I feel that, in response to the recent event of how the WMF vulnerability got purchased/sold for $4000 (an interesting timeframe as well), iDefense are actively working on strengthening their market positioning - that is the maintain their pioneering position as a perhaps the first company to start paying vulnerability researchers for their discoveries.
The company recently offered $10,000 for the submission or a vulnerability that gets categorized as critical in any of Microsoft's Security Bulletins. In the long-term, would vulnerability researchers be able to handle the pressure put on them through such financial incentives, and keep their clear vision instead of sell their souls/skills? What if someone naturally offers more, would money be the incentive that can truly close the deal, and is it just me realizing how bad is it to commercialize the not so mature vuln research market, namely how this would leak all of its current weaknesses?
Consider going through some of my previous thoughts on the emerging market for software/0day vulnerabilities as well and stay tuned for another recent discovery a dude tipped me on, thanks as a matter of fact!
Technorati tags:
idefense, vulnerabilities
Friday, February 17, 2006
How to win 10,000 bucks until the end of March?
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Thursday, February 16, 2006
The end of passwords - for sure, but when?
My first blog post "How to create better passwords - why bother?!" back in December, 2005, tried to briefly summarize my thoughts and comments I've been making on the most commonly accepted way of identifying yourself - passwords.
Bill Gates did a commentary on the issue, note where, at the RSA Conference, perhaps the company that's most actively building awareness on the potential/need for two-factor authentication, or anything else but using static passwords for various access control purposes. Moreover, it was again Bill Gates who wanted to integrate the Belgian eID card with MSN Messenger (Anonymity or Privacy on the Internet?) Microsoft are always reinventing the wheel, be it with antivirus, or their Passport service, and while they have the financial obligations to any of their stakeholders, I feel it's a wrong approach on the majority of occasions.
What I wonder is, are they forgetting the fact that over 95% of the PCs out there, run Microsoft Windows, and not Vista, and how many would continue to do so polluting the Internet at the bottom line. My point is that MS's constant rush towards "the next big thing" doesn't actually provides them with the resources to tackle some of the current problems, at least in a timely manner. What do you think? What could Microsoft do to actually influence the acceptance of two-factor authentication, and moreover, how feasible is the concept at the bottom line?
Technorati tags :
security, microsoft, authentication, passwords
Bill Gates did a commentary on the issue, note where, at the RSA Conference, perhaps the company that's most actively building awareness on the potential/need for two-factor authentication, or anything else but using static passwords for various access control purposes. Moreover, it was again Bill Gates who wanted to integrate the Belgian eID card with MSN Messenger (Anonymity or Privacy on the Internet?) Microsoft are always reinventing the wheel, be it with antivirus, or their Passport service, and while they have the financial obligations to any of their stakeholders, I feel it's a wrong approach on the majority of occasions.
What I wonder is, are they forgetting the fact that over 95% of the PCs out there, run Microsoft Windows, and not Vista, and how many would continue to do so polluting the Internet at the bottom line. My point is that MS's constant rush towards "the next big thing" doesn't actually provides them with the resources to tackle some of the current problems, at least in a timely manner. What do you think? What could Microsoft do to actually influence the acceptance of two-factor authentication, and moreover, how feasible is the concept at the bottom line?
Technorati tags :
security, microsoft, authentication, passwords
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Wednesday, February 15, 2006
A timeframe on the purchased/sold WMF vulnerability
The WMF vulnerability and how it got purchased/sold for $4000 was a major event during January, at least for me as for quite some time the industry was in the twilight zone by not going through a recently released report. But does this fact matters next to figuring out how to safeguard the security of your network/PC given the time it took the vendor to first, realize that it's real, than to actually patch it? Something else that made me an impression is that compared to the media articles and my post, was I the only one interested in who bought, instead of who sold it?
So here's a short timeframe on how it made it to to the mainstream media :
January 27 - Kaspersky are the first to mention the "purchase" in their research
January 30 I've started blowing the whistle and friends picked it up (even the guy that got so upset about it!)
January 31 Meanwhile, someone eventually breached AMD's forums and started infecting its visitors!
February 2 Microsoft Switzerland's Security blog featured it
February 2 LinuxSecurity.com republished it
February 2 DSLReports.com picked it up
February 2 Appeared at Slashdot
February 3 OSIS.gov(an unclassified network serving the intelligence community with open source intelligence) picked it up :)
What's the conclusion? Take your time and read the reports thoroughly, cheer Kaspersky's team for their research? For sure, but keep an eye on the Blogosphere as well!
Technorati tags :
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Detecting intruders and where to look for
CERT, just released their "Windows Intruder Detection Checklist" from the article :
"This document outlines suggested steps for determining whether your Windows system has been compromised. System administrators can use this information to look for several types of break-ins. We also encourage you to review all sections of this document and modify your systems to address potential weaknesses."
I find it a well summarized checklist, perhaps the first thing that I looked up when going through it was the rootkits section given the topic. It does provide links to free tools, but I feel they could have extended to topic a little bit. Overall, consider going through it. Another checklist I recently came across is the "11 things to do after a hack" and another quick summary on "10 threats you probably didn't make plans for".
Rootkits are gaining popularity, and with a reason -- it takes more efforts to infect new victims instead of keeping the current ones, at least from the way I see it. In one of my previous post "Personal Data Security Breaches - 2000/2005" I mentioned about a rootkit placed on a server at the University of Connecticut on October 26, 2003, but wasn't detected until July 20, 2005, enough for auditing, detecting attackers and forensics? Well, not exactly, still something else worth mentioning is the interaction between auditing, rootkits and forensics. There's also been another reported event of using rootkit technologies for DRM(Digital Right Management) purposes, not on CDs, but DVDs this time, so it's not enough that malware authors are utilizing the rootkit concept, but flawed approaches from companies where we purchase our CDs and DVDs from, are resulting in more threats to deal with!
Check CERT's "Windows Intruder Detection Checklist" and if interested, also go though the following resources on rootkits and digital forensics :
Windows rootkits of 2005, part one
Windows rootkits of 2005, part two
Windows rootkits of 2005, part three
Malware Profiling and Rootkit Detection on Windows
Timing Rootkits
Shadow Walker - Raising The Bar For Windows Rootkit Detection - slides
When Malware Meets Rootkits
Leave no trace - book excerpt
Database Rootkits
Rootkits and how to combat them
Rootkits Analysis and Detection
Concepts for the Stealth Windows Rootkit
Avoiding Windows Rootkit Detection
Checking Microsoft Windows Systems for Signs of Compromise
Implementing and Detecting Implementing and Detecting an ACPI BIOS Rootkit
Host-based Intrusion Detection Systems
Forensics Tools and Processes for Windows XP Clients
F.I.R.E - Forensic and Incident Response Environment Bootable CD
Forensic Acquisition Utilities
FCCU GNU/Linux Forensic Bootable CD 10.0
iPod Forensics :)
Forensics of a Windows system
First Responders Guide to Computer Forensics
Computer Forensics for Lawyers
Technorati tags:
security, information security, forensics, rootkit, security breach, CERT
"This document outlines suggested steps for determining whether your Windows system has been compromised. System administrators can use this information to look for several types of break-ins. We also encourage you to review all sections of this document and modify your systems to address potential weaknesses."
I find it a well summarized checklist, perhaps the first thing that I looked up when going through it was the rootkits section given the topic. It does provide links to free tools, but I feel they could have extended to topic a little bit. Overall, consider going through it. Another checklist I recently came across is the "11 things to do after a hack" and another quick summary on "10 threats you probably didn't make plans for".
Rootkits are gaining popularity, and with a reason -- it takes more efforts to infect new victims instead of keeping the current ones, at least from the way I see it. In one of my previous post "Personal Data Security Breaches - 2000/2005" I mentioned about a rootkit placed on a server at the University of Connecticut on October 26, 2003, but wasn't detected until July 20, 2005, enough for auditing, detecting attackers and forensics? Well, not exactly, still something else worth mentioning is the interaction between auditing, rootkits and forensics. There's also been another reported event of using rootkit technologies for DRM(Digital Right Management) purposes, not on CDs, but DVDs this time, so it's not enough that malware authors are utilizing the rootkit concept, but flawed approaches from companies where we purchase our CDs and DVDs from, are resulting in more threats to deal with!
Check CERT's "Windows Intruder Detection Checklist" and if interested, also go though the following resources on rootkits and digital forensics :
Windows rootkits of 2005, part one
Windows rootkits of 2005, part two
Windows rootkits of 2005, part three
Malware Profiling and Rootkit Detection on Windows
Timing Rootkits
Shadow Walker - Raising The Bar For Windows Rootkit Detection - slides
When Malware Meets Rootkits
Leave no trace - book excerpt
Database Rootkits
Rootkits and how to combat them
Rootkits Analysis and Detection
Concepts for the Stealth Windows Rootkit
Avoiding Windows Rootkit Detection
Checking Microsoft Windows Systems for Signs of Compromise
Implementing and Detecting Implementing and Detecting an ACPI BIOS Rootkit
Host-based Intrusion Detection Systems
Forensics Tools and Processes for Windows XP Clients
F.I.R.E - Forensic and Incident Response Environment Bootable CD
Forensic Acquisition Utilities
FCCU GNU/Linux Forensic Bootable CD 10.0
iPod Forensics :)
Forensics of a Windows system
First Responders Guide to Computer Forensics
Computer Forensics for Lawyers
Technorati tags:
security, information security, forensics, rootkit, security breach, CERT
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Tuesday, February 14, 2006
Look who's gonna cash for evaluating the maliciousness of the Web?
Two days ago, SecurityFocus ran an article "Startup tries to spin a safer Web" introducing SiteAdvisor :
"A group of graduates from the Massachusetts Institute of Technology (MIT) aim to change that by crawling the Web with hundreds, and soon thousands, of virtual computers that detect which Web sites attempt to download software to a visitor's computer and whether giving out an e-mail address during registration can lead to an avalanche of spam.
The goal is to create a service that lets the average Internet user know what a Web site actually does with any information collected or what a download will do to a computer, Tom Pinckney, vice president of engineering and co-founder of the start-up SiteAdvisor, said during a presentation at the CodeCon conference here."
The concept is simply amazing, and while it's been around for ages, it stills needs more acceptance from decision makers that tend to stereotype on perimeter and antivirus defense only. Let's start from the basics, it is my opinion that users do more surfing than downloading, that is, the Web and its insecurities represent a greater threat than users receiving malware in their mailboxes or IMs. And not that they don't receive any, but I see a major shift towards URL droppers, and while defacement groups are more than willing to share these with phishers etc., a URL dropper is easily getting replaced by an IP one, so you end up having infected PCs infecting others through hosting and distributing the malware, so sneaky, isn't it? My point is that initiatives such as crawling the web for malicious sites, listing, categorizing and updating their status is a great, both security, and business sound opportunity. The way you know the bad neighbourhoods around your town, in that very same way you need a visualization to assist in research, or act as a security measure, and while its hard to map the Web and keep it up to date, I find the idea great!
So what is SiteAdvisor up to? Another build-to-flip startup? I doubt so as I can almost feel the smell of quality entrepreneurship from MIT's graduates, of course, given they assign a CEO with business background :) APIs, plugins, already tested the majority of popular sites according to them, and it's for free, at least to the average Internet user who's virtual "word of mouth" will help this project get the scale and popularity necessary to see it licensed and included within current security solutions. They simply cannot test the entire Web, and I feel the shouldn't even set it as an objective, instead map the most trafficked web sites or do so on-the-fly with the top 20 results from Google. I wonder how are downloads tested, are they run through VirusTotal for instance, and how significant could a "push" approach from the end users, thus submitting direct links to malicious files found within to domain for automatic analysis, sound in here?
I think the usefulness of their idea could only be achieved with the cooperation/acquisition of a leading search engine, my point is that some of the project's downsizes are the lack of on-the-fly ability(that would be like v2.0 and a major breakthrough in respect to performance), how it's lacking the resources to catch up with Google on the known web (25,270,000,000 according to them recently), how IP droppers instead of URL based ones totally ruin the idea in real-life situations(it takes more efforts to register and maintain a domain, compared to using a zombie host's capabilities to do the same, doesn't it?)
In one of my previous posts on why you should aim higher than antivirus signatures protection only I mentioned some of my ideas on "Is client side sandboxing an alternative as well, could and would a customer agree to act as a sandbox compared to the current(if any!) contribution of forwarding a suspicious sample? Would v2.0 constitute of a collective automated web petrol in a PC's "spare time"?
Crawling for malicious content and making sense of the approaches used in order to provide an effective solutions is very exciting topic. As a matter of fact in one of my previous posts "What search engines know, or may find about us?" I mentioned about the existence of a project to mine the Web for terrorist sites dating back to 2001. And I'm curious on its progress in respect to the current threat of Cyberterrorism, I feel both, crawling for malicious content and terrorist propaganda have a lot in common. Find the bad neighbourhoods, and have your spiders do whatever you instruct them to do, but I still feel quality and in-depth overview would inevitably be sacrificed for automation.
What do you think is its potential of web crawling for malicious content, and by malicious I also include harmful in respect to Cyberterrorism PSYOPS (I once came across a comic PSYOPS worth reading!) techniques that I come across on a daily basis? Feel free to test any site you want, or browse through their catalogue as well.
You can also find more info on the topic, and alternative crawling solutions, projects and Cyberterrorism activities online here :
A Crawler-based Study of Spyware on the Web
Covert Crawling: A Wolf Among Lambs
IP cloaking and competitive intelligence/disinformation
Automated Web Patrol with HoneyMonkeys Finding Web Sites That Exploit Browser Vulnerabilities
The Strider HoneyMonkey Project
STRIDER : A Black-box, State-based Approach to Change and Configuration Management and Support
Webroot's Phileas Malware Crawler
Methoden und Verfahren zur Optimierung der Analyse von Netzstrukturen am Beispiel des AGN-Malware Crawlers (in German)
Jihad Online : Islamic Terrorists and the Internet
Right-wing Extremism on the Internet
Terrorist web sites courtesy of the SITE Institute
The HATE Directory November 2005 update (very rich content!)
Recruitment by Extremist Groups on the Internet
Technorati tags:
security, information security, SiteAdvisor, web crawler, search engine, cyberterrorism
"A group of graduates from the Massachusetts Institute of Technology (MIT) aim to change that by crawling the Web with hundreds, and soon thousands, of virtual computers that detect which Web sites attempt to download software to a visitor's computer and whether giving out an e-mail address during registration can lead to an avalanche of spam.
The goal is to create a service that lets the average Internet user know what a Web site actually does with any information collected or what a download will do to a computer, Tom Pinckney, vice president of engineering and co-founder of the start-up SiteAdvisor, said during a presentation at the CodeCon conference here."
The concept is simply amazing, and while it's been around for ages, it stills needs more acceptance from decision makers that tend to stereotype on perimeter and antivirus defense only. Let's start from the basics, it is my opinion that users do more surfing than downloading, that is, the Web and its insecurities represent a greater threat than users receiving malware in their mailboxes or IMs. And not that they don't receive any, but I see a major shift towards URL droppers, and while defacement groups are more than willing to share these with phishers etc., a URL dropper is easily getting replaced by an IP one, so you end up having infected PCs infecting others through hosting and distributing the malware, so sneaky, isn't it? My point is that initiatives such as crawling the web for malicious sites, listing, categorizing and updating their status is a great, both security, and business sound opportunity. The way you know the bad neighbourhoods around your town, in that very same way you need a visualization to assist in research, or act as a security measure, and while its hard to map the Web and keep it up to date, I find the idea great!
So what is SiteAdvisor up to? Another build-to-flip startup? I doubt so as I can almost feel the smell of quality entrepreneurship from MIT's graduates, of course, given they assign a CEO with business background :) APIs, plugins, already tested the majority of popular sites according to them, and it's for free, at least to the average Internet user who's virtual "word of mouth" will help this project get the scale and popularity necessary to see it licensed and included within current security solutions. They simply cannot test the entire Web, and I feel the shouldn't even set it as an objective, instead map the most trafficked web sites or do so on-the-fly with the top 20 results from Google. I wonder how are downloads tested, are they run through VirusTotal for instance, and how significant could a "push" approach from the end users, thus submitting direct links to malicious files found within to domain for automatic analysis, sound in here?
I think the usefulness of their idea could only be achieved with the cooperation/acquisition of a leading search engine, my point is that some of the project's downsizes are the lack of on-the-fly ability(that would be like v2.0 and a major breakthrough in respect to performance), how it's lacking the resources to catch up with Google on the known web (25,270,000,000 according to them recently), how IP droppers instead of URL based ones totally ruin the idea in real-life situations(it takes more efforts to register and maintain a domain, compared to using a zombie host's capabilities to do the same, doesn't it?)
In one of my previous posts on why you should aim higher than antivirus signatures protection only I mentioned some of my ideas on "Is client side sandboxing an alternative as well, could and would a customer agree to act as a sandbox compared to the current(if any!) contribution of forwarding a suspicious sample? Would v2.0 constitute of a collective automated web petrol in a PC's "spare time"?
Crawling for malicious content and making sense of the approaches used in order to provide an effective solutions is very exciting topic. As a matter of fact in one of my previous posts "What search engines know, or may find about us?" I mentioned about the existence of a project to mine the Web for terrorist sites dating back to 2001. And I'm curious on its progress in respect to the current threat of Cyberterrorism, I feel both, crawling for malicious content and terrorist propaganda have a lot in common. Find the bad neighbourhoods, and have your spiders do whatever you instruct them to do, but I still feel quality and in-depth overview would inevitably be sacrificed for automation.
What do you think is its potential of web crawling for malicious content, and by malicious I also include harmful in respect to Cyberterrorism PSYOPS (I once came across a comic PSYOPS worth reading!) techniques that I come across on a daily basis? Feel free to test any site you want, or browse through their catalogue as well.
You can also find more info on the topic, and alternative crawling solutions, projects and Cyberterrorism activities online here :
A Crawler-based Study of Spyware on the Web
Covert Crawling: A Wolf Among Lambs
IP cloaking and competitive intelligence/disinformation
Automated Web Patrol with HoneyMonkeys Finding Web Sites That Exploit Browser Vulnerabilities
The Strider HoneyMonkey Project
STRIDER : A Black-box, State-based Approach to Change and Configuration Management and Support
Webroot's Phileas Malware Crawler
Methoden und Verfahren zur Optimierung der Analyse von Netzstrukturen am Beispiel des AGN-Malware Crawlers (in German)
Jihad Online : Islamic Terrorists and the Internet
Right-wing Extremism on the Internet
Terrorist web sites courtesy of the SITE Institute
The HATE Directory November 2005 update (very rich content!)
Recruitment by Extremist Groups on the Internet
Technorati tags:
security, information security, SiteAdvisor, web crawler, search engine, cyberterrorism
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Subscribe to:
Posts (Atom)