area by malicious authors. SPIM would also emerge with authors adapting their malware for gathering numbers. Mobile malware is also starting to carry malicious payload. Building awareness on the the issue, given the research already done by several vendors, would be a wise idea."



Among the first folks to discuss the topic of web application malware was Robert from CGISecurity.com in his "Anatomy of Web Application Worm" paper back in 2002, and with the easy and speed of discovering web application vulnerabilities in major portals it's up to the imagination of the attacker -- as the paper points out Samy only wanted to make 1 million friends, what if he wanted to do something else?



"Cross-Site Scripting Worms and Viruses - The Impending Threat and the Best Defense" also argues on Samy being the fastest worm, though single-packet UDP worms, according to a research on the "Top Speed of Flash Worm" by "Simulating a flash version of Slammer, calibrated by current Internet latency measurements and observed worm packet delivery rates, we show that a worm could saturate 95% of one million vulnerable hosts on the Internet in 510 milliseconds. A similar worm using a TCP based service could 95% saturate in 1.3 seconds. The speeds above are achieved with flat infection trees and packets sent at line" rates.



Is it the speed or the size of the infected targeted group that matters, and what if Web 2.0 worms can achieve exactly the two of these?



More resources on the topic in case you are interested :
Web-based Malware & Honeypots - phpBB bots/worms
New MySpace XSS worm circulating
Description of a Yahoo! Mail XSS vulnerability
Evolution of Web-based worms
The Latest in Internet Attacks: Web Application Worms
Web Application Worms : Myth or Reality?
Analysis of Web Application Worms and Viruses
Paros - for web application security assessment Continue reading →

DIY Marketing Culture

Problem - big name advertising agencies, and self forgotten copywriters easily turn into an obstacle for a newly born startup, the way marketing researchers can easily base your entire service/product development efforts on a single survey's results. Generating content, thinking content is the king, trying to sense and understand your customers' needs or where the market is heading to for the sake of responding with profitable propositions, I think is a self-centered, in-the-box mode of thinking that would cease to exist with customers becoming more informed.



Solution - Don't get too "product-concept" centered, instead solve a problem profitably and retain their satisfaction for as long as possible. Let your customers dictate the rules, and perhaps even generate your entire marketing promotional efforts themselves -- literally. Did you know you could get yourself custom printed MM's? I recently found out I can, and I'm already expecting the packs.



Or how the successfully positioned as a secure alternative to IE, FireFox browser actually invested pennies in spreading the word about it? Moreover, a $5000 bounty can indeed promote creativity, given they are comfortable with the idea, and with the 280 user-generated ads generated at FireFox Flicks I think they did it again, no wait, their users did it. Take your time to go through the flicks, it's worthwhile.



Question the concepts, rethink them, and disrupt with whatever the outcome. Continue reading →

Distributed cracking of a utopian mystery code

If you have missed the opportunity to buy yourself a portable Enigma encryption machine, or didn't know you could devote some of your CPU power while trying to crack unbroken Nazi Enigma ciphers, now is the time to consider another distributed computing cracking initiative I just came across to - "Assault on the Thirteenth Labour", part of the utopian Perplex City alternate reality game.


More on the story itself :



"The story centers on a fictional metropolis known as Perplex City. The Receda Cube, a priceless scientific and spiritual artefact, has been stolen and buried somewhere on Earth, and the game offers a real-life $200,000 reward to whoever can find it."



As a matter of fact, ever heard of Hive7? This is where the future is going, as I think virtual worlds intrigues result in a more quality real life, don't they? Still, it can also result in security problems with stolen virtual goods. The trend, given the popularity of these, will continue to emerge -- people, both rich and poor are putting hard cash into virtual properties and DoS attacks and phishing practices are already gaining popularity as well.



Technorati tags:
Security, Cryptography, Perplex City, Virtual Worlds, Distributed, New Media Continue reading →

The "threat" by Google Earth has just vanished in the air

Or has it actually? In one of my previous posts "Security quotes : a FSB (successor to the KGB) analyst on Google Earth" I mentioned the usefulness of Google Earth by the general public, and the possibility to assist terrorists. The most popular argument on how useless the publicly available satellite imagery is that it doesn't provide a high-resolution images, and recent data as well -- that's of course unless you don't request one, but isn't it bothering you that here we have a street-side drive-by POC?



The recently introduced Windows Live Local Street-Side Drive-by (A9's maps have been around for quite a while), is setting a new benchmark for interactive OSINT -- if any as this is also a privacy violation that can be compared with efforts like these if it was in real-time. Having had several conversations with a friend that's way too much into satellite imagery than me, I've realized that starting from the basic fact of targeting a well known or a movie-plot location doesn't really requires satellite imagery. I find that today's sources basically provoke the imagination and the self-confidence -- and hopefully nothing more!


There have been numerous articles on the threat posed by Google Earth, and India seems to be the most concerned country about this for the time being :



"Chief of the Indian Army General J.J. Singh warns that Google Earth could endanger national security by providing high resolution photographs of strategic defense facilities. The software could prove especially useful to countries that do not have their own satellite capabilities. Singh called Google Earth a shared concern for all countries, requiring all countries to cooperate to address the issue. Indian President APJ Abdul Kalam has also expressed concerns over Google Earth and national security."



You can spend hours counting the cars in front of NSA's parking lot through public satellite imagery resources, still you would never get to see what's going on in there, I guess things have greatly changed since the days when tourists sent over the USSR, or exactly the opposite, to the U.S, would try to get hold of as many maps as possible finish the puzzle.



In some of my previous posts on Cyberterrorism, I said that terrorists are not rocket scientists until we make them feel so, and I'm still sticking to this statement, what about you? As a matter of fact, Schneier is inviting everyone to participate in the Movie-Plot Threat contest -- stuff like terrorist EMP warfare, Nuclear truck bombs (the same story from 3 years ago), and other science fiction scenarios worth keeping an eye on.



Terrorism is a profitable paranoia these days, that's constantly fuelling further growth in defense and intelligence spending, as satellite imagery is promoted for the bust of Bin Laden, whereas their infrastructure seems to pretty safe, isn't it? (More photos, 1, 2, 3, 4, 5, 6) I'd rather we have known parties as an adversary, the way it used to be during the Cold War, whose competition sent us in Space, and landed us on the Moon , instead of seeing terrorists everywhere and missing the big opportunity.



Technorati tags:
Security, Terrorism, Cyberterrorism, Privacy, Google Earth, Google Maps, Space, Microsoft Live, New Media Continue reading →

Visualization in the Security and New Media world

Information visualization seems to be a growing trend in today's knowledge driven, and information-overloaded society. The following represents a URL tree graph of the Security Mind Streams blog -- looks resourceful! Want to freely graph your site/blog? Take advantage of Texone's tree, just make sure you don't forget to press the ESC key at a certain point.



In my first post related to "Visialization, intelligence and the Starlight project" I introduced you a fully realistic and feasible solution to filtering important indicators whatever the reason. Moreover, I also came across a great visualization of malware activity in another post summarizing malware trends around February. What I'm truly enjoying, is the research efforts put in the concept by both, security/IT professionals, and new media companies realizing that the current state of the mature text-based Web.



Ever wanted to see how noisy connect() scans actually are? In early stage of its development, people are already experimenting with the idea, find more about while going through "Passive Visual Fingerprinting of Network Attack Tools" paper.


Things are getting much more quantitative and in-depth in another recommended reading on the topic "Real-Time Visualization of Network Attacks on High-Speed Links" whose purpose is to "show that malicious traffic flows such as denial-of-service attacks and various scanning activities can be visualized in an intuitive manner. A simple but novel idea of plotting a packet using its source IP address, destination IP address, and the destination port in a 3-dimensional space graphically reveals ongoing attacks. Leveraging this property, combined with the fact that only three header fields per each packet need to be examined, a fast attack detection and classification algorithm can be devised."



Presented at this year's BlackHat con "Malware Cinema, a Picture is Worth a Thousand Packets" will provide with much more fancy visualization concepts related to malware. Originally presented by Gregory Conti, you can also download the associated resources, and keep an eye on the audio in case you didn't attend the con.



As far as new media is concerned, I'm so impatient to witness more developments given how boring I find any of the browsers I've used so far -- and there're a lot of developments going on as always! Virtual worlds have the potential to change the face of the Web, the text/image based one the way we know it.



Remember how the federal agents were chatting face-in-face with the malicious attacker through the innovative and programmed for the masses browser, in NetForce? Hive7 is the alternative in 2006, and if you spend some with it, you'll be impressed by its potential -- say goodbye to the good old IRC?



UPDATE : LinuxSecurity.com picked up the post "Visualization in the Security and New Media world"



More resources can also be found at :

CAIDA Visualization Tools
NAV - Network Analysis Visualization
Digital Genome Mapping - Advanced Binary Malware Analysis
A Visualization Methodology for Characterization of Network Scans
NVisionIP : An Interactive Network Flow Visualization Tool for Security
Exploring Three-dimensional Visualization of Intrusion Detection Alerts and Network Statistics
Attacking Information Visualization System Usability Overloading and Deceiving the Human
Security Event Visualization and Analysis - courtesy of CoreLabs
A Visualization Paradigm for Network Intrusion Detection
FireViz: A Personal Firewall Visualizing Tool - the FireViz project



Technorati tags:
Security, Information Security, Monitoring, Visualization, Network, New Media Continue reading →