DIY Malware Droppers in the Wild

The revenge of the script kiddies, or the master minds releasing DIY tools to let 'em generate enough noise as I've pointed out in my future trends of malware paper? Further expanding the Malicious Wild West series, here are two more recently released DIY malware droppers. The detection rate for the generated dropper of the first one is disturbing given it's not even crypted :

AVG - 06.12.2007 - Downloader.VB.KK
NOD32v2 - 06.12.2007 - probably unknown NewHeur_PE virus
Panda - 06.12.2007 - Suspicious file

No AV detects the packer itself!

File size: 311296 bytes
MD5: 1944378cba81bcd894d43d71dc5fccb5
SHA1: 920505f2124e8a477ab26a28f81a779d717882be

The second one has a much higher detection rate of both the packer and the dropper :

File size: 19001 bytes
MD5: abad61857c4b79773326496dec11929b
SHA1: 5c74c3572febf7f468b41d9bdc5cbc19eb2348b5

PandaLabs has recently conducted a study on the increasing use of packers and cryptors by malware authors worth mentioning :

"There are many different packers. According to the PandaLabs study, UPX is the most common and is used in 15 percent of the malware detected. PECompact and PE, are used in 10 percent of cases. However, according to PandaLabs, there are more than 500 types of packers that could be used by cyber-crooks. “In essence it is a stealth technique. The increasing use of these programs highlights how keen Internet criminals are for their creations to go undetected,” explains Luis Corrons, technical director of PandaLabs."

You may also be interested in finding out how popular anti virus vendors perform agains known, but crypted malware.

Related posts:
A Malware Cryptor
A Malware Cryptor 2
A Malware Loader Continue reading →

Homosexual Warfare

Applause for the non-lethal weapons R&D, but a Gay Bomb using aphrodisiacs to provoke sexual behaviour on the field courtesy of the Pentagon, is far more creative than a vomit beam for instance :

"In one sentence of the document it was suggested that a strong aphrodisiac could be dropped on enemy troops, ideally one which would also cause "homosexual behaviour". The aphrodisiac weapon was described as "distasteful but completely non-lethal". In its "New Discoveries Needed" section, the document implicitly acknowledges that no such chemicals are actually known."

Just imagine the situation when a century later, a futuristic History Channel displays holograms of such warfare activities. More info on the Gay Bomb, as well as video of soldiers on LSD -- exceptional warriors win their battles without waging wars. Continue reading →

Censoring Flickr in China

Since I've been discussing China's Internet censorship practices, and I've been doing it pretty much since I've started blogging, this is the most recent example of how what's thought to be the most robust and sophisticated censorship system in world is a useless technological solution if not implemented "properly". The news of the government censoring a very popular site will spread faster, but instead of applying the predefined subversive content detection practice and allow anything else, they're mocking their overhyped censorship system by blocking the entire site instead of either removing the content in question or blocking access to the specific Flickr set. Futile attempt? For sure, but far more gentle approach of censorship compared to the current one.

Various news sources reported that China's censoring the entire Flickr. As you can see the greatfirewallofchina.org test confirms the block, but it also confirms that Flickr.com itself is not censored but any other content within. How come? The idea is that the user user is left with the impression that it's a technical glitch at Flickr.com compared to receiving a censorship warning or even a 404 when accessing the main page. Logging in Flickr is possible -- verified though a Beijing based proxy manually -- uploading is also possible, but not content can be seen.

Flickr = a Yahoo! media company with which the Chinese government has been keeping close ties in the past so that jailed journalists started filling lawsuits against Yahoo. Various bloggers speculated that China banned the entire site due to the leak of protestor's photos on it, and taking into consideration China's ongoing censorship of mobile communications such as SMS messages which I covered in a previous post, you may notice that the first image of the received sms for the time and place of the protest is censored by the photographer herself, especially the time of receivement. The protest is also on YouTube, so would YouTube be logically next to get blocked? I doubt so as basically, the protest will position itself as an even more high priority issue for the Chinese government. The censorship trade-off, should you censor it and add more exclusiveness to it, or ignore and act like it's nothing serious? Undermine censorship by spreading the censored item further.

Even more interesting is the fact that couple of months ago, Google's shareholders were about to wage a proxy battle in order for them to convince top management in the long-term effects of censorship. Google convinced them that the revenues streaming from China with its near the top Internet population are more important and so they agreed. Obviously, Yahoo's shareholders are too, not keen of the fact that their investments are driving the oppression of Chinese citizens, and have recently proposed a similar resolution :

"Amnesty International has today (11 June) expressed its support for two shareholder resolutions up for vote at tomorrow's Yahoo! annual meeting in California, one calling on the company to oppose internet repression in countries such as China, and one requesting the creation of a corporate Board Committee on Human Rights."

New media companies are helpless and obliged under Chinese law to censor if they don't want to lose the option to do business in (Soviet) China, therefore a nation-2-nation actions must be taken especially from the world's major evalgelists of a free society and democracy. The rest is a twisted reality - a Tiananmen Square image search outside China, and a Tiananmen Square image search in China, everything's "in order". Continue reading →

An Analysis of the Technical Mujahid - Issue Two

Good afternoon everyone, shall we enjoy some fried cyber jihadists for lunch? I'd say let's go for it. After analyzing issue one of the Technical Mujahid couple of months ago, the post continues to be among the most popular ones at this blog, and best of all - I've virtually met with people whose knowledge intimacy I'd never ruin by physically meeting with them. In a globalized world, OSINT is your early warning system and a tool for establishing social responsibility as a citizen of world, and I'm still sticking to my old saying that an OSINT conducted - a tax payer's buck saved somewhere.

During March, 2007, the Al Fajr Information Center released the second issue of the Technical Mujahid E-zine (72 pages), a definite proof of their commitment towards educating the prone to brainwashing and radicalization wannabe jihadists. What has improved? Have the topics shifted from the general IT ones to start covering conventional weaponry discussions? Disturbingly yes. Whereas the topics still largely remain IT related, much more PSYOPS and discussion on weapons systems such as MANPADS- is included in the second issue. The myth of terrorists and jihadists using steganography is "thankfully" coming out of the dark despite how uncomfortable you may feel about it, from a strategic point of view, the low lifes are putting more efforts into educating the average jihadist on how to generate noise, so that the real conversation can continue with wannabe jihadists getting caught, and the true master minds remaining safe.
Case in point - the first issue of the magazine was covered by the several sources who seem to be aware of the forums where the real discussion and announcements are going, but the release of the second issue wasn't that well covered in comparison to their previous coverages. But how come? Is someone interested in getting a higher proportion of the upcoming departamental budget allocation with stories like we need petabytes of disk space and CPU on demand to analyze the ongoing conversations, or is the average citizen feeling more secure not knowing how aware both cyber and real life jihadists are? A picture is sometimes worth a thousand fears. Let's discuss the second issue of the Technical Mujahid by starting with the key summary points :

Key summary points :
- The second issue of the magazine is diversifying its content to include conventional weaponry articles, especially the nasty MANPADS
- Propaganda is largely increasing, thanks to automated translation software and keywords density analysis
- With articles such as the ABC of running and operating a Jihadist site online, the authors of the magazine are aiming to generate even more noise
- There's a very experienced team of multimedia/creative designers applying professional layouts to the magazine and the articles

01. Article One - An Overview of Steganography and Covert Communications

Article one is continuation from the discussion opened in the first issue on the basics of steganography and encryption. Rich on visual material as always, it covers a surprising number of steganographic techniques starting from watermarking, and also commenting on the process of steganalysis and how degrading the quality of an image let's say, is a major trade-off compared to encryption for instance. The article also includes a comparison of colors histogram of an original image and a steganographic one to showcase the trade-off. What makes an impression is the evolving editorial and DIY tutorials with definitions of technical terms at the end of each article and their Arabic translation..

Key terms from article one :

Steganography (Steganos graphy); Steganalysis; Morse Code; Digital Signal and Image Processing; Watermarking; LSB (Least Significant Bit); MSB (Most Significant Bit); Histogram (Frequency distribution of RGB); One Way Encryption; Discrete Cosine Transform (Coefficients); Enhanced LSB Layers Analysis.

Moreover, an exampe is given where Islamic military communications in Iraq are hidden in a 100x50 pixel picture. Feeling uncomfortable with the idea of jihadists using steganography for communications? So do I, but keeping it realistic instead of denying the reality is even worse than actually admitting it. Something else is important to understand as well, and that's to overall lack of situational awareness of the average citizen in any contrying, still living in the stereotype of bunch of folks making plans on the sand in a distant cave somewhere in the mountains. Your desire to remain what you are is what limits you.

It also worth discussing why are they including English-to-Arabic translations of technical terms, and I think the main goal is to provoke readers to start searching the Arabic web for related articles, perhaps a good moment to break the stereotype a mention that online jihadi communities is where visitors convert to talkers, and later on doers.

02. Article Two - Creating a Jihadist's Site for Newbies

In order for jihadists to generate more noise and build a loyal army of believers, the authors have taken the time and effort to explain the basics of web design, web hosting, and various other issues related to building a jihadists site from scratch. In times of "war on ideologies", the bigger the community, the higher chance for possible recruitment.

03. Article Three - An Overview of Short Range Shoulder-Fired Missiles

From ITsecurity to conventional weaponry articles, the shift is very interesting one, especially the in-depth knowledge on various systems and the countermeasures aircraft have against MANPADS. What's worth mentioning is the PSYOPS motive of jihadist's sandal on the top of a scrap from an obviously taken down helicopter. The articles concludes with detailed technical specifications of MANpads and by highlighting the dominance of the Russian IGLA system.

Key terms from article three :

Infrared (wavelength greater than 0.7 micron); Ultraviolet (UV: wavelength less than 0.4 micron); Infrared seeker head; IFF (Identification Friend or Foe) antenna; Digital signal processing (DSP); Counter-Countermeasures(CCM); Directed infrared countermeasures [DIRCM]; Sensor- Mercury Cadmium Telluride (HgCdTe) 1- 24mm; Sensor- Indium Antimonide (InSb) 1-5.5mm

04. Article Four - Basics and Importance of Encryption
Even wondered how Alice and Bob talk exchange keys in Arabic? This article explains in detail the basics and importance of encryption, and compared to issue one of the technical mujahid which was recommending PGP, the author is now recommending the Mujahideen Secrets encryption tool.

05. Article Five - Basics of Video Recording and Subtitling Clips
Wonder how did the whole jihadist multimedia revolution start? As it seems, there's a team of "reporters" attached to militant groups to take recordings of the battles and later one include propaganda background music and subtitle them to acheive an even more influential effect on their audience.

Dear wannabe jihadists - if your definition of existence consists in your futile attempt to achieve a knowledge-driven jihadist community in the form of generating noise with armies of religiously brainwashed soldiers, you face extinction it's that very simple.
Continue reading →

Security Cartoons

Despite that the main goal of the initiative is to build better awareness among the average Internet user through security cartoons, it's also very entertaining for someone professionally in the field. The original press release :

"The cartoons we have developed obviously are not a textbook approach, not made for professional journals or geared to an audience of professional researchers," said Srikwan, who is the graphic designer of www.SecurityCartoon.com. "We wanted this to be accessible to anyone who uses the Internet -- general consumers, teenagers, teachers and anybody who banks or shops online. That's why the cartoon format is perfect -- everybody can relate to it. The cartoons cover online security issues such as phishing, pharming, malware, spoofing and password protection. But as opposed to most other educational efforts relating to these topics, the cartoons do not only teach its readers what to do and not to do, but why, too."

Is building security awareness in the age of malicious economies of scale worth the investment in terms of outsourcing the program details to an experienced vendor? You bet, and what I especially like about the cartoons collection is its vendor-independent position, namely it's not promoting the idea of the product concept myopia and product as the solution to the threat, but vigilance and maintaining a decent situational awareness while online. The rest is up to a vendor's marketing and sales department trying to hopefully get more customers and prove their solution outperforms the rest of the vendors, compared to a profit-margin centered vendor, trying to squeeze out the juice from a commoditized product or a solution but lacking any major differentiation points.

Here are two more great collections of security cartoons as well. Continue reading →

CIA's "Upcoming" Black Ops Against Iran

Recent articles pointing out on a U.S President Bush's clearance for CIA black operations against Iran, make it sound like it's something the CIA haven't been doing for decades already. Here's an example of a spy thriller in real life on how the CIA helped U.S embassy workers escape the country unharmed during Iran's revolution by using a fake sci-fi movie production as an excuse :

"He was stuck. For about a week, no one in Washington or Ottawa could invent a reason for anyone to be in Tehran. Then Mendez hit upon an unusual but strangely credible plan: He'd become Kevin Costa Harkins, an Irish film producer leading his preproduction crew through Iran to do some location scouting for a big-budget Hollywood epic. Mendez had contacts in Hollywood from past collaborations. (After all, they were in the same business of creating false realities.) And it wouldn't be surprising, Mendez thought, that a handful of eccentrics from Tinseltown might be oblivious to the political situation in revolutionary Iran. The Iranian government, incredibly, was trying to encourage international business in the country. They needed the hard currency, and a film production could mean millions of US dollars."

Today's active black ops doctrine isn't hapenning without Iran taking notice of course :

"Other Iranian Americans also have been prohibited from leaving Iran in recent months, including Parnaz Azima, a journalist for the U.S.-funded Radio Farda; Ali Shakeri, a founding board member of the Center for Citizen Peacebuilding at the University of California, Irvine; and Kian Tajbakhsh, consultant working for George Soros' Open Society Institute."

Realizing the U.S's inability to wage conventional war on yet another front -- from a PR point of view not lack of capacity -- the CIA is logically putting more efforts into undermining a religious regime where it hurts most - Iran's overall isolation from the world's economic markets and a fact with which no one from the international community is feeling comfortable with, namely, Iran's continuing efforts to supply the enemies -- Hezbollah -- of its enemies -- the U.S -- with technology and know how that was supposedly hard to acquire.

Capitalism has the power to undermine any regime except perhaps one whose foundations are purely religious such as with Islam, therefore dirty tricks like the ones fabricating evidence and making the average Iranian perceive its current rulers as a corrupt puppets of behind a power-driven vision, seems to be a way of destabilizing the regime. Another recent example of an unamed intelligence agency's PSYOPS team aiming to a achieve a disorted media-echo by distributing false rumors and relying on that basis that there's truth in every rumour, was that of Muammar Gaddafi's coma speculations that quickly spread around the world. But what was the purpose of this hoax? Let's clarify - to achieve a media echo effect abusing the mainstream media's major weakness in respect to always trying to be the first to spread a ground breaking event. What did the colonel do once he found out he was in a come? Instead of ignoring, he fell victim into an even more well-thought of trap, and responded that the'll sue the news agency that came up with the hoax, thus, achieving an even more sucessful media echo effect. If you want to destroy a regime, you destroy it from inside-to-outside, not the other way around and perhaps the key objective of this PSYOPS was to help the regime's citizen's envision a future without their leader, even for a few hours before the fact is once again on the front pages. Ingenious intelligence thinking.

PSYOPS and BLACKOPS intersect and these are among the many practial examples I pointed out in a previous post :

- your web sites spread messages of your enemies
- sms messages and your voice mail say you're about to lose the war
- your fancy military email account is inaccessible due to info-warriors utilizing the power of the masses, thus script kiddies to distract the attention
- you gain participation, thus support
- you feel like Johnny Mnemonic taking the elevator to pick up the 320 GB of R&D data when a guerilla info-warrior appears on the screen and wakes you up on your current stage of brainwashing
- starting from the basics that the only way to ruin a socialist type of government is to introduce its citizens to the joys of capitalism -- it always works
- hacktivism - traffic acquisition plus undermining confidence
- propaganda - North Korea is quite experienced
- self-serving news items, commissioned ones
- achieving Internet echo as a primary objective
- introducing biased exclusiveness
- stating primary objectives as facts that have already happened
- impersonation Continue reading →

g0t XSSed?

Following previous posts on XSSing The Planet and XSS Vulnerabilities in E-banking Sites, here's a full disclosure project that's basically categorizing user-submitted XSS vulnerabilities by pagerank/government/public entity, with mirrored XSSed pages.

Even a .secured TLD name is nothing more than a false feeling of security with phishers still loading content from E-banking providers' sites, and actively exploiting XSS vulnerabilities to make their scams use the bank's site. Therefore from a business development perspective you ought to realize that overperforming in a developing market segment, is sometimes more profitable than being a pioneer with an idea the market's not willing to anticipate for the time being -- perhaps for the best. Continue reading →

Data Breach Sample Letters of Notification

Dear customer, to ensure your satisfaction with our quality services we're notifying you that our inability to protect your sensitive data has resulted in its leakage on the World Wide Web thus, stay tuned for possible identity theft and spending the next couple of years explaining how it wasn’t you who bought that luxurious yacht your bank wants you to pay for. By the time our stolen laptops get connected to the Internet -- which we doubt anyway -- they will phone back helping us locate them which doesn’t mean we didn’t breach the confidentiality of your personal information, and are just trying to be socially responsible in the time of notification.

Sincerely,
Your favorite and customer-friendly breached retailer

Perhaps the most comprehensive archive of scanned data breach letters of notification on U.S based companies, I've come across to so far. Well worth going through in case you wonder on what tone does a breached company use to maintain its weakened brand image, and to prevent a PR disaster.

Related posts:
To report, or not to report?
Personal Data Security Breaches - 2000/2005
A Chart of Personal Data Security Breaches 2005-2006
Getting paid for getting hacked
Continue reading →

MSN Spamming Bot

An image is sometimes worth a thousand words. This is a screenshot of infected bots spreading spam messages at MSN via typical !spam IRC based command and control. And here's a related article about malware on IM networks as well:

"It is not clear exactly why the number of IM attacks is increasing, but security researchers have their theories. Don Montgomery, vice president of marketing at Akonix, speculated the increase in the number of attacks reflects the increase in the use of instant messaging, particularly on corporate networks. "IM is becoming favored over e-mail as a distribution vector for malware as a result of e-mail security now being employed by 75 percent or more of companies, while IM security is only employed by 15 to 20 percent of companies," Montgomery said. "The hackers are simply turning to the open door."

Two options remain highly lucrative. Either someone’s spamming p3n1$ enlargement propositions and directing to a spam site, or the social engineering efforts aim at visiting an exploit hosting site. No more direct .pif; .scr; or .exe propositions in plain simple text, what’s exploited is mostly client side vulnerabilities and redirectors to break the ice. IM threats stats courtesy of Symantec's IMlogic and here’s a related post regarding the acquisition of the company with Symantec anticipating the emergence of this market segment and investing in it. IM propagation has it cyclical patterns which like pretty much all other propagation vectors reaching a mature level starts getting at least partly replaced by other ways of propagation. Continue reading →

The WebAttacker in Action

Interesting to see that the WebAttacker kit can still be seen in the wild. Here are the redirectors in action :

Input URL: _http://rulife.info/traffic/go.php?sid=1
Effective URL: _http://greencunt.org/crap/index.php
Responding IP: 203.223.159.110
Name Lookup Time: 1.290261
Total Retrieval Time: 5.987628

=> _http://rulife.info/traffic/go.php?sid=1
=> _http://xorry.org/backup/atds/out.php?s_id=1
=> _http://greencunt.org/crap/index.php

What follows is the (sandboxed) infection : file: Write C:\Program Files\Internet Explorer\IEXPLORE.EXE -> C:\sysykiz.exe

Several more URLs are to be found at the "green" domain as well :
_http://greencunt.org/anna/fout.php
_http://greencunt.org/spl1/index.php

Despite that the tool is outdated compared to mature malware platforms and exploitation kits which I'll be covering in upcoming posts, the leak of its source code made it easy for someone to tweak it for their personal needs and simply feed with undetectable binaries, new vulnerabilities, and newly registered domains -- even hijacked ones through web application vulnerabilities for instance.

In case you're interested in a proof that attackers are still successfully infecting victims by using vulnerabilities for which patches have been released months ago, here's another URL that's exploiting two vulnerabilities at once namely :

MDAC ActiveX code execution (CVE-2006-0003)
IE COM CreateObject Code Execution (MS06-042)

The domain in question is - _http://www.avvcc.com and _http://www.avvcc.com/lineage/djyx.htm

Related posts:
RootLauncher Kit
Nuclear Grabber Kit
Shots from the Malicious Wild West - Sample Seven
Shots from the Malicious Wild West - Sample Six
Shots from the Malicious Wild West - Sample Five
Shots from the Malicious Wild West - Sample Four
Shots from the Malicious Wild West - Sample Three
Shots from the Malicious Wild West - Sample Two
Shots from the Malicious Wild West - Sample One
Continue reading →

The Revenge of the Waitress

Think your scrooge tips will achieve their effect? Think twice but don't put the emphasis on underpaid waitresses, rather on the overall availability of credit card data reading devices as well as their vulnerability to such readers. Here's a video of another waitress clonning credit cards on the fly :

"A telltale clue that helped the restaurant and investigators zero in on the waitress: She would make quick visits to the restroom after picking up customers' charge cards, apparently to swipe them through a palm-sized device that recorded the confidential numbers." Continue reading →

Reverse Engineering the ANI Vulnerability

Informative video analyzing the ANI cursor vulnerability, part of the Google TechTalks series.

"Alex Sotirov is a vulnerability engineer at determina. He will discuss some latest techniques in reverse engineering software to find vulnerabilities. Particularly, he'll discuss his technique that lead him to find the ANI bug (a critical new bug in WinXP and Vista)."


Continue reading →

Phrack Magazine's Latest Issue

Phrack is back believe it or not with its latest Issue 64 released two days ago. The style is still so old-school, so authentic it makes you remember extraordinary Web 1.0 experiences. Articles of notice I went through so far : "A brief history of the Underground scene" ; "Blind TCP/IP hijacking is still alive" ; and "The art of Exploitation: come back on an exploit". Dazzling already :

"In the last decade, Phrack took a very annoying industry-oriented editorial policy and the original spirit was in our opinion not respected. The good old school spirit as we like had somehow disappeared from the process of creating the magazine. That is why the underground got split with a major dispute, as some part of the scene was unhappy with this new way of publishing. We clearly needed to bring together again all the relevant parties around the spirit of hacking and the values that make the Underground. The Underground is neither about making the industry richer by publishing exploits or 0day information, nor distributing hacklogs of whitehats on the Internet, but to go further the limits of technology ever and ever, in a big wave of learning and sharing with the people ready to embrace it. This is not our war to fight peoples doing this for money but we have to clearly show our difference." Continue reading →

Google Hacking for Vulnerabilities

Tools like these are a clear indication in the interest of gathering targets through google hacking techniques and SQL injecting them using a single tool. What’s important to note is that, instead of scanning the target's web server in an automated fashion thus, increasing the potential of detecting your malicious requests in this case the attack vectors are already known even cached on a search engines' servers. Perhaps a good time to set up a google hacking or PHP deception honeypot, make sure google crawls it and either gather first hand statistics, or deceive at your best. A paper released under the Know Your Enemy series comments on the concept of search engines' reconnaissance :

"Below we give the exploits we have seen against our honeypots and where possible an estimate of the number of users for each piece of software. The estimates are obtained by checking the number of Google search results returned for a given page in a website, for example searching for '"powered by PHPBB" inurl:viewtopic.php' suggests there are around 1.5 million installations of PHPBB indexed by Google."

Malware using search engines to build its hit lists is nothing new and it's the Santy worm and perhaps even the JS/Yamanner worm I have in mind. Worms like these are just the tip of the iceberg when it comes to malware because their successful intrusions act as a propagation vector for malware exes, exploits embedded pages, and hosting of phishing sites. In case you remember, over an year ago New Zealand started a nation wide google hacking security audit aiming to not just build awareness on the potential security issues, but to also, measure the country's susceptibility to google hacking which they claim is the highest in the world. If you don’t take care of your web application vulnerabilities someone else will, and your organization wouldn’t even have "the privilege" of getting exploited by an advanced attacker, but by a script kiddie making your server open a reverse shell back to them in between everything else. Continue reading →

Microsoft's Forefront Ad Campaign

The introduction of Microsoft's Forefront security solutions is already backed up by a huge ad campaign that can be seen on the majority of tech-news portals. The campaign is however lacking a consistent vision to communicate the benefits and main differentiation points -- if any -- of the product, and is barely informing that it exists in a not so creative way :

There's nothing in Forefront that really makes it notably better or worse than any other solutions that are already in the marketplace. However, the Microsoft name may be sufficient for it to steal market share, and a better integration with other Microsoft solutions…is likely to be a bit of a differentiator,” said Quin. Faced with increasing competition from Microsoft, Symantec Corp. questioned Microsoft's ability to effectively protect enterprise customers.

Trying to be witty too much while fighting ninjas and aliens often results in your ad campaign "clowning" in the eyes of a prospective customer. Security is indeed a cosmic phenomenon for Microsoft, an unexplained pseudo-randomly generated event that's continuing to be researched and analyzed for generations to come. Can they achieve desirable results? Will penetration pricing help? And will the ad agency that got commisioned with the ad campaign come up with a bit of a more creative psychological imagination the next time?

A pure example of an acquisition-to-solution strategy compared to AOLs licensing of a reputable AV vendor's technology, in order for them to enter the market segment as well. Continue reading →

Jihadists' Anonymous Internet Surfing Preferences

Jihadists are logically not just interested in encryption and steganography but also, in ways to anonymize their web surfing activities as much as possible. A wannabe jihadist whose tips and recommendations have gained him a lot of reputation around the forums I follow, recently came up with an in-depth article on recommended and reviewed IP cloaking services with direct download links in between. It makes stats like these questionable to a certain extend as I've already pointed out. Among the IP cloaking tools reviewed are :
- Steganos Internet Anonym Pro
- Hide IP Platinum 3.1
- Proxy Switcher Pro
- Invisible Browsing v5.0.52

TOR is, of course, mentioned as well but at the bottom of the article citing performance issues compared to commercial solutions. IP decloaking is not even considered as a concept. Continue reading →

Counter Espionage Tips from the Cold War

There's nothing old-fashioned in short films like these representing possible techniques used by intelligence services while recruiting - "Cold War counter-spy instructional film created to convince government officials traveling with top secret info to watch their backs. Watch hapless G-men get seduced and setup for blackmail by treacherous Soviet she-spies"



And despite that today's perception of sexy she-spies has evolved proportionally with the technological advances in espionage, some of the tips are still emphasizing on the basics. Continue reading →

A Client Application for "Secure" E-banking?

This is perhaps the second product concept myopia right after the lie detection software for text comminations I come across to recently. Remember a previous post heading in the opposite direction, where a bank was trying to rebuild confidence in the most abused phishing medium - the email - to keep in touch with its customers? Here's another company that's betting on a third-party client application to solve the problem of secure E-banking totally falling victim in the secure channel communication myopia one that I think has nothing to do with reality when it comes to the success of phishing :

"Here’s how Armored Online works: A company, such as a financial institution or online retailer, offers a downloadable client to customers through its website. That client then gives the customer’s computer a secure channel with which to communicate and transact with the company. Its Java-based browser is locked down, meaning it won’t accept any plug-ins, like cookies used by criminals. What’s more, the client can only “talk” to the server at the bank or online store. “It’s like iTunes for banks,” Mr. Sowerby said."

The attack of the disabled cookies? Not really, so be realistic. Coming up with a third-party application as the cornerstone of E-banking security directly conflicts with E-banking's biggest benefit - flexibility due to the compatibility with the most popular browsers. So you'd rather focus on the current situation - Brandjacking instead of re-inventing the SSL wheel -- as a matter of fact the Gozi trojan and the Nuclear Grabber are quite comfortable with SSL as they bypass it entirely. Even worse, a trojanized copy of the program will emerge given it receives any acceptance at all. And if banks start embracing it -- don't -- we can easily start talking about DRM enabled E-banking where, both, banks and customers will turn into virtual hostages to a third-party application trying to reboot the market for anti-phishing services, totally forgetting the problem is not in the lack of unencrypted transactions as no one is sniffing the credentials, but pushing fake sites instead of letting customers pull the sites for themselves.

Don't disrupt in irrelevance. Continue reading →

A Malware Loader For Sale

Continuing the Shots from the Malicious Wild West series and the yet another malware tool in the wild posts, here’s a recently advertised malware loader. Polymorphism, built in packing functions and the ability to set an interval for loading yet another executable at a URL or a URL redirector, DIY firewalls unloading techniques, pretty much anything ugly is in place -- as usual. The loader's source code is currently available for $150, undetected bots go for $15 per piece. Malware on demand in principle, or malicious economies of scale? Continue reading →

MySpace's Sex Offenders Problem

MySpace, being one of the most popular social networking sites is always under fire on its efforts to combat known child offenders registering and using its database to find what they're looking for. The problem isn’t MySpace as a faciliator for such type of communications but the vast amounts of personal information -- future contact points -- kids publish about themselves online, not knowing that on the Internet anyone can be a dog and most importantly, parents loosing the emotional connection with their kids and making it easier for someone to break the ice and establish trust.

Several months ago, funded by nothing more but his common sense Kevin Poulsen gathered name data from the U.S public child offenders registry and found positive results with people -- thankfully -- stupid enough to use their real names. And while they wouldn't do it again the next time instead of making it easier to aggregate the data, a CAPTCHA to limit such automatic activities was implemented. Don't blame MySpace blame bureaucracy. Meanwhile, here's an article on U.S authorities demanding that MySpace provide data on identified and removed known child offenders -- they agreed :

"MySpace agreed Monday to provide the information to all states after some members of the group filed subpoenas or took other legal actions to demand it. The company said last week such efforts were required under the federal Electronic Communications Privacy Act before it could legally release the data."Different states are going about it different ways," said Noelle Talley, spokeswoman for Cooper, who filed a "civil investigative demand" for the information. Connecticut Attorney General Richard Blumenthal used a subpoena that "compels this information right away - within hours, not weeks, without delay - because it is vital to protecting children," he said."

If protecting children is vital, remove the CAPTCHA so everyone knowing how to aggregate and tweak the data will come up with far more sophisticated stats than the ones currently available. Actual results too. Next time it would become harder to track them, so don’t count on measures like these instead, ensure naughty conversations aren’t taking place at all. Makes me wonder one thing - should you be filtering known child offenders on the Internet perhaps a futile attempt given the pseudo-personalities they could establish, or at the ISP level and put them under surveillance right from the very beginning? Of course child offenders should not have unmonitored access to the Internet so rethink the basics.

Related posts:
Registered Sex Offenders on MySpace
IMSafer Now MySpace Compatible
Continue reading →