Banking Trojan Defeating Virtual Keyboards

September 19, 2006
The folks behind VirusTotal have just released an analysis and an associated video of a trojan that records video of the infected end user's login session, thus bypassing the virtual keyboards many banks started providing in order to fight keyloggers.

"Today we will analyze a new banking trojan that is a qualitative step forward in the dangerousness of these specimens and a new turn of the screw in the techniques used to defeat virtual keyboards. The novelty of this trojan lies in its capacity to generate a video clip that stores all the activity onscreen while the user is authenticating to access his electronic bank.

The video clip covers only a small portion of the screen, using the cursor as reference, but it is large enough so that the attacker can watch the legitimate user's movements and typing when using the virtual keyboard, so that he gets the username and password without going into further trouble. It would obviously place a heavy burden on the resources of the computer to capture the complete screen, both when generating the video clip as well as sending it to the attacker. The main reason for doing only a small portion of the screen referenced to the cursor is that the trojan guarantees the speed of the capture to show all the sequence and activity with the virtual keyboard seamlessly."

Anything you type can be keylogged, but generating videos of possibly hundreds of infected users would have a negative effect on the malware author's productivity, which is good news, at least for now. Follow my thoughts: the majority of virtual keyboards have static window names and static positions, so the mouse tends to move over the same X and Y coordinates, and a little research on the most targeted bank sites would reveal a pattern, one that should be randomized as much as possible. The trouble is that the majority of phishing attacks still rely on the banks' own static image locations, which should have been randomized long ago as well.
OPIE (one-time password) authentication, flagging suspicious activity based on geolocation anomalies, and a transparent process for the customer -- please disturb me with an SMS every time money goes out -- remain underdeveloped for the time being. You might find Candid Wüest's research "Phishing in the Middle of the Stream" - Today's Threats to Online Banking informative reading on the rest of the issues to keep in mind.
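To make the randomization argument concrete, here is an added example (not code from the original post or from VirusTotal) modelling a bank's virtual PIN pad the way it should be built: the server draws a fresh layout per session and the browser only submits the slot indices that were clicked. The two attacker functions then show why this stops a click/coordinate logger but does nothing against the cursor-video trojan described above. The digits-only alphabet and the class and function names are assumptions made for the illustration.

```python
import secrets
from typing import List, Optional, Sequence

# Hypothetical PIN pad: digits only, as on many bank login pages (assumption).
ALPHABET = "0123456789"


class KeypadSession:
    """Server-side state for one login attempt.

    The server draws a fresh random layout per session and renders it; the
    browser only ever submits the slot indices the user clicked, so the
    slot -> digit mapping never leaves the server.  A fixed layout can be
    passed in for testing.
    """

    def __init__(self, layout: Optional[Sequence[str]] = None):
        if layout is None:
            slots = list(ALPHABET)
            secrets.SystemRandom().shuffle(slots)   # CSPRNG, not random.shuffle()
            layout = slots
        if sorted(layout) != sorted(ALPHABET):
            raise ValueError("layout must be a permutation of the alphabet")
        self.layout: List[str] = list(layout)       # slot index -> digit shown there

    def clicks_for(self, pin: str) -> List[int]:
        """What a legitimate user does: click the slot currently showing each digit."""
        return [self.layout.index(d) for d in pin]

    def resolve(self, clicked_slots: Sequence[int]) -> str:
        """Server side: map submitted slot indices back to the PIN."""
        return "".join(self.layout[i] for i in clicked_slots)


# --- the two attacker models discussed in the post ---------------------------

def coordinate_logger_replay(victim: KeypadSession, pin: str,
                             attacker: KeypadSession) -> str:
    """A click/coordinate logger records *where* the victim clicked and replays
    those positions in the attacker's own session.  With a per-session layout
    the same positions resolve to different digits, so the replay fails."""
    recorded_slots = victim.clicks_for(pin)
    return attacker.resolve(recorded_slots)


def cursor_video_capture(victim: KeypadSession, pin: str) -> str:
    """The VirusTotal trojan records the screen region around the cursor at
    each click, i.e. it sees the digit *label* under the cursor.  The layout
    permutation is irrelevant to it and the PIN is recovered directly."""
    return "".join(victim.layout[slot] for slot in victim.clicks_for(pin))


if __name__ == "__main__":
    pin = "4711"
    victim_session, attacker_session = KeypadSession(), KeypadSession()
    print("layout seen by victim :", "".join(victim_session.layout))
    print("coordinate replay     :", coordinate_logger_replay(victim_session, pin, attacker_session))
    print("cursor video capture  :", cursor_video_capture(victim_session, pin))
```

A per-session permutation is the server-side half of the randomization the post asks for; it only raises the bar against loggers that record positions, which is exactly why a trojan that records what is under the cursor sidesteps it.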

No Anti Virus Software, No E-banking for You, or are Projection Keyboards an alternative?

Results of the Cyber Storm Exercise

September 18, 2006
The Cyber Storm exercise conducted in January "simulated a sophisticated cyber attack campaign through a series of scenarios directed at several critical infrastructure sectors. The intent of these scenarios was to highlight the interconnectedness of cyber systems with physical infrastructure and to exercise coordination and communication between the public and private sectors. Each scenario was developed with the assistance of industry experts and was executed in a closed and secure environment. Cyber Storm scenarios had three major adversarial objectives:

- To disrupt specifically targeted critical infrastructure through cyber attacks
- To hinder the governments' ability to respond to the cyber attacks
- To undermine public confidence in the governments' ability to provide and protect services"

It seems the results of the exercise are already available, and the major findings relate to:

- Interagency Coordination
- Contingency Planning, Risk Assessment, and Roles and Responsibilities
- Correlation of Multiple Incidents between Public and Private Sectors
- Training and Exercise Program
- Coordination Between Entities of Cyber Incidents
- Common Framework for Response and Information Access
- Strategic Communications and Public Relations Plan
- Improvement of Processes, Tools and Technology

Frontal attacks would rarely occur, as cyberterrorism by itself wouldn't need to attack the critical infrastructure head-on; it would abuse it and use it as a platform. However, building confidence among the departments involved is as important as making them actually communicate with each other.

Go through a previous post on the Biggest Military Hacks of All Time in case you're interested in knowing more about specific cases of both direct and indirect attacks.

Examining Internet Privacy Policies

September 18, 2006
Accountability, public commitment, or copywriters charging per word: privacy policies are often taken for fully enforced ones, whereas the truth is that no one is actually reading them, let alone bothering to assess them. And why would you, when by the time you've finished you'll again have no choice but to accept them in order to use the service in question -- too much personal and sensitive identifying information is what I hear ticking. That's of course the privacy-conscious perspective, and to me security is a matter of viewpoint; the way you perceive it beyond the basics is the way you're going to implement it -- Identity 2.0 as a single sign-on Web is slowly emerging as the real beast. The marketing perspective offers unprecedented and fresh data whose value may be the next big project; balance is the key.

Here's an interesting paper, "Examining Internet Privacy Policies Within the Context of User Privacy Values":

"In this paper, we present research bridging the gap between management and software requirements engineering. We address three research questions. 1) What are the most stringently regulated organizations (health care related organizations including health insurance, pharmaceutical, and drugstores) saying in their privacy policy statements? 2) What do consumers value regarding information privacy? 3) Do the privacy policy statements provide the information that consumers want to know?

Results from this study can help managers determine the kinds of policies needed to both satisfy user values and ensure privacy-aware website development efforts. This paper is organized as follows. First, we discuss relevant research on privacy, policy analysis, and software requirements engineering. Next, we cover the research methodologies of content analysis and survey development, and then the survey results. Finally, we discuss the results and implications of this work for privacy managers and software project managers."

The only time privacy policies get read is when a leak like AOL's happens, and mostly for historical purposes. Where's the real value, not the perceived one? Don't stop at responsibly generating privacy policies; consider preemptively appointing a chief privacy officer, thus committing yourself to valuing your users' privacy and having a strategy in mind.

Related resources:
Privacy
Snooping on Historical Click Streams
A Comparison of US and European Privacy Practices

Cyber Intelligence - CYBERINT

September 18, 2006
HUMINT, SIGINT, TECHINT: all concepts for gathering intelligence and supporting decision makers on emerging trends, invaluable by their own definitions, yet useless if not coordinated towards the ultimate objective. Cyberspace is so much more than a social phenomenon or the playground of countless pseudo-personalities. Info-warriors and analysts are realizing that cyberspace is becoming so dispersed and versatile that a separate practice of Cyber Intelligence is necessary to proactively respond to emerging players, threats, and tactics -- and to always be a step ahead in developing new capabilities. Virtual situational awareness is as important to intelligence analysts as it is to security professionals wanting to remain competitive.

What is Cyber Intelligence, or intelligence analysis for Internet security? Can we model it, and how long would the model survive before what used to be static turns into a sneaky variable, knowing its practices have been exposed? What would the ultimate goal of CYBERINT be? To map the bad neighborhoods and keep an eye on them, to profile the think-tanks and assess their capabilities and background motivations for possible recruitment? Or to secure cyberspace, no matter how megalomaniac it may sound, or basically to acquire know-how to be used in future real-life or cyber conflicts?

Intelligence Analysis for Internet Security proposes an intelligence model for the development of an overall systems security model; here's an excerpt:

"Obtaining prior knowledge of both threats and vulnerabilities – as well as sensitivity to possible opportunities to exploit the vulnerabilities - is essential. Intelligence analysis, of course, operates at different levels, ranging from the specific to the general, and from short-term incidents and operations to long term patterns and challenges. Each form or level of analysis is crucial, and complements and supplements the others. Nevertheless, it is important to distinguish them from one another and to be clear at which level the activities are taking place. It is also important to recognize that the most critical insights will be obtained from fusion efforts that combine these different levels. The several complementary levels of intelligence analysis are strategic analysis, tactical analysis and operational analysis. In practice, these categories shade into each other and are not always sharply differentiated, and differing definitions for these terms exist in the intelligence community. Nevertheless, they offer a useful framework within which intelligence tasks and requirements can initially be delineated."

A very informative and relevant paper emphasizing strategic intelligence analysis, tactical intelligence analysis, operational intelligence analysis, and how cyber intelligence intersects with traditional approaches.

What's the core of CYBERINT?

- the maturing concept of cyberterrorism, propaganda and communications online, and thus huge amounts of data to be aggregated and analyzed
- an early warning system for new attack tools: their ease of use, availability, ability to be tracked down, and level of sophistication
- offensive CYBERINT, perhaps the most interesting and aggressive approach, and one I consider fully realistic nowadays: operational initiatives such as nation-wide pen testing, OS and IP space mapping for instant exploitation, segmented economic espionage attacks -- IP theft worms achieving efficiency -- passive Google hacking and reconnaissance, tensions engineering, and the zero-day vulnerabilities arms race

Outsourcing to objective providers of intelligence and threat data should also be considered, but then again it's just a tiny portion of what can actually be achieved if a cross-functional team acts upon a common goal: to be a step ahead of tomorrow's events, and to pleasantly go through threat analysis conducted a year ago that predicted and responded to them.

If you don't have enemies, it means you're living in a world of idleness, the more they are, the more important is what you're up to.

Related resources and posts:
Information Warfare
Cyberterrorism
Intelligence
Benefits of Open Source Intelligence - OSINT

Leaked Unmanned Aerial Vehicle Photo of Taliban Militants

September 18, 2006
A missed shot from a Predator drone due to moral concerns -- a remarkable move, and one visionary enough not to provoke another media fiasco of killed civilians for the sake of killing alleged militants. "U.S. Military Investigates Leaked Photo":

"The grainy black and white photo shows what NBC says are some 190 Taliban militants standing in several rows near a vehicle in an open area of land. Gunsight-like brackets were positioned over the group in the photo. NBC quoted one Army officer who was involved with the spy mission as saying "we were so excited" that the group had been spotted and was in the sights of a U.S. drone. But the network quoted the officer, who was not identified, as saying that frustration soon set in after the officers realized they couldn't bomb the funeral under the military's rules of engagement."

Hezbollah are also known to be capable of operating drones, as well as for their "window-shopping" purchasing capabilities for night vision gear, but how come? Politically independent parties whose revenues are generated by their ability to be totally neutral and, of course, by tactics for bypassing gear embargoes.

However, it would be naive to assume everyone is as rational as you are, as it's a rather common practice for various military forces to set up their bases near highly populated areas, schools and hospitals. Insider leaks like these show certain weaknesses, namely operatives with access to information whose significance has slightly devalued, so why not generate some buzz on the findings.

Naturally, the Pentagon is taking measures to limit the potential of yet another media fiasco, taking into consideration the growing use of gadgets in the military. Moreover, having realized the power of OSINT, an information security/web site alert was issued during August on what can't be posted on .mil sites.

Predator UAV image of Serbian fighters surrendering in Kosovo, courtesy of Military Intelligence Satellites.

Internet PSYOPS - Psychological Operations

September 14, 2006
Psychological operations, or PSYOPS, are an indirect use of information warfare methods to deceive, shape and influence the behavior and attitude of a targeted audience -- military marketers with greater access to resources and know-how. The Internet, acting as a global-reaching, cost-effective platform for disseminating a message, rumor, lie or piece of inside information, is directly influencing the evolution of the concept.

You may find this research, conducted back in 2001, still relevant on the basics of psychological operations and propaganda online. A brief summary of The Internet and Psychological Operations:

"As an information medium and vehicle of influence, the Internet is a powerful tool, in both open societies as well as in those whose only glimpse of the outside world is increasingly viewed and shaped through webpages, E-mail, and electronic chat rooms. Moreover, the sword cuts both ways, as unconstrained (legally, socially, politically) adversaries find the Internet an effective vehicle for influencing popular support for their cause or inciting the opposite against the U.S. or its interests. Consequently, the realm of military psychological operations (PSYOP) must be expanded to include the Internet. Just as obvious is the need for action to remove or update current policy and legal constraints on the use of the Internet by military PSYOP forces, allowing them to embrace the full range of media, so that the U.S. will not be placed at a disadvantage. Although current international law restricts many aspects of PSYOP either through ambiguity or noncurrency, there is ample legal room for both the U.S. and others to conduct PSYOP using modern technology and media such as the Internet. Existing policy and legal restrictions, however, must be changed, allowing military PSYOP forces to both defend and counter adversarial disinformation and propaganda attacks which impact on the achievement of military objectives. By examining this issue, I hope to highlight the importance of the Internet for PSYOP and foment further discussion."

Undoubtedly, the Abu Ghraib fiasco is among the most relevant cases of unintentional PSYOPS in reverse, where the leak's echo effect will continue to spell skepticism towards what democracy really is. And while there are indeed legal issues to consider when using such operations, what is legal and illegal in times of war is questionable.

Some basic examples:
- your web sites spread your enemies' messages
- SMS messages and your voice mail say you're about to lose the war
- your fancy military email account is inaccessible due to info-warriors utilizing the power of the masses, i.e. script kiddies, to distract attention
- you gain participation, thus support
- you feel like Johnny Mnemonic taking the elevator to pick up the 320 GB of R&D data when a guerrilla info-warrior appears on the screen and wakes you up to your current stage of brainwashing
- starting from the basics: the only way to ruin a socialist type of government is to introduce its citizens to the joys of capitalism -- it always works
- hacktivism - traffic acquisition plus undermining confidence
- propaganda - North Korea is quite experienced
- self-serving news items, commissioned ones
- achieving Internet echo as a primary objective
- introducing biased exclusiveness
- stating primary objectives as facts that have already happened
- impersonation

The evolution of online PSYOPS is on its way and is actively utilized by both adversaries, and everyone in between; it's entirely up to you to be either objective, or painfully subjective.

Prosecuting Defectors and Appointing Insiders

September 13, 2006
In the year 2006, those who control Russia's energy reserves control a huge portion of the world's energy market -- renewable energy is the future. And as you can imagine they're for sure not controlled by some newly born Russian millionaires -- a great benchmark for how vibrant a country's economy, or its level of corruption, really is. It seems the long-term effects of a planned economy are still a political doctrine, and the invisible hand of the market is still too short to reach into the Russian energy sector, as the Russian intelligence chief's son has been named adviser to the oil company's chairman:

"A son of the head of Russia's main intelligence agency has been named an adviser to the chairman of state oil company OAO Rosneft, the daily newspaper Kommersant reported Wednesday, citing an unidentified source on Rosneft's board of directors. Andrei Patrushev, the 25-year-old son of Federal Security Service (FSB) director Nikolai Patrushev, had previously been an FSB official himself, working in the department that keeps tabs on the Russian oil industry, according to Kommersant."

The courage to rise above shown by Mikhail Khodorkovsky has its own butterfly effect, and an easily predictable one. Here's a Google bomb for you -- it means enemy of the people. Here's another. Враг народа or a vivid protectionist?

Malware on Diebold Voting Machines

September 13, 2006
Continuing the previous post on "How to Win the U.S Elections", it seems malware is indeed Diebold voting machine compatible -- related videos.

The main findings of the study are:

- Malicious software running on a single voting machine can steal votes with little if any risk of detection. The malicious software can modify all of the records, audit logs, and counters kept by the voting machine, so that even careful forensic examination of these records will find nothing amiss. We have constructed demonstration software that carries out this vote-stealing attack.

- Anyone who has physical access to a voting machine, or to a memory card that will later be inserted into a machine, can install said malicious software using a simple method that takes as little as one minute. In practice, poll workers and others often have unsupervised access to the machines.

- AccuVote-TS machines are susceptible to voting-machine viruses — computer viruses that can spread malicious software automatically and invisibly from machine to machine during normal pre- and post-election activity. We have constructed a demonstration virus that spreads in this way, installing our demonstration vote-stealing program on every machine it infects.

- While some of these problems can be eliminated by improving Diebold's software, others cannot be remedied without replacing the machines' hardware. Changes to election procedures would also be required to ensure security.


IP-enabled, Windows-running ATMs with anti-virus, IPv6-enabled fridges with anti-virus, smart phones with anti-virus, PlayStations with anti-virus, birds as early warning systems for an epidemic, so where's my signature, dude?

Vulnerabilities in Emergency SMS Broadcasting

September 13, 2006
There's been a recent test of emergency cell phone alerts in the Netherlands -- the original article was here -- and while broadcasting supposedly reaches the largest number of people in the surrounding area, timing and countless other factors also matter:

"Cell phones throughout a downtown hotel beeped simultaneously Tuesday with an alert: there is a suspicious package in the building. It was a drill, run by Dutch authorities testing an emergency "cell broadcasting" system that sends a text message to every mobile phone in a defined area. Representatives from 21 national governments, New York City and the U.S. Federal Emergency Management Agency, or FEMA, watched the signal go out to cell phones throughout the Sofitel hotel in Amsterdam. About half the people in the building then followed instructions and evacuated. "We want to see what worked and what didn't," said David Webb, of FEMA's Urban Search and Rescue Program. "The EU (European Union) is really leading the way with this technology."

What if:

- Even if key emergency personnel were to use a separate communication network, radio for instance, broadcasting to anyone who accepts could result in significant delays, and even though the message is sent, it doesn't mean it would take advantage of the momentum

- cell phone jammers are often used by hotels to preserve the unique atmosphere and undisturbed conference meetings, which can prove contradictory, setting aside the possibility that the parties supposedly plotting the attack use one themselves

- despite the fact that one in five will pick up their mobile during sex, how many obsessively check for newly arrived SMS messages?

- how would a tourist know how to successfully authenticate the local authorities in the first place? In case of emergencies watch out for an SMS from 010101 -- now I assume you know how easily I can SMS you from the same number and impersonate it

- what should the user be most aware of: mobile malware, SMSishing, or "call this 0 900 number or else I won't tell you where the attack is" type of messages?

- from a multilingual point of view, will it be using English by default, and how many would still be enjoying their meals while everyone's leaving?

Great idea, but it may prove challenging to evaluate the actual results in a timely manner. Sent doesn't mean received, read on time, or even acted upon.

Recommended reading:
SMS disaster alert and warning systems - don't do it !
Revisiting SMS during Disasters
Concept Paper on Emergency Communications during Natural Disasters
Exploiting Open Functionality in SMS- Capable Cellular Networks
The Role of Mobiles in Disasters and Emergencies

Testing Intrusion Prevention Systems

September 13, 2006
Informative test results for various IPSs such as the Juniper IDP 200, Cisco IPS 4240, eSoft ThreatWall 200, ForeScout ActiveScout 100, and McAfee IntruShield 2700.

Here's how they tested:

"In order to create a base environment in which to compare the different appliances, we set up a single system within our test network to be the target of Core Impact’s simulated attacks. We chose a system running the most vulnerable operating system we could think of—Windows 2000 Service Pack 2 with no additional service packs or security updates. We temporarily opened the channels on the test network’s firewall and installed Core Impact on a system outside the network. We then proceeded to detect and “attack” the Windows 2000 system to identify its vulnerabilities. Of the hundreds of attack modules available, we picked 85 of the most applicable. Knowing how our target system was vulnerable and the attacks we could launch against it, we connected each IPS in turn according to its recommended configuration. We then allowed each IPS to function in a real-world network environment for a day or more. Eventually we rebooted the Windows 2000 machine and ran Core Impact to simulate a barrage of intrusions. Finally, we adjusted the security profiles of each IPS and ran the tests one more time. The result was a complete picture of how effective each IPS was at preventing attacks—both out of the box and after fine-tuning. The good news is, we were able to tweak each IPS to completely shut down the Core Impact attacks."

There are, however, hidden costs related to IPSs, namely increased maintenance and reconfiguration time and a possible decline in productivity. The key is understanding the pros and cons of your solution, educating the masses of users, and running a departmental rather than a company-wide enforcement in the first place as far as host-based IPS is concerned. A network-based IPS's sensitivity is proportional to the number of false alerts it generates, so figure out how to balance and adapt the solution to your network.

Suspicious system behaviour is such an open-ended term for the majority of end users; keep that in mind whatever you do when dealing with HIPS. And do your homework, of course.

Google Anti-Phishing Black and White Lists

September 13, 2006
Can the world's most effective search engine manage to keep questionable sites out of its users' search results? It seems its toolbar users are also warned about such sites. Google for sure has the widest and most recent snapshot of the Web to draw conclusions from, and it seems that starting from the basics of keeping a black and white list of questionable sites/URLs is still taken into consideration. Googling Google proves handy sometimes and you can stumble upon interesting findings such as Google's Black -- cache version -- and White lists of phishing and possibly fraudulent sites -- there's still a cached version of the White list available, and the white domains as well.

As I often say, the host trying to 6667 its way out of the network today will be the one sending phishing and spam mails tomorrow, so in order to verify I took a random blacklisted host such as http://219.255.134.12/fdic.gov/index.html.html and decided to first test it at TrustedSource, and of course at SORBS, to logically figure out that the host has indeed been:

"Spam Sending Trojan or Proxy attempted to send mail from/to from= to="

What's ruining the effect of black and white lists? With today's modular malware -- and DIY phishing toolkits -- the list of IPs currently hosting phishing sites can become a time-consuming effort to keep track of; namely, black lists can sometimes be rendered useless given how malware-infected hosts increasingly act as spamming, phishing, and botnet-participating ones. If ISPs were given the incentives, or were obliged, to take common sense approaches for dealing with malware-infected hosts, it would make a difference. As far as the white lists are concerned, XSS vulnerabilities on the majority of top domains and browser-specific vulnerabilities make their impact, but most of all, it's a far more complex issue than black and white only.
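As an added example that is not part of the original post, here is the kind of check described above written out in Python: the two tells in the sample URL (a bare IP as host, a brand domain buried in the path), the reversed-octet DNSBL query in the form SORBS and similar lists expect, and the "6667 its way out" egress heuristic run over a few constructed firewall log lines. The resolver is injectable so the block runs offline against a constructed answer; the brand list, the log format and the DNSBL answer for the sample host are all assumptions, not recorded data.

```python
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional, Set
from urllib.parse import urlsplit

# Brand strings whose presence in the *path* of a URL served from a bare IP is a
# classic phishing tell.  Constructed list for the example; a real deployment
# would load the targeted brands from a feed.
BRAND_TOKENS = ("fdic.gov", "paypal", "ebay", "bankofamerica")


def parse_phish_url(url: str) -> Dict[str, object]:
    """Report the two signals present in the post's sample URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        ip_literal = True
    except ValueError:
        ip_literal = False
    path = parts.path.lower()
    brands: List[str] = [b for b in BRAND_TOKENS if b in path]
    return {
        "host": host,
        "ip_literal": ip_literal,
        "brands_in_path": brands,
        "suspicious": ip_literal and bool(brands),
    }


def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNSBL convention: reverse the octets of the IPv4 address, append the zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


Resolver = Callable[[str], Optional[str]]


def live_resolver(name: str) -> Optional[str]:
    """Real DNS: a listed address answers with an A record in 127.0.0.0/8,
    an unlisted one gets NXDOMAIN (surfaces here as None)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_listed(ip: str, zone: str, resolver: Resolver = live_resolver) -> bool:
    answer = resolver(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


# Offline stand-in for DNS so the example runs without network access.  The
# answer for the post's sample host is constructed, not a recorded SORBS reply.
FAKE_DNS = {"12.134.255.219.dnsbl.sorbs.net": "127.0.0.6"}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)


# --- "the host 6667-ing its way out today ..." --------------------------------
IRC_PORTS = {6667}
FW_LINE = re.compile(r"(\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)")

# Constructed firewall log lines in a hypothetical format.
SAMPLE_FW_LOG = """\
2006-09-13 10:01:02 ALLOW TCP 10.0.0.5:4321 -> 203.0.113.9:6667
2006-09-13 10:01:05 ALLOW TCP 10.0.0.7:4322 -> 203.0.113.10:80
2006-09-13 10:02:11 DENY  TCP 10.0.0.5:4325 -> 203.0.113.11:6667
2006-09-13 10:03:40 ALLOW TCP 10.0.0.9:4330 -> 203.0.113.12:443
"""


def irc_egress_hosts(log_text: str) -> Set[str]:
    """Internal sources that tried to reach an IRC port, allowed or denied:
    a denied attempt is still a bot looking for its C&C."""
    hosts: Set[str] = set()
    for line in log_text.splitlines():
        m = FW_LINE.search(line)
        if m and int(m.group(3)) in IRC_PORTS:
            hosts.add(m.group(1))
    return hosts


if __name__ == "__main__":
    url = "http://219.255.134.12/fdic.gov/index.html.html"
    print(parse_phish_url(url))
    print(dnsbl_query_name("219.255.134.12", "dnsbl.sorbs.net"))
    print("listed (offline stand-in):", dnsbl_listed("219.255.134.12", "dnsbl.sorbs.net", fake_resolver))
    print("IRC egress:", irc_egress_hosts(SAMPLE_FW_LOG))
```

Swap `fake_resolver` for `live_resolver` to query a real list; note that DNSBLs return different 127.0.0.x codes per sub-list, so a production check should map the code to the list's documented meaning rather than treating any answer as "spam source".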

Another recent and free initiative I came across is the Real-Time Phishing Sites Monitor, which may prove useful to everyone interested in syndicating their findings.

Third-party anti-phishing toolbars, as well as anti-phishing features built into popular toolbars, are not a panacea for dealing with phishing attacks. A combination of them and user awareness, thus a less gullible user, is the way.

Visualizing Enron's Email Communications

September 12, 2006
In a previous post, "There You Go With Your Financial Performance Transparency", I mentioned the release of Enron's email communications between 2000 and 2002, mind you, by Enron's ex-risk management provider. Continuing the series of resourceful posts on visualizing terrorists, intelligence data sharing, security and new media, here's Jeffrey Heer's visual data mining of a sample of Enron's email communications:

"Using the Enron e-mail archive as a motivating dataset, we are attempting the marriage of visual and algorithmic analyses of e-mail archives within an exploratory data analysis environment. The intent is to leverage the characteristic strengths of both man and machine for unearthing insight. Below are a few sketches from a preliminary exploration into the design space of such tools."

And here's how he visualized the social network, an invaluable "big picture".
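The algorithmic half of that marriage is easy to sketch. As an added example (not Heer's code, and not taken from the Enron archive), the block below turns a handful of constructed RFC 822 messages into a weighted sender-to-recipient graph, ranks people by how many distinct counterparts they mail and are mailed by, and emits Graphviz DOT for the picture. The addresses and message contents are made up for the illustration.

```python
import email
from collections import Counter, defaultdict
from email.message import Message
from email.utils import getaddresses
from typing import Dict, Iterable, List, Set, Tuple

# Constructed RFC 822 messages standing in for an archive; not Enron corpus text.
SAMPLE_MESSAGES = [
    "From: alice@example.com\nTo: bob@example.com, carol@example.com\nSubject: q3 numbers\n\nsee attached\n",
    "From: Alice <alice@example.com>\nTo: bob@example.com\nCc: dave@example.com\nSubject: re: q3\n\nping\n",
    "From: bob@example.com\nTo: alice@example.com\nSubject: re: q3\n\nlooking\n",
    "From: carol@example.com\nTo: alice@example.com\nCc: Bob <bob@example.com>\nSubject: lunch\n\n?\n",
]


def _addrs(msg: Message, *headers: str) -> List[str]:
    """Lower-cased addresses from the given headers, display names stripped."""
    values = [v for v in (msg.get(h) for h in headers) if v]
    return [addr.lower() for _, addr in getaddresses(values) if addr]


def edges_from_messages(raw_messages: Iterable[str]) -> Counter:
    """Weighted directed edges sender -> recipient over the To and Cc headers."""
    edges: Counter = Counter()
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        senders = _addrs(msg, "From")
        if not senders:
            continue
        sender = senders[0]
        for rcpt in _addrs(msg, "To", "Cc"):
            if rcpt != sender:                      # ignore self-mail
                edges[(sender, rcpt)] += 1
    return edges


def degree_centrality(edges: Counter) -> Dict[str, Tuple[int, int]]:
    """(out-degree, in-degree) in distinct counterparts: the quick way to find
    the hubs an analyst would zoom in on first."""
    out_d: Dict[str, Set[str]] = defaultdict(set)
    in_d: Dict[str, Set[str]] = defaultdict(set)
    for sender, rcpt in edges:
        out_d[sender].add(rcpt)
        in_d[rcpt].add(sender)
    nodes = set(out_d) | set(in_d)
    return {n: (len(out_d[n]), len(in_d[n])) for n in nodes}


def to_dot(edges: Counter) -> str:
    """Graphviz DOT with edge weights as labels; pipe into `dot -Tpng`."""
    lines = ["digraph mail {"]
    for (sender, rcpt), weight in sorted(edges.items()):
        lines.append(f'  "{sender}" -> "{rcpt}" [label={weight}];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    g = edges_from_messages(SAMPLE_MESSAGES)
    ranked = sorted(degree_centrality(g).items(),
                    key=lambda kv: -(kv[1][0] + kv[1][1]))
    for person, (out_deg, in_deg) in ranked:
        print(f"{person:20s} out={out_deg} in={in_deg}")
    print(to_dot(g))
```

On a real archive the interesting step is the one this skips: thresholding edge weights and time-slicing the corpus so the picture shows who talked to whom in a given quarter rather than one hairball.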

Secret CIA Prisons

September 11, 2006
It's official, there are indeed (publicly) secret CIA prisons, and a public commitment towards improvement:

"All suspects will now be treated under new guidelines issued by the Pentagon on Wednesday, which bring all military detainees under the protection of the Geneva Convention. The move marks a reversal in policy for the Pentagon, which previously argued that many detainees were unlawful combatants who did not qualify for such protections. The new guidelines forbid all torture, the use of dogs to intimidate prisoners, water boarding - the practice of submerging prisoners in water - any kind of sexual humiliation, and many other interrogation techniques."

I assume operating such facilities in the Twilight Zone is flexible from an interrogation point of view; what makes me wonder, though, is how justified the kidnappings of alleged terrorists by recruiting local intelligence agents are. Guess a guy I had a hot discussion with the other night was right: no more Russian-style skirmishes in guerrilla warfare, the adversary leaders just disappear and no one, not even their own forces, ever hears anything of them -- spooky special forces stealing the hive's queen.

In case you're also interested in the DoD's New Detainee Interrogation Policy, it's already available at the FAS's blog, plus "biographies" of 14 detainees.

However, there's one thing the entire synthetic community will always be thankful to the CIA for, and that's LSD, a proven "ice breaker" over the decades.

Graph courtesy of Spiegel.de

NSA's Terrorist Records Database

September 11, 2006
Right on time! Inside sources -- this is a creative spoof -- at the NSA finally coordinated their intelligence sharing efforts with the Patriot Search, and came up with a public database giving you the opportunity to look up your entire neighborhood for suspicious relations with the Middle East.

What's the bottom line? Keep your friends close, your intelligence buddies closer!

Interested in anti-terror tips? Follow these:

- Use email software with strong encryption to prevent terrorists from reading your email
- Encrypt the files on your computer using strong encryption such as PGP to prevent terrorists from accessing your files
- Browse the web using an anonymous proxy to prevent terrorists from seeing what sites you visit
- Insist that electronic voting machines provide you with a traceable paper receipt so you can ensure that terrorists haven't altered the electronic ballot
- Report all behavior, especially if it is suspicious

The Freedom Tower - 11th September 2006

September 11, 2006
That's of course how it's going to look in 2012 -- true leaders never look into the past, they're too busy defining the future. Time goes fast given you're busy and always up to something -- disruption! I still clearly remember the moment when 9/11 happened and realize how much I've changed since then. Mixed thoughts started buzzing around my mind, the type of thoughts Cryptome's Daily Photos smartly emphasises. Anyway, someone or something always has to be either the result, the consequence, or the foundation for the next stage. I'll leave it open to interpretation what interacts with what:

Cold War <=> Defense/Intelligence spending/Innovation <=> Post 9/11 World
Terrorist <=> Ideology <=> War
Foreign policy <=> Terrorism <=> Geopolitical dominance
Terrorism <=> OSINT <=> Intelligence
Civil Liberties <=> Terrorism <=> Surveillance
Poverty <=> G8 <=> Developed world
Space exploration budget cuts <=> Terrorism <=> Alternative energy sources development
Paranoia <=> Terrorism <=> Security services/products market growth

I can keep on going, but that's not the point. The point is how globalisation is acting as a double-edged sword, and so is paranoia. Still, keep in mind that there are a million other ways to get killed compared to a terrorist attack.

There've always been and will always be "bad guys", "good guys", and "greyhat guys" -- barking dogs of course -- and the trouble is knowing whom to trust at a particular moment in time. I can easily argue that during the past five years, all the "bad guys" had to do was go through the press and come up with "future long term strategies" perceptional enough to shock and awe "the infidels". My point is that OSINT is also a double-edged sword, useful and dangerous to both parties. As far as the infidels are concerned, I'm not one - I believe in myself!

Underestimating an adversary is much worse than overestimating it, so stop using terrorism as the excuse for everything you do, or are about to do. It is as subjective as China's economy taking over the world -- something neither the "bad guys" nor China would do.

Related posts:
Terrorism
Data mining, terrorism and security
Terrorist Social Network Analysis
Benefits of Open Source Intelligence - OSINT
Visualization, Intelligence and the Starlight project
Cyber terrorism - don't stereotype and it's there!
Cyber terrorism - recent developments
Arabic Extremist Group Forum Messages' Characteristics
Tracking Down Internet Terrorist Propaganda
Cyber Terrorism Communications and Propaganda
Steganography and Cyber Terrorism Communications

A Study on The Value of Mobile Location Privacy

September 08, 2006
Right in between Flickr's introduction of geotagging, the term stalkerazzi got the attention it deserved. Then again, it entirely depends on you whether to evolve as a Web 2.0 user and add more value to the ongoing folksonomy, or to realize the possible privacy implications.

Yesterday, Danezis, Cvrcek, Matyas and Kumpost released an interesting study on The Value of Location Privacy:

"This paper introduces results of a study into the value of location privacy for individuals using mobile devices. We questioned a sample of over 1200 people from five EU countries, and used tools from experimental psychology and economics to extract from them the value they attach to their location data. We compare this value across national groups, gender and technical awareness, but also the perceived difference between academic use and commercial exploitation. We provide some analysis of the self-selection bias of such a study, and look further at the valuation of location data over time using data from another experiment."

While there are indeed privacy issues related to mobile devices, in the age of malware authors purchasing commercial IP geolocation services to get a better grasp of the infected sample, and Google's growing concern about the use of networks such as Tor mimicking possibly malicious behavior, you should ask yourself what it is that you're trying to achieve, anonymity or privacy preservation online, and go for it without feeling like a hostage.

Email Spam Harvesting Statistics

September 08, 2006
Web application email harvesting has always represented an untapped threat, and it's not the basics of parsing or web application vulnerabilities I have in mind, but the contacts already stored, in transit, or saved by infected people on their (insecure) platforms.

Malware is already averaging 1 piece in 600 social networking pages, which isn't surprising and is roughly proportional to the rise of web application vulnerabilities. Compared to personal data security breaches capable of providing the freshest and most recent emails of the parties involved, thus resetting a spammer's activity lifecycle, web email harvesting is still a rather common event.

Thankfully, there are already large-scale initiatives such as the Distributed Spam Harvester Tracking Network making an impact:

"Project Honey Pot is the first and only distributed system for identifying spammers and the spambots they use to scrape addresses from your website. Using the Project Honey Pot system you can install addresses that are custom-tagged to the time and IP address of a visitor to your site. If one of these addresses begins receiving email we not only can tell that the messages are spam, but also the exact moment when the address was harvested and the IP address that gathered it.

To participate in Project Honey Pot, webmasters need only install the Project Honey Pot software somewhere on their website. We handle the rest — automatically distributing addresses and receiving the mail they generate. As a result, we anticipate installing Project Honey Pot should not increase the traffic or load to your website."

Some current project statistics:
- Spam Trap Addresses Monitored - 1,354,582
- Total Spam Received - 1,464,090
- Total Spam Servers Identified - 499,310
- IPs Monitored - 611,368
- Total Harvesters Identified - 10,653

Donate an MX record, or get yourself an account and start contributing. On the other hand, the host that's web crawling for fresh emails today will definitely match the one found in a phishing email at a later stage -- the growing transparency and the pressure put on spammers inevitably result in the Ecosystem I mentioned in my Malware - Future Trends research.
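The mechanism Project Honey Pot describes above (an address custom-tagged to the time and IP address of the visitor who saw it, so that any mail arriving at it identifies the harvester and the moment of harvesting) is simple enough to show in working code. The following is an added example written for this post, not Project Honey Pot's own software; the site secret, domain, visitor IPs (RFC 5737 test ranges) and the inbound mail log are all constructed.

```python
"""Tagged spam-trap addresses: each address handed to a visitor is bound to
that visitor's IP and visit time, so spam arriving at it later attributes
the harvesting to that visitor. Added example; all values are constructed."""
import hashlib
import hmac
from datetime import datetime, timezone


class HarvesterTracker:
    def __init__(self, secret: bytes, domain: str):
        self.secret = secret          # assumption: per-site secret, keeps tags unguessable
        self.domain = domain
        self.issued = {}              # local part -> (visitor_ip, issued_at)

    def _tag(self, visitor_ip: str, issued_at: datetime) -> str:
        # HMAC over ip|time, truncated to 16 hex chars; one-way, so the
        # mapping back to the visitor lives in self.issued, not in the tag.
        msg = f"{visitor_ip}|{issued_at.isoformat()}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:16]

    def issue(self, visitor_ip: str, issued_at: datetime) -> str:
        """Mint a fresh trap address for one page view by one visitor."""
        local = "contact-" + self._tag(visitor_ip, issued_at)
        self.issued[local] = (visitor_ip, issued_at)
        return f"{local}@{self.domain}"

    def resolve(self, recipient: str):
        """Map a recipient address back to the visitor it was shown to."""
        local, _, domain = recipient.rpartition("@")
        if domain != self.domain or local not in self.issued:
            return None               # not one of ours (or a guessed address)
        ip, issued_at = self.issued[local]
        return {"harvester_ip": ip, "harvested_at": issued_at}

    def attribute_spam(self, mail_log):
        """mail_log: iterable of (received_at, recipient, sending_server_ip).
        Returns one record per message that hit a trap address."""
        hits = []
        for received_at, recipient, server_ip in mail_log:
            info = self.resolve(recipient)
            if info is None:
                continue
            hits.append({
                "harvester_ip": info["harvester_ip"],
                "spam_server_ip": server_ip,
                "harvested_at": info["harvested_at"],
                "delay_seconds": (received_at - info["harvested_at"]).total_seconds(),
            })
        return hits


def demo():
    """Constructed scenario: two visitors see trap addresses; later, spam
    arrives at the address that only the first visitor ever saw."""
    utc = timezone.utc
    tracker = HarvesterTracker(b"constructed-demo-secret", "example.com")
    crawler_ip, human_ip = "198.51.100.23", "203.0.113.77"
    addr_seen_by_crawler = tracker.issue(crawler_ip, datetime(2006, 9, 8, 10, 0, tzinfo=utc))
    tracker.issue(human_ip, datetime(2006, 9, 8, 11, 15, tzinfo=utc))
    # Constructed inbound mail log: (received_at, recipient, sending server)
    mail_log = [
        (datetime(2006, 9, 10, 3, 30, tzinfo=utc), addr_seen_by_crawler, "192.0.2.9"),
        (datetime(2006, 9, 10, 3, 31, tzinfo=utc), "webmaster@example.com", "192.0.2.9"),
        (datetime(2006, 9, 10, 4, 0, tzinfo=utc), "contact-0000000000000000@example.com", "192.0.2.10"),
    ]
    return tracker.attribute_spam(mail_log)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Only the first log entry is attributed: the second went to a real address and the third to a trap-shaped address that was never issued, which is exactly why the tag is an HMAC rather than a counter. The delay between harvesting and first spam is what lets a project like this say "the exact moment when the address was harvested".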

Related posts:
The Beauty of the Surrealistic Spam Art
Real-Time PC Zombie Statistics
The current state of IP spoofing
Dealing with Spam - The O'Reilly.com Way

Benchmarking and Optimising Malware

September 08, 2006
With the growth and diversity of today's malware, performance criteria for malicious code are largely neglected as a topic of interest, but that shouldn't be the case, as "the enemy you know is better than the enemy you don't know". As information warfare and malware often intersect for the purpose of balancing asymmetric forces, or conducting espionage, there are already research initiatives for multi-platform, multi-communication-environment code.
José M. Fernandez and Pierre-Marc Bureau constructively raise awareness of how "the best is yet to come" in their research on Optimising Malware:

"In this paper, we address and defend the commonly shared point of view that the worst is very much yet to come. We introduce an aim-oriented performance theory for malware and malware attacks, within which we identify some of the performance criteria for measuring their “goodness” with respect to some of the typical objectives for which they are currently used. We also use the OODA-loop model, a well known paradigm of command and control borrowed from military doctrine, as a tool for organising (and reasoning about) the behavioural characteristics of malware and orchestrated attacks using it. We then identify and discuss particular areas of malware design and deployment strategy in which very little development has been seen in the past, and that are likely sources of increased future malware threats. Finally, we discuss how standard optimisation techniques could be applied to malware design, in order to allow even moderately equipped malicious actors to quickly converge towards optimal malware attack strategies and tools fine-tuned for the current Internet."

They've successfully distinguished the following generic and specific aim-oriented performance criteria:

Generic
- Number of hosts
- Persistence
- Anonymity

Fraud
- Money
- Credibility

Information theft
- Penetration
- Stealth
- Amount of information
- Host location

Access sale
- Upstream bandwidth
- Security

Destruction
- Propagation
- Upstream bandwidth
- Host location
- Damage

Information Warfare
- Speed
- Host Location
- Damage
- Exposure

Taking into consideration the OODA loop concept -- Observation, Orientation, Decision, Action -- these characteristics would definitely improve over time.

Related resources and recent posts:
Malware
Virus Outbreak Response Time
Malware Bot Families - Technology and Trends
Malware Statistics on Social Networking Sites

Google Hacking for Cryptographic Secrets

September 07, 2006
Interesting perspective, which could certainly prove handy on a nation-wide scale. The concept of googling for private keys has been around for quite a while, and here's an informative paper emphasising how Google can Reveal Cryptographic Secrets, taking the topic even further:

"Google hacking is a term to describe the search queries that find out security and privacy flaws. Finding vulnerable servers and web applications, server fingerprinting, accessing admin and user login pages and revealing username-passwords are all possible in Google with a single click. Google can also reveal secrets of cryptography applications, i.e., clear text and hashed passwords, secret and private keys, encrypted messages, signed messages etc. In this paper, advanced search techniques in Google and the search queries that reveal cryptographic secrets are explained with examples in detail."

Comments on: Hashed passwords, Secret Keys, Public Keys, Private Keys, Encrypted Files, Signed Messages -- external comments on packed binary patterns, malware functions, and the malware search engine itself.

Google is so not the root of the problem, although at least theoretically malicious web crawling is indeed possible. Seems like patterns come in useful to both sides of the front -- and everyone in between.
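The same patterns the paper says a search engine picks up (PEM private key headers, PGP messages, crypt-style password hashes) are the ones a webmaster should grep for before anything reaches a public document root, since once it is crawled and indexed the secret is gone. This is an added example written for this post, not code from the paper; the pattern set and the in-memory sample site are constructed, and the patterns are deliberately limited to shapes that are unambiguous (public key blocks are ignored because publishing them is harmless).

```python
"""Pre-publication scan of a web root for cryptographic material that search
engines would otherwise index. Added example; patterns and sample files are
constructed for illustration."""
import re
from pathlib import Path

# Each pattern names a class of secret. Public key blocks are intentionally
# not matched: they are meant to be published.
PATTERNS = {
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "pgp_private_key_block": re.compile(r"-----BEGIN PGP PRIVATE KEY BLOCK-----"),
    "pgp_message": re.compile(r"-----BEGIN PGP MESSAGE-----"),
    # $1$ (md5-crypt), $5$/$6$ (sha-crypt), $apr1$ (htpasswd): $id$salt$hash
    "crypt_password_hash": re.compile(
        r"\$(?:1|5|6|apr1)\$[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{22,86}"),
    "bcrypt_hash": re.compile(r"\$2[abxy]?\$\d{2}\$[./0-9A-Za-z]{53}"),
}


def scan_text(path: str, text: str):
    """Return one finding per pattern hit, with the 1-based line number."""
    findings = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append({"path": path, "kind": kind, "line": line_no})
    return findings


def scan_tree(root):
    """Walk a real directory (e.g. the document root) and scan every file."""
    findings = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        try:
            text = p.read_text(errors="replace")   # binaries decode lossily, still scanned
        except OSError:
            continue
        findings.extend(scan_text(str(p), text))
    return findings


# Constructed in-memory "site" so the example runs without touching disk.
SAMPLE_SITE = {
    "index.html": "<html><body>public page</body></html>\n",
    "keys/id_rsa.pub": "ssh-rsa AAAAB3constructed user@host\n",
    "keys/server.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEconstructedPlaceholderBody\n"
        "-----END RSA PRIVATE KEY-----\n"),
    "old/.htpasswd": "admin:$apr1$abcdefgh$" + "a" * 22 + "\n",
    "notes/public.asc": "-----BEGIN PGP PUBLIC KEY BLOCK-----\nconstructed\n",
}


def scan_sample():
    findings = []
    for path, text in SAMPLE_SITE.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f['path']}:{f['line']}: {f['kind']}")
```

Run against the constructed site it flags the PEM private key and the leftover .htpasswd and stays quiet on the SSH and PGP public keys; `scan_tree` is the same check pointed at a real directory, which is the form you would wire into a deploy step.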

Hezbollah's use of Unmanned Aerial Vehicles - UAVs

September 06, 2006
According to the common wisdom, terrorists -- or let's just say contradictory political factions -- weren't supposed to be capable of owning and using unmanned aerial vehicles in war conflicts, but only able to wage guerrilla warfare, thus balancing the unequal forces in a conflict. Seems like Hezbollah are indeed capable of owning and using UAVs, as Israel recently shot down yet another one:

"Israeli aircraft shot down an unmanned spy plane launched by the Lebanese guerrilla group Hizbollah as it entered Israeli territory on Monday, the Israeli army said. The drone was spotted by the air force's monitoring unit and fighter planes were scrambled to intercept it, an Israeli military spokesman said. The spokesman said a fighter plane shot the drone down 10 km (six miles) off Israel's coast, northwest of the city of Haifa. "The current assessment is that it was headed further south, we do not know exactly for what purpose," the spokesman said. An Israeli military source added that it was an Iranian-made drone with a range of about 150 km."

Go through an in-depth post at DefenseTech, and Eugene Miasnikov's report on Threat of Terrorism Using Unmanned Aerial Vehicles: Technical Aspects, which:

"assesses the technical possibility of UAV use as a delivery means for terrorists. The analysis shows that such a threat does exist and that it will grow. The author also considers areas that require higher attention from government agencies. This report is also targeted at the Russian public. Terrorist activity can be prevented only through the coordinated efforts of the government and civil society. The government cannot efficiently fight terrorists without the active involvement of the population. The first step toward creating such an alliance is to recognize the threat and its potential consequences."

So what's next once reconnaissance is taken care of and timely intelligence gathered? UCAVs in the long term, of course. Nothing's impossible, the impossible just takes a little while!