She Loves Me, She Loves Me Not

I'm in love, with myself at the first place, and while Saint Valentine's meant to reboot a relationship so to speak, every day should be a Saint Valentine's day in a relationship. Do you trip on love? Malware authors always do around the 14th of February.

Quote of the day - No promises, no demands, love is a battlefield -- or drug like addiction? Via Tech_Space.

Emerging DDoS Attack Trends

In a previous post I emphasized on the long-term trend of how DoS attacks have the potential to cause as much damage as a full-scale DDoS attack, and increase their chance of not getting detected while require less resources. Looks like Prolexic Technologies are thinking in the same direction and warning that :

"IT security bosses will have to be increasingly vigilant in 2007 as criminals exploit new ways of ensuring distributed denial of service (DDOS) attacks cause the maximum damage and circumvent filtering technology, according to DDOS protection specialist Prolexic.While there will continue to be large-scale consumption-based attacks this year, attackers have learned that smaller, customised attacks tailored to web servers' application logic can have similar effects but require smaller botnets to generate, according to Prolexic president Keith Laslop."The requests will bring your CPU usage up to 100 percent by doing things like registering as a new customer" he said. "There is a slow frequency of requests so it will not trigger third-party [detection] technology, and intrusion-detection systems are not designed to notice these attacks."

Attacks like these while not conducted by malicious parties, are already happening at Britain's Prime Minister web site, though these should have been anticipated earlier.

As always, assessing risk as if you are a part of a red team provides the best security for your network. Think malicious attackers. If they're able to fingerprint the software running on your boxes and get under the skin of your web applications, a surgical and specifically crafted DoS attack would not only require less resources compared to a DDoS one, but would also make it a little bit harded for incident forensic investigator to react in a timely manner. So while you're preparing for a constant Gbytes stream, attackers will shift tactics.

Here's more info on the recent -- totally futile -- attempt to attack the root domain servers.

Gender Based Censorship in the News Media

Great perspective. The author Dr. Agnes Callamard even got the data to prove it. Limiting the freedom of expression for the sake of securing political or economic investments - so realistic. When it comes to gender based censorship, things have greatly changed during the last decade if you keep an eye on Fortune's Most Powerful Women stats. Sexism is so old-fashioned, and diversity among top management has been taking place for a while, moreover, professional oriented women next to the family oriented ones are increasing -- my type -- but then again if all men are alike, and all women too, look for the exceptions. And by the way, since when does age became a benchmark for a quality point of view or a criteria for knowledge, stereotypes keep you -- the baby boomers -- blindly protected, now aren't they? Trouble is, some evolve faster then you'll ever do, because you are your own benchmark in times when opinionated self-starters make an impact on a daily basis. Success is a state of mind, gender doesn't matter and never did :

"In particular, the results of the GMMP 2005 show and ARTICLE 19’s own work confirms that censorship can be the handmaiden of gender-based power, discrimination and inequality and further, that this type of censorship may be exercised via and by the media. This gender-based censorship is comprised of dynamics that are both systematic and selective in nature, explicit and implicit by expression, intentional and unintentional in outcome and both deliberate and thoughtless in impact. It expresses itself in many shapes, colours, and voices. But ultimately, like all other forms of censorship, it alters reality, dis-empowers, controls, renders invisible, and silences."

I'm still sticking to my point that if girls/women didn't hate each other so much, or let's say be less jealous of one another they could rule the world -- they do rule the world as a matter of fact, but compared to posers media whoring on a daily basis, I'm convinced they're the true puppet masters behind the curtains, now aren't they? Just a thought.

Forensic Examination of Terrorists' Hard Drives

During the last year I presented my point of view on the topic in numerous posts, in order to debunk the common misunderstanding of Cyberterrorism as an offensive concept. And while real-time cyber intelligence can save lifes, a historical forensic examination like the this one may act as a case study to further model the behaviour of a terrorists before they strike. Here's a list worth looking up at Archive.org, courtesy of the now deceased Madrid bomber Jamal Ahmidan :

"The below is a list of web sites found to have been visited by Ahmidan or accomplices. The list is not inclusive, but merely represents those sites in the indictment the names of which the author recognized based on close to five years of routine monitoring of jihadist activity online. Quite a few of these sites were likely to have been "under surveillance" during the time when Ahmidan and/or his associates accessed them. Had their IP addresses been reported to Spanish authorities at the time these sites were accessed, and had the authorities in Spain then followed up on such reports, it is entirely reasonable to expect that the Madrid bombing of 11 March 2004 could have been prevented."

Cyberterrorism is so not overhyped, it's just a concept discussed from the wrong angle and that's the myth of terrorists using electronic means for killing people. A terrorists' training camp is considered a military target since it provides them the playground to develop their abilities. Sooner or later, it will feel the heat and dissapear from the face of the Earth, they know it, but don't care mainly because they've already produced and are distributing Spetsnaz type of video training sessions. So abusing information or the information medium itself is much more powerful from their perspective then destroying their means for communication, spread propaganda, and obviously recruit. Real-time open source intelligence and accurate risk assessment of specific situations to prioritize the upcoming threat given the growing Jihadist web, is what should get more attention compared to data retention and data mining.

Meanwhile, in the real world, events across the globe are sometimes reaching the parody stage. Know your enemy, and don't underestimate his motivation.

Overachieving Technology Companies

Great dataset by Forbes - The 25 Fastest-Growing Tech Companies :

"Our selection process: We require at least $25 million in sales, 10% annual sales growth for five consecutive years, profitability over the past 12 months and 10% estimated annual profit growth for the next three to five years. We exclude firms with significant legal problems or other open-ended liabilities and also consider accounting and corporate governance scores from Audit Integrity of Los Angeles in making our final cuts."

Growth has many dimensions, and with any market's cyclical pattern it's important to assess the potential for sustainable long-term growth based on easy to influence market factors, as the balance of power in the tech market can sometimes change very quickly. Being a pioneer doesn't always count as the best alternative, and it's the companies able to differentiate among fads and emerging trends, the ones worth assessing. Diversification in market sectors with higher liquidity such as anti virus and perimeter defense, or making a long-term investment, that is positioning yourself as the default destination for a need that's only emerging for the time being remain rather popular -- and predictable -- strategic business moves. Leadership, vision, and courage matter, but money when it comes to innovation doesn't. Let's discuss several companies worth mentioning whatsoever :

_Google
Don't say cheese, say Google. The company's continuing to please market analysts with steady profits, whose stock ratings bring more investors' cash into the GoogleMachine and with the re-emerging -- this time more mature -- online advertising market bidding for keywords in a world of searching will remain profitable, the question every wonders is - until when? The naysayers, or the ones who couldn't obtain any Google shares constantly talk about several buzz words - decline in online advertising, click fraud, and index poisoning. And despite the fact that Yahoo's web properties may be attracting more traffic than Google's, Google's KISS principle and their vision to set quality search results and up-to-date index of the Web as a core competency in times when the Web is growing faster than ever before, is an incentive for advertisers and users to both trust, and do business with the company. Google may not have a market capitalization as high as Microsoft, but the flow of soft dollars, Google's shares as a fringe benefit and a bargain are winning more respect, attracting quality HR, and if that's not enought, disrupting and making the world a much more transparent place to live in. Now that sounds much better than a company that's always been earning over 50% of its revenues from its oldest products -- that's boring profitability.

_Salesforce.com
The on demand concept in action. Need processing power? Outsource. Need a large snapshot of the Web? Outsource. The very idea of outsourcing a task to someone's that's specializing in the area is a more cost effective way then you'll ever do, is major driving force. Besides all, why create a new CRM system or even advertising system, when there're standardized and already developed and ready to use ones? Salesforce.com is a true case study signalling the trend, and with the company empowering developers to contribute concepts, it's a win-win-win situation for everyone involved. Read more here.

_WebEx Communications
Some Internet services are often taken for granted, and they should be, but the companies that provide these commoditized benefits such as video conferencing, are always in the position to generate steady cash flow. Take WebEx Communications. Video conferencing was supposed to revolutionize the way people communicate and do business. Have you seen a decline in 1st class business travel, or has your company kindly asked you to start video conferencing with potential customers in order to cut costs? Now, who'll do business with a salesforce whose elevator pitch cannot be verified in the elevator in a face-2-face meeting anyway? Trust me, not the type of people you'll feel proud and secure to do business with. It's all about the targeted audience and who'll benefit most from the service in a specific time, and in a specific market cycle. Seems like WebEx are either good at sensing the market, or it's the very nature of the service and the level of brand awareness they've achieved when it comes to online video conferencing.

_Websense
Web filtering was a rather hot market segment couple of years ago when there was much more transparency in the dark corners of the Web. An URL containing information corporate users didn't really needed to be more productive was easy to spot, and the static nature of the Web compared to today's dynamically changing malicious sites was making it easy for the vendor to filter out the bad sites. Real-time evaluation, or sandboxing a site came into play, Web 2.0 "wisdom of crowds" SiteAdvisor started getting acceptance, Scandoo is slowly gaining ground, vendors such as ScanSafe diversifying already. So how is Websense still able to generate such revenue flows? The secret is in their sales force able to not only acquire new customers, but to most importantly retain their major ones, and of course diversification in market sectors such as data theft prevention. And like companies such as Google, Amazon and Ebay, Database as the "Intel Inside" is a major differentiator and can close a lot of deals.

To sum up - don't disrupt in irrelevance.

Receiving Everyone's Financial Statements

Bank institutions around the world - stay tuned for wannabe identity thieves requesting their statements while hoping you'll forward them everyone else's ones, in between. Smells like an over performing intern to me :

"An Aberdeen woman who asked for her bank statement was sent details of 75,000 other customers. Stephanie McLaughlan, 22, was sent the financial details by Halifax Bank of Scotland (HBOS). She received five packages each containing 500 sheets of 30 customers' names, sort codes and account details. HBOS apologised and said it was carrying out an investigation. The Information Commissioner's Office (ICO) said it would probe the "negligence."

Obviously, you can too play the U.S Department of Treasury requesting financial information from the SWIFT, but in this case - unintentionally.

Automated Detection for Patterns of Insecurities

While there're lots of pros and cons to consider when it comes to automated source code scanning, Fortify's pricey automated source code analysis tool has the potential to prevent the most common vulnerabilities while the software's still in the development phrase. Recently, they've added 34 new categories of vulnerabilities to their product :

"Thanks to this effort, Fortify Software continues to lead the industry by identifying over 150 categories of vulnerabilities in software.
The updated Secure Coding Rulepacks include: * Increased breadth: 34 new distinct vulnerability categories. * Enhanced support for .NET: 24 new vulnerability categories and coverage for five new third-party libraries, including the Microsoft Enterprise Library. * Expanded JSP support: Coverage for popular tag libraries, including JSTL and Apache Struts, for enhanced protection from cross-site scripting and SQL injection attacks. * Detection of persistent Cross-Site Scripting vulnerabilities: Fortify SCA now detects one of the most common and difficult to identify forms of cross-site scripting, which occurs when malicious data from an attacker is stored in a database and later included in dynamic content sent to a victim."

But how come small to middle size application vendors aren't really considering the use of such automated scanning tools? Overempowerment and trust in their developers' abilities? Not at all. The problem is the lack of incentives for them to do so, but what they're missing is a flow of soft dollars -- a PR boost -- if they were to communicate the efforts undertaken to ship their products audited, and hopefully, products free of brain-damaging bugs.

In respect to the relatively immature market segment for software auditing, Fortify is perfectly positioned to even start fuzzing applications for their customers enjoying their almost pioneer advantage. Or even better, perhaps their customers should consider the concept for themselves. All rest is the endless full disclosure debate, researchers pushing for accountability, and vendors -- legally -- thinking they're on war with them, fighting back however they can. You may also find a related post on how prevalence of XSS vulnerabilities by Michael Sutton informative, and the following posts worth the read as well.

The bottom line question - Can Source Code Auditing Software Identify Common Vulnerabilities? It sure can, but never let a scanner do a developer's job or forward secure coding practices to a third-party.

Interactivity by Default

Proud to be operating in a Web 2.0 world, I'm continuing to integrate features to make the reading of this blog more interactive, less time consuming, and much more easy to navigate. After del.icio.us and TalkR, here comes Snap :

"Snap Preview Anywhere enables anyone visiting your site to get a glimpse of what other sites you're linking to, without having to leave your site. By rolling over any link, the user gets a visual preview of the site without having to go there, thus eliminating wasted "trips" to linked sites."

Enjoy!

Attack of the Biting UAVs

Remotely controlled unmanned aerial vehicles have been shifting usability from defensive(reconnaissance) to offensive(weapons payload) for the last several years. Working prototypes in the shadows of secrecy reaching yet another long-range flight milestone are setting up the foundations for a different kind of warfare. And while the concept has the potential of saving lifes, and of course taking some while protecting the pilot, it will take several more years before fleets of drones are fully capable of integrating their benefits in the NCW field.
Here's an in-depth article on the evolution of UAVs to UCAVS :

"Robotic air vehicles are beginning to replace some of the Air Force’s manned combat aircraft. Soon, they will be handling a major share of the service’s strike mission. The first steps in this transition already have been taken in the field of fighter-class aircraft. Classified projects now in development seem sure to cut into the manned medium and heavy bomber roles, as well. The Predator MQ-1 is leading this transition. A familiar feature of Air Force combat operations for more than a dozen years, the spindly Predator has evolved dramatically. It is no longer simply a loitering “eye in the sky” but rather a versatile weapon system capable of destroying a couple of ground targets on its own or in collaboration with other aircraft. It is in great demand, and the Air Force is acquiring Predators as fast as it can absorb them. Now in early production is a souped-up version of the Predator, the MQ-9 Reaper. Its combat payload—missiles and bombs carried on underwing hardpoints—roughly equals that of an F-16 fighter. In the Reaper, the Air Force has found a craft that truly combines the powers of a potent strike fighter with the capabilities of a reconnaissance drone."

You may also be curious on why the U.S Department of Agriculture is interested in buying some the way I am -- perhaps a sci-fi insects invasion. What would the next logical evolution of UCAVs be? That's UCAVs capable of electronic warfare attacks, and with their flight durability and flexibility of operation, the idea will receive more acceptance as the technology matures. There's also something else to keep in mind, and that's the interest and active research of various terrorist organizations in UAVs. And while they wouldn't sacrifice $7M for a drone, even be able to get hold of one -- unless Iran supplies -- cheap alternatives such as the Spy X plane are already taken into consideration, at least for reconnaissance purposes. Yes they're cheap, and yes they're easy to jam, you can even hear them coming, but the trend is worth mentioning.

The TalkRization of My Blog

The service is quite intuitive for a free one, and I must say I never actually got the time to run a podcast on my one, so TalkR seems like the perfect choice for those of you -- including me -- who want to listen to my blog posts. Here's the TalkR feed URL for you to syndicate, and several samples :

- Social Engineering and Malware
- The Life of a Security Threat
- Russia's Lawful Interception of Internet Communications
- Foreign Intelligence Services and U.S Technology Espionage
- Technical Analysis of the Skype Trojan
- Old Media VS New Media

By the way, when was the last time you met a girl who speaks stuff like this?

Old Media VS New Media

The never ending war of corporate interests between the old and the new media, seems to be re-emerging on a weekly basis. Obviously, newspapers don't really like Google picking up their content and making money without giving them any commissions -- they don't even have to -- and with more shortsighted local newspaper unions asking Google and Yahoo! to stop doing so, I'm so looking forward for the moment in the near future when we'll be discussing their will to get crawled again. You fear what you don't understand, and the old media doesn't like the way it got re-intermediated, thus losing its overhyped content generation exclusiveness. In a Web 2.0 world, everyone generates content, which later on gets mixed, re-mixed, syndicated and aggregated, what if newspapers really tried to adapt instead of denying the future? And isn't it ironic that the newspapers that want to be removed from any search engine's index, are later on using these search engines while investigating for their stories?

Here's a lengthy comment I recently made on the old media vs the new one.

PR Storm

Great to see that Mike Rothman and Bill Brenner know how to read between the lines. Here's a related point of view on the Storm Worm - Why do users still receive attachments they are not supposed to click on?

Meanwhile, Eric Lubow (Guardian Digital, Linuxsecurity.com) have recently joined the security blogosphere and I'll be keeping an eye on his blog for sure -- hope it's mutual. Two more rather fresh blogs worth reading are ITsecurity.com's one -- how's it going Kev -- and Panda Software's blog. And with PandaLabs now blogging, the number of anti virus vendors without a blog, namely still living in the press release world is getting smaller. I remember the last time I was responsible for writing press releases for a vendor I'd rather not associate myself with, and how Web 1.0 the whole practice was. If you really want to evolve from branding to communicating value, hire a blogger that's anticipating corporate citizenship given he's commissioned, and reboot your PR channels.

Clustering Phishing Attacks

Clustering a phishing attack to get an in-depth and complete view on the inner workings of a major phishing outbreak or a specific campaign only - that's just among the many other applications of the InternetPerils. Backed up with neat visualization features, taking a layered approach, thus, make it easier for analysts do their jobs faster, its capabilities are already scoring points in the information security industry :

"InternetPerils has discovered that those phishing servers cluster, and infest ISPs at the same locations for weeks or months. Here's an example of a phishing cluster in Germany, ever-changing yet persistent for four months, according to path data collected and processed by InternetPerils, using phishing server addresses from the Anti-Phishing Working Group (APWG) repository. The above animation demonstrates a persistent phishing cluster detected and analyzed by InternetPerils using server addresses from 20 dumps of the APWG repository, the earliest shown 17 May and the latest 20 September. This phishing cluster continues to persist after the dates depicted, and InternetPerils continues to track it."

Here are seven other interesting anti-phishing projects, and a hint to the ISPs who really want to know what their customers are (unknowingly) up to.

Visual Thesaurus on Security

In case you haven't heard of the Thinkmap Visual Thesaurus, it's an "interactive dictionary and thesaurus which creates word maps that blossom with meanings and branch to related words. Its innovative display encourages exploration and learning. You'll understand language in a powerful new way." With its current database size and outstanding usability build into the interface, it has a lot of potential for growth, and I'm sure you'll find out the same if you play with it for a little while.

Testing Anti Virus Software Against Packed Malware

Very interesting idea as packed malware is something rather common these days, and as we've seen the recent use of commercial packers in the "skype trojan" malware authors are definitely aware of the concept. What the authors did was to pack the following malware using 21 different packers/software protectors - Backdoor.Win32.BO_Installer, Email-Worm.Win32.Bagle, Email-Worm.Win32.Menger, Email-Worm.Win32.Naked, Email-Worm.Win32.Swen, Worm.Win32.AimVen, Trojan-PSW.Win32.Avisa, Trojan-Clicker.Win32.Getfound, and scan them with various anti virus software to measure which ones excel at detecting packed malware. What some vendors are best at detecting others doesn't have a clue about, but the more data to back up your personal experience, the better for your decision-making.

Threats of Using Outsourced Software

Self-efficiency in (quality) software programming for security reasons -- yeah, sure :

"The possibility that programmers might hide Trojan horses, trapdoors and other malware inside the code they write is hardly a new concern. But the DSB will say in its report that three forces — the greater complexity of systems, their increased connectivity and the globalization of the software industry — have combined to make the malware threat increasingly acute for the DOD. "This is a very big deal," said Paul Strassmann, a professor at George Mason University in Fairfax, Va., and a former CIO at the Pentagon. "The fundamental issue is that one day, under conditions where we will badly need communications, we will have a denial of service and have billion-dollar weapons unable to function."

The billion-dollar weapons system will be unable to function in case of an ELINT attack, not a software backdoor taking the statistical approach.

There's an important point to keep in mind, during WWII, the U.S attacted Europe's brightest minds who later on set the foundations for the U.S becoming a super power. Still, you cannot expect to produce everything on your own, and even hope of being more efficient in producing a certain product in the way someone who specialized into doing this, can. Start from the basics, what type of OS does your Intelligence angency use in order not to have to build a new one and train everyone to use it efficiently? Say it with me.. Moreover, the sound module in your OS has as a matter of fact already been outsourced to somewhere else, if you try to control the process with security in mind, vendors will cut profit margin sales, as they will have to pay more for the module, will increase prices slowing down innovation. But of course it will give someone a very false feeling of security.

Fears due to outsourced software? Try budgeting with the secondary audits "back home" if truly paranoid and want to remain cost-effective. While it may be logically more suitable to assume "coded back home means greater security and less risk", you'll be totally wrong. All organizations across the world connect using standart protocols, and similar operating systems, making them all vulnerable to a single threats of what represent today's network specific attacks. And no one is re-inventing the OSI model either.

You can also consider another task force, one that will come up with layered disinformation channel tactics when they find out such a backdoor, as detecting one and simply removing it on such systems would be too impulsive to mention.

Who's Who on Information and Network Security in Europe

A very handy summary of Europe's infosec entities and contact details that come as a roadmap for possible partnerships or analyst's research :

"This Directory serves as the “Yellow pages” of Network and Information Security in Europe. As such, it is a powerful tool in everyday life of all European stakeholders and actors in Network and Information Security (NIS). By having access to all contact data and entry points for all European actors in one booklet, available on your desk, the “arm length’s rule” of access to information is becoming concrete. I am confident that this device of compiled Network and Information Security stakeholders, contacts, websites, areas of responsibility/activity of national and European Authorities, including organisations acting in Network Security and Information, serves our mission to enhance the NIS security levels in Europe well."

Compared to China's information security market on which I've blogged in a previous post, Europe's R&D efforts are still largely de-centralized on a country level, but hopefully, with the ongoing initiatives among member states innovation will prevail over bureaucracy.

The Zero Day Vulnerabilities Cash Bubble

The WMF was reportedly sold for $4000, a Vista zero day was available for sale at $50,000, and now private vulnerability brokers claim that they beat both the underground and the current incentive programs, while selling vulnerabilities in between $75,000 - $120,000.

"The co-founder of security group Secure Network Operations Software (SNOSoft), Desautels has claimed to have brokered a number of deals between researchers and private firms--as well as the odd government agency--for information on critical flaws in software. Last week, he bluntly told members of SecurityFocus's BugTraq mailing list and the Full-Disclosure mailing list that he could sell significant flaw research, in many cases, for more than $75,000. "I've seen these exploits sell for as much as $120,000," Desautels told SecurityFocus in an online interview."

But the cash bubble is rather interesting. Zero day vulnerabilities are an over-hyped commodity and paying to get yourself protected from one, means you'll be still exposed to the next one while you could have been dealing with far more risky aspects of protecting your network, or customers. The (legitimate) business model breaks when every vendor starts offering a "bounty" for vulnerabilities while disintermediating the current infomediaries. It would be definitely more cost-effective for them, than improving someone's profit margins. Or they could really reboot their position in this situation by applying some fuzz logic on their own software at the first place.

Attack of the SEO Bots on the .EDU Domain

A university's Internet presence often results in very high pageranks for their site, therefore, if a malicious spammer would like to harness the possibilities of having the spammed message appear among the top 20 search results, he'd figure out a way to post direct http:// links on various .edu domains, especially on the wikis residing there. That's the case with PuppetID : Matias Colins -- of course collins is spelled with one L only --. Matias Colins is an automated attack script that's already hosting hundreds of spam pages on the .edu domain, mostly adult related, and it's worth mentioning that where access to a directory has been in place, the hosted pages blocked caching from any search engine, or hosted one on its own. Redirection is perhaps what the attacker is very interested in too. See how this berkeley.edu link - dream.sims.berkeley.edu/~tdennis/wp-content/animalsex.php - redirects to a site for whatever the page title says, and this is yet another one - oit.pdx.edu/jethrotest/mysqldb.php.

Here are two more examples of another bot using my blog post titles to generate subdomains or the like, and of bots abusing Ebay's reputation system by self-recommending themselves.

Social Engineering and Malware

With all the buzz over the "Storm Worm" -- here's a frontal PR attack among vendors -- it is almost unbelievable how hungry for a ground breaking event, the mainstream media is. And it's not even a worm. If you are to report each and every outbreak not differentiating itself even with a byte from previous "event-based" malware attacks, what follows is a flood of biased speculations -- too much unnecessary attention to current trends and no attention to emerging ones. With pre-defined subjects, static file names, one level based propagation vector, with the need for the end user to OPEN AN .EXE ATTACHMENT FROM AN UNKNOWN SOURCE, and with "the" Full_Movie.exe in 35kb, worldwide scale attacks such as the ones described here, are more of a PR strategy -- malware with multiple propagation vectors has the longest lifecycle, as by diversifying it's improving its chances of penetration. Don't misunderstand me, protecting the end user from himself is a necessity, but overhyping this simple malware doesn't really impress anyone with a decent honeyfarm out there. It doesn't really matter how aggressively it's getting spamed, what matters the ease to filter and enjoying the effective rules you've applied. No signatures needed. As a matter of fact I haven't seen a corporate email environment that's allowing incoming executable files in years, especially anything in between 0-50kb, have you? My point is that, the end user seems to be the target for this attack, since from an attacker's perspective, you have a higher chance of success if you try to infect someone who doesn't really know whether his AV is running, or cannot recall the last time an update was done to at least mitigate the risk of infection. These are the real Spam Kings.

At the beginning of 2006, I discussed the evolving concept of localizing malware attacks :

"By localization of malware, I mean social engineering attacks, use of spelling and grammar free native language catches, IP Geolocation, in both when it comes to future or current segmented attacks/reports on a national, or city level. We are already seeing localization of phishing and have been seeing it in spam for quite some time as well. The “best” phish attack to be achieved in that case would be, to timely respond on a nation-wide event/disaster in the most localized way as possible. If I were to also include intellectual property theft on such level, it would be too paranoid to mention, still relevant I think. Abusing the momentum and localizing the attack to target specific users only, would improve its authenticity. For instance, I’ve come across harvested emails for sale segmented not only on cities in the country involved, but on specific industries as well, that could prove invaluable to a malicious attack, given today’s growth in more targeted attacks, compared to mass ones."

The current "events-based" malware is a good example here. If it were a piece of malware to automatically exploit the targeted PC, then you really have a problem to worry about. Meanwhile, Businessweek is running an interesting article on Why Antivirus Technology Is Ineffective, and stating "white-listing" is the future of malware prevention. Could be, if there wasn't ways to bypass the white-listing technology, or give a "white-listed" application a Second Life -- and of course there are.

In another piece of quality research written by Mike Bond and George Danezis, the authors take us through the temptation stage, monitoring, blackmail, voluntary propagation, involuntary propagation, and present nice taxonomies of rewards and blackmail.

And if you're still looking for fancy stats and data to go through, read this surprisingly well written paper by Microsoft - Behavioural Modelling of Social Engineering-Based Malicious Software. They've managed to spot the most popular patterns - generic conversation, non-english language used, virus alert/software patch required, malware found on your computer, no malware found, account information, mail delivery error, physical attraction, accusatory, current events, and free stuff.

Current events, free stuff, and malware on your computer are the most effective ones from my point of view as they all exploit wise psychological tactics. Current events because the Internet is a major news source and has always been, free stuff, due the myth of "free stuff" on the Internet, and the found malware putting the (gullible) end user in a "oops it was my turn to get a nasty virus" state of mind.

Collected in the Wild

Nothing special, looks like a downloader, tries to connect to *****.cc/getcommand.php?addtodb=1&uid=rtrtrele.CurrentU. to get the payload that's packed and repacked quite often. File length: 2829 bytes. MD5 hash: 2147eb874fefe4e6a90b6ea56e4d629a.

The next one is rather more interesting as it's a registry backdoor, creating a new service and opening up a listening port 5555. File length: 21504 bytes. MD5 hash: 406e3fc8a2f298a151890b3bee9d7b18.

Creates service "msntupd (msntupd)" as "C:\WINDOWS\SYSTEM32\regbd.sys".

Inside an Email Harvester's Configuration File

In previous posts on web application email harvesting, and the distributed email harvesting honeypot, I commented on a relatively less popular threat - the foundation for sending spam and phishing emails, namely collecting publicly available email addresses. The other day I came across an email harvester and decided to comment on its configuration file.

Type of file extensions to look in :
TargetFile=abc;abd;abx;adb;ade;adp;adr;bak;bas;cfg;cgi;cls;
cms;csv;ctl;dbx;dhtm;dsp;
dsw;eml;fdb;frm;hlp;imb;imh;imh;imm;inbox;ldb;ldif;mbx;
mda;mdb;mde;mdw;
mdx;mht;mmf;msg;nab;nch;nfo;nsf;nws;ods;oft;pmr;pp;ppt;
pst;rtf;slk;sln;sql;stm;tbb;tbi;txt;uin;vap;vcf;myd;html;htm;htt;js;
asm;asp;c;cpp;h;doc;ini;jsp;log;mes;php;phtm;pl;
shtml;vbs;xhtml;xls;xml;xml;wsh;

Domains to look in :
TargetDomain=ru;com;net;cz;in;info;uk;fr;by;edu;it;de;ua;pl;nz;am;tv;

As you can see, this one is Europe centric.

Blacklisted usernames and domains :
BlackList=root;info;samples;postmaster;webmaster;noone;nobody;
nothing;anyone;someone;your;you;me;bugs;
rating;site;contact;soft;somebody;privacy;service;help;submit;feste;
gold-certs;the.bat;page;admin;support;ntivi;unix;bsd;linux;listserv;certific;
google;accoun;spm;spam;www;secur;abuse;
.mil;.ftn;@hotmail;@msn;@microsoft;rating@;f-secur;news;update;.gov;@fido;anyone@;bugs@;contract@;feste;gold-certs@;help@;info@;nobody@;noone@;kasp;sopho;@foo;
@iana;free-av;@messagelab;winzip;winrar;samples;abuse;panda;cafee;
spam;pgp;@avp.;noreply;local;root@;postmaster@;
.fidonet;subscribe;faq;@mtu;.mtu;.mgn;.plesk;.sbor;.port;.hoster;
@novgorod;@quarta;.nsk;.talk;.tomsknet;
@suct;.lan;.uni-bielefeld;@ruddy;.msk;@individual;.interdon;
@php;@zend; feedback;.lg;.lnx;@hostel;@relay;
.neolocation; @example;.kirov;.z2;.fido;.tula;
@intercom;@olli;@ozon; @bk;@lipetsk;@ygh;
.eltex;.invention;.intech;@cityline;.kiev;@4ax;
.senergy;@mail.gmail;@butovo;

F-Secure, Kaspersky, MessageLabs, Panda Software and McAfee are taken into consideration, but the best part is that the vendors themselves are visionary enought not to be using domains or email addresses associated with them, for spam and malware traps.

Thankfully, there're many spam poison projects where these crawlers get directed to a huge number of randomly generated email addresses. And while the results are evident, namely they're picking them up and poisoning their databases with non-existent emails it is questionable if that's the best way to fight spam, since the spammers are going to send their message to anyone, even to the non-existent email addresses causing network load. Something else worth mentioning, these email harvesters are starting to pick up [at] and [dot] type of obfuscation too.

Here are some more comments on the Spamonomics I recently made. Spammer's attitude has to do with "Busyness vs Business" factor of productivity mostly, their business model is broken, but they just keep on sending them without knowing it.

The Life of a Security Threat

Eye-catching streaming video courtesy of iDefense. In the past, iDefense got a lot of publicity due to their outstanding cyber intelligence capabilities, and quality reports among which my favorite is the one providing a complete coverage of the China vs U.S cyberwar due to the captured AWACS in case you remember. VeriSign, perhaps the last vendor you would think of, purchased the company with the idea to diversify its portfolio of services and further expand their market propositions, if critical infrastructure is what they manage, an IDS signature when there's no patch available and wouldn't be not even next Patch Tuesday, is invaluable and proactive approach for protecting a company's assets. Recently, iDefense offered another bounty on zero day vulnerabilities in Vista and IE7, but considering that Windows Vista is still not adopted on a large corporate and end user scale the way XP is, therefore a zero day exploit for Windows XP must have a higher valuation then a Windows Vista one. Proving Vista is insecure and iDefense taking the credit for it though, is a strategic business move rather then a move aiming to improve the overal security of their customers -- if only could iDefense purchase all the exploits from Month of the X Bugs initiatives. Moreover, a Vista zero day exploit was available for sale. Feel the hypo-meter about to explode. Think malicious attackers. Would someone pay $50,000 for an exploit of an OS whose adoption by corporate and home users is continuing to sparkle debates, while an IE6 zero days are offered in between $1000-2000?

In the time of blogging, there're numerous zero day vulnerabilities for sale out there, the way this commercialization of vulnerability research directly created the -- thankfully -- stil not centralized underground market for vulnerabilities by adding more value to what's a commodity from my point of view. Here's a complete coverage on how the WMF vulnerability got purchased for $4000 in case you want to deepen your knowledge into the topic.

Security Lifestyle(S)

If Security is a state of mind, then so is brand loyalty.

Head Mounted Surveillance System

It's so cheap and affordable even you can add it to your wish list :

"The new DV ProFusion is a cost effective alternative to the DV Pro. It is a lightweight, mobile, body worn video and audio solution. DV ProFusion has a built in screen allowing for live viewing and instant playback. DV ProFusion is available in either 30GB hard drive capacity, which provides up to 100 hours of video or 100GB offering 450 hours of video, depending on sampling bit rate. DV ProFusion enables the user to keep both hands free whilst recording exactly what they see and hear themselves. DV ProFusion is specifically designed to work with a number of optional accessories, including an extendable pole and additional lens options."

While it's very innovative idea, in five years the current models would look like the brick-size like Motorola cell phones you all know. I like the idea of storing the footage in the device compared to relying via air which makes me think of several scenarios for possible abuse or DoS attacks. In case you haven't heard public CCTV cameras are getting a boost with built-in speakers, so perhaps at a later stage it would come to someone's mind to include a speaker on the other side of the head too. Two clips to see it in action.

Transferring Sensitive Military Technology

Busted :

"China on Tuesday condemned US sanctions imposed last week on three Chinese companies for allegedly selling banned weapons to Iran and Syria, calling the accusations "totally groundless". "We strongly oppose this and demand the US side correct this erroneous action," foreign ministry spokesman Liu Jianchao said at a regular press conference. The Chinese firms are among 24 foreign entities from several countries hit with the sanctions, invoked under the 2005 Iran and Syria Nonproliferation Act."

Follow the connection, the U.S is doing business with the Chinese companies, who leak it to Iran and Syria, who leak it Hezbollah or pretty much everyone at the bottom of the food chain.

More comments - "Foreign Intelligence Services and U.S Technology Espionage" and "Hezbollah's use of Unmanned Aerial Vehicles - UAVs".

Artillery Rockets image courtesy of Globalsecurity.org

It's all About the Vision and the Courage to Execute it

Great article on China's blogging market and the never-ending censorship saga. Meet Fang Xingdong, a banned journalist who decides to beat them by playing their own game, do the math yourself. While heading China's Bokee with 14 million bloggers and more than 10,000 new ones every day, he's appointed only 10 people to monitor the blogs :

"Of course, the authorities did not allow a completely wide-open system. Censorship is still practised, even at Mr. Fang's company. Among his 80 employees are 10 people who comb through the blogs every day, deleting anything deemed to be obscene or politically unacceptable. He hopes that the Chinese blogosphere will become self-regulating. "If it's more orderly, there will be less pressure on us," he says. "I think a blog should have a basic foundation of morality and law. I compare it to a person's home."

If I were in China, I'd register on his network.

Preventing a Massive al-Qaeda Cyber Attack

From the unpragmatic department :

"Colarik proposes "a league of cyber communities." The world's 20 largest economies would sign a treaty vowing to manage their own country's cyber activities. Member states would then deny traffic to any nation that refuses to crack down on cyber terrorists."

No, he really means it, totally forgetting on how a huge percentage of terrorist related web sites are hosted in the U.S. Here's the latest example. It gets even more shortsighted :

"Al-Qaeda also publishes a monthly magazine devoted to cyber-terrorism techniques."

If installing a VMware and PGP Whole Disk Encryption is a cyber-terrorism technique, we're all cyber terrorists without the radical mode of thinking and the Quran on the bookshelf.

Eyes in London's Sky - Surveillance Poster

Alcohol's bad, drugs are bad, surveillance is good for protecting your from the insecurities we made you become paranoid of, and so are head-mounted surveillance cams equipped police officers. Sure, but consider the social implications too. London may be one of the most important business centers in Europe -- next to Frankfurt and Rotterdam -- but I'm so not looking forward to living in what's turning into a synonym for 1984.

Still Living in the Perimeter Defense World

Whereas you'd better break out of the budget-allocation myopia and consider prioritizing your security investments, decreased spending on information security in certain regions means good old-fashioned malware and spam floods for the rest of regions doing it :

"Fewer small- and medium-sized enterprises (SMEs) in Taiwan will increase their spending on information security this year compared with last year, according to a report released Thursday by the Institute for Information Industry's Market Intelligence Center (MIC). The report said that only 12.9 percent of SMEs will increase their information security spending in 2007, compared with 16.2 percent in 2006."

Perimeter defense and host security is like the ABC of security, but since viruses and network attacks are "taken care of" all seems fine -- you wish.

"While more than 90 percent of SMEs have installed anti-virus software and firewall devices, only 11 percent have installed unified threat management products, according to Wang."

And while your organization is multitasking on how to budget with the anyway scarce resources due to legal requirements to do so, or visionary leaders realizing the soft and hard cash losses if you dare to pretend your organization wouldn't get breached into, regions around the world don't have the incentives to do so. If you bring too many people to a party someone always takes a *** in the beer, or so they say. Know when to spend, how much, on what, and is the timing for your investment the right one given the environmental factors of your company. A small size business doesn't really need a honeyfarm unless of course the admin is putting a personal effort in the job.

Data Mining Credit Cards for Child Porn Purchases

22 million customers had the privacy of their credit card purchasing histories breached for the sake of coming up with 322 suspects while looking for transactions to a single child porn web site - ingenious, absolutely ingenious :

"In the case under investigation, police were aware of a child pornography Web site outside of Germany that was attracting users inside the country. And they asked the credit-card companies to conduct a database search narrowed to three criteria: a specific amount of money, a specific time period and a specific receiver account."

I don't want to ruin the effect of the effort here, but why do you still believe child porn is located on the WWW, in the http:// field you're so obsessed with? Is the WWW the only content distribution vector for multimedia files you're aware of? Try the Internet Relay Chat, the concept of Fserve to be precise. Having found the low lifes who buy child porn over the Web is like picturing a pothead as the über-dealer to meet your quotas, namely, efforts like these have absolutely no effect on the overal state of child pornography online. It's the wrong way to fight the war. Put the emphasis on fighting the very production process -- trafficking of children -- not the distribution one.

Insider Sentiments around L.A's Traffic Light System

Rember how the Hollywood Hackers were winning time while heading straight to Grand Central Station in NYC to outsmart the Plague's plan to cause a worldwide ecological disaster and cash in between? In pretty much the same fashion -- without the randomization of traffic lights -- two engineers in between their union's strike seems to have watched the movie too :

"They didn't shut the lights off, city transportation sources said. Rather, the engineers allegedly programmed them so that red lights would be extremely long on the most congested approaches to the intersections, causing gridlock for several days starting Aug. 21, they said."

Whether overal paranoia due to the sensitive nature of the workers' positions and the publicly stated intentions, insider sentiments prevail from my point of view.

Iran Bans Purchase of Foreign Satellite Data

Re-inventing the wheel :

"According to the bill, a copy of which has been sent to all ministries, organizations, state and revolutionary institutions, the purchase of information from foreign sources is deemed against the law. Specialists of the Defense Ministry have currently succeeded in initiating a project for obtaining satellite information online. For the first time in Iran, it is now possible to produce topographic maps, on a scale of 1/10,000, of a specific area for municipal and developmental projects, with the satellite images of very high resolution."

Guess they don't want others to know which locations of their country are still unknown to themselves, but with the bill definitely implemented as a national security measure, and to improve the nation's self-esteem, drop a line if they ever get close to producing such high-resolution image of their Natanz facility on their own.

Russia's Lawful Interception of Internet Communications

Don't fool yourself, they've been doing it for the time being, now they're legalizing it -- working for anything like the EFF in Russia means having the bugs in your place bugged. Citing Cyber-Terrorism Threat, Russia Explores Internet Controls :

"An estimated 20 percent of the Russian population now has access to the Internet. Whereas the Putin administration exerts tight control over the major domestic broadcast and print media, it does not currently restrict the content of Internet sites on a wide scale. Web sites such as Gazeta.ru and Lenta.ru provide many of the articles and commentary that would normally otherwise appear in an opposition press. Several wealthy Russians living in political exile, including Boris Berezovsky and Vladimir Gusinsky, own Russian-language websites that publicize their anti-Putin views to Russian audiences. In August 2006, Russian right-wing extremists used the Internet to coordinate a bomb attack against illegal migrants from Asia."

Give me an excuse for data retention? No, give me another one besides the infamous "if you don't have anything to hide then why worry"? We all have things to hide, and things we don't want others to know, that's still called my privacy, and since when does this became a terrorist activity, or someone's just piggybacking on the overall paranoia created by the thought to be acting as government watchdog, media -- don't be a reporter, be a journalist! Winning the public support in different countries largely relies on the local attitudes towards the key buzzwords - terrorists are using the Net as a "safe heaven", and child pornographers are operating online, while people are unemployed and primitive deceases which should been dealth with years are a second economic priority, next to your first one - fighting your (political campaign) demons, or the (upcoming budget allocation) demons you put so much efforts into making me believe in. Start from the basics, why retain everyone's data, and intercept everyone's communications while forgetting that information is all about interpretation? How come you're assuming -- if you're even considering it -- that such a neatly centralized databases of private information would be protected from insiders, even outsiders which will inevitably be tempted to having access to such a database? A country's intelligence is the government's tool for protecting the national security or beyond, but over-empowering the watchers is so shortsighted, you'd better break through your black'n'white world only and start considering all other colours as equal. Don't slip on your values.

If you sacrifice privacy for security, you don't deserve both of them, and the utopian idea of having a 100% successful law enforcement as the panacea of dealing of crime reminds of a quote I recently find myself repeating very often - make sure what you wish for, so it doesn't actually happen.

Visits to the White House Now Top Secret Information

Informative - White House visitor logs declared top secret :

"The five-page document dated May 17 declares that all entry and exit data on White House visitors belongs to the White House as presidential records rather than to the Secret Service as agency records. Therefore, the agreement states, the material is not subject to public disclosure under the Freedom of Information Act.

In the past, Secret Service logs have revealed the comings and goings of various White House visitors, including Monica Lewinsky during the Clinton administration."

I thought that's always been the case anyway, but it closes a loophole that could result in potentially embarrassing future developments -- or less accountability. Time will show. More info.

Sunday's Portion of Hahaha

While patiently waiting for the future adventures of Monica Furious, I came across a nice collection of cartoons. I'm sure you'll find these two very entertaining - "The Disabled Cookies" and "The Spam Prison".

Web Economy Buzz Words Generator

Whether looking for VC cash, or having a quota to meet being a salesman, some of these may come handy or pretty much make someone's morning.

Here are my favorite:
e-enable integrated mindshare
empower impactful infomediaries
architect compelling ROI
productize 24/7 e-services
recontextualize compelling ROI

Doesn't matter how well you project your success, if you don't have an elevator pitch worth someone's attention span, than you don't know what you're doing, but marely relying on the web economy's state of buzziness -- this is another one. Try some copywriting exercises too.

Four Years of Application Pen Testing Statistics

Invaluable :

"The article presents a unique opportunity to take a peek into the usually secluded data regarding the actual risk posed to Web applications. It shows a constant increase in risk level over the four years and an overwhelming overall percentage of applications susceptible to information theft (over 57%), direct financial damage (over 22%), denial of service (11%) and execution of arbitrary code (over 8%). The article analyzes results of first time penetration tests as well as repeat tests (retests) in order to evaluate the evolution of application security within Web applications over time."

Lots of figures respecting your busy schedule, and the authors' data pointing out how the lack of repeated testing, and the "security as a one time purchase" mentality, actually means a false sense of security. Having a secured web application doesn't mean the end user won't be susceptible to a client side attack, and having a secured end user doesn't mean the web application itself will be secured, ironic, isn't it? Perhaps prioritizing the platforms to be audited, namely the major web properties, could protect the always unaware end user to a certain extend -- from himself. Related comments.

Foreign Intelligence Services and U.S Technology Espionage

Talking about globalization, like it or not, perceive it as a threat to national security or a key economic benefit, it's happening and you cannot stop it. Nothing else will add more long-term value to a business or a military force than innovation, and when it comes to the U.S military's self-efficiency in R&D, it's pretty evident they've managed to achieve the balance and still dictate the rhythm.

The methods used aren't nothing new :

"The report says that foreign spies use a wide variety of techniques, ranging from setting up front companies that make phony business proposals to hacking computers containing information on lasers, missiles and other systems. But the most popular methods of attempting to obtain information was a simple “informational request” (34.2%) and attempts to purchase the information (32.2%). Attempts were also made using personal relationships, searching the Internet, making contacts at conferences and seminars, cultural exchanges."

What's new is the actual report in question - "Technology Collection Trends in the U.S. Defense Industry". OSINT is also an important trends gathering factor, and so is corporate espionage through old-fashioned malware approaches or direct intrusions, and it's great the report is considering the ease of execution on these and the possible network vulnerabilities in the contractors :

"DSS also anticipates an increase in suspicious internet activity against cleared defense contractors. The potential gain from even one successful computer intrusion makes it an attractive, relatively lowrisk, option for any country seeking access to sensitive information stored on U.S. computer networks. The risk to sensitive information on U.S. computer systems will increase as more countries develop capabilities to exploit those systems."

Then again, what's produced by the U.S but cannot be obtained from there, will be from other much more insecure third-party purchasers -- how did Hezbollah got hold of night vision gear? Or even worse, by obtaining the leftovers from a battle conflict for further clues.

The bottom line question - is the illegal transfer of U.S technology threat higher than the indirect leakage of U.S educated students taking their IQ back home, while feeling offended by their inability to make an impact were they a U.S citizen?

Technical Analysis of the Skype Trojan

During December yet another trojan started making rounds, this time dubbed the Skype trojan -- SEO conspiracy. Was the trojan exploiting a zero day vulnerability in the Skype protocol? Absolutely not, as it was basically using Skype's messaging service as a propagation vector, thus, the gullible and in a Christmas mood end user was still supposed to interact with the malware by clicking on the link. And with required end user's interaction, the possibilities for major outbreaks were very limited. Perhaps the only development worth mentioning is the malware author's use of commercial anti-cracking software -- NTKrnl Secure Suite -- to make the unpacking harder, or at least theoretically improve the time needed to do so compared to using publicly obtainable, and much more easily detectable packers.

Two days ago, Nicolas Brulez from Websense Security Labs released a technical analysis of the trojan itself, and here's your proof for the logical possiblities of specific copy'n'paste malware modules :

"The main protection scheme I faced was the copy pasted from my Honeynet Scan of The month 33 Challenge. The breakpoint detection was 100% identical, even the numbers I had generated randomly. More importantly, the technique I had written based on SEH + cpuid/rdtsc was also copied. The only difference was that they used the EDX register to compare the timing.

Copy pasting protection code without even changing it a little, provides no security at all and allowed me to unpack it even quicker. (gotta love looking at code you wrote 2 years ago)

It apparently included some other tricks, that made it a little harder to unpack, and the file looked like it was corrupted at some point. In order to debug it and comment my disassembly in a readable way, I opted to use a userland debugger, and thus had to write a little shellcode for injection into the packed malware. Basically, it entailed abusing Windows Exception Handling (using a hook), to get past every check. After that, one could attach his favorite userland debugger to the malware and eventually find the Original Entry Point. Although the imports rebuilding for this protector isn't hard at all, it wasn't mandatory in this executable as it only imported one function: ExitProcess"

And while the average malware coder is using commercial tools to make his releases harder to analyze, the almighty jihadist is still living in the Hacker Defender world.

Were you Tracking Santa's Location?

As usual, NORAD were, but there's one minor issue to keep in mind and that's how during the Christmas and New Year holidays Santa Claus is the most successfully targeted victim of identity theft. Hopefully they were tracking the real Santa through the real Rudolph as the weakest link :

"The satellites have infrared sensors, meaning they can detect heat. When a rocket or missile is launched, a tremendous amount of heat is produced - enough for the satellites to detect. Rudolph's nose gives off an infrared signature similar to a missile launch. The satellites can detect Rudolph's bright red nose with practically no problem. With so many years of experience, NORAD has become good at tracking aircraft entering North America, detecting worldwide missile launches and tracking the progress of Santa, thanks to Rudolph."

All rest is a commodity but attitude.