Wednesday, April 26, 2006

In between the lines of personal and sensitive information

In a previous post, "Give it back!", I mentioned the ongoing re-classification of declassified information and featured some publicly known sources of information on government secrecy. Today I came across a news item that relates to the topic in another way, "States Removing Personal Data from Official Web Sites". More from the article:



"At least six states use redaction software, which digitally erases information. It can be tailored to excise nine-digit entries such as SSNs. Chips Shore, circuit court clerk for Florida's Manatee County, removed SSNs and bank account numbers from 3 million public records on the Web site. Another 2.5 million court records were redacted before going online."



That's an interesting way to fight the problem from the top, namely personal data security breaches that never stop growing, but I wish they had either adopted the practice by default years ago, or understood today's dynamics of the threat. Even if they start implementing this on a wide scale, it doesn't mean identity theft would stop occurring, or that phishing attacks wouldn't trick the data subjects into handing over the complete details anyway. Implementing a process for securely storing, accessing and transferring such sensitive customer bank data often results in complexity, but reaching for "redaction software" when you could actually take advantage of a risk management solution isn't the smartest move here; yet again, that's the effect of today's dynamics and ever-changing attack vectors. What's the point of putting so much effort into sanitizing the data before putting it online, when an outsourcer, or an employee whose responsibilities include working with it, will somehow expose it anyway?


Wait, I forgot the naive customer who still takes every phishing email received "personally". Don't think SSN and bank account "redaction"; think insiders and storage/database security.
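As an added example (my own code, not code from the original post or from any of the redaction products the article refers to), here is what a rule "tailored to excise nine-digit entries" looks like in practice, together with the checks a practitioner would want around it: a naive 3-2-4 digit pattern, a stricter pattern that refuses to match inside longer digit runs and applies the SSA's structural rules, and a post-redaction sweep for long digit runs (bank account and card numbers) that neither pattern is looking for. The record lines are constructed, the pattern names and thresholds are assumptions of this example, and the only facts encoded are the SSA's published ones: area numbers 000, 666 and 900-999, group 00 and serial 0000 are never issued.

```python
import re

# Naive pattern, the "nine-digit entries" idea: three, two and four digits with an
# optional hyphen or space between groups. Hypothetical; not any vendor's pattern.
NAIVE_SSN = re.compile(r"\d{3}[- ]?\d{2}[- ]?\d{4}")

# Stricter pattern: the candidate must not be glued to other digits or hyphens on
# either side, and both separators must be the same (all "-", all " ", or none).
STRICT_SSN = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")

MASK = "XXX-XX-XXXX"


def is_plausible_ssn(area, group, serial):
    """Structural rules published by the SSA: area numbers 000, 666 and 900-999
    are never issued, nor are group 00 or serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def redact_naive(text):
    """What a blanket nine-digit rule does: every 3-2-4 run is masked, including
    the first nine digits of longer numbers, leaving the rest in the clear."""
    return NAIVE_SSN.sub(MASK, text)


def redact_strict(text):
    """Mask only standalone, structurally valid SSN candidates."""
    def repl(m):
        area, group, serial = m.group(1), m.group(3), m.group(4)
        return MASK if is_plausible_ssn(area, group, serial) else m.group(0)
    return STRICT_SSN.sub(repl, text)


def find_leftover_digit_runs(text, min_len=9):
    """Post-redaction sweep: long digit runs that survived (account numbers,
    card numbers, SSNs in a format the pattern did not anticipate)."""
    return re.findall(r"\d{%d,}" % min_len, text)


# Constructed court-record lines for the demonstration (not real records).
SAMPLE_RECORDS = [
    "Defendant John Doe, SSN 123-45-6789, account 9876543210123",
    "Docket 000-12-3456 filed 2006-04-20",
    "Card on file 4111111111111111 (test number)",
    "Co-signer SSN 219 09 9999 (per affidavit)",
]


def redaction_report(records):
    """Return, per record, both redactions and what the sweep still finds
    after the strict pass."""
    report = []
    for line in records:
        strict = redact_strict(line)
        report.append({
            "naive": redact_naive(line),
            "strict": strict,
            "leftover": find_leftover_digit_runs(strict),
        })
    return report


if __name__ == "__main__":
    for original, r in zip(SAMPLE_RECORDS, redaction_report(SAMPLE_RECORDS)):
        print("in:      ", original)
        print("naive:   ", r["naive"])
        print("strict:  ", r["strict"])
        print("leftover:", r["leftover"])
        print()
```

Run over the sample records, the two pitfalls show up immediately. The naive pattern chews the first nine digits out of a 13-digit account number and a 16-digit card number and leaves the remainder in the clear, and because the partial mask breaks the digit run, a leftover sweep on that output finds nothing. The strict pattern leaves those numbers untouched and also refuses the docket number with the impossible 000 area, so it is the sweep that surfaces what still needs a human decision. Either way the regex only knows the shapes it was told about: this is precisely the point made above, redaction is a filter on known patterns, not a substitute for controlling who and what can reach the store behind it.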

With respect to removing sensitive information from the Web, I feel the inability to successfully classify information, and to balance accountability in front of society to a certain extent, generates contradictory responses. If you try to take down a document that has somehow been listed on the Internet or is available in digital format, what you're actually doing is inspiring people to disseminate it, and that includes news agencies as well, so make sure it doesn't appear there in the first place. Recent cases such as these:

"DOD removes missile defense system report from Web site"
"NORAD orders Web deletion of transcript"
"Air Force One data removed from Web Site revealed details of security measures on president's jets"
"Leaks of Military Files Resume"



bring more insights on the issue. It is well known that the entire Chinese information warfare doctrine draws on the U.S. military's NCW (network-centric warfare) visions -- they still have Sun Tzu's legacy though -- and that Al Qaeda's manuals actually quote U.S. military documents. If you know exactly what you're looking for, you will find it one way or another; just make sure information sharing doesn't end up as an information leakage event.



Going beyond achieving the balance between usability, accountability and secrecy, I also feel that disinformation and deception are reasonably taking place as well, given that the reader is actually identified and can consequently be influenced.

Tuesday, April 25, 2006

Wild Wild Underground

Where's the real underground these days: behind the shadows of the ShadowCrew, in the revenge of the now for-profit script kiddies, or in the slowly shaping online ambitions of the real Mafia? Moreover, is all this activity going on behind the Dark Web, or on the WWW itself? Go through this fresh overview, emphasizing today's script kiddies, 0days as a commodity, malware and DDoS on demand on the WWW itself, and perhaps a little bit of vendor-tolerated FUD.

In a previous post, I mentioned the existence of the International Exploits Shop, the Xshop, basically a web module where 0days, and service support in terms of videos, PHP-based configuration etc., are provided to anyone willing to get hold of a 0day/zero-day vulnerability -- scary stuff, yet a truly realistic concept that directly bypasses today's infomediaries that purchase vulnerabilities.

I must admit I didn't do my homework well enough to figure out that the Hack Shop has changed location quite a few times over the last two years and has offered many other vulnerabilities, going beyond what I came across two months ago -- for the time being, the Internet offers a much wider set of potential buyers than the three infomediaries do. As a reader hinted to me, in the future images would protect that type of page from crawling, and it's interesting to note that previous versions of the shop were doing exactly that, while the last one I got tipped about was using text on its pages. What's also important to mention is that these are the public propositions, the ones placed on the WWW, and not on the Dark Web, the one behind closed doors. Last month, Sophos mentioned the existence of a multi-exploit kit for an unbelievably cheap price:

"A Russian website is selling a spyware kit for $15. The website promises an easy-to-deploy spyware that only requires users to trick their victims into visiting a malicious website. The website even offers technical support. Carole Theriault, senior security consultant at Sophos, says such websites invite script kiddies and other unskilled would-be hackers into the world of cybercrime for profit."

Rather interestingly, Websense Security Labs looked further and came up with screenshots from the site itself; in the last screenshot you can clearly see the kit's options (Disable Adobe Acrobat web capture, Disable Opera user, Kill frame, Location lock, Referrer lock), but they again spread the rumour of a multi-exploit kit for sale at $15, of course as the entry ticket to the for-profit cybercrime business -- a little bit of FUD, sure, but I don't think the sellers are that desperate yet.



So, I decided to look even further and can now easily conclude: it depends on where you're buying it from. I mean, even the official site sells it at a price way too high for an average script kiddie to get hold of a multi-exploit pack, whether outdated or not can be questioned as well. So, the kit officially goes for $300, plus $25 for updates; I also came across it for $95, but I bet there are a lot of people looking for naive wannabe exploiters out there. As you can see in these screenshots, it has the ability to encrypt HTML pages, or parts of a page, and to take precautions against curious folks trying to figure out more about the page in question, which makes me wonder how well malicious HTML detection would perform against it, if it performs at all.
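As an added example tied to that question (my own code, not the kit's and not any vendor's detection engine), here is the kind of static heuristic a "malicious HTML" scanner can apply without executing the page: pull out the <script> bodies, look for decode-and-execute calls and for the referrer, location and frame checks the screenshots advertise, and measure how much of the script is escaped bytes or one long high-entropy literal. Both pages fed to it are constructed here; the indicator names, weights and thresholds are assumptions of this example, and the obfuscated page imitates the "encrypted HTML" idea with a percent-escaped document.write rather than the kit's actual encoding, which the post does not reproduce.

```python
import math
import re
from html.parser import HTMLParser


class ScriptExtractor(HTMLParser):
    """Collect the text of every <script> element in the page."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


# Indicator regexes and weights: assumed for this example, not a vendor's rule set.
INDICATORS = {
    "decode_and_exec": (re.compile(r"\b(eval|unescape|String\.fromCharCode|document\.write)\s*\("), 1),
    "referrer_lock": (re.compile(r"document\.referrer"), 1),
    "location_lock": (re.compile(r"location\.(hostname|host|href)\s*[!=]="), 1),
    "frame_kill": (re.compile(r"top\s*!=\s*self|top\.location\s*="), 1),
}
ESCAPE_SEQ = re.compile(r"%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")
STRING_LITERAL = re.compile(r"(['\"])(.*?)\1", re.S)


def shannon_entropy(s):
    """Bits per character: a base64-like blob sits well above 4.5, prose below."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_html(html):
    """Return (score, findings) for one page; a score of 0 means nothing fired."""
    parser = ScriptExtractor()
    parser.feed(html)
    parser.close()
    score, findings = 0, []
    for script in parser.scripts:
        for name, (rx, weight) in INDICATORS.items():
            if rx.search(script):
                findings.append(name)
                score += weight
        # Escaped-byte density: each %XX or \xXX covers 3+ chars of script text,
        # so escapes * 3 >= len // 2 means at least half the script is encoded bytes.
        escapes = len(ESCAPE_SEQ.findall(script))
        if escapes >= 50 and escapes * 3 >= len(script) // 2:
            findings.append("escape_density")
            score += 2
        literals = [body for _, body in STRING_LITERAL.findall(script)]
        longest = max(literals, key=len, default="")
        if len(longest) >= 200 and shannon_entropy(longest) >= 4.5:
            findings.append("high_entropy_literal")
            score += 2
    return score, findings


def percent_escape(s):
    """Encode every character as %XX, the way escape()-style obfuscators do."""
    return "".join("%%%02X" % ord(c) for c in s)


# Constructed pages. The hidden payload is a harmless placeholder iframe pointing
# at a reserved .invalid name; the three locks mirror the options listed above.
HIDDEN_PAYLOAD = ('<iframe src="http://example.invalid/x.html" width="1" height="1">'
                  '</iframe>') * 4

OBFUSCATED_PAGE = """<html><body>
<script>
if (document.referrer.indexOf("example.invalid") == -1) { }
if (location.hostname != "example.invalid") { }
if (top != self) { top.location = self.location; }
document.write(unescape("__BLOB__"));
</script>
</body></html>""".replace("__BLOB__", percent_escape(HIDDEN_PAYLOAD))

BENIGN_PAGE = """<html><body>
<script>
function show(id) { document.getElementById(id).style.display = "block"; }
</script>
<p onclick="show('more')">Court records index</p>
</body></html>"""

if __name__ == "__main__":
    print("benign:    ", score_html(BENIGN_PAGE))
    print("obfuscated:", score_html(OBFUSCATED_PAGE))
```

Against the benign page the score is zero; against the obfuscated one the decode call and all three locks fire and so does the escape density, while the entropy test stays quiet because percent-escaped text only draws on seventeen symbols. That is the honest answer to the question above: static heuristics of this kind catch the wrapper, not the payload, and they flag legitimate packers and minified scripts on the same evidence, so a scanner that wants to see the actual exploit has to decode or emulate the script, which is exactly what the "precautions for curious folks" are there to frustrate.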

What's the outcome? Script kiddies with attitude are basically compiling toolsets of old exploits and building all-in-one malware kits. As you can even see, they are lazy enough not to keep an eye on the detection status of their kit, a sign of a "growing" business for sure, yet the "underground" seems to ph34r going to the Opera, so take note.

I recently came across a great article, "The Return of the Web Mob", where you can find more details on the topic as well, such as:

"'I saw one case where an undetectable Trojan was offered for sale and the buyers were debating whether it was worth the price. They were doing competitive testing to ensure it actually worked as advertised,' said Jim Melnick, a member of Dunham's team."

"In November 2005, Mashevsky discovered an attempt to hijack a botnet. [The] network of infected computers changed hands three times in one day. 'Criminals have realized that it is much simpler to obtain already-infected resources than to maintain their own botnets, or to spend money on buying parts of botnets which are already in use,' he said."

"Dunham, who frequently briefs upper levels of federal cyber-security authorities on emerging threats, said there have been cases in Russia where mafia-style physical torture has been used to recruit hackers. 'If you become a known hacker and you start to cut into their profits, they'll come to your house, take you away and beat you to a pulp until you back off or join them. There have been documented cases of this,' Dunham said."

While doing some recent research across the Russian and the Chinese domains, I came to the conclusion that every local scene has its own underground, and that those which go as public as some do are, at the bottom line, the ones making the headlines. However, Chinese users, being collectivists, are still at the heroic stage of cyber dissidents slowly turning into wannabe hackers, and they have a chain of command, so to speak, that I can argue is more powerful than the supposedly "well organized" ones in Russia, whose members are individualists. There are even marketing campaigns going on in the form of surveys, trying to measure the bargaining point for 0day vulnerabilities, I guess. This one says:



How much would you be willing to pay for an exploit?
$100-300
$300-500
$500-1000
over $1000
we write our own exploits :D
I get them for free

and offers trying to add even more value to the purchase by throwing in an SMS flooder for free if you buy the exploit. I mean, if you start thinking logically, bypassing the current intermediaries and their moody programs in favour of a one-to-one communication model with a possible buyer -- the entire idea behind disintermediation -- is the method of choice. Have 0days turned into an uncontrolled commodity that has to be somehow, at least, coordinated?!

In my recent Future Trends of Malware research, I mentioned how open-source malware would inevitably dominate, and how the concept will put even more pressure on AV vendors to figure out how to protect from unknown malicious code -- proactively. What I came across were customer-centric malware propositions: special features that increase or decrease the final price; botnet sources for free download, or for purchase if modifications are made; free advice coming with the purchase; on-demand vulnerabilities; spamming or spam-harvesting services on demand; price comparisons for malware samples; rootkit-enabled pieces of malware, which indeed show a growing trend; and DDoS on demand services, usually proposed with a 30-minute service "demo".

Bot sources are also annoyingly available at the click of a button, as I verified over 20 working links with archives averaging 75MB.

Popular ones :
urxbot, spybot, sdbot, rxbot, rbot, phatbot, litmus, gtbot, forbot, evilbot, darkirc, agobot, jbot, microbot, blueyebot, icebot, q8bot, happybot, htmlinfectbot, gsys, epicbot, darkbot, r00fuz, panicattack

Who's to blame? It's not Russia for sure, and if it were, it would mostly have to do with the enforcement of current laws; yet the global media tends to stereotype in order to efficiently meet deadlines, instead of figuring out what is going on at the bottom line. When the U.S. sees attacks coming from Chinese networks, it doesn't mean it's Chinese hackers attacking the U.S.; it could be that sick North Korean ones are trying to increase tensions by spoofing their identities. Moreover, as I've mentioned, it is logical to conclude that there are "undergrounds" on a national level; for instance, for the last couple of years there's been a steady growth of defacements and phishing attacks from Brazil, Turkey, and of course China, yet I rarely come across anything but a "mention Russia and get over it" attitude.

With respect to the Chinese "underground", according to a report that is not to be disclosed (and so I won't, as it's fully loaded with impressive information), back in 2002 the Chinese underground used to aggressively attack U.S. government and military targets while drinking Coke from a McDonald's-themed Coke glass :) courtesy of the China Eagle Union themselves. Their actions in coordination with the Honker Union of China, for instance, played a crucial role in active hacktivism and continue to play it even today.


Like it or not, the average script kiddie, or should we say sophisticated Generation Y teenager, is far better informed, and obviously a seller of malicious services such as DDoS and malware on demand, than was the case years ago. I feel it's not their knowledge that's increasing, but the number of connected computers with security-illiterate users aiming to put themselves in a "stealth mode" while online in order not to get hacked, or as a friend put it, running in root mode and hiding behind firewalls -- ah, the end user.

You can digitally fingerprint a piece of malicious code when you have it, that's normal, but what happens when you don't? Can you fight the concepts themselves? Ken Dunham's comments on "mafia-style physical torture" are the reflection of people naming their malware MyDoom and begging for botnets, if you take the time to go through the quotes from Ancheta's case.

Don't ph34r the teenagers, ph34r their immaturity, and ongoing recruitment practices by the Mafia itself.

Monday, April 24, 2006

25 ways to distinguish yourself -- and be happy?

Totally outside the security world, yet very relevant inspirational tips for all readers feeling down, or looking for more sources of self-esteem. I've always believed that among the most important key factors for leadership is the ability to know yourself, and to understand the time dimension of failure -- it's just a temporary event whenever it happens to occur. I also often debate the pros and cons of corporate citizenship with friends, and try to emphasize the mobility of today's workforce -- at least the way I see it. Is there any use for such an approach these days, and how should an enterprise go about attracting and retaining its most valuable HR assets? Does the individual really count at the bottom line?



I think assets with attitude are the most valuable ones, given they never stop developing themselves. Going back to this very positive "manifesto", the "You don't have to motivate me, just stop demotivating me" type of attitude is what you can greatly enjoy in these tips. Extremely well written key points, especially "being part of the commodity crowd erodes your value", so true. These get updated all the time, so add them to your own unique ways of distinguishing yourself -- and being happy? :)



01. Care as if it's your own
02. Do your daily work with passion
03. Build strong relationships
04. Dream big!
05. Set the right expectations
06. Ask for help
07. Celebrate small victories
08. Set higher standards
09. Know your values
10. Pursue right memberships
11. Help people help themselves
12. Be a reader
13. Plan by outcomes
14. Think long-term
15. Embrace uncertainty with ease
16. Ask the right questions
17. Engage with a coach
18. Be relevant
19. Get back on your feet fast!
20. Lead a volunteer effort
21. Balance innovation and continuous improvement
22. Learn to sell -- your skills, not your soul or at least not on parts
23. Learn systems thinking
24. Walk away from free
25. Influence the influencers

Why's that radar screen not blinking over there?

Two days ago, the Russian News & Information Agency, Novosti, reported on how "Russian bombers flew undetected across Arctic". More from the article:



"Russian military planes flew undetected through the U.S. zone of the Arctic Ocean to Canada during recent military exercises, a senior Air Force commander said Saturday. The commander of the country's long-range strategic bombers, Lieutenant General Igor Khvorov, said the U.S. Air Force is now investigating why its military was unable to detect the Russian bombers. 'They were unable to detect the planes either with radars or visually,' he said."



SpaceWar.com and several other sites/agencies also picked up the story; still, its truthfulness, the lack of coverage aside, can always be questioned, as "by the end of the year, two more Tu-160s will be commissioned for the long-range strategic bomber fleet, Khvorov said." So, while I agree with him on the visual confirmation issue, such an achievement is a hell of an incentive for commissioning more planes, isn't it? Moreover, should what used to be the world's largest radar, the Over-The-Horizon Backscatter radar, have been scrapped given Iran's (and not only Iran's) nuclear ambitions, or would the ongoing space warfare doctrine be the logical successor here?



Let's, for instance, assume it actually happened, and take the reverse approach: it actually happened in Russia too, back in 1987, and it wasn't a senior air force commander who did it, if he did, but 19-year-old Mathias Rust, who landed on Red Square itself.



More details will follow for sure, so stay tuned, meanwhile take a look at Google Earth's Community spot link on Mathias's landing.



UPDATE
Nice article on the topic, and a great quote as well "Scanning containers full of sneakers for a 'nuke in a box' is not a really thoughtful thing."


