A timeframe on the purchased/sold WMF vulnerability

February 15, 2006
The WMF vulnerability and how it got purchased/sold for $4000 was a major event during January, at least for me as for quite some time the industry was in the twilight zone by not going through a recently released report. But does this fact matters next to figuring out how to safeguard the security of your network/PC given the time it took the vendor to first, realize that it's real, than to actually patch it? Something else that made me an impression is that compared to the media articles and my post, was I the only one interested in who bought, instead of who sold it?

So here's a short timeframe on how it made it to to the mainstream media :
January 27 - Kaspersky are the first to mention the "purchase" in their research
January 30 I've started blowing the whistle and friends picked it up (even the guy that got so upset about it!)
January 31 Meanwhile, someone eventually breached AMD's forums and started infecting its visitors!
February 2 Microsoft Switzerland's Security blog featured it
February 2 LinuxSecurity.com republished it
February 2 DSLReports.com picked it up
February 2 Appeared at Slashdot
February 3 OSIS.gov(an unclassified network serving the intelligence community with open source intelligence) picked it up :)

What's the conclusion? Take your time and read the reports thoroughly, cheer Kaspersky's team for their research? For sure, but keep an eye on the Blogosphere as well!

Technorati tags :
Continue reading →

Detecting intruders and where to look for

February 15, 2006
CERT, just released their "Windows Intruder Detection Checklist" from the article :

"This document outlines suggested steps for determining whether your Windows system has been compromised. System administrators can use this information to look for several types of break-ins. We also encourage you to review all sections of this document and modify your systems to address potential weaknesses."

I find it a well summarized checklist, perhaps the first thing that I looked up when going through it was the rootkits section given the topic. It does provide links to free tools, but I feel they could have extended to topic a little bit. Overall, consider going through it. Another checklist I recently came across is the "11 things to do after a hack" and another quick summary on "10 threats you probably didn't make plans for".

Rootkits are gaining popularity, and with a reason -- it takes more efforts to infect new victims instead of keeping the current ones, at least from the way I see it. In one of my previous post "Personal Data Security Breaches - 2000/2005" I mentioned about a rootkit placed on a server at the University of Connecticut on October 26, 2003, but wasn't detected until July 20, 2005, enough for auditing, detecting attackers and forensics? Well, not exactly, still something else worth mentioning is the interaction between auditing, rootkits and forensics. There's also been another reported event of using rootkit technologies for DRM(Digital Right Management) purposes, not on CDs, but DVDs this time, so it's not enough that malware authors are utilizing the rootkit concept, but flawed approaches from companies where we purchase our CDs and DVDs from, are resulting in more threats to deal with!

Check CERT's "Windows Intruder Detection Checklist" and if interested, also go though the following resources on rootkits and digital forensics :

Windows rootkits of 2005, part one
Windows rootkits of 2005, part two
Windows rootkits of 2005, part three
Malware Profiling and Rootkit Detection on Windows
Timing Rootkits
Shadow Walker - Raising The Bar For Windows Rootkit Detection - slides
When Malware Meets Rootkits
Leave no trace - book excerpt
Database Rootkits
Rootkits and how to combat them
Rootkits Analysis and Detection
Concepts for the Stealth Windows Rootkit
Avoiding Windows Rootkit Detection
Checking Microsoft Windows Systems for Signs of Compromise
Implementing and Detecting Implementing and Detecting an ACPI BIOS Rootkit

Host-based Intrusion Detection Systems
Forensics Tools and Processes for Windows XP Clients
F.I.R.E - Forensic and Incident Response Environment Bootable CD
Forensic Acquisition Utilities
FCCU GNU/Linux Forensic Bootable CD 10.0
iPod Forensics :)
Forensics of a Windows system
First Responders Guide to Computer Forensics
Computer Forensics for Lawyers

Technorati tags:
, , , , , Continue reading →

Look who's gonna cash for evaluating the maliciousness of the Web?

February 14, 2006
Two days ago, SecurityFocus ran an article "Startup tries to spin a safer Web" introducing SiteAdvisor :

"A group of graduates from the Massachusetts Institute of Technology (MIT) aim to change that by crawling the Web with hundreds, and soon thousands, of virtual computers that detect which Web sites attempt to download software to a visitor's computer and whether giving out an e-mail address during registration can lead to an avalanche of spam.

The goal is to create a service that lets the average Internet user know what a Web site actually does with any information collected or what a download will do to a computer, Tom Pinckney, vice president of engineering and co-founder of the start-up SiteAdvisor, said during a presentation at the CodeCon conference here."

The concept is simply amazing, and while it's been around for ages, it stills needs more acceptance from decision makers that tend to stereotype on perimeter and antivirus defense only. Let's start from the basics, it is my opinion that users do more surfing than downloading, that is, the Web and its insecurities represent a greater threat than users receiving malware in their mailboxes or IMs. And not that they don't receive any, but I see a major shift towards URL droppers, and while defacement groups are more than willing to share these with phishers etc., a URL dropper is easily getting replaced by an IP one, so you end up having infected PCs infecting others through hosting and distributing the malware, so sneaky, isn't it? My point is that initiatives such as crawling the web for malicious sites, listing, categorizing and updating their status is a great, both security, and business sound opportunity. The way you know the bad neighbourhoods around your town, in that very same way you need a visualization to assist in research, or act as a security measure, and while its hard to map the Web and keep it up to date, I find the idea great!

So what is SiteAdvisor up to? Another build-to-flip startup? I doubt so as I can almost feel the smell of quality entrepreneurship from MIT's graduates, of course, given they assign a CEO with business background :) APIs, plugins, already tested the majority of popular sites according to them, and it's for free, at least to the average Internet user who's virtual "word of mouth" will help this project get the scale and popularity necessary to see it licensed and included within current security solutions. They simply cannot test the entire Web, and I feel the shouldn't even set it as an objective, instead map the most trafficked web sites or do so on-the-fly with the top 20 results from Google. I wonder how are downloads tested, are they run through VirusTotal for instance, and how significant could a "push" approach from the end users, thus submitting direct links to malicious files found within to domain for automatic analysis, sound in here?

I think the usefulness of their idea could only be achieved with the cooperation/acquisition of a leading search engine, my point is that some of the project's downsizes are the lack of on-the-fly ability(that would be like v2.0 and a major breakthrough in respect to performance), how it's lacking the resources to catch up with Google on the known web (25,270,000,000 according to them recently), how IP droppers instead of URL based ones totally ruin the idea in real-life situations(it takes more efforts to register and maintain a domain, compared to using a zombie host's capabilities to do the same, doesn't it?)

In one of my previous posts on why you should aim higher than antivirus signatures protection only I mentioned some of my ideas on "Is client side sandboxing an alternative as well, could and would a customer agree to act as a sandbox compared to the current(if any!) contribution of forwarding a suspicious sample? Would v2.0 constitute of a collective automated web petrol in a PC's "spare time"?

Crawling for malicious content and making sense of the approaches used in order to provide an effective solutions is very exciting topic. As a matter of fact in one of my previous posts "What search engines know, or may find about us?" I mentioned about the existence of a project to mine the Web for terrorist sites dating back to 2001. And I'm curious on its progress in respect to the current threat of Cyberterrorism, I feel both, crawling for malicious content and terrorist propaganda have a lot in common. Find the bad neighbourhoods, and have your spiders do whatever you instruct them to do, but I still feel quality and in-depth overview would inevitably be sacrificed for automation.

What do you think is its potential of web crawling for malicious content, and by malicious I also include harmful in respect to Cyberterrorism PSYOPS (I once came across a comic PSYOPS worth reading!) techniques that I come across on a daily basis? Feel free to test any site you want, or browse through their catalogue as well.

You can also find more info on the topic, and alternative crawling solutions, projects and Cyberterrorism activities online here :

A Crawler-based Study of Spyware on the Web
Covert Crawling: A Wolf Among Lambs
IP cloaking and competitive intelligence/disinformation
Automated Web Patrol with HoneyMonkeys Finding Web Sites That Exploit Browser Vulnerabilities
The Strider HoneyMonkey Project
STRIDER : A Black-box, State-based Approach to Change and Configuration Management and Support
Webroot's Phileas Malware Crawler
Methoden und Verfahren zur Optimierung der Analyse von Netzstrukturen am Beispiel des AGN-Malware Crawlers (in German)

Jihad Online : Islamic Terrorists and the Internet
Right-wing Extremism on the Internet
Terrorist web sites courtesy of the SITE Institute
The HATE Directory November 2005 update (very rich content!)
Recruitment by Extremist Groups on the Internet

Technorati tags:
, , , , ,
Continue reading →

Recent Malware developments

February 13, 2006
In some of my February's streams :) "The War against botnets and DDoS attacks" and "CME - 24 aka Nyxem, and who's infected?" I covered some of the recent events related to malware trends in the first months of 2006. This is perhaps the perfect time to say a big thanks to everyone who's been expressing ideas, remarks and thoughts on my malware research. While conducting the reseach itself I realized that I simply cannot include everything I want it, as I didn't wanted to release a book to have its content outdated in less than an year, but a "stick to the big picture" representation of the things to come. The best part is that while keeping daily track of the trends and trying to compile a summary to be released at the end of the year, many more concepts that I didn't include come to my mind, so I feel I'll have enough material for a quality summary and justification of my statements. So what are some of the recent developments to keep in mind?

A lot of buzz on the CME-24 front, and I feel quite a lot of time was spent on speculating on the infected population out of a web counter whose results weren't that very accurate as originally though. And as vendors closely cooperated to build awareness on the destructive payload, I think that's the first victory for 2006, no windows of opportunity The best is that CAIDA patiently waited until the buzz is over to actually come up with reliable statistics on Nyxem.

It's rather quiet on the AV radars' from the way I see it, and quickly going through F-Secure's, Kaspersky's (seem to be busy analyzing code, great real-time stats!), Symantec's I came across the similarities you can feel for yourself in "the wild" :) Symantec's ThreatCon is normal, what's interesting to note is VirusTotal's flood of detected WMF's, which is perhaps a consequence of the *known* second vulnerability.

James Ancheta's case was perhaps the first known and so nicely documented on botnet power on demand. Recently, a botnet, or the participation in such shut down a hospital's network, more over I think StormPay didn't comply with a DDoS extortion attempt during the weekend?

Joanna Rutkowska provided more insights on stealth malware in her research (slides, demo) about "about new generation of stealth malware, so called Stealth by Design (SbD) malware, which doesn't use any of the classic rootkit technology tricks, but still offers full stealth. The presentation also focuses on limitations of the current anti-rootkit technology and why it’s not useful in fighting SbD malware. Consequently, alternative method for compromise detection is advocated in this presentation, Explicit Compromise Detection (ECD), as well as the challenges which Independent Software Vendors encounter when trying to implement ECD for Windows systems – I call it Memory Reading Problem (MRP). "

How sound is the possibility of malware heading towards the BIOS anyway? An "Intelligent P2P worm's activity" that I just across to also deserves to be mentioned, the concept is great, still the authors have to figure out how to come up with legitimate file sizes for multimedia files if they really want to fake its existence, what do you think on this?

Some recent research and articles worth mentioning are, Kaspersky's Malware - Evolution : October - December 2005 outlines the possibilities for cryptoviral extortion attacks, 0days vulnerabilities, and how the WMF bug got purchased/sold for $4000. There's also been quite a lot of new trojans analyzed by third-party researchers, and among the many recent articles that made me an impression are "Malicious Malware: attacking the attackers, part 1" and part 2, from the article :

"This article explores measures to attack those malicious attackers who seek to harm our legitimate systems. The proactive use of exploits and bot networks that fight other bot networks, along with social engineering and attacker techniques are all discussed in an ethical manner."

Internet worms and IPv6 has nice points, still I wish there were only network based worms to bother about. Besides all I've missed important concepts in various commentaries, did you? Malware is still vulnerabilities/social engineering attacks split at least for the last several months, still the increased corporate and home IM usage will inevitable lead to many more security threats to worry about. Web platform worms such as MySpace and Google's AdSense Trojan, are slowly gaining grounds as a Web 2.0 concept, so virus or IDS signatures are to look for, try both!

During January, David Aitel reopened the subject of beneficial worms out of Vesselin Bontchev's research on "good worms". While I have my reservations on such a concept that would have to do with patching mostly the way I see it, could exploiting a vulnerability in a piece of malware by considered useful some day, or could a network mapping worm launched in the wild act as an early response system on mapped targets that could end up in a malware's "hitlist"? And I also think the alternative to such an approach going beyond the network level is Johnny Long's (recent chat with him) Google Dorks Hacking Database, you won't need to try to map the unlimited IPv6 address space looking for preys. Someone will either do the job for you, or with the time, transparancy in IPv6, one necessary for segmented and targeted attacks will be achieved as well.

Several days ago, Kaspersky released their summary for 2005, nothing ground breaking in here compared to previous research on how the WMF vulnerability was purchased/sold for $4000 :) but still, it's a very comprehensive and in-depth summary of 2005 in respect to the variables of a malware they keep track of. I recommend you to go through it. What made me an impression? 
- on average, 6368 malicious programs detected by month

- +272% Trojan-Downloaders 2005 vs 2004

- +212% Trojan-Dropper 2005 vs 2004

- +413% Rootkit 2005 vs 2004

- During 2005, on average 28 new rootkits a month

- IM worms 32 modifications per month

- IRC worms are on -31%

- P2P worms are on -43%, the best thing is that Kaspersky labs also shares my opinion on the reason for the decline, P2P busts and general prosecutions for file-sharing. What's also interesting is to mention is the recent ruling in a district court in Paris on the "legality of P2P" in France and the charge of 5 EUR per month for access to P2P, but for how long? :) P2P filesharing isn't illegal and if you cannot come up with a way to release your multimedia content online, don't bother doing at all. In previous chats I had with Eric Goldman, he also makes some very good points on the topic.

- +68% Exploit, that is software vulnerabilities and the use of exploits both known or 0day's with the idea to easily exploit targeted PC, though I'm expecting the actual percentage to be much higher

- Internet banking malware reached a record 402% growth rate by the end of 2005 The Trojan.Passwd is a very good example, it clearly indicates that it is written for financial gains. E-banking can indeed prove dangerous sometimes, and while I'm not being a paranoid in here, I'd would recommend you go through Candid's well written "Threats to Consider when doing E-banking" paper

- A modest growth from 22 programs per month in 2004 to 31 in 2005 on the Linux malware front

I feel today's malware scene is so vibrant that it's getting more and more complex to keep track of possible propagation vectors, ecosystem here and there, and mostly communicating what's going on to the general public(actually this one isn't). 
What's to come and what drives the current growth of malware?
- money!
- the commercialization of the market for software vulnerabilities, where we have the first underground purchase of the WMF exploit, so have software vulnerabilities always been the currency of trade in the security world or they've started getting the necessary attention recently?
- is stealth malware more than an issue compared to utilizing 0day vulnerabilities, and is retaining current zombie PCs a bigger priority than to infecting new ones?
- business competitors, enemies, unethical individuals are actively seeking for undetected pieces of malware coded especially for their needs, these definitely go beneath the sensors
- Ancheta's case is a clear indication of a working Ecosystem from my point of view, that goes as high as to provide after-sale services such as DDoS strength consultations and 0day malware on demand

To sum up, malware tends to look so sneaky when spreading and zoomed out :) I originally came across the VisualComplexity project in one of my previous posts on visualization. Feel I've missed something that's worth mentioning during the last two months? Than consider expanding the discussion!
You can also consider going through the following resources related to malware :
Continue reading →

Who needs nuclear weapons anymore?

February 09, 2006
Excluding Iran and the potential of its nuclear program (no country that bans music should have such a power!), perhaps I should rephrase - who can actually use them nowadays, are they just a statement of power, does flexibility and beneath the radar concepts matter? I feel they do.

I just came across a news article from January on a new EMP warhead test, and while there have been speculations/or movie plots that Electromagnetic Pulse Weapons could be used by terrorists, I find this a bit of exaggerated statement that actually seeks further investment in current development of the concept I guess. I feel that compared to symmetric warfare, asymmetric warfare as a concept has greatly evolved during the years, and in today's interconnected society, military powers could be easily balanced. What's else to mention is the "cooperation" between the parties on which I came across in a report on Nuclear Electromagnetic Pulse, as of June 9, 2005, namely :

 "If we really wanted to hurt you with no fear of retaliation, we would launch an SLBM,'' which if it was launched in a submarine at sea, we really would not know for certain where it came from. ``We would launch an SLBM, we would detonate a nuclear weapon high above your country, and we would shut down your power grid and your communications for 6 months or so.'' The third-ranking communist was there in the country. His name is Alexander Shurbanov, and he smiled and said, ``And if one weapon would not do it, we have some spares.'' I think the number of those spares now is something like 6,000 weapons." 

 "the Russians had developed weapons that produced 200 kilovolts per meter. Remember, the effects in Hawaii were judged to be the result of five kilovolts per meter. So this is a force about 200 times higher. The Russian generals said that they believed that to be several times higher than the hardening that we had provided for our military platforms that they could resist EMP."

 ``Chinese military writings described EMP as the key to victory and described scenarios where EMP is used against U.S. aircraft carriers in the conflict over Taiwan.'' So it is not like our potential enemies do not know that this exists. The Soviets had very wide experience with this, and there is a lot of information in the public domain relative to this. ``A survey of worldwide military and scientific literature sponsored by the commission,'' that is the commission that wrote this report, ``found widespread knowledge about EMP and its potential military utility including in Taiwan, Israel, Egypt, India, Pakistan, Iran, and North Korea."

Still there's hope for preserving the global state of security instead of fuelling its insecurity :
"In 2004, the EMP Commission met with very senior Russian officers, and we showed that on the sign. They warned that the knowledge and technology to develop what they called super EMP weapons had been transferred to North Korea and that North Korea could probably develop these weapons in the near future, within a few years. The Russian officers said that the threat that would be posed to global security by a North Korean armed with super EMP weapons was, in their view, and I am sure, Mr. Speaker, in your view and mine, unacceptable."  

Foreign views of Electromagnetic Pulse (EMP) Attack reveals further details on other nations' ambitions etc. Perhaps one of the most famous commitments towards EMP is the The Trestle Electromagnetic Pulse Simulator that can also be seen at Google Maps, still, in my opinion it's a defensive initiative for an offensive purpose :(

Extending the topic even further, The Space Warfare arms race has been an active policy of key world's leaders for decades, and that's not good. The U.S, Russia and China as the main players are fuelling the growth in one way or other due to believing in perhaps :

- that the other sides are actively developing such capabilities, and they are, because they think the opposite => arms race
- growing trend towards asymmetric warfare
- cost-effectiveness compared to building a multimillion nuclear submarine as a statement of power?
In my opinion space warfare would directly influence everyone down here on Earth, and scenarios such as :
- hijacking?
- destroying

could become normal. Space is already getting crowded, if I were to forget one of my favourite quotes "But I guess I'd say if it is just us... seems like an awful waste of space". On the other, and in respect to securing critical infrastructure on Earth :) I find recent initiatives such as the Cyber Storm exercise more PR, than relevance oriented, my point is that how come you expect to have the critical infrastructure secured, when a global overload in traffic would again deny service, a critical one. 

My point is that, the Internet as the most pervasive and cost effective tool is often utilized for sensitive both, commercial, government and military operations, attacking the Internet affects pretty much everyone. Excluding the overall shift towards network-centric warfare and you've got a problem given commercial and public IP networks are used to handle the enormous bandwidth needed for sensitive operations.

To sum up, go through the following War Quotes, and perhaps consider how major problems on Earth stop major innovations in Space. I feel War is not a solution, but an excuse that should never be said! I know this post tried to combine several different issues, but I think given IP is at the bottom line, my readers wouldn't mind :) What's your attitude on Space Warfare arms race? Is it real, and how do you picture the future developments in here?

More resources on Electromagnetic Pulse Weapons, Space Warfare and Network-Centric Warfare are also available at :
Continue reading →

The War against botnets and DDoS attacks

February 09, 2006
In one of my previous posts talking about botnet herders I pointed out how experiments tend to dominate, and while botnets protection is still a buzz word, major security vendors are actively working on product line extensions. DDoS attacks are the result of successful botnet, and so are the root of the problem besides the distributed concept. Techworld is reporting that McAfee is launching a "bot-killing system", from the article :

"Unlike conventional DDoS detection systems based on the statistical analysis of traffic, the first layer of the new Advanced Botnet Protection (ABP) intrusion prevention system (IPS) uses a proxy to pass or block packet traffic dependent on whether or not it is “complete”. "

The best thing is that it's free, the bad thing is that it may give their customers a "false sense of security", that is, while the company is actively working on retaining its current customers, I feel "SYN cookies" and their concept has been around for years. Moreover, using a service provided by a company whose core competencies have nothing to do with DDoS defense can be tricky. Companies worth mentioning are Arbor Networks, and Cisco's solutions, besides the many other alternative and flexible ways of dealing with DDoS attacks.

In my research research on the Future trends of Malware, I pointed out some of the trends related to botnets and DDoS attacks, namely, DDoS extortion, DDoS on demand/hire, and with the first legally prosecuted case of offering botnet access on demand, it's a clear indication that of where things are going. Defense against frontal attacks isn't cost-effective given that at the bottom line the costs to maintain the site outpace the revenues generated for the time, hard dollars disappear, soft ones as reputation remain the same.

My advice is to take into consideration the possibility to outsource your problem, and stay away from product line extensions, and I think it's that very simple. A differentiated service on fighting infected nodes is being offered by Sophos, namely the Zombie Alert, which makes me wonder why the majority of AV vendors besides them haven't come up with an alternative given the data their sensor networks are able to collect? Moreover, should such as service be free, would it end up as a licensed extensions to be included within the majority of security solutions, and can a motivated system administrators successfully detect, block, and isolate zombie traffic going out of the network(I think yes!)? 

As far as botnets are concerned, there were even speculations on using "Skype to control botnets", now who would want to do that, and under what reason given the current approaches for controlling botnets, isn't the use of cryptography or security through obscurity("talkative bots", stripping IRCds) the logical "evolution" in here?

Something else worth mentioning is the trend of how DoS attacks got totally replaced by DDoS ones, my point is that the first can be a much more sneaky one and easily go beneath the radar, compared to a large scale DDoS attack. A single packet can be worth more than an entire botnets population, isn't it?

How do you think DDoS attacks should be prevented, active defense such as the solutions mentioned, or proactive solutions? What do you think?

You can also go though other resources dealing with DDoS attacks and possible solutions to the problem :
Technorati tags :
, , , , , , , Continue reading →

A top level espionage case in Greece

February 08, 2006
Starting shortly after the Olympic games in 2004 and up to March 2005, the mobile phones of : Prime Minister Costas Caramanlis, minister of foreign affairs, defense, public order and justice, top military officials, a number of journalists, and human rights activists (hmm?) have been tapped by an unknown party though the installation of "spy software" (that's too open topic) , mind you, Vodafone's central system, and were diverted to a pay-as-you-go mobile phone.

At the bottom line, who's behind it? Interested parties within the Greek government, or external ones? To me this is the job of a dead insider's job or someone who had the incentive to Vodafone's security, which I doubt. Though, it is disturbing how easily these mobile numbers could be obtained as the majority of media representitives already have them! My point is that you should count them as the weakest link, besides accessing a mobile provider's database and other sources. UPDATE : Vodafone's statement UPDATE 2 : Cryptome featured more info on the The Greek illegal wiretapping scandal: some translations and resources.

Another recent spy case was the rock transmitter found in a Moscow park and while the Russian president Putin is cheering the discovery and keeping it diplomatic, the FSB (a successor to the KGB) is taking a note on this one. You can actually go through a collection of videos and references on the case.

I guess it's the silence that's most disturbing in the "Silent War".
Technorati tags :
Continue reading →

Security Awareness Posters

February 07, 2006
Security is all about awareness at the bottom line. The better you understand it, the higher your chance of "survival", and hopefully progress!
 
Enjoy the following collections of witty and amusing security awareness posters :
1, 2, 3 (you may also be interested in going through my talk on security policies and awareness with K Rudolph from Native Intelligence as well), 4, 5, 6, 7, 8.
Technorati tags:
, , , Continue reading →

Hacktivism tensions

February 07, 2006
It was about time the freedom of the press and the democratic nature of joking with politicians takes its hit. But why with spiritual leaders? The contradictive Muhammad cartoons sparkled a lot of anger, and with the recent tentions in France all we needed was a hacktivism activity from angry muslims. Remember how the China vs U.S cyberwar was sparkled due to the death of a Chinese pilot crashing into an AWACS that was sort of "keeping it quiet"?

Zone-H is reporting on massive defacements of Danish sites, and if you take the time to go through the reported reasons you'll find out that :

"political reasons"
"just for fun"
"I just want to be the best defacer"
"revenge against that web site"
"patriotism"

tend to dominate. As far as defacements as concerned, in one of my previous posts "FBI's 2005 Computer Crime Survey - what's to consider?" you can see that according to the report, organizations lost approximately $10,395M due to web site defacements. Moreover, in some of my previous research on Cyberterrorism I've indicated the use of script kiddies for PSYOPS and how such defacements have a favorable psychologic effect on future initiatives.

And while they have the motivation to deface, I wonder would someone strike back and under what justification?

Technorati tags:
, , , , , , , , Continue reading →

The current state of IP spoofing

February 06, 2006
A week ago, I came across a great and distributed initiative to map the distribution of spoofable clients and networks - the ANA Spoofer Project, whose modest sample of 1100 clients, 500 networks and 450 ASes can still be used to make informed judgements on the overall state of IP Spoofing. I once posted some thoughts on "How to secure the Internet" where I was basically trying to emphasize on the fact that securing critical infrastructure by evaluating how hardened to attacks it really is, can be greatly improved as a concept. What if that infrastructure is secured, but the majority of Internet communications remain in plain-text, and are easily spoofable, which I find as one of the biggest current weaknesses. If you can spoof there's no accountability, and you can even get DDoSed by gary7.nsa.gov, isn't it? (in the original Star Trek series, Gary Seven was the covert operative who returned from the future to fix sabotage to the United States' first manned rocket to the moon moments before lift off).

On the other hand, according to Gartner IPSec will be dead by 2008, but I feel this is where its peak and maturity would actually be reached. IPv4 will evolve to IPv6, therefore IPSec will hopefully be an inseparable of the Internet.

So what's the bottom line so far?

- 366 million spoofable IP addresses out of 1.78 billion
- 43,430 spoofable netblocks
- 4700 spoofable ASes out of 18450
- NAT's and XP SP2's make their impact

The higher the population the scarier the numbers for sure! I have always believed in distributed computing and the power of the collective intelligence of thousands of people out there. Be it integrating powerful features whose results are freely available to the public through OEM agreements or whatsoever, I feel in the future more vendors will start taking advantage of their customers' base for

How you can contribute? Pick up your client, start spoofing, but make sure your actions don't raise someone's eyebrows, even though you simply wanted to contribute, that's just a couple of packets to a university's server that's looking forward to receiving them this time :)

Dshield.org - the Distributed Intrusion Detection System is a very handy and useful OSINT tool that is obviously being used by the NSA as well (check out the Internet Storm Center's post on this, and the photo itself) UPDATE : Cryptome also featured fancy pictures from the NSA's Threat Operations Wizardy.

What is your opinion on the current state of IP Spoofing on the web and the fact how handy this insecurity comes to DDoS attacks? What should be done from your point of view to tackle the problem on a large scale?

You can also consider going through many other distributed concepts :

The original DES Cracker Project
DJohn - Distributed John
Bob the Butcher distributed password cracker
Seti at Home
ForNet : A Distributed Forensics Network
Pandora - Distributed Multirole Monitoring System
FLoP - distributed Snort sensor
DNSA - DNS auditing tool
Despoof - anti packet spoofing

As well as read more info on IP Spoofing, Distributed concepts and related tools :

IP Spoofing - An Introduction
Distributed Tracing of Intruders
Distributed Phishing Attacks
MAC Distributed Security
IPv6 Distributed Security(draft)
Distributed Firewalls
Web Spoofing
The threats of distributed cracking

Technorati tags:
Continue reading →

What search engines know, or may find out about us?

February 03, 2006
Today, CNET's staff did an outstanding job of finding out what major search companies retain about their users. AOL, Google, Microsoft and Yahoo! respond on very well researched questions!

Whatever you do, just don't sacrifice innovation and trust in the current services for misjudged requests at the first place from my point of view.

At the bottom line, differentiate your Private Searches Versus Personally Identifiable Searches, consider visiting Root.net, and control your Clickstream. You can also go through Eric Goldman's comments on the issue and his open letter regarding Search Engines and China.

As a matter of fact, I have just came across a very disturbing fact that I compare with initiatives to mine blogs for marketing research, EPIC has the details on its front page. It was about time a private entity comes up with the idea given the potential and usability of the idea. Could such a concept spot, or actually seek for cyber dissidents in restrictive regimes with the idea to actually reach them, besides mining for extremists' data? I really hope so!
Technorati tags:  
Continue reading →

CME - 24 aka Nyxem, and who's infected?

February 02, 2006
Today, the F-Secure's team released a neat world map with the Nyxem.E infections. As you can see the U.S and Europe have been most successfully targeted, but I wonder would it be the same given the author started localizing the subject/body messages found within the worm to other languages? Who seeks to cause damage instead of controlling information and network assets these days? A pissed off commodities trader? :) or on request, as the original version of the worm "can perform a Denial of Service (DoS) attack on the New York Mercantile Exchange website (www.nymex.com)", still that's 2 years ago.

Tomorrow is the day when the worm should originally start deleting all all *.doc, *.xls, *.mdb, *.mde, *.ppt, *.pps, *.zip, *.rar, *.pdf, *.psd and *.dmp on an infected PC's, supposedly network drives as well, what I also expect is more devastation on the 3rd of March given the same happens every month. And while I doubt there's still someone out there unaware of this, perhaps, released under "revenge mode" malware, check out Internet Storm Center's summary, and know know your enemy, hopefully not until next month again! UPDATE : You can actually go through another post in order to update yourself with some recent malware developments.

Technorati tags : ,
Continue reading →

Suri Pluma - a satellite image processing tool and visualizer

February 02, 2006
I just came across a great satellite image processing software and decided to share it with my blog readers. Perhaps that's a good moment to spread the word about my RSS compatible feed, so consider syndicating it. To sum up :

"Suri Pluma is a satellite image processing tool and visualizer. It can open the most common image formats without importing to an internal format and minimizing the memory required for visualization. It is designed to be modular and extensible. It has a meassurement tool (distance and areas with error estimation) and geographical and map coordinate information."

Check out the screenshots and consider downloading it in case you're interested. Meanwhile, you can also go through a previous post that's again related to visualization.

Technorati tags : 
Continue reading →

January's Security Streams

January 31, 2006
It's been quite a busy month, still I've managed to keep my blog up to date with over 30 posts during January, here they are with short summaries. Thanks for the comments folks!

I often get the question, how many people is my blog attracting, the answer is quantity doesn't matter, but the quality of the visits, still, for January there were 7,562 unique visits and over 13,000 pageloads. I'm already counting over 400 .mil sub domains, have the majority of security/AV vendors(hi!) reading it, and the best is how long they spend on average, and how often they come back. To sum up, 60% of all visits come from direct bookmark of my blog, 30% through referers, and 10% from search engines. It is also worth mentioning my last referring link, notice the domain and what they are interested in.

1. What's the potential of the IM security market? Symantec thinks big" gives a brief overview of the wise acquisition Symantec did and a little something the IM security market.

2. "Keep your friends close, your intelligence buddies closer!" mentioning the release of a book excerpt and provides further resources on various NSA and intelligence related topics

3. "Security quotes : a FSB (successor to the KGB) analyst on Google Earth" is Google Earth or satellite imagery a national security threat? At least the Russian FSB thinks so!

4. "How to secure the Internet" discusses the U.S National Strategy to Secure Cyberspace and some thoughts on the topic

5. "Malware - Future Trends" the original announcement for the release of my research

6. "Watch out your Wallets!" gives more info on ID theft and talks about a case that left a 22 years old student in debt of $412,000

7. "Would we ever witness the end of plain text communications?" a released report on the growth of VPNs prompted me to open up the topic, recently, Yahoo! communicate over SSL by default which is a great progress from my point of view

8. "Why we cannot measure the real cost of cybercrime?" an in-depth summary of my thoughts on why we cannot measure the real cost of cybercrime, and why I doubt the costs outpace those due to drug smuggling

9. "The never-ending "cookie debate" tries to emphasize on how the Cookie Monster should worry about cookies only, and what else to keep in mind concerning further techniques that somehow invade your privacy

10. "The hidden internet economy" here I argue on what would the total E-commerce revenues be given those afraid to purchase over the Internet actually start doing it.

11. "Security threats to consider when doing E-Banking" provides a link to practical research conducted by a dude I happen to know :)

12. "Insecure Irony" is indeed an ironical event, namely how a private enterprise, one used to gather intelligence actually lost sensitive info belonging to the Intelligence Community

13. "Future Trends of Malware" the post mentioning my Slashdotted research and the rest of the people and respected sites that recognized it

14. "To report, or not to report?" how can you measure costs when the majority of companies aren't even reporting the breaches, cannot define a breach, or think certain breaches don't require law enforcement intervention?

15. "Anonymity or Privacy on the Internet?" argues on what exactly different individuals are trying to achieve, is it Anonymity, is it Privacy and provides further resources on the topic

16. "What are botnet herds up to?" gives a brief overview of recent botnet herds' activities the ways used to increase the revenues through affiliate networks, or domaining. It also provides good resources on the topic of Bots and Botnets

17. "China - the biggest black spot on the Internet’s map" a very recent and resourceful overview of Internet Censorship in China, that also provides further resources on the topic

18. "FBI's 2005 Computer Crime Survey - what's to consider?" one day after the release of the FBI's survey I summarized the key points to keep in mind

19. "Why relying on virus signatures simply doesn't work anymore?" a very practical post that argues and tries to build more awareness on how the number of signatures detected by a vendor doesn't actually matter, still there are other solutions that will get more attention with the time. I received a lot of feedback on this, both vendors and from folks I met through my blog, thanks for the ideas!!

20. "2006 = 1984?" gives more details on private sector companies innovating in the wrong field, and further resources on censorship and surveillance practices

21. "Cyberterrorism - recent developments" an extended overview of Cyberterrorism, and a lot of facts worth mentioning obtained through a recently released report on the topic

22. "Still worry about your search history and BigBrother?" Some humor, be it even a black one is always useful

23. "Homebrew Hacking, bring your Nintendo DS!" Homebrew hacking is slowly emerging and I see a lot of potential in the "do it yourself culture"

24. "Visualization, Intelligence and the Starlight project" a post worth checkin' out, it provides an overview of various visualization technologies and talks about the Starlight project

25. "The Feds, Google, MSN's reaction, and how you got "bigbrothered"?" I'm not coining new terms here, "bigbrothered" is slowly starting to be used be pretty much everyone, yet I try to give practical tips on why the whole idea was wrong from the very beginning, and how other distribution vectors should also be considered

26. "Personal Data Security Breaches - 2000/2005" I came across a great report summarizing the issue, and tried to highlight the cases worth mentioning, some are funny, others are unacceptable

27. "Skype to control botnets?!" good someone is brainstoring, but that's rather unpractical compared to common sense approaches botnet herders currently use

28. "Security Interviews 2004/2005 - Part 1" Grab a beer and start going through this great contribution, soon to appear at Astalavista itself!

29. "Security Interviews 2004/2005 - Part 2" Part 2

30. "Security Interviews 2004/2005 - Part 3" and Part 3

31. "Twisted Reality" Everything is not always as it seems, and it's Google I have in mind :(

32. "How we all get 0wn3d by Nature at the bottom line?" :)

33. "Was the WMF vulnerability purchased/sold for $4000?!" among the few vendors I actually trust released a nice summary no one seems to be taking into consideration, still I find it truly realistic given the potential of the 0day market for software vulnerabilities

Till next month, and thanks to all readers for taking their time to go through my research and contributions!

Technorati tags :
,
Continue reading →
Subscribe to: Comments (Atom)