Old physical security threats still working

March 16, 2006
In "The Complete Windows Trojans Paper" that I released back in 2003 (you can also update yourself with some recent malware trends!) I briefly mentioned on the following possibility as far as physical security and malware was concerned :



"Another way of infecting while having physical access is the Auto-Starting CD function. You've probably noticed that when you place a CD in your CDROM, it automatically starts with some setup interface; here's an example of the Autorun.inf file that is placed on such CD's:
[autorun]open=setup.exeicon=setup.exe So you can imagine that while running the real setup program a trojan could be run VERY easily, and as most of you probably don't know about this CD function they will get infected and won't understand what happened and how it's been done. Yeah, I know it's convenient to have the setup.exe autostart but security is what really matters here, that's why you should turn off the Auto-Start functionality by doing the following: Start Button -> Settings -> Control Panel ->System -> Device Manager -> CDROM -> Properties -> Settings"



and another interesting point :


"I know of another story regarding this problem. It's about a Gaming Magazine that used to include a CD with free demo versions of the latest games in each new edition. The editors made a contest to find new talents and give the people programming games the chance to popularise their productions by sending them to the Editors. An attacker infected his game with a new and private trojan and sent it to the Magazine. In the next edition the "game" appeared on the CD and you can imagine the chaos that set in."


Things have greatly changed for the last three years, while it may seem that global malware outbreaks are the dominant trend, slow worms, 0day malware and any other "beneath the AVs radar" concepts seem to be the next pattern.



It's "great" to find out that age-old CD trick seems to be fully working, whereas I can't reckon someone was saying "Hello World" to WMF's back then! TechWorld wrote a great article two days ago titled "Workers duped by simple CD ruse", an excerpt :



"To office workers trudging to their cubicles, the promotion looked like a chance at sweet relief from the five-day-a-week grind. By simply running a free CD on their computers, they would have a chance to win a vacation. But the beguiling morning giveaway in London's financial district last month was more nefarious than it appeared. When a user ran the disc, the code on it prompted a browser window that opened a Web site, Chapman said. The site then tried to load an image from another Web site, Chapman said."



While we can argue how vulnerable to security theats and end user is these days, compared to physical security ones, there are lots of cases pointing out the targeted nature of attacks, and the simple diversification of attack methods from what is commontly accepted as current trend. My point is that if you believe the majority of threats are online based ones, someone will exploit this attitude of yours and target you physically.


And while I feel the overall state of physical security in respect to end users and their workstations has greatly improved with initiatives such as ensuring the host's integrity and IPSs, what you should consider taking care of is - who is capable of peeping behind your back and what effect may it have on any of your projects? 3M's Privacy Filters are a necessity these days, and an alternative to the obvious C.H.I.M.P. (monitor mirror). Be aware!



UPDATE - this post recently appeared at LinuxSecurity.com - Old physical security threats still working



More resources on physical security can also be found at :

19 Ways to Build Physical Security into a Data Center
Securing Physical Access and Environmental Services for Datacenters
CISSP Physical Security Exam Notes
Physical Security 101
SANS Reading Room's Physical Security section



Technorati tags :
, , Continue reading →

Security vs Privacy or what's left from it

March 15, 2006
My latest privacy related posts had to do with "The Future of Privacy = don't over-empower the watchers!" and "Data mining, terrorism and security" in respect to the the still active TIA and the hopes for the effectiveness out of data mining. While these are important topics I feel every decent citizen living in the 21st century should be aware of -- many still "think conspiracies" than real-life scenarios. At the bottom line, privacy violations for the sake of your security and civil liberties are a common event these days!



Today, I came across an article "Google must capitulate to DoJ, says judge" in relation to the DoJ's subpoena trying to get access to random sites and searches in order to justify its statement that anti-porn filters do not protect young children online.


The NYtimes is also a running a story on this. What I truly liked is US District Judge James Ware's comment that he was reluctant to give the Justice Department everything it wanted because of the "perception by the public that this is subject to government scrutiny" when they type search terms into Google.com, that's right, but you would be also right to conclude that such requests would turn into a habit given Google's data aggregation power. It's s a complex process to run the world's most popular search engine when everyone wants to take a bite from you, at least they have hell of motto to sort of guide them in future situations like this, but is it?



This time it's a misjudged online porn request that gets approved, next time, it would be Google against the terrorists, again, for the sake of your Security, one backed up by a little bit of glue as on the majority of occasions!



Technorati tags :
, , Continue reading →

DVD of the Weekend - The Immortals

March 10, 2006
The Lawnmower Man : Beyond Cyberspace was among the several other classic techno thrillers I was watching and mostly remembering pleasant times from the past. I actually got in touch with SFAM from the CyberpunkReview.com, and intend to contribute with another point of view to his initiative I highly recommend you to keep an eye on.



This weekend, I want to recommend you one of the best European film productions ever, namely Enki Bilal's adaptation of his Nikopol Trilogy - The Immortals.



Here's an excerpt from a review, and another one :
"New York City, year 2095. A floating pyramid has emerged in the skies above, inhabited by ancient Egyptian Gods. They have cast judgment down upon Horus, one of their own. Now he must find a human host body to inhabit, and search for a mate to continue his own life. Below, a beautiful young woman with blue hair, blue tears and a power even unknown to her, wanders the city in search of her identity. Reality in this world has a whole new meaning as bodies, voices and memories converge with Gods, mutants, extra-terrestrials and mortals."



The Matrix did shock, and set a new benchmark by combining Hollywood's passion for entertainment, and Japan's culture, still, European productions such as the 5th Element, and The Immortals, are on my hall of fame for effects and the stories themselves. Enjoy it!



Technorati tags :
, , , , , , , Continue reading →

Where's my 0day, please?

March 07, 2006
A site I was recently monitoring disappeared these days, so I feel it's about time I blog on this case. I have been talking about the emerging market for software vulnerabilities for quite some time, and it's quite a success to come across that the concept has been happening right there in front of us. Check out the screenshots. The International Exploits Shop I came across to looks like this :



It appears to be down now, while it has simply changed its location to somewhere else. Google no longer has it cached, and the the only info on this wisely registered .in domain, can be found at Koffix Blocker's site.



A lot of people underestimate the power of the over-the-counter(OTC), market for 0day security vulnerabilities. Given that there isn't any vulnerabilities auction in place that would provide a researcher with multiple proposals, and the buyers with a much greater choice or even social networking with the idea to possibly attract skilled HR, the seller is making personal propositions with the idea to get higher exposure from the site's visitors. Whoever is buying the exploit and whatever happens with it doesn't seem to bother the seller in this case.



As there's been already emerging competition between different infomediaries that purchase vulnerabilities information and pay the researchers, researchers themselves are getting more and more interested in hearing from "multiple parties". Turning vulnerability research, and its actual findings into an IP, and offering financial incentives is tricky, and no pioneers are needed in here!



There's been a lot of active discussion among friends, and over the Net. I recently came across a great and very recent research entitled "Vulnerability markets - what is the economic value of a zero-day exploit?", by Rainer Boehme, that's worth the read. Basically, it tries to list all the market models and possible participants, such as :



Bug challenges
- Bug challenges are the simplest and oldest form of vulnerability markets, where the producer offers a monetary reward for reported bugs. There are some real-world examples for bug challenges. Most widely known is Donald E. Knuth’s reward of initially 1.28 USD for each bug in his TEX typesetting system, which grows exponentially with the number of years the program is in use. Other examples include the RSA factoring challenge, or the shady SDMI challenge on digital audio watermarking



Bug auctions
-Bug auctions are theoretical framework for essentially the same concept as bug
challenges. Andy Ozment [9] first formulated bug challenges in the terms of auction theory,
in particular as a reverse Dutch auction, or an open first-price ascending auction. This allowed him to draw on a huge body of literature and thus add a number of eciency enhancements to the original concept. However, the existence of this market type still depends on the initiative of the vendor


Vulnerability brokers
-Vulnerability brokers are often referred to as “vulnerability sharing circles”. These clubs are
built around independent organizations (mostly private companies) who oer money for new vulnerability reports, which they circulate within a closed group of subscribers to their security alert service. In the standard model, only good guys are allowed to join the club


-Cyber Insurance
Cyber-insurance is among the oldest proposals for market mechanisms to overcome the security market failure. The logic that cures the market failure goes as follows: end users demand insurance against financial losses from information security breaches and insurance companies sell this kind of coverage after a security audit. The premium is assumed to be adjusted by the individual risk, which depends on the IT systems in use and the security mechanisms in place.



Let's try define the market's participants, their expectations and value added through their actions, if any, of course.



Buyers
-malicious (E-criminals, malware authors, competitors, political organization/fraction etc.)
-third party, end users, private detectives, military, intelligence personnel
-vendors (either through informediary, or directly themselves, which hasn't actually happened so far)



Sellers
-reputable
-newly born
-questionable
-does it matter at the bottom line?



Intermediaries
-iDefense
-ZeroDayInitiative-Digital Armaments



Society
-Internet
-CERT model - totally out of the game these days?



As iDefense simply had to restore their position in this emerging market developed mainly by them, an offer for $10,000 was made for a critical vulnerability as defined by Microsoft. I mean, I'm sort of missing the point in here. Obviously, they are aware of the level of quality research that could be sold to them.


Still I wonder what exactly are they competing with :



- trying to attract the most talented researchers, instead of having them turn to the dark side? I doubt they are that much socially oriented, but still it's an option?



- ensuring the proactive security of its customers through first notifying them, and them and then the general public? That doesn't necessarily secures the Internet, and sort of provides the clientele with a false feeling of security, "what if" a (malicious) vulnerability researcher doesn't cooperate with iDefense, and instead sells an 0day to a competitor? Would the vendor's IPS protect against a threat like that too?



- fighting against the permanent opportunity of another 0day, gaining only a temporary momentum advantage?



- improving the company's clients list through constant collaboration with leading vendors while communication a vulnerability in their software products?



A lot of research publications reasonably argue that the credit for the highest social-welware return goes to a CERT type of a model. And while this is truly, accountability and providing a researcher with the highest, both tangible, and intangible reward for them is what also can make an impact. As a matter of fact, is blackmailing a nasty option that could easily become reality in here, or I'm just being paranoid?



To conclude, this very same shop is definitely among the many other active out there for sure, so, sooner or later we would either witness the introduction of a reputable Auction based vulnerabilities market model, or continue living with windows of opportunities, clumsy vendors, and 0day mom-and-dad shops :) But mind you, turning vuln research into IP and paying for it would provide enough motiviation for an underground 0bay as well, wouldn't it?



14.03.2006

OSVDB's Blog - Where's my 0day, please?
OSVDB's Blog - Vulnerability Markets



11.03.2006

LinuxSecurity.com - Where's my 0day, please?
FIRST - Where's my 0day, please?



10.03.2006 - Sites that picked up the story :

Net-Security.org - Where's my 0day, please?
MalwareHelp.org- The International Exploits Shop: Where's my 0day, please?
Security.nl - Internationale Exploit Shop levert 0days op bestelling
WhiteDust.net - Where's my 0day, please?
Reseaux-Telecoms.net - Danchev sur l'Achat de failles
Informit Network - 0-Days for Sale



09.03.2006 - Two nice articles related to the issue appeared yesterday as well, "Black market thrives on vulnerability trading", from the article :



"Security giant Symantec claims that anonymous collusion between hackers and criminals is creating a thriving black market for vulnerability trading. As criminals have woken up to the massive reach afforded to their activities thanks to the Internet, hackers too are now able to avoid risking prison sentences by simply selling on their findings. Graeme Pinkney, a manager at Symantec for trend analysis, told us: 'People have suddenly realised that there's now a profit margin and a revenue stream in vulnerabilities... There's an element of anonymous co-operation between the hacker and criminal.'"



and "The value of vulnerabilities", a quote :



“ There are no guarantees, and therefore I think it would be pretty naive to believe that the person reporting the issue is the only one aware of its existence. That in itself is pretty frightening if you think about it. "



Technorati tags:
, , , , , , , Continue reading →

The Future of Privacy = don't over-empower the watchers!

March 07, 2006
I blog a lot about privacy, anonymity and censorship, mainly because I feel not just concerned, but obliged to build awareness on the big picture the way I see it. Moreover, I find these interrelated and excluding any of these would result in missing the big picture, at least from my point of view. Some posts I did, worth mentioning are : "Anonymity or Privacy on the Internet?", "China - the biggest black spot on the Internet’s map", "2006 = 1984?", "Still worry about your search history and BigBrother?", "The Feds, Google, MSN's reaction, and how you got "bigbrothered?", "Twisted Reality", "Chinese Internet Censorship efforts and the outbreak", and the most recent one, "Data mining, terrorism and security".



Yesterday, I read a very nice essay by Bruce Schneier "The Future of Privacy" and while I feel it has been written for the general public to understand, you can still update yourself on some of the current trends he's highlighting, mostly the digital storage of our life activities, and how possible it really is.


Some comments that made me an impression though :

"The typical person uses 500 cell phone minutes a month; that translates to 5 gigabytes a year to save it all. My iPod can store 12 times that data. A "life recorder" you can wear on your lapel that constantly records is still a few generations off: 200 gigabytes/year for audio and 700 gigabytes/year for video." - scary stuff, but so true!



"Today, personal information about you is not yours; it's owned by the collector." - if you were to question the practices of each and every "collector" you wouldn't be able to properly function in the 21st century.



"The city of Baltimore uses aerial photography to surveil every house, looking for building permit violations." - typical Columbian style, still applicable in here.

"In some ways, this tidal wave of data is the pollution problem of the information age. All information processes produce it. If we ignore the problem, it will stay around forever. And the only way to successfully deal with it isto pass laws regulating its generation, use and eventual disposal."



I agree on regulation, given someone follows and it's actually implemented, still, I feel it's all about balancing the powers of the public and the rulling parties. The more a government is empowered to invade privacy in one way or another, the higher the risk of them abusing their power, or even worse, having their communications infrastructure wiretap-ready for third parties.



UPDATE - this post recently appeared at LinuxSecurity.com - The Future of Privacy = don't over-empower the watchers!



Technorati tags :
, , Continue reading →

5 things Microsoft can do to secure the Internet, and why it wouldn't?

March 06, 2006
In my previous post on Internet security, I was just scratching the surface of "How to secure the Internet", and emphasized that plain text communications, insecure by design, and our inability to measure the costs of cybercrime, are among the things to keep in mind.



Now, If I were asked about monocultures, "ship it now, patch it later" attitudes or slow reactive approaches, I would quickly ask is it Microsoft you're talking about? It's a common weakness to blame the most popular or richest companies before rethinking the situation, or even worse, waiting for someone else to secure you, instead of you trying to figure out how to achieve the balance. Is Linux, or, OS X more secure than Microsoft's Windows, or they are just not popular enough to achieve the scale of vulnerabilities, even interest in exploiting their weaknesses?



Important questions arise as always :

- Are Microsoft's products insecure by default, or what is insecure in this case?
- Should Microsoft's number of known vulnerabilities act as a benchmark for commitment towards security, quality of the software, or should this be totally excluded given the tempting target Microsoft's products really are?
- Should a vendor be held liable for not releasing a patch in a timely fashion, and what are the acceptable timeframes, given how quickly malware authors take advantage, and "worm the vulnerability"?



These and many other points led me to the idea of brainstorming on what Microsoft could do to secure the Internet as a whole, and contribute to the social welfare of the society(a $100 laptop powered by a hand crank, is so much better than a smartphone, given it's education, and not entertainment you're looking for! ). This is not an anti-microsoft oriented post, they've got enough anti-trust legislations and Vista issues to deal with, yet, it's a summary of my thoughts while going through Slashdot's chat with Mike Nash VP of security, and some Microsoft's comments on today's state of the market for software vulnerabilities.



1. Think twice before reinventing the security industry



What is the first thing that comes across your mind when you picture Microsoft as a security vendor? A worst case scenario for the Internet as a whole? Just kidding, but still, with such a powerful brand, BETA products, and their legal monopoly from my point of view, is quite a good foundation besides constant acquisitions. Microsoft is a software company, software innovation is among their core competencies. Yet, today’s fast growing information security market opens up many more profitable opportunities. Though, I’d rather they stick to their current OEM licensing agreements by the time they actually come up with something truly unique. Acquiring companies indeed improves competitiveness, but is it just me seeing the irony of entering the security industry without first dealing with the idea internally? The introduction of a OS build-in firewall, and bi-directional and fully working with IPSec for Vista would immediately provide Microsoft with a great opportunity to start serving certain market segments, while it would leave them in experimental mode while MS is gaining the experience.



Why it wouldn’t?

Because the information security market is growing so steadily, that if Microsoft doesn’t take a piece of the pie, it would be a totally flawed business logic. And they want to do it as independently, thus more profitably, as possible. The recent FBI’s 2005 Computer Crime Survey indicated that the majority of security dollars are spent on antivirus, antispyware, and perimeter based security solutions, no one would miss that opportunity. While you can acquire competitive advantage, and actually buy yourself an anti virus vendor, you cannot do the same with core competencies, moreover, I once said "less branding, but higher preferences", and you might end up making the right decision for the time being. Moreover, to operate in today’s anti virus market you need a brand name and if you don’t have it, there’s a great chance you wouldn’t be able to gain any market share, of course if you you don’t somehow capitalize on a niche, and introduce innovative competitive features. The rest is all about OEM agreements and licensing technologies or the opportunity to provide a service, still, it's Microsoft's brand and market development practices to worry about. Passport, Trustworthy Computing, InfoCard it's all under Microsoft's Brand umbrella.



2. Become accountable, first, in front of itself, than, in front of the its stakeholders

What is accountability in this case anyway? Releasing a patch given a vulnerability is known within a predefined timeframe? Set, report and improve its own benchmark on a fast response towards a security threat? Overall commitment as a whole? You cannot simply say “hold on” when the entire world is waiting for you to release a patch, any excuse in such a situation should be considered as lack of responsibility. And given that no vendor has been held liable for not releasing a patch in a timely manner, why would they bother to be the benchmark? I think the problem isn’t the lack of resources, but understanding the importance of it. Microsoft is so huge and powerful that’s its clumsiness is in direct proportion with this fact, isn't it. Can Elephants Indeed Dance in this case? Microsoft’s VP of Security Mike Nash, made a lot of comments for a Slashdot interview that made me an impression, such as :



“Four years ago, I used to have to have frequent conversations with teams who would tell me that they couldn't go through the security review process because they had competitive pressures or had made a commitment to partners to ship at a certain time.” – I can argue that nothing has changed since then, can you?



Why it wouldn’t?

Mainly because of the actual commitment, though I feel Microsoft could evolve if it manages to find the balance between being a software company with ambitions in the security industry. First, the clear benefits should be understood, and they obviously aren’t. I greatly feel that until a customer, or a legal party doesn’t start questioning various practices, this self-regulation is not getting us anywhere. Gratefully, the are independent researchers out there that have a point way faster than the vendor itself. I think exchanging information in a way that satisfies both parties would be the best thing to do. Employees training without successful evaluation of the progress is useless, and while seeking accountability from a programmer has been greatly discussed, I feel that outsourcing the auditing is always an option worth keeping in mind. Would confidentiality of the ultra-secret Microsoft’s code be breached? I doubt so given they implement close activities monitoring and the Manhattan project style operations and cooperation between teams.



Don’t get me wrong, Microsoft’s software will always be blamed for being insecure, but instead I feel its defacto position as an OS turns it into an exciting daily research topic, whereas its anti-trust compliance practices such as sharing technical details so that competitors could – puts them in a very unfavourable $279.83B market capitalization position. Security shouldn’t be something to live with as if it’s normal, instead it should be provoked by means of active testing and proactive solutions. I feel what they are missing is a legal incentive to promptly comply with patch releases, while on the other hand can you picture the outcome of a minor tax deduction in case a milestone in the release of proactive security vulnerabilities is reached, and watch them securing!



3. Reach the proactive level, and avoid the reactive, in respect to software vulnerabilities

Have you even imagined Microsoft releasing proactive patches to fix 0day vulnerabilities it has managed to find out though third-party code auditing practices, or within its internal quality assurance departments? Sounds too good to be true, but reaching the proactive level is an important step, so hold your breath, the did it with Vista already! Still, their practices with dealing with the reactive response are questionable, and as it often happens, the window of opportunity due to their efforts to testing and localizing the patches for all their customers(the entire world) is causing windows of opportunities that I could argue drive the security industry.



Why it wouldn’t?

Resources and commitment, though the first can be successfully outsourced. What I greatly feel the company is missing is a clear strategy towards understanding the benefits, and eventually the commitment to do it. Microsoft isn’t insanely obsessed with the idea to provide bugs free software, but features rich one. And the way MSN is not going to get more allocated budget compared to MS Office, it’s going to take a while by the time they realize the importance and key role they play as being on the majority of PC and servers worldwide. Some comments again :



"I often get asked the question, "who has been fired for shipping insecure code at Microsoft?" My usual answer here is that we are still learning a lot about security at Microsoft and that most of the security issues that we deal with don't come as a result of carelessness or disregard for the process, but rather new vectors of attack that we didn't understand at the time."



4. Introduce an internal security oriented culture, or better utilize its workforce in respect to security

Google’s 70/20/10 rule is an example, and while Microsoft tends to position itself as THE software company, to some it may be competing with other major software vendors, or the Open Source threat, it actually competes on IQ basis. Flame them, talk whatever you want, they are still able to attract the smartest people on Earth to work for them. My point is, that introducing a Google style culture, where engineers and anyone from their employees spend 10% of their time on personal projects, this time towards security, it would inevitable make an impact on finding the balance between usability and security on any of its products. Devoting any percentage of work time towards security related projects and initiatives would.



Why it wouldn't?

They pretend they have their own corporate citizenship methods, and moreover, they hate Google with a reason. Or is it about the culture, spending time on security/hacking cons to find out that's driving the industry, or basically stop shipping products with the majority of features turned on by default with the idea to "show off" their features?



5. Rethink its position in the security vulnerabilities market



Would this mean there would be more monopolistic sentiments? I’m just kiddin’ of course though it’s still questionable. Would a Microsoft’s initiative to recruit outstanding vulnerability researchers and actually purchase their research have any effect at all? It would definitely help them I cannot actually imagine Microsoft paying for 0day IE vulnerabilities, but I can literally see them catching up with week delay on the WMF vulnerability. But the usefulness and the potential of this approach are enormous, and the intelligence gathered will provide them with unique business development opportunities, given they actually take advantage of them.



Microsoft has stated numerous time that it doesn’t agree with the practice of buying security vulnerabilities, and while I also don’t agree that commercializing the current state of the process of discovering, exploiting, and patching is the smartest thing to do, picture a $250k bounty for information leading to the arrest of virus writers being spent on secure code auditing, or push/pull software vulnerabilities approach with reputable researchers only – it would make a change for sure.



Why it wouldn't?

Because the biggest problem of a 800 pound gorilla is its EGO with capital letters. We are not interested in pulling intelligence from you, we are interested in pushing you the final results branded with Microsoft’s logo. Is it profitable? It is. Is it realistic in today’s collective intelligence dominated Web? It isn’t, and the whole concept has to go beyond Live.com from my point of view. Until, then, let’s still say a big thanks for playing such a vital role in our society’s progress, but no one seems to tolerate the security trade-offs anymore, that’s a fact.



To conclude, as I’ve said I think it isn’t the lack of resources, but understanding the importance of the issue. What do you think, what else can Microsoft do, and why it wouldn’t? :)



Technorati tags :
, Continue reading →

Data mining, terrorism and security

March 06, 2006
I've been actively building awareness on what used to feel like an unpopular belief only - Cyberterrorism, and also covered some recent events related to Cyberterrorism in some of my previous posts.



Last week, The NYTimes wrote about "Taking Spying to Higher Level, Agencies Look for More Ways to Mine Data", and I feel that avoiding the mainstream media for the sake of keeping it objective is quite useful sometimes. From the article :



"On the wish list, according to several venture capitalists who met with the officials, were an array of technologies that underlie the fierce debate over the Bush administration's anti-terrorist eavesdropping program: computerized systems that reveal connections between seemingly innocuous and unrelated pieces of information. The tools they were looking for are new, but their application would fall under the well-established practice of data mining: using mathematical and statistical techniques to scan for hidden relationships in streams of digital data or large databases."



Interest in harnessing the power of data mining given the enormous flow of information from different parties would never cease to exist. What's more to note in this case, is the Able Danger scenario as a key indicator for usefulness of outdated information, given any has been there at the first place. Conspiracy theorists would logically conclude that the need for evidence of the power of data mining for tracking terrorists would inevitably fuel more investments in this area. So true, and here's a recent event to keep the discussing going - "Suit airs Able Danger claims: Two operatives in secret program say their lawyers were barred at hearings"



While on one hand wars are getting waged with the idea to eradicate terrorist deep from its roots, and sort of building "local presence" thus improving assets allocation and intelligence gathering, I feel the fact that a reliable communication channel could be estalibshed by a terrorist network over the Net is already gaining a lot of necessary attention. However, TIA's ambitions have always been desperately megalomaniac, what about some marginal thinking in here folks, you cannot absorb all the info and make sense out of it, and who says it has to be all of it at the first place?!



The Total Information Awareness program was prone to be abused in one way or another, like pretty much any data mining system from my point of view. And while it's supposidely down due to budget deficits and privacy violations outbreak, government legislation and ensuring key networks remain wiretaps-ready seems to be a valuable asset for any future data mining projects. TIA is still up and running folks, or even if it's not using the same name, the concept is still in between the lines of DHS's budget for 2006 and would always be, and with the majority of corporate sector's participants are opening up their networks to comply with "legal requirements", the lines between privacy and the war against terrorism, and what to exchange for what, seems to be getting even more shady these days.



In my previous posts, I also mentioned about the power of the Starlight project as existing initiative to data mine data from different and media-rich sources alltogether, and most importantly, visualize the output. If you fear BigBrother, don't fear the Eye, but fear the Eyeglasses :)



More resources on Data Mining and Terrorism :

Data Mining : An Overview
Data Mining and Homeland Security : An Overview (updated January 27, 2006)
Using data mining techniques for detecting terror-related web activities
Data mining and surveillance in the post-9.11 environment
The Dark Web Portal: Collecting and Analyzing the Presence of Domestic and International Terrorist Groups on the Web
Workshop on Data Mining for Counter Terrorism and Security
TRAKS: Terrorist Related Assessment using Knowledge Similarity
The Multi-State Anti-Terrorism Information Exchange (MATRIX)
A Knowledge Discovery Approach to Addressing the Threats of Terrorism - w00t
Gyre's Data Mining section
Eyeballing Total Information Awareness
Able Danger blog
EPIC's TIA section
EFF's TIA section



Technorati tags : , , , , Continue reading →

Anti Phishing toolbars - can you trust them?

March 06, 2006
A lot of recent phishing events occured, and what should be mentioned is their constant ambitions towards increasing the number of trust points between end users and the mirror version of the original site. The use of SSL and the ease of obtaining a valid certificate for to-be fraudelent domain is a faily simple practice. Phishing is so much more than this, and it even has to do with buying 0day vulnerabilities to keep itself competitive.


How should phishing be fought? Educating the end user not to trust that he/she's on Amazon.com, when he just typed it, or enforcing a technological solution to the problem of digital social engineering and trust building? As far as trends are concerned, according to the AntiPhishingGroup's latest report :



• Number of unique phishing reports received in December: 15244
• Number of unique phishing sites received in December: 7197
• Number of brands hijacked by phishing campaigns in December: 121
• Number of brands comprising the top 80% of phishing campaigns in December: 7
• Country hosting the most phishing websites in December: United States
• Contain some form of target name in URL: 51 %
• No hostname just IP address: 32 %
• Percentage of sites not using port 80: 7 %
• Average time online for site: 5.3 days
• Longest time online for site: 31 days


In case you haven't came across to this research "Do Security Toolbars Actually Prevent Phishing Attacks?" you'll find that it has very good points and actual evidence. Antiphishing filters and toolbars protection are gaining popularity, and many popular companies are fighting for market share of the end users'


desktop, but keep in mind that :



"We conducted two user studies of three security toolbars and other browser security indicators and found them all ineffective at preventing phishing attacks. Even though subjects were asked to pay attention to the toolbar, many failed to look at it; others disregarded or explained away the toolbars’ warnings if the content of web pages looked legitimate. We found that many subjects do not understand phishing attacks or realize how sophisticated such attacks can be."



The topic of phishing and fighting the problem has been again greatly extended by the researcher Min Xu, while writing the thesis "Fighting Phishing at the User Interface" and introducing a solution that measures a site's reputation and trustfulness. While, this is among the simplest ways Google uses to while assigning PageRank's, I find this a common sense warning. Still, with the constant flood of Web 2.0 companies, does it matter? :) Check out some screenshots from this outstanding thesis, and get the point :


Localizing the attacks, taking advantage of the momentum, or a software vulnerability within a popular browser or site itself, as well as taking advantage of malware, are among the most common practices these days. Moreover, I feel that fighting phishing the wrong way could erode the end user's trust in the Web on the other hand, so do your homework on the social impact on anything you do. NetCraft's Anti Phishing toolbar, whatsoever, is my favorite combination of them all, still, awareness and lack of naivety when it comes to transactions or authentication is the perfect tool, what about yours?



Some resources worth mentioning are :

Candid's “Phishing in the middle of the stream” Today’s threats to online banking
Know your Enemy : Phishing
Phishing attacks and countermeasures
The Phishing Guide
Distributed Phishing Attacks
Phishiest Countries
MailFrontier Phishing IQ Test
Online Identity Theft: Phishing Technology, Chokepoints and Countermeasures



Technorati tags :
, , , Continue reading →

February's Security Streams

March 06, 2006
It's about time I summarize all my February's Security Streams, you can of course go through my January's Security Streams as well, in case you're interested in what was inspiring me to blog during January. The truth is - you, the 4,477 unique and 580 unique visitors returning during the entire February, and as this blog is melting down due to its audience and content, thanks for your time! As a matter of fact, it's been a while since I've last participated in students' thesis, but who knows these days :)



1. "Suri Pluma - a satellite image processing tool and visualizer", treat tool I recommended to everyone interested in that type of tools, as a matter of fact, I also got many other suggestions for alternatives. More on visualization



2. "CME - 24 aka Nyxem, and who's infected?" a small update on the Nyxem threat if any during February

3. "What search engines know, or may find out about us?"" a commentary on a CNET's Q&A with leading search engines on how they deal with subpoenas and user's privacy, further resources and opinions on the topic are provided as well. Anything that can be linked will be one way or another.



4. "The current state of IP spoofing" introducing the ANA Spoofer Project, commentary on the current state according to their sample, and many other distributed concepts again related to security are mentioned



5. "Hacktivism tensions" A brief coverage of the mass defacements of Danish sites out of the Muhamad's cartoons distribution over Europe, and of course, over the Net. I also mentioned a previous rather more severe case or Nation2Nation cyberwarfare PSYOPS attacks



6. "Security Awareness Posters" a small list with links to free security awareness posters worth using or enjoying their witty messages



7. "A top level espionage case in Greece" With the great possibility of an insider's job, the eavesdropping of major government officials and citizens was indeed the second case that made me an impression, next to the stone transmitter found in a Moscow's park



8. "The War against botnets and DDoS attacks" A post covering the introduction of McAfee's bot killing system, The ZombieAlert Service, some comments and lots of external resources on fighting and protecting against Botnets and DDoS attacks



9. "Who needs nuclear weapons anymore?" An in-depth article I wrote while coming across a news article on a recent EMP warhead test, with the idea to bring more awareness on the potential of EMP weapons, some of the current trends, and the emerging weaponization of Space . A reader also mentioned a Mig-25 found on Google Maps



10."Recent Malware developments" a post summarizing various events right in the middle of February, discussing some of the emerging trends to keey an eye on, a a commentary on Kaspersky's summary for 2005, worth checking out as well



11. "Look who's gonna cash for evaluating the maliciousness of the Web?" Crawling for malware and evaluating the maliciousness of the Web with automated patrol for sites distribution it is a very hot and feasible topic you can learn more about by reading this post



12. "Detecting intruders and where to look for" comments and external resources related to rootkits and forensics



13. "A timeframe on the purchased/sold WMF vulnerability" as requested by readers



14. "The end of passwords - for sure, but when?" As my first blog post was related to passwords security and why bother given their major insecurities, in this post I commented Bill Gate's remarks. I think they don't know what they are really up to at the bottom line



15."Smoking emails" Would you pay millions to avoid paying billions and keep a clean image? Of course you will!



16. "DVD of the weekend - The Lone Gunmen" the first post related to DVDs worth watching over the weekend



17. "How to win 10,000 bucks until the end of March?" Find a critical, as defined by Microsoft's security bulletins, vulnerability, participate in the market for software vulnerabilities - the future 0bay, and sell it to iDefense for 10,000 bucks, but what about the social outcome out of the process, if any?



18. "Chinese Internet Censorship efforts and the outbreak" recent events related to the Chinese efforts to monitor and censor the web, the the "West's'"reactions. I did quite a lot of quality posts on the topic during January and February mainly because I feel that the higher the publicity for the problem, the higher the pressure towards starting talks on the future of these efforts



19. "Master of the Infected Puppets" comments on botnets communication provoked out of a nice research I came across to



20. "Give it back!" Mixed signals from the CIA, DIA and the DoJ on secrecy



21. "One bite only, at least so far!" a brief coverage of the OS X trojan and the InqTana worm



22. "DVD of the Weekend - The Outer Limits - Sex And Science Fiction Collection" weekend two, second DVD



23. "Get the chance to crack unbroken Nazi Enigma ciphers" another distributed concept this time cracking unbroken Nazi messages



Technorati tags :
, Continue reading →

DVD of the (past) weekend

March 06, 2006
Hi folks, as I've been down for a couple of days, I'm actively updating my blog, so watch out for some quality posts later on and apologies for the downtime. Thanks for the interest and the questions received whatsoever!





So, after the "Lone Gunmen", and "The Outer Limits - Sex And Science Fiction Collection" it was about time we go beyond cyberspace with the second part of the "Lawnmower man" a classic techno thriller, with a lot of VR, Cyberpunks, and futuristic scenarious.





Favo quote from part one - "I find a way out, or I die in this diseased main frame" which is also worth watching as a matter of fact. I'm so excited of seeing Ray Kurzweil's views of the future in a DVD box. I am especially interested into Cyberware, and the biological adaptation with technologies. As a matter of fact, there have already been reported cases of people with implanted RFID chips, and while they wish they had Johnny Mnemonic's view of the Internet, that must be some kind of a joke. Picture yourself scanned and monitored wherever you go while walking around with a false sense of security. RFID is a lot of buzz, I feel the potential for information sharing, and resources cutting is outstanding, still, the levels of security or lack of understanding on the privacy implications is the biggest downsize so far.



Would we someday build an AI that would crawl the Universe forever colonizing the obeying the morale we learnt "it" to? I find this such a great idea :)





Some resources on Cyberware and Cyberpunks :

The Cyberpunk Project
Cyberpunk
"Cyberpunks in Cyberspace"
Cyberanarchists, Neuromantics and Virtual Morality
Cyberpunks and their online activities
Cyberpunk - Ebook

Cyberware Technology
Realistic and Affordable Cyberware Opponents for the Information Warfare BattleSpace
Cyberware Implants





Technorati tags :
, , , , , Continue reading →

Get the chance to crack unbroken Nazi Enigma ciphers

February 27, 2006
Nice initiative I just came across to. From the "M4 Message Breaking Project" :



The M4 Project is an effort to break 3 original Enigma messages with the help of distributed computing. The signals were intercepted in the North Atlantic in 1942 and are believed to be unbroken. Ralph Erskine has presented the intercepts in a letter to the journal Cryptologia. The signals were presumably enciphered with the four rotor Enigma M4 - hence the name of the project.


This project has officially started as of January 9th, 2006. You can help out by donating idle time of your computer to the project. If you want to participate, please follow the client install instructions for your operating system:

Unix Client Install
Win98 Client Install
Win2000 Client Install
WinXP Home Client Install
WinXP Pro Client Install



The first message is already broken as a matter of fact, and looks like that :



Ciphertext :

nczwvusxpnyminhzxmqxsfwxwlkjahshnmcoccakuqpmkcsmhkseinjus
blkiosxckubhmllxcsjusrrdvkohulxwccbgvliyxeoahxrhkkfvdrewezlx
obafgyujqukgrtvukameurbveksuhhvoyhabcjwmaklfklmyfvnrizr
vvrtkofdanjmolbgffleoprgtflvrhowopbekvwmuqfmpwparmfha
gkxiibg



Deciphered and in plain text :

From Looks:Radio signal 1132/19 contents:Forced to submerge during attack, depth charges. Last enemy location08:30h, Marqu AJ 9863, 220 degrees, 8 nautical miles, (I am) following(the enemy). (Barometer) falls (by) 14 Millibar, NNO 4, visibility 10.



You no longer need the NSA to assist in here, still they sure have contributed a lot while "Eavesdropping on Hell", didn't they?



Distributed Computing is a powerful way to solve complex tasks, or at least put the PC power of the masses in use. It's no longer required to hire processing power on demand from any of these jewels, but download a client, start participating, or find a way to motivate your future participants. In my previous post "The current state of IP spoofing" I commented on the ANA Spoofer Project and featured a great deal of other distributed projects. Meanwhile, the StartdustAThome project also started gaining grounds, so is it ETs, Space dust, global IP spoofing susceptibility, or unbroken Nazi's ciphers - you have the choice where to participate!



Technorati tags :
, , , Continue reading →

DVD of the Weekend - The Outer Limits - Sex And Science Fiction Collection

February 25, 2006
"A sextet of sci-fi tales opens with Alyssa Milano as a woman whose "close encounter" leaves her with an insatiable lust in "Caught in the Act"; the sole survivor of a nuclear holocaust gets some computer-generated companionship in "Bits of Love," with Natasha Henstridge; Sofia Shinas is "Valerie 13," a robot whose emotions become all-too-human; a man who's lived his life onboard a mysterious spaceship meets his female counterpart in "The Human Operators," with Jack Noseworthy and Polly Shannon; a nerd becomes a ladies man via a high-tech "image enhancer" in "Skin Deep," with Antonio Sabato, Jr. and Adam Goldberg; and an alien plant becomes a deadly and
seductive "Flower Child," with Jud Taylor."



Get it, find out more, and listen to the wisdom from previous episodes. Continue reading →

One bite only, at least so far!

February 24, 2006
Apple's OS X has always been positioned as a juicy target even though it's market share is almost non-existent compared to Microsoft's domination. And while converting iPod customers into MAC users hasn't shown any progress so far and I doubt it would, malware authors are as always actively experimenting or diversifying the threatscape. One question remains unclear, why would someone want to own a MAC, compared to owning hundreds of thousands of Windows PCs out there? To me, it's not about achieving the scale necessary for a Botnet, rather, experiment, show that it's possible through POC releases, or basically start attacking the living in a safe heaven until for now, MAC users.



Recently, an OS X trojan appeared, second (nice attitude from Apple on embracing the inevitable!), one followed, and besides "worming" a vulnerability and experimenting with propagation methods, I don't really think it's the big trend everyone is waiting for, a standard POC(Cabir), whose core function would empower a generation of variants for years to come.



I just came across this from Trifinite's blog :



"Trifinite.group member Kevin has published a paper detailing the techniques he used in the development of the InqTana Bluetooth worm that targets vulnerable Mac OS X systems. There has been significant confusion surrounding this worm, so here are some salient points:



- The concurrent release of the OS X Leap.A and InqTana.A worms is coincidental


- There is no conspiracy, AV vendors and Apple were notified about Kevin's progress in developing this worm in advance of making details publicly available


- Both 10.3 and 10.4 systems are vulnerable until patched with APPLE-SA-2005-05-03 and APPLE-SA-2005-06-08


- InqTana prompts before infecting *by design*, Kevin was just trying to be nice, but the worm could easily spread silently



Kevin's paper is available at http://www.digitalmunition.com/InqTanaThroughTheEyes.txt. Comments can be directed to the BlueTraq mailing list. Our sympathies to those organizations who were affected by the false-positive signatures published by overzealous AV companies."



It clarifies a lot I think, mostly that, while architecture and OS popularity have a lot to do with security and incentives for attacks, "InqTana.A itself has absolutely nothing to do with Leap.A. My work was done completely independent of the author of Leap. The day after I sent out queries to the AV companies about my code I was shocked to see another OSX worm had already been in the news. While my worm sat in the mail spools of several AV companies they were busy writing about the "First Trojan/Worm for OSX"."



Leakage of IP, or I'm being a paranoid in here? Wired also has some nice comments.



Technorati tags :
, , , , , , Continue reading →

Give it back!

February 24, 2006
According to a recent article "Secret program reclassifies documents" :



"Researcher Matthew Aid has discovered a secret reclassification program that has moved thousands of declassified pages out of the National Archives and Records Administration's facility in Maryland. Some groups, such as George Washington University's Nation Security Archive, are fighting to end the program, arguing that the government has no right take back information it has published. The reclassification has been ongoing since 1999 as the Central Intelligence Agency, the Defense Intelligence Agency, and the Defense and Justice departments take back information they say had been inadvertently published. The National Security Archive describes some of the documents that have been reclassified as uninteresting and mundane."



And from The National Security Archive :



"Washington, D.C., February 21, 2006 - The CIA and other federal agencies have secretly reclassified over 55,000 pages of records taken from the open shelves at the National Archives and Records Administration (NARA), according to a report published today on the World Wide Web by the National Security Archive at George Washington University."



OSINT has greatly evolved from President Nixon's remark in respect to the CIA “What use are they? They’ve got over 40,000 people over there reading newspapers.”, whereas Secrecy is a major weakness to the national security of a country in a very complex way. I feel that sometimes, you need the average citizen's unbiased opinion on a major issue, but I guess I'm not into politics, just figuring out what is going on at the bottom line!



More on Secrecy, Intelligence, Misc :

Making Intelligence Accountable
Why Spy? The Uses and Misuses of Intelligence (1996)
Intelligence Analysis for Internet Security : Ideas, Barriers and Possibilities
U.S. Electronic Espionage : A Memoir
Terrorism prevention in Russia : one year after Beslan
Crypto Law Survey
Cryptome
Project on Government Secrecy
Shhh!!: Keeping Current on Government Secrecy



Technorati tags :
, Continue reading →

Master of the Infected Puppets

February 24, 2006
In some of my previous posts, "What are botnet herds up to?", "Skype to control Botnets", "The War against Botnets and DDoS attacks", and "Recent Malware Developments", I was actively providing resources and updating my blog readers (thanks for the tips and the info sharing, I mean it!) related to one of the most relevant threats to the Internet ( more trends and bureaucracy ) - Botnets.





I recently came across a well researched report giving a very in-depth overview and summary of important concepts related to Botnets. Recommended bed time reading, and here's an excerpt :





"In this paper we begin the process of codifying the capabilities of malware by dissecting four widely-used Internet Relay Chat (IRC) botnet codebases. Each codebase is classified along seven key dimensions including botnet control mechanisms, host control mechanisms, propagation mechanisms, exploits, delivery mechanisms, obfuscation and deception mechanisms. Our study reveals the complexity of botnet software, and we discusses implications for defense strategies based on our analysis"





Some of the findings that I also came across in my "Malware - future trends" search worth mentioning are :







- "The overall architecture and implementation of botnets is complex, and is evolving toward the use of common software engineering techniques such as modularity." Namely, no one is interested in reinventing the wheel again, and the Simple Botnet/Malware Communication Protocol I've once mentioned (originally came across the concept here) could give the malware scene an impressive scale, but could it also put AV vendors and researchers in favorauble position where exploiting protocol weaknesses is more beneficial than current approaches?







- "Shell encoding and packing mechanisms that can enable attacks to circumvent defensive systems are common. However, Agobot is the only botnet codebase that includes support for (limited) polymorphism"







Smart! Mainly because of the fact that "The malware delivery mechanisms used by botnets have implications for network intrusion detection and prevention signatures. In particular, NIDS/NIPS benefit from knowledge of commonly used shell codes and ability to perform simple decoding. If the separation of exploit and delivery becomes more widely adopted in bot code (as we anticipate it will), it suggests that NIDS could benefit greatly by incorporating rules that can detect follow-up connection attempts."



-"All botnets include a variety of sophisticated mechanisms for avoiding detection (e.g., by anti-virus software) once installed on a host system."






Retention instead of acquisition of new zombies would tend to dominate from my point of view. Patching the hosts themselves, hiding presence, dealing with the easy to detect idle zombie's presence, TCP obfuscations, tests for debuggers, are among the current methods used.





Botnets will continue to dominate due to their concept and potential for growth, and while monitoring and doing active research is still feasible, encrypted communications as a logical development should also be researched as a concept, but how many *public* IRC servers, if such are used, support SSL encryption?







Technorati tags :
, , , Continue reading →

Chinese Internet Censorship efforts and the outbreak

February 24, 2006
In some of my January's Security Streams, I did some extensive blogging expressing my point of view on the current Internet censorship activities, and tried to emphasize on the country whose Internet population is about to outpace the U.S one - China. In my posts "China - the biggest black spot on the Internet’s map", "2006 = 1984?", "Twisted Reality", you can quickly update yourself on some of the recent developments related to the topic, but what has changed ever since?


Government bodies such as the DoJ seem to favour the amount of data the most popular and advanced search engine Google holds and tried to obtain information for the purpose of "social responsibility". What's more to consider are some of the weak statements made, namely :



"House Government Reform Committee Chairman Tom Davis (R-VA) has criticized Google for refusing to hand search records over to the US Justice Department while cooperating with China in censoring certain topics. Justice sought the records to bolster its case against a challenge to online anti-pornography laws, but Google refuses to submit the records on privacy grounds. Davis does not expect a standoff between Google and the government, but hopes an agreement can be reached, allowing Google to supply the records without frightening users that their searches may be examined."



and in case you're interested, some of my comments, :



"Is it just me or that must be sort of a black humour political blackmail given the situation?! First, and most of all, the idea of using search engines to bolster the online anti-pornography laws created enough debate for years of commentaries and news stories, and was wrong from the very beginning. Even if Google provide the data requested it doesn’t necessarily solve the problem, so instead of blowing the whistle without any point, sample the top 100 portals and see how they enforce these policies, if they do. As far as China is concerned, or actually used as a point of discussion, remember the different between modern communism, and democracy as a concept, the first is an excuse for the second, still, I feel it’s one thing to censor, another to report actual activity to law enforcement. I feel alternative methods should be used, and porn “to go” is a more realistic threat to minors than the Net is to a certain extend, yet the Net remains the king of content as always."



Google indeed issued a statement, sort of excusing the censorship under the statement of "the time has come to open ourselves to the Chinese market", and while their intentions make business sense, the outbreak had very positive consequences from my point of view - build more awareness and have the world's eyes on the Chinese enforcement of censorship practices, but is it just China to blame given "Western" countries do censor as well, or is it China's huge ambitions of maintaining a modern communism in the 21st century that seem to be the root of the problem?



In an article "A day in the life of a Chinese Internet Police Officer" I read some time ago, you can clearly see the motivation, but also come across the facts themselves : you cannot easily censor such a huge Internet population, instead, guidance instead of blocking, and self-regulation(that is limiting yourself with fear of prosecution) seem to be the current practice, besides jailing journalists! And while sometimes, you really need to come up with a creative topic worth writing about, free speech is among the most important human rights at the bottom line.



Chris Smith, Chairman of the House subcommittee that oversees Global Human Rights, proposed a discussion draft "The Global Online Freedom Act of 2006" "to promote freedom of expression on the internet [and] to protect United States businesses from coercion to participate in repression by authoritarian foreign governments". It is so "surprising" to find out that they are so interested in locating cyber-dissidents : "U.S. search engine providers must transparently share with the U.S. Office of Global Internet freedom details of terms or parameters submitted by Internet-restricting countries." exactly the same way I mentioned in my previous "Anonymity or Privacy on the Internet?" post.



Meanwhile, the OpenNetInitiative also released a bulletin analyzing Chinese non-commercial website registration regulation, giving even further details on the recent "you're being watched" culture that tries to cost-effectively deal with the issue of self-regulation :



"In a report published last year, “Internet Filtering in China: 2004-2005,” ONI shared its research findings that China’s filtering regime is the most extensive, technologically sophisticated, and broad-reaching Internet filtering system in the world. This new regulation does not rely on sophisticated filtering technology, but uses the threat of surveillance and legal sanction to pressure bloggers and website owners into self-censorship. While savvy website owners might thwart the registration requirement with relative ease, the regulation puts the vast majority of Chinese Internet users on notice that their online behaviour is being monitored and adds another layer of control to China’s already expansive and successful Internet filtering regime."



Yet another recent research I came across is a university study that finds out that "60% Oppose Search Engines Storing Search Behaviours", you can also consider the "alternatives" if you're interested :) A lots to happen for sure, but it is my opinion that personalized search is the worst privacy time bomb a leading search engine should not be responsible for, besides open-topic data retention policies and not communicating an event such as the DoJ's one, but complying with it right away, bad Yahoo!, bad MSN!



At the bottom line, Google's notifications of censored content(as of March, 2005 only, excluding the period before!), the general public's common sense on easily evaluating what's blocked and what isn't, and the powerful digital rights fighting organizations that simultaneously increased their efforts to gain the maximum out of the momentum seemed to have done a great job of building awareness on the problem. Still, having to live with the booming wanna be "free market" Chinese economy, and the country's steadily climbing position as a major economic partner, economic sanctions, quotas, or real-life scenarios would remain science fiction.



Technorati tags :
, , , , Continue reading →

DVD of the weekend - The Lone Gunmen

February 17, 2006
The Lone Gunmen on two double-sided discs, pure classic! In one of my chats with Roman Polesek, from Hakin9, he was wise enough to state the you cannot be a prophet in your own industry, simple, but powerful statement you should take into consideration.

Initiatives such as The Lone Gunmen, the X-files, and The Outer Limits have already proven useful, given someone listens! For instance :



"In a foreshadowing of the September 11, 2001 attacks, subsequent conspiracy theories, and the 2003 invasion of Iraq, the plot of the March 4, 2001 pilot episode of the series depicts a secret U.S. government agency plotting to crash a Boeing 727 into the World Trade Center via remote control for the purpose of increasing the military defence budget and blaming the attack on foreign "tin-pot dictators" who are "begging to be smart-bombed." This episode aired in Australia less than two weeks before the 9/11 attacks, on August 30."



Conspiracy theorists do have a lot to say, so don't ignore them, find the balance, and enjoy the series :)



You can also browse through some transcripts as well.



Technorati tags :
conspiracy Continue reading →

Smoking emails

February 17, 2006
I just came across this, "Morgan Stanley offers $15M fine for e-mail violations" - from the article :





"US investment bank Morgan Stanley will offer a settlement to the Securities and Exchange Commission (SEC), agreeing in principle to pay a $15 million fine for failing to preserve e-mail messages. The e-mail messages could have provided useful evidence in several cases brought against the company. In one case, resulting in a $1.58 billion judgement against the bank, a judge turned the burden of proof on Morgan Stanley after learning they had deleted e-mails related to the case. However, Morgan Stanley has not yet presented the offer to the SEC nor is there a guarantee the SEC will accept. The investment bank says it is fixing the problems that led to the erasure and is pleading for leniency."



He, He, He!





You see, the email archiving market is about to top $310M for 2005 according to the IDC, still one of the world's most powerful investment banks cannot seem to be able to comply with the requirements.




Lack of financial power - nope, lack of incentives - yep! The case reminds me of KPMG's tax shelters, McAfee's fine for accounting scam between 1998-2000, and the "Smoking Emails" Admissible In $1 Billion Enron-Related Chase Case".





Quit smoking emails, and take advantage of MailArchiva - Open Source Email Archiving and Compliance.





Techorati tags :
smoking gun, investment banking, compliance, mailarchiva Continue reading →

How to win 10,000 bucks until the end of March?

February 17, 2006
I feel that, in response to the recent event of how the WMF vulnerability got purchased/sold for $4000 (an interesting timeframe as well), iDefense are actively working on strengthening their market positioning - that is the maintain their pioneering position as a perhaps the first company to start paying vulnerability researchers for their discoveries.


The company recently offered $10,000 for the submission or a vulnerability that gets categorized as critical in any of Microsoft's Security Bulletins. In the long-term, would vulnerability researchers be able to handle the pressure put on them through such financial incentives, and keep their clear vision instead of sell their souls/skills? What if someone naturally offers more, would money be the incentive that can truly close the deal, and is it just me realizing how bad is it to commercialize the not so mature vuln research market, namely how this would leak all of its current weaknesses?



Consider going through some of my previous thoughts on the emerging market for software/0day vulnerabilities as well and stay tuned for another recent discovery a dude tipped me on, thanks as a matter of fact!



Technorati tags:
, Continue reading →
Subscribe to: Comments (Atom)