Counterfeiting U.S. currency is a profitable business given its stability and actual valuation, and so is money printing! It's just that sometimes there is too much legally printed money as well, and the Fed is raising interest rates for the sixteenth time during the last two years -- which doesn't stop it from making a buck in between.
Did you know you could get Uncut Currency sheets "of fresh crisp new $1.00, $2.00, $5.00, $10.00 and $20.00 greenbacks right off the press will delight someone special in your life. They make an especially unique gift for that "hard-to-buy-for" person."
While I always joke that availability stands for temptation, that's a "process utilization" worth envying, but too much money available isn't always a good thing.
In the overwhelming sea of information, access to timely, insightful and independent open-source intelligence (OSINT) analyses is crucial for maintaining the situational awareness necessary to stay on top of emerging security threats. This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculation and real-time CYBERINT assessments, all packed with a sarcastic attitude.
Thursday, May 11, 2006
Pass the Scissors
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Snooping on Historical Click Streams
In a previous post, "The Feds, Google, MSN's reaction, and how you got "bigbrothered"?", I gave practical advice on how you can easily do your homework on the popularity of certain search terms and sites without the need to issue a subpoena. The other day AlltheWeb (Yahoo!) introduced its Livesearch feature, which seems nice, though it basically just clusters possible opportunities. Now the interesting part: the next day Google launched Google Trends, which:
"builds on the idea behind the Google Zeitgeist, allowing you to sort through several years of Google search queries from around the world to get a general idea of everything from user preferences on ice-cream flavors to the relative popularity of politicians in their respective cities or countries."
This is what I've been waiting for for quite some time: you can easily make very good judgements on key topics based on regions, languages, even cities -- marketers, get yourselves down to business!
Antivirus, Malware, Spyware, NSA, Censorship, Privacy
What's next, the rise of MyWare and its integration on the Web? Give a try to Yahoo!'s Buzz, and PacketStormSecurity's instant StormWatch as well.
Tags: Anonymity, Censorship, Eavesdropping, Google, Information Security, Internet Censorship, Privacy, Search Engine, Security, Surveillance, Wiretapping
Tuesday, May 09, 2006
Wiretapping VoIP Order Questioned
There's been a lot of buzz recently on the FCC's order requiring all VoIP providers to begin compliance with CALEA, in order to lawfully intercept VoIP communications, by the middle of 2007. Yesterday a U.S. judge seems to have challenged the order; from the article:
"The skepticism expressed so openly toward the administration's case encouraged civil liberties and education groups that argued that the U.S. is improperly applying telephone-era rules to a new generation of Internet services. "Your argument makes no sense," U.S. Circuit Judge Harry T. Edwards told the lawyer for the Federal Communications Commission, Jacob Lewis. "When you go back to the office, have a big chuckle. I'm not missing this. This is ridiculous. Counsel!" The Justice Department, which has lobbied aggressively on the subject, warned in court papers that failure to expand the wiretap requirements to the fast-growing Internet phone industry "could effectively provide a surveillance safe haven for criminals and terrorists who make use of new communications services.""
What's worth mentioning is that, on a wide scale, VoIP services are often banned in many countries; ISPs don't tend to tolerate traffic which directly bypasses their own VoIP offers, and even China, one of the largest telecom markets, continues to have concerns about VoIP. Companies also seem to be revising their practices while trying to block Skype, among the most popular VoIP applications. Rather interestingly, T-Mobile just announced that it would ban VoIP on its 3G network, but is it an inability to achieve compliance, or a direct contradiction with its business practices?
Whatever the reason, VoIP communications aren't everyone's favorite, but they represent a revolution in cheap, yet reliable, communications. The more easily a network is made wiretap-ready, the easier it is for attackers, in both the short and the long term, to abuse the backdoor itself, so don't. You can actually go through the 2005 Wiretap Report and figure out the cost of wiretapping; lowering that cost by promoting insecure networks isn't going to solve anything, provided you know what you're looking for at the bottom line.
Image courtesy of EFF's "Monsters of Privacy" Animation.
Related resources:
VoIP, FCC, CALEA
Communications Assistance for Law Enforcement Act and Broadband Access and Services
Secure VoIP - Zfone
Sniffing VoIP Using Cain
Oreka VoIP Sniffer
Tags: Anonymity, CALEA, Censorship, Eavesdropping, FCC, Information Security, Privacy, Security, Surveillance, VoIP, Wiretapping
The Cell-phone Industry and Privacy Advocates VS Cell Phone Tracking
I've previously mentioned various privacy issues related to mobile devices, the growing trend of "asset tracking", and of course cell phone tracking. Yesterday I came across a great summary of the current situation -- privacy groups are making a point of it. From the article:
"Real-time tracking of cell phones is possible because mobile phones are constantly sending data to cell towers, which allows incoming calls to be routed correctly. The towers record the strength of the signal along with the side of the tower the signal is coming from. This allows the phone's position to be easily triangulated to within a few hundred yards. But the legal grounds for obtaining a tracking order is murky -- not surprising since technology often outpaces legislation. The panel agreed that Congress should write rules governing what level of suspicion cops need to have before tracking people through their cell phones."
On the other hand, there's also an ongoing commercialization of the service by the industry itself. If the government were to start using practices like these with grey-area subpoenas, it would undermine customers' trust in the industry, and Big Brother would get even bigger. Enthusiasts are already experimenting with DIY cell phone tracking, so if you worry about being tracked through your phone, you should also start worrying about the extra one in your bag. Physical insecurities such as digital forensics on cell phones, and even counter-offerings, are today's reality, while flexible lawful wiretapping may still be taking place one way or another -- I guess the NSA got all the attention recently with its domestic spying program.
As the Mindmaker pointed out, we must assume that we are trackable wherever we go, but I think this dependence will get abused even more in the future, by the time proposed laws catch up with the technology.
Tags: Anonymity, Censorship, Free Speech, Information Security, Internet Censorship, Location Tracking, Mobile, Mobile Location Tracking, Privacy, Security
Monday, May 08, 2006
Shaping the Market for Security Vulnerabilities Through Exploit Derivatives
In a previous post, "0bay - how realistic is the market for security vulnerabilities?", I gave a brief overview of the current market infomediaries and their position, listed various research I recommend going through, and speculated on an auction-based market model.
During April, at the CanSecWest Security Conference, "Groups argued over merits of flaw bounties"; some quotes:
"The only economic model that does not make sense to me is the vendor's," Sutton said. "They get to know about vulnerabilities ahead of time, but they are unwilling to pay for them." - Michael Sutton
"What I can give people who find vulnerabilities is a small amount of fame. iDefense can give them $10,000." - Darius Wiles
"As a civil rights issue, selling vulnerabilities is just fine. As a keeping-the-customers safe issue, it's junk." - Novell director of software engineering Crispin
"If I come to you and offer to sell you a vulnerability in your product, I am going to be cuffed and arrested," he told the representatives of software makers on the panel. - Matthew Murphy
And the discussion is pretty hot, with reason. Back in January, Microsoft expressed its opinion on the infomediary-based market model like this:
"One day after iDefense, of Reston, Va., announced the bounty as part of a newly implemented quarterly hacking challenge, a spokesperson for Microsoft, based in Redmond, Wash., said paying for flaws is not the best way to secure software products. "We do not believe that offering compensation for vulnerability information is the best way [researchers] can help protect customers," the spokesperson said in a statement sent to eWEEK. "
And while Microsoft talks about responsible disclosure, that's exactly the type of model I don't really think exists anymore. Peter Mell made a good point: "I don't support this activity. Basically, it enables third parties to unfairly focus attention on a particular vendor or product. It does not help security in the industry," Mell said in an interview with eWEEK -- but it still offers the opportunity to bring order into the chaos, doesn't it?
The WMF vulnerability apparently got purchased for $4000, and among the few scenarios I mentioned were vendors purchasing vulnerabilities and requested vulnerabilities, or a reverse model:
"requested vulnerabilities are the worst case scenario I could think of at the moment. Why bother and always get excited about an IE vulnerability, when you know person/company X are running Y AV scanner, use X1 browser as a security through obscurity measure. That's sort of reverse model compared to current one where researchers "push" their findings, what if it turns into a "pull" approach, "I am interested in purchasing vulnerabilities affecting that version of that software", would this become common, and how realistic is it at the bottom line?"
Coming across 0day vulnerabilities for sale, I also came across Rainer Boehme's great research on various market models, among them exploit derivatives. Have you ever thought of using exploit derivatives, on a so-called "futures market"? I think the idea has lots of potential, and he described it as:
"Instead of trading sensitive vulnerability information directly, the market mechanism is built around contracts that pay out a defined sum in case of security events. For instance, consider a contract that pays its owner the sum of 100 EUR on say 30 June 2006 if there exists a remote root exploit against a precisely specified version of ssh on a defined platform."
The OS/Vendor/Product/Version/Deadline type of reverse model that I also mentioned is a good targeted concept if it were used by vendors, for instance, and while it has the potential to give better control over the market, the lack of a common and trusted body to take the responsibility of targeting Windows and Apple 50/50, for instance, still makes me think. The best part is how it would motivate researchers at the bottom line -- deadlines sometimes result in spontaneous creativity.
More on the topic of security vulnerabilities and commercializing the market: in a great article by Jennifer Granick (remember Michael Lynn's case?) she said that:
"I'm more concerned that commercialization, while it promotes discovery, will interfere with the publication of vulnerability information. The industry adopted responsible disclosure because almost everyone agrees that members of the public need to know if they are secure, and because there is inherent danger in some people having more information than others. Commercialization throws that out the window. Brokers that disclose bugs to their selected list of subscribers are necessarily withholding important information from the rest of the public. Brokers may eventually issue public advisories, but in the meantime, only the vendor and subscribers know about the problem."
Who should be empowered at the bottom line: the infomediaries centralizing the process, or the security researchers/vulnerability diggers starting to seek bids for their research efforts?
On the other hand, I think that the current market model suffers from a major weakness, and that is the need to achieve faster liquidity, if we can start talking about such a thing.
Basically, sellers of vulnerabilities want to get their commissions as soon as possible, which is where the lucrative underground market easily develops. While I am aware of cases where insurers are already purchasing vulnerabilities to hedge risks (until tomorrow, I guess), anyone would put some effort into obtaining a critical MS vulnerability given a deadline and a hefty reward, but who's going to act as the social planner here?
Tags: Economics, Exploit Broker, Exploits, Information Security, Security, Vulnerabilities, Vulnerability Broker, Zero Day Exploit
Thursday, May 04, 2006
The Current State of Web Application Worms
Remember the most recent Yahoo! Mail XSS vulnerabilities, or the MySpace worm? I just read through a well-written summary on web application worms by Jeremiah Grossman of WhiteHat Security, "Cross-Site Scripting Worms and Viruses - The Impending Threat and the Best Defense"; an excerpt:
"Samy, the author of the worm, was on a mission to be famous, and as such the payload was relatively benign. But consider what he might have done with control of over one million Web browsers and the gigabits of bandwidth at their disposal--browsers that were also potentially logged-in to Google, Yahoo, Microsoft Passport, eBay, web banks, stock brokerages, blogs, message boards, or any other web-based applications. It’s critical that we begin to understand the magnitude of the risk associated with XSS malware and the ways that companies can defend themselves and their users. Especially when the malware originates from trusted websites and aggressive authors. In this white paper we will provide an overview of XSS; define XSS worms; and examine propagation methods, infection rates, and potential impact. Most importantly, we will outline immediate steps enterprises can take to defend their websites."
It provides an overview of Cross-Site Scripting (XSS), methods of propagation, comments on the first XSS worm, a worst-case scenario, and of course protection methods, with nice graphs and an overview of this emerging trend. In my "Future Trends of Malware" research I indeed pointed out its emergence:
"How would a malware author be able to harness the power of the trust established between, let’s say, ComScore’s top 10 sites and their visitors? Content spoofing is the where the danger comes from in my opinion, and obvious web application vulnerabilities, or any bugs whose malicious payload could be exposed to their audiences. In case you reckon, a nasty content spoofing on Yahoo!’s portal resulted in the following possibility for driving millions of people at a certain URL, if I don’t trust what I see on Yahoo.com or Google.com, why bother using the Net at all is a common mass attitude of course. Any web property attracting a relatively large number of visitors should be considered as a propagation vector, for both, malware authors, and others such as phishers, or botnet brokers for instance."
Monetizing mobile malware is among the other trends I also indicated, and RedBrowser seems to be the most recent example of this, as it randomly chooses a premium-rate number from the following list and sends an SMS message, generating revenue for the attacker: 08293538938, 08001738938, 08180238938, 08229238938, 08441238938, 08287038938, 08187938938, 08189038938, 08217838938, 08446838938.
I summarized the key points back then as:
"The number and penetration of mobile devices greatly outpaces that of the PCs. Malware authors are actively experimenting and of course, progressing with their research on mobile malware. The growing monetization of mobile devices, that is generating revenues out of users and their veto power on certain occasions, would result in more development in this area by malicious authors. SPIM would also emerge with authors adapting their malware for gathering numbers. Mobile malware is also starting to carry malicious payload. Building awareness on the issue, given the research already done by several vendors, would be a wise idea."
Among the first folks to discuss the topic of web application malware was Robert from CGISecurity.com in his "Anatomy of Web Application Worm" paper back in 2002, and with the ease and speed of discovering web application vulnerabilities in major portals, it's up to the imagination of the attacker -- as the paper points out, Samy only wanted to make 1 million friends; what if he had wanted to do something else?
"Cross-Site Scripting Worms and Viruses - The Impending Threat and the Best Defense" also argues that Samy was the fastest worm, though single-packet UDP worms are faster still; according to the "Top Speed of Flash Worm" research: "Simulating a flash version of Slammer, calibrated by current Internet latency measurements and observed worm packet delivery rates, we show that a worm could saturate 95% of one million vulnerable hosts on the Internet in 510 milliseconds. A similar worm using a TCP based service could 95% saturate in 1.3 seconds. The speeds above are achieved with flat infection trees and packets sent at line rates."
Is it the speed or the size of the infected target group that matters, and what if Web 2.0 worms can achieve both of these?
More resources on the topic, in case you are interested:
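The defense the white paper points to is output encoding of user-controlled content. As an added illustration that is not code from the paper, from this blog, or from MySpace, here is a profile page rendered with and without encoding, plus the href caveat that encoding alone does not cover; the rendering functions and the sample bio are constructed for this example.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample input: a profile "bio" field carrying a script, the stored-XSS
# vector a MySpace-style worm rides on. The script body is a harmless placeholder.
WORM_BIO = ("Hello world! <script>/* placeholder: code that would re-post this bio "
            "onto every viewer's profile */</script> thanks for visiting")


def render_profile_vulnerable(display_name: str, bio: str) -> str:
    """Interpolates user-controlled fields straight into the page: stored XSS.
    Every visitor's browser parses the bio as markup and runs the script."""
    return f'<h1>{display_name}</h1><div class="bio">{bio}</div>'


def render_profile_hardened(display_name: str, bio: str) -> str:
    """Same template, but every user-controlled field is output-encoded for the
    HTML element context, so '<script>' is displayed as text, never parsed."""
    return (f'<h1>{html.escape(display_name, quote=True)}</h1>'
            f'<div class="bio">{html.escape(bio, quote=True)}</div>')


def safe_href(url: str) -> str:
    """Encoding is context-specific: an href needs attribute quoting AND a scheme
    allowlist, because a javascript: URL contains no character that escaping
    would touch. Anything that is not http(s) is replaced by a dead link."""
    if urlsplit(url).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_homepage_link(url: str) -> str:
    """Hypothetical helper for the 'homepage' field of a profile."""
    return f'<a href="{safe_href(url)}">homepage</a>'


# Crude output check a defender can run over rendered pages: the templates above
# emit no <script> tag of their own, so any live opening tag came from user data.
_SCRIPT_OPEN = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_live_script(page: str) -> bool:
    return _SCRIPT_OPEN.search(page) is not None


if __name__ == "__main__":
    print(render_profile_vulnerable("samy", WORM_BIO))
    print(render_profile_hardened("samy", WORM_BIO))
    print(render_homepage_link("javascript:alert(1)"))
```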
Web-based Malware & Honeypots - phpBB bots/worms
New MySpace XSS worm circulating
Description of a Yahoo! Mail XSS vulnerability
Evolution of Web-based worms
The Latest in Internet Attacks: Web Application Worms
Web Application Worms : Myth or Reality?
Analysis of Web Application Worms and Viruses
Paros - for web application security assessment
Tags: Exploit Broker, Exploits, Information Security, New Media, Security, Vulnerabilities, Vulnerability Broker, XSS