The TalkRization of My Blog

February 01, 2007
The service is quite intuitive for a free one, and I must say I never actually got the time to run a podcast on my own, so TalkR seems like the perfect choice for those of you -- including me -- who want to listen to my blog posts. Here's the TalkR feed URL for you to syndicate, and several samples:

- Social Engineering and Malware
- The Life of a Security Threat
- Russia's Lawful Interception of Internet Communications
- Foreign Intelligence Services and U.S Technology Espionage
- Technical Analysis of the Skype Trojan
- Old Media VS New Media

By the way, when was the last time you met a girl who speaks stuff like this?

Old Media VS New Media

February 01, 2007
The never-ending war of corporate interests between the old and the new media seems to re-emerge on a weekly basis. Obviously, newspapers don't really like Google picking up their content and making money without giving them any commissions -- they don't even have to -- and with more shortsighted local newspaper unions asking Google and Yahoo! to stop doing so, I'm so looking forward to the moment in the near future when we'll be discussing their wish to get crawled again. You fear what you don't understand, and the old media doesn't like the way it got re-intermediated, thus losing its overhyped exclusiveness in content generation. In a Web 2.0 world, everyone generates content, which later on gets mixed, re-mixed, syndicated and aggregated; what if newspapers really tried to adapt instead of denying the future? And isn't it ironic that the newspapers that want to be removed from any search engine's index are later on using these search engines while investigating for their stories?

Here's a lengthy comment I recently made on the old media vs the new one.

PR Storm

February 01, 2007
Great to see that Mike Rothman and Bill Brenner know how to read between the lines. Here's a related point of view on the Storm Worm - Why do users still receive attachments they are not supposed to click on?

Meanwhile, Eric Lubow (Guardian Digital, Linuxsecurity.com) has recently joined the security blogosphere and I'll be keeping an eye on his blog for sure -- hope it's mutual. Two more rather fresh blogs worth reading are ITsecurity.com's -- how's it going, Kev -- and Panda Software's blog. And with PandaLabs now blogging, the number of anti-virus vendors without a blog, namely those still living in the press-release world, is getting smaller. I remember the last time I was responsible for writing press releases for a vendor I'd rather not associate myself with, and how Web 1.0 the whole practice was. If you really want to evolve from branding to communicating value, hire a blogger who's mindful of corporate citizenship given that he's commissioned, and reboot your PR channels.

Clustering Phishing Attacks

January 26, 2007
Clustering a phishing attack to get an in-depth and complete view of the inner workings of a major phishing outbreak, or of a specific campaign only - that's just one of the many applications of InternetPerils. Backed up with neat visualization features and a layered approach that makes it easier for analysts to do their jobs faster, its capabilities are already scoring points in the information security industry:

"InternetPerils has discovered that those phishing servers cluster, and infest ISPs at the same locations for weeks or months. Here's an example of a phishing cluster in Germany, ever-changing yet persistent for four months, according to path data collected and processed by InternetPerils, using phishing server addresses from the Anti-Phishing Working Group (APWG) repository. The above animation demonstrates a persistent phishing cluster detected and analyzed by InternetPerils using server addresses from 20 dumps of the APWG repository, the earliest shown 17 May and the latest 20 September. This phishing cluster continues to persist after the dates depicted, and InternetPerils continues to track it."

Here are seven other interesting anti-phishing projects, and a hint to the ISPs who really want to know what their customers are (unknowingly) up to.

Visual Thesaurus on Security

January 26, 2007
In case you haven't heard of the Thinkmap Visual Thesaurus, it's an "interactive dictionary and thesaurus which creates word maps that blossom with meanings and branch to related words. Its innovative display encourages exploration and learning. You'll understand language in a powerful new way." With its current database size and the outstanding usability built into the interface, it has a lot of potential for growth, and I'm sure you'll find out the same if you play with it for a little while.

Testing Anti Virus Software Against Packed Malware

January 25, 2007
Very interesting idea, as packed malware is rather common these days, and as we've seen with the recent use of commercial packers in the "Skype trojan", malware authors are definitely aware of the concept. What the authors did was to pack the following malware using 21 different packers/software protectors -- Backdoor.Win32.BO_Installer, Email-Worm.Win32.Bagle, Email-Worm.Win32.Menger, Email-Worm.Win32.Naked, Email-Worm.Win32.Swen, Worm.Win32.AimVen, Trojan-PSW.Win32.Avisa, Trojan-Clicker.Win32.Getfound -- and scan them with various anti-virus products to measure which ones excel at detecting packed malware. What some vendors are best at detecting, others don't have a clue about, but the more data to back up your personal experience, the better for your decision-making.

Threats of Using Outsourced Software

January 25, 2007
Self-sufficiency in (quality) software programming for security reasons -- yeah, sure:

"The possibility that programmers might hide Trojan horses, trapdoors and other malware inside the code they write is hardly a new concern. But the DSB will say in its report that three forces — the greater complexity of systems, their increased connectivity and the globalization of the software industry — have combined to make the malware threat increasingly acute for the DOD. "This is a very big deal," said Paul Strassmann, a professor at George Mason University in Fairfax, Va., and a former CIO at the Pentagon. "The fundamental issue is that one day, under conditions where we will badly need communications, we will have a denial of service and have billion-dollar weapons unable to function."

The billion-dollar weapons system will be unable to function in case of an ELINT attack, not because of a software backdoor, taking the statistical approach.

There's an important point to keep in mind: during WWII, the U.S attracted Europe's brightest minds, who later on set the foundations for the U.S becoming a super power. Still, you cannot expect to produce everything on your own, or even hope to be more efficient at producing a certain product than someone who specializes in doing it. Start from the basics: what type of OS does your intelligence agency use, in order not to have to build a new one and train everyone to use it efficiently? Say it with me... Moreover, the sound module in your OS has as a matter of fact already been outsourced somewhere else; if you try to control the process with security in mind, vendors will see their profit margins cut, as they will have to pay more for the module, and will increase prices, slowing down innovation. But of course it will give someone a very false feeling of security.

Fears due to outsourced software? Try budgeting for secondary audits "back home" if you're truly paranoid and want to remain cost-effective. While it may seem logically more suitable to assume "coded back home means greater security and less risk", you'll be totally wrong. All organizations across the world connect using standard protocols and similar operating systems, making them all vulnerable to the same threats that today's network-specific attacks represent. And no one is re-inventing the OSI model either.

You can also consider another task force, one that will come up with layered disinformation channel tactics when they find such a backdoor, as detecting one and simply removing it on such systems would be too impulsive to mention.

Who's Who on Information and Network Security in Europe

January 25, 2007
A very handy summary of Europe's infosec entities and contact details that comes as a roadmap for possible partnerships or analysts' research:

"This Directory serves as the “Yellow pages” of Network and Information Security in Europe. As such, it is a powerful tool in everyday life of all European stakeholders and actors in Network and Information Security (NIS). By having access to all contact data and entry points for all European actors in one booklet, available on your desk, the “arm length’s rule” of access to information is becoming concrete. I am confident that this device of compiled Network and Information Security stakeholders, contacts, websites, areas of responsibility/activity of national and European Authorities, including organisations acting in Network Security and Information, serves our mission to enhance the NIS security levels in Europe well."

Compared to China's information security market, on which I've blogged in a previous post, Europe's R&D efforts are still largely decentralized at the country level, but hopefully, with the ongoing initiatives among member states, innovation will prevail over bureaucracy.

The Zero Day Vulnerabilities Cash Bubble

January 25, 2007
The WMF vulnerability was reportedly sold for $4000, a Vista zero day was available for sale at $50,000, and now private vulnerability brokers claim that they beat both the underground and the current incentive programs, selling vulnerabilities for between $75,000 and $120,000.

"The co-founder of security group Secure Network Operations Software (SNOSoft), Desautels has claimed to have brokered a number of deals between researchers and private firms--as well as the odd government agency--for information on critical flaws in software. Last week, he bluntly told members of SecurityFocus's BugTraq mailing list and the Full-Disclosure mailing list that he could sell significant flaw research, in many cases, for more than $75,000. "I've seen these exploits sell for as much as $120,000," Desautels told SecurityFocus in an online interview."

But the cash bubble is rather interesting. Zero day vulnerabilities are an over-hyped commodity, and paying to get yourself protected from one means you'll still be exposed to the next one, while you could have been dealing with far more risky aspects of protecting your network or customers. The (legitimate) business model breaks when every vendor starts offering a "bounty" for vulnerabilities while disintermediating the current infomediaries. It would definitely be more cost-effective for them than improving someone else's profit margins. Or they could really reboot their position in this situation by fuzzing their own software in the first place.

Attack of the SEO Bots on the .EDU Domain

January 23, 2007
A university's Internet presence often results in a very high PageRank for its site; therefore, if a malicious spammer would like to harness the possibility of having the spammed message appear among the top 20 search results, he'd figure out a way to post direct http:// links on various .edu domains, especially on the wikis residing there. That's the case with PuppetID: Matias Colins -- of course, Collins is spelled with one L only. Matias Colins is an automated attack script that's already hosting hundreds of spam pages on the .edu domain, mostly adult related, and it's worth mentioning that where access to a directory has been in place, the hosted pages blocked caching by any search engine, or hosted one of their own. Redirection is perhaps what the attacker is very interested in too. See how this berkeley.edu link - dream.sims.berkeley.edu/~tdennis/wp-content/animalsex.php - redirects to a site for whatever the page title says, and this is yet another one - oit.pdx.edu/jethrotest/mysqldb.php.

Here are two more examples of another bot using my blog post titles to generate subdomains or the like, and of bots abusing Ebay's reputation system by self-recommending themselves.

Social Engineering and Malware

January 23, 2007
With all the buzz over the "Storm Worm" -- here's a frontal PR attack among vendors -- it is almost unbelievable how hungry the mainstream media is for a ground-breaking event. And it's not even a worm. If you report each and every outbreak that doesn't differ by even a byte from previous "event-based" malware attacks, what follows is a flood of biased speculation -- too much unnecessary attention to current trends and no attention to emerging ones. With pre-defined subjects, static file names, a single-level propagation vector, the need for the end user to OPEN AN .EXE ATTACHMENT FROM AN UNKNOWN SOURCE, and with "the" Full_Movie.exe at 35kb, worldwide-scale attacks such as the ones described here are more of a PR strategy -- malware with multiple propagation vectors has the longest lifecycle, as by diversifying it improves its chances of penetration. Don't misunderstand me, protecting the end user from himself is a necessity, but overhyping this simple malware doesn't really impress anyone with a decent honeyfarm out there. It doesn't really matter how aggressively it's getting spammed; what matters is the ease of filtering it and enjoying the effective rules you've applied. No signatures needed. As a matter of fact, I haven't seen a corporate email environment that allows incoming executable files in years, especially anything between 0-50kb, have you? My point is that the end user seems to be the target of this attack, since from an attacker's perspective you have a higher chance of success if you try to infect someone who doesn't really know whether his AV is running, or cannot recall the last time an update was done to at least mitigate the risk of infection. These are the real Spam Kings.

At the beginning of 2006, I discussed the evolving concept of localizing malware attacks:

"By localization of malware, I mean social engineering attacks, use of spelling and grammar free native language catches, IP Geolocation, in both when it comes to future or current segmented attacks/reports on a national, or city level. We are already seeing localization of phishing and have been seeing it in spam for quite some time as well. The “best” phish attack to be achieved in that case would be, to timely respond on a nation-wide event/disaster in the most localized way as possible. If I were to also include intellectual property theft on such level, it would be too paranoid to mention, still relevant I think. Abusing the momentum and localizing the attack to target specific users only, would improve its authenticity. For instance, I’ve come across harvested emails for sale segmented not only on cities in the country involved, but on specific industries as well, that could prove invaluable to a malicious attack, given today’s growth in more targeted attacks, compared to mass ones."

The current "events-based" malware is a good example here. If it were a piece of malware that automatically exploited the targeted PC, then you'd really have a problem to worry about. Meanwhile, Businessweek is running an interesting article on Why Antivirus Technology Is Ineffective, stating that "white-listing" is the future of malware prevention. Could be, if there weren't ways to bypass white-listing technology, or to give a "white-listed" application a Second Life -- and of course there are.

In another piece of quality research written by Mike Bond and George Danezis, the authors take us through the temptation stage, monitoring, blackmail, voluntary propagation, involuntary propagation, and present nice taxonomies of rewards and blackmail.

And if you're still looking for fancy stats and data to go through, read this surprisingly well written paper by Microsoft - Behavioural Modelling of Social Engineering-Based Malicious Software. They've managed to spot the most popular patterns - generic conversation, non-English language used, virus alert/software patch required, malware found on your computer, no malware found, account information, mail delivery error, physical attraction, accusatory, current events, and free stuff.
Current events, free stuff, and malware on your computer are the most effective ones from my point of view, as they all exploit wise psychological tactics: current events because the Internet is a major news source and always has been, free stuff due to the myth of "free stuff" on the Internet, and the found malware putting the (gullible) end user in an "oops, it was my turn to get a nasty virus" state of mind.

Collected in the Wild

January 17, 2007
Nothing special; it looks like a downloader that tries to connect to *****.cc/getcommand.php?addtodb=1&uid=rtrtrele.CurrentU. to get the payload, which is packed and repacked quite often. File length: 2829 bytes. MD5 hash: 2147eb874fefe4e6a90b6ea56e4d629a.

The next one is rather more interesting, as it's a registry backdoor that creates a new service and opens listening port 5555. File length: 21504 bytes. MD5 hash: 406e3fc8a2f298a151890b3bee9d7b18.

Creates service "msntupd (msntupd)" as "C:\WINDOWS\SYSTEM32\regbd.sys".

Inside an Email Harvester's Configuration File

January 17, 2007
In previous posts on web application email harvesting and the distributed email harvesting honeypot, I commented on a relatively less popular threat - the foundation for sending spam and phishing emails, namely collecting publicly available email addresses. The other day I came across an email harvester and decided to comment on its configuration file.

File extensions to look in:
TargetFile=abc;abd;abx;adb;ade;adp;adr;bak;bas;cfg;cgi;cls;
cms;csv;ctl;dbx;dhtm;dsp;
dsw;eml;fdb;frm;hlp;imb;imh;imh;imm;inbox;ldb;ldif;mbx;
mda;mdb;mde;mdw;
mdx;mht;mmf;msg;nab;nch;nfo;nsf;nws;ods;oft;pmr;pp;ppt;
pst;rtf;slk;sln;sql;stm;tbb;tbi;txt;uin;vap;vcf;myd;html;htm;htt;js;
asm;asp;c;cpp;h;doc;ini;jsp;log;mes;php;phtm;pl;
shtml;vbs;xhtml;xls;xml;xml;wsh;

Domains to look in:
TargetDomain=ru;com;net;cz;in;info;uk;fr;by;edu;it;de;ua;pl;nz;am;tv;

As you can see, this one is Europe-centric.

Blacklisted usernames and domains:
BlackList=root;info;samples;postmaster;webmaster;noone;nobody;
nothing;anyone;someone;your;you;me;bugs;
rating;site;contact;soft;somebody;privacy;service;help;submit;feste;
gold-certs;the.bat;page;admin;support;ntivi;unix;bsd;linux;listserv;certific;
google;accoun;spm;spam;www;secur;abuse;
.mil;.ftn;@hotmail;@msn;@microsoft;rating@;f-secur;news;update;.gov;@fido;anyone@;bugs@;contract@;feste;gold-certs@;help@;info@;nobody@;noone@;kasp;sopho;@foo;
@iana;free-av;@messagelab;winzip;winrar;samples;abuse;panda;cafee;
spam;pgp;@avp.;noreply;local;root@;postmaster@;
.fidonet;subscribe;faq;@mtu;.mtu;.mgn;.plesk;.sbor;.port;.hoster;
@novgorod;@quarta;.nsk;.talk;.tomsknet;
@suct;.lan;.uni-bielefeld;@ruddy;.msk;@individual;.interdon;
@php;@zend; feedback;.lg;.lnx;@hostel;@relay;
.neolocation; @example;.kirov;.z2;.fido;.tula;
@intercom;@olli;@ozon; @bk;@lipetsk;@ygh;
.eltex;.invention;.intech;@cityline;.kiev;@4ax;
.senergy;@mail.gmail;@butovo;

F-Secure, Kaspersky, MessageLabs, Panda Software and McAfee are taken into consideration, but the best part is that the vendors themselves are visionary enough not to be using domains or email addresses associated with them for spam and malware traps.

Thankfully, there are many spam poison projects where these crawlers get directed to a huge number of randomly generated email addresses. And while the results are evident, namely they're picking them up and poisoning their databases with non-existent emails, it is questionable whether that's the best way to fight spam, since the spammers are going to send their message to anyone, even to the non-existent email addresses, causing network load. Something else worth mentioning: these email harvesters are starting to pick up [at] and [dot] types of obfuscation too.
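To make the configuration's semantics concrete from the defender's side (e.g. deciding whether a spam-trap address you publish would actually be collected or silently skipped), here is an added example, not code from the post or from the harvester itself. It parses the three wrapped lists in this format, undoes the [at]/[dot] obfuscation mentioned above, and reports whether an address found in a given file would be kept; the config excerpt is a constructed subset of the lists shown here, and the substring matching of BlackList entries is an assumption, since the file itself does not say how entries are compared.

```python
import re

# Constructed excerpt of the harvester configuration discussed above: a subset
# of the TargetFile, TargetDomain and BlackList entries, with wrapped
# continuation lines (no Key= prefix) kept the way the file is laid out.
SAMPLE_CONFIG = """
TargetFile=abc;abd;bak;cfg;cgi;csv;dbx;eml;htm;html;js;log;mdb;php;pl;txt;xls;xml;
TargetDomain=ru;com;net;cz;in;info;uk;fr;by;edu;it;de;ua;pl;nz;am;tv;
BlackList=root;info;postmaster;webmaster;nobody;admin;support;abuse;spam;
.mil;.gov;@hotmail;@msn;@microsoft;f-secur;kasp;sopho;panda;cafee;@messagelab;
@example;noreply;root@;postmaster@;
"""

KEY_LINE = re.compile(r"^([A-Za-z]+)=(.*)$")

# [at] / (at) / [dot] / (dot) obfuscation, which the post says harvesters now handle.
OBFUSCATION = [
    (re.compile(r"\s*[\[(]\s*at\s*[\])]\s*", re.I), "@"),
    (re.compile(r"\s*[\[(]\s*dot\s*[\])]\s*", re.I), "."),
]


def parse_config(text):
    """Return {"TargetFile": [...], "TargetDomain": [...], "BlackList": [...]}.

    A line of the form Key=a;b;c; starts a list; a line without a key is a
    continuation of the previous list. Entries are lower-cased and de-duplicated.
    """
    lists = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_LINE.match(line)
        if m:
            current, rest = m.group(1), m.group(2)
            lists.setdefault(current, [])
        elif current is None:
            continue  # continuation text before any key: ignore
        else:
            rest = line
        for item in rest.split(";"):
            item = item.strip().lower()
            if item and item not in lists[current]:
                lists[current].append(item)
    return lists


def normalize(addr):
    """Lower-case the address and undo [at]/(at)/[dot]/(dot) obfuscation."""
    addr = addr.strip().lower()
    for pat, rep in OBFUSCATION:
        addr = pat.sub(rep, addr)
    return addr


def is_target_file(path, cfg):
    """True if the file's extension is listed in TargetFile."""
    name = path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in cfg.get("TargetFile", [])


def is_target_domain(addr, cfg):
    """True if the address' top-level domain is listed in TargetDomain."""
    domain = addr.rsplit("@", 1)[-1]
    tld = domain.rsplit(".", 1)[-1] if "." in domain else ""
    return tld in cfg.get("TargetDomain", [])


def blacklist_hit(addr, cfg):
    """Return the first BlackList entry found in the address, else None.

    Assumption: entries match as plain case-insensitive substrings, so
    '@hotmail' hits any hotmail address and '.gov' hits any .gov address.
    """
    for entry in cfg.get("BlackList", []):
        if entry in addr:
            return entry
    return None


def would_harvest(addr, path, cfg):
    """Would this harvester keep `addr`, found in the file `path`?"""
    addr = normalize(addr)
    return (is_target_file(path, cfg)
            and is_target_domain(addr, cfg)
            and blacklist_hit(addr, cfg) is None)


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for addr, path in [("john.smith@somecorp.de", "staff.html"),
                       ("info@somecorp.de", "staff.html"),
                       ("jane [at] kaspersky [dot] de", "staff.html"),
                       ("alice@somecorp.jp", "staff.html")]:
        print(addr, "->", "harvested" if would_harvest(addr, path, cfg) else "skipped")
```

Run against the full configuration from the post, the same functions show which of your published trap addresses the harvester would drop before they ever reach a spammer's list.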

Here are some more comments I recently made on Spamonomics. Spammers' attitude mostly has to do with the "Busyness vs Business" factor of productivity: their business model is broken, but they just keep on sending without knowing it.

The Life of a Security Threat

January 15, 2007
Eye-catching streaming video courtesy of iDefense. In the past, iDefense got a lot of publicity due to their outstanding cyber intelligence capabilities and quality reports, among which my favorite is the one providing complete coverage of the China vs U.S cyberwar over the captured AWACS, in case you remember. VeriSign, perhaps the last vendor you would think of, purchased the company with the idea of diversifying its portfolio of services and further expanding its market propositions; if critical infrastructure is what they manage, an IDS signature when there's no patch available, and won't be even by next Patch Tuesday, is an invaluable and proactive approach to protecting a company's assets. Recently, iDefense offered another bounty on zero day vulnerabilities in Vista and IE7, but considering that Windows Vista is still not adopted on a large corporate and end user scale the way XP is, a zero day exploit for Windows XP must have a higher valuation than a Windows Vista one. Proving Vista is insecure and iDefense taking the credit for it, though, is a strategic business move rather than a move aiming to improve the overall security of their customers -- if only iDefense could purchase all the exploits from the Month of the X Bugs initiatives. Moreover, a Vista zero day exploit was available for sale. Feel the hype-meter about to explode. Think malicious attackers. Would someone pay $50,000 for an exploit of an OS whose adoption by corporate and home users continues to spark debates, while IE6 zero days are offered for between $1000 and $2000?

At the time of blogging, there are numerous zero day vulnerabilities for sale out there; this commercialization of vulnerability research directly created the -- thankfully -- still not centralized underground market for vulnerabilities by adding more value to what's a commodity from my point of view. Here's complete coverage of how the WMF vulnerability got purchased for $4000, in case you want to deepen your knowledge of the topic.

Security Lifestyle(S)

January 13, 2007
If Security is a state of mind, then so is brand loyalty.

Head Mounted Surveillance System

January 11, 2007
It's so cheap and affordable that even you can add it to your wish list:

"The new DV ProFusion is a cost effective alternative to the DV Pro. It is a lightweight, mobile, body worn video and audio solution. DV ProFusion has a built in screen allowing for live viewing and instant playback. DV ProFusion is available in either 30GB hard drive capacity, which provides up to 100 hours of video or 100GB offering 450 hours of video, depending on sampling bit rate. DV ProFusion enables the user to keep both hands free whilst recording exactly what they see and hear themselves. DV ProFusion is specifically designed to work with a number of optional accessories, including an extendable pole and additional lens options."

While it's a very innovative idea, in five years the current models will look like the brick-sized Motorola cell phones you all know. I like the idea of storing the footage in the device rather than relaying it over the air, which makes me think of several scenarios for possible abuse or DoS attacks. In case you haven't heard, public CCTV cameras are getting a boost with built-in speakers, so perhaps at a later stage it would come to someone's mind to include a speaker on the other side of the head too. Two clips to see it in action.

Transferring Sensitive Military Technology

January 11, 2007
Busted:

"China on Tuesday condemned US sanctions imposed last week on three Chinese companies for allegedly selling banned weapons to Iran and Syria, calling the accusations "totally groundless". "We strongly oppose this and demand the US side correct this erroneous action," foreign ministry spokesman Liu Jianchao said at a regular press conference. The Chinese firms are among 24 foreign entities from several countries hit with the sanctions, invoked under the 2005 Iran and Syria Nonproliferation Act."

Follow the connection: the U.S is doing business with the Chinese companies, who leak it to Iran and Syria, who leak it to Hezbollah or pretty much everyone at the bottom of the food chain.

More comments - "Foreign Intelligence Services and U.S Technology Espionage" and "Hezbollah's use of Unmanned Aerial Vehicles - UAVs".

Artillery Rockets image courtesy of Globalsecurity.org

It's all About the Vision and the Courage to Execute it

January 10, 2007
Great article on China's blogging market and the never-ending censorship saga. Meet Fang Xingdong, a banned journalist who decided to beat them by playing their own game; do the math yourself. While heading China's Bokee, with 14 million bloggers and more than 10,000 new ones every day, he's appointed only 10 people to monitor the blogs:

"Of course, the authorities did not allow a completely wide-open system. Censorship is still practised, even at Mr. Fang's company. Among his 80 employees are 10 people who comb through the blogs every day, deleting anything deemed to be obscene or politically unacceptable. He hopes that the Chinese blogosphere will become self-regulating. "If it's more orderly, there will be less pressure on us," he says. "I think a blog should have a basic foundation of morality and law. I compare it to a person's home."

If I were in China, I'd register on his network.

Preventing a Massive al-Qaeda Cyber Attack

January 10, 2007
From the unpragmatic department:

"Colarik proposes "a league of cyber communities." The world's 20 largest economies would sign a treaty vowing to manage their own country's cyber activities. Member states would then deny traffic to any nation that refuses to crack down on cyber terrorists."

No, he really means it, totally forgetting how a huge percentage of terrorist-related web sites are hosted in the U.S. Here's the latest example. It gets even more shortsighted:

"Al-Qaeda also publishes a monthly magazine devoted to cyber-terrorism techniques."

If installing VMware and PGP Whole Disk Encryption is a cyber-terrorism technique, we're all cyber terrorists without the radical mode of thinking and the Quran on the bookshelf.

Eyes in London's Sky - Surveillance Poster

January 10, 2007
Alcohol's bad, drugs are bad, surveillance is good for protecting you from the insecurities we made you paranoid of, and so are police officers equipped with head-mounted surveillance cams. Sure, but consider the social implications too. London may be one of the most important business centers in Europe -- next to Frankfurt and Rotterdam -- but I'm so not looking forward to living in what's turning into a synonym for 1984.