Monday, April 30, 2007

Cryptome Under Fire

John Young at Cryptome.org is reporting that its hosting provider has decided to terminate their relationship on the grounds that Cryptome violated its Acceptable Use Policy:

"This notice of termination is surprising for Verio has been consistently supportive of freedom of information against those who wish to suppress it. Since 1999 Cryptome has received a number of e-mailed notices from Verio's legal department in response to complaints from a variety of parties, ranging from British intelligence to alleged copyright holders to persons angry that their vices have been exposed (see below). In every case Verio has heretofore accepted Cryptome's explanation for publishing material, and in some cases removal of the material, and service has continued. In this latest instance there was no notice received from Verio describing the violation of acceptable use to justify termination of service prior to receipt of the certified letter, thus no opportunity to understand or respond to the basis for termination."

Guess who'll be the first echo-cursing in an unnamed CavePlex? That'll be Osama Bin Laden feeling sorry for not making copies of key documents on how the U.S. Coast Guard is vulnerable to TEMPEST attacks. Sarcasm aside, Cryptome is an OSINT heaven, no doubt about it, but it's also an initiative debunking the entire notion that secrecy actually results in improved and sustained security on an international level.

The data collected at Cryptome can never really be destroyed, mainly because it's all digital, it's all distributable, and it simply wants to be free. Thought of the day - the man who brought fire to the world got burned at the stake.

Video Demonstration of Vbootkit

Originally introduced at this year's Blackhat con in Amsterdam, Vbootkit is a boot kit demonstrating the execution of unsigned code on Windows Vista. Recently, the researchers released two videos demonstrating the attack that are worth watching. Here's the authors' research itself. When answering the mythical question of which OS is the most secure, direct the reply in a "which one is the most securely configured" manner, and you'll break through the technology-solution myopia and hopefully enter the security risk management stage. A secure OS from what? Nothing's unhackable, the unhackable just takes a little while -- and invisible incentivising in the desired direction is the shortcut.

Malicious Keywords Advertising

Blackhat SEO has been actively abused by spammers, phishers and malware authors, each of them contributing to the efficiency of the underground ecosystem. Comment spam, splogs, coming up with ways to get a backlink from a .EDU domain: the arsenal of tools for abusing traffic acquisition techniques has a new addition, paid keyword advertising leading directly to sites hosting exploit code:

"Those keywords put the criminals' sponsored links at the top of the page when searches were run for brand name sites like the Better Business Bureau or Cars.com, using phrases such as "betterbusinessbureau" or "modern cars airbags required." But when users clicked on the ad link, they were momentarily diverted to smarttrack.org, a malicious site that used an exploit against the Microsoft Data Access Components (MDAC) function in Windows to plant a back door and a "post-logger" on the PC."

Here's another interesting subdomain, one whose name mimics Google's ad-serving host, that was using files with a JPG extension to "break the .exe extension ice" and redirect to anything malicious - pagead2.googlesyndication.com.mmhk.cn

What's the most cost-effective approach, yet the most effective one as well, when it comes to that sort of scheme? Roughly every quarter, a "for-the-masses" zero day vulnerability becomes a reality. The fastest way to exploit the "window of opportunity" before a patch is released and applied is to embed the exploit into high-traffic web sites or, even more interesting, to exploit a vulnerability in a major Web 2.0 portal in order to spread the first zero day further. Therefore, access to top web properties is a necessity, and much more cost-effective compared to using AdSense. I wouldn't be surprised to find out that hiring an SEO expert to reposition the malicious sites is also happening as I write this. Some details at McAfee's blog.

Unlike the amateurs using purchased keywords as an infection vector, another malicious URL, _s.gcuj.com, gives us a decent example of timely exploitation: _s.gcuj.com/t.js and _s.gcuj.com/1.htm use Microsoft's ANI cursor vulnerability to install online-games-related trojans from _t.gcuj.com/0.exe_. This series of malicious URLs is mostly advertised on, or directly injected into, Chinese web forums, guestbooks etc. Here are some that are still active; thankfully, the majority of AVs already detect them:

_cool.47555.com/xxxx.exe_
_d.77276.com/0.exe_
_www.puma163.com/pu/pu.exe_
_rzguanhai.com/server.exe_

When it comes to such attackers, the key point shouldn't be the focus on current trends but on emerging ones, and those have to do with anything but malicious parties continuing to use AdSense to direct traffic to their sites in the long term. Watch a video related to the attacks, courtesy of Exploit Prevention Labs.
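Two of the techniques described above, the JPG extension trick and the t.js -> 1.htm -> 0.exe drive-by chain, can be picked up on the defender's side with fairly simple log triage. The following is an added example, not code from the original post or from any of the vendors mentioned; the proxy log format (`<iso-time> <client-ip> <url>`), the sample log lines and the minimal MZ/PE stub are constructed for the demonstration, while the flagged host names are those listed in the post. The second-level-domain grouping is a deliberate simplification (it does not handle multi-label public suffixes).

```python
"""Proxy-log triage for disguised executables and drive-by download chains.

Added example (not the post's own code). Log format, sample lines and the
PE stub are constructed; KNOWN_BAD_HOSTS come from the post above.
"""
import re
import struct
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Hosts the post lists as serving exploit pages or trojan binaries.
KNOWN_BAD_HOSTS = {
    "s.gcuj.com", "t.gcuj.com", "cool.47555.com", "d.77276.com",
    "www.puma163.com", "rzguanhai.com",
    "pagead2.googlesyndication.com.mmhk.cn",
}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}
# The fetch order seen in the post: loader script, exploit page, payload.
CHAIN = (".js", ".htm", ".exe")
# Hypothetical log layout: "<iso-time> <client-ip> <url>".
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+)$")

SAMPLE_LOG = """\
2007-04-30T10:00:01 10.0.0.5 http://forum.example.cn/viewthread.php?tid=1
2007-04-30T10:00:02 10.0.0.5 http://s.gcuj.com/t.js
2007-04-30T10:00:03 10.0.0.5 http://s.gcuj.com/1.htm
2007-04-30T10:00:05 10.0.0.5 http://t.gcuj.com/0.exe
2007-04-30T10:01:00 10.0.0.9 http://www.example.com/app.js
2007-04-30T10:01:30 10.0.0.9 http://www.example.com/page.htm
2007-04-30T10:05:00 10.0.0.9 http://www.example.com/setup.exe
"""


def is_pe_image(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extension_of(url: str) -> str:
    """Lower-cased extension of the URL path's last segment ('' if none)."""
    name = urlsplit(url).path.lower().rsplit("/", 1)[-1]
    return name[name.rfind("."):] if "." in name else ""


def disguised_executable(url: str, body: bytes) -> bool:
    """Flag a response whose URL claims an image but whose body is a PE file."""
    return extension_of(url) in IMAGE_EXTENSIONS and is_pe_image(body)


def registered_domain(host: str) -> str:
    """Crude second-level grouping so s.gcuj.com and t.gcuj.com match (simplification)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def known_bad_hits(log_text: str):
    """(client, url) pairs whose host is on the post's list."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m and (urlsplit(m.group(3)).hostname or "") in KNOWN_BAD_HOSTS:
            hits.append((m.group(2), m.group(3)))
    return hits


def find_driveby_chains(log_text: str, window=timedelta(seconds=60)):
    """(client, domain, urls) for every .js -> .htm -> .exe sequence a client
    fetched from one registered domain inside `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, client, url = m.groups()
            events[client].append((datetime.fromisoformat(ts), url))
    chains = []
    for client, evs in events.items():
        progress = {}  # domain -> (first-seen time, next stage index, urls so far)
        for ts, url in sorted(evs):
            dom = registered_domain(urlsplit(url).hostname or "")
            start, stage, urls = progress.get(dom, (ts, 0, []))
            if ts - start > window:            # too slow to be the same drive-by
                start, stage, urls = ts, 0, []
            if extension_of(url) == CHAIN[stage]:
                stage, urls = stage + 1, urls + [url]
            progress[dom] = (start, stage, urls)
            if stage == len(CHAIN):
                chains.append((client, dom, urls))
                del progress[dom]
    return chains


def fake_pe() -> bytes:
    """Constructed minimal MZ/PE stub (not a runnable executable) as sample input."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", stub, 0x3C, 0x40)
    return bytes(stub) + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    print("known-bad hits:", known_bad_hits(SAMPLE_LOG))
    print("drive-by chains:", find_driveby_chains(SAMPLE_LOG))
    print("ad.jpg is PE:", disguised_executable(
        "http://pagead2.googlesyndication.com.mmhk.cn/img/ad.jpg", fake_pe()))
```

The chain detector deliberately keys on the registered domain rather than the exact host, because the post's loader and payload sit on different subdomains; the 60-second window keeps a user who opens a script, a page and, minutes later, a legitimate installer from being flagged. The magic-byte check matters more than the content-type header, which the attacker controls.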

Thursday, April 26, 2007

Conventional Weaponry VS Cyber Terrorism

Insightful comment on how asymmetric warfare, and the abuse of the most versatile communication medium, is something conventional weaponry cannot and should not aim to fight:

"Terrorists use a flat, open network of communications and pass their information mainly through the Internet, Lute said as he briefed the group at the Pentagon. These are aspects that defy U.S. military capability. “We buy airplanes, ships and tanks and recruit and train soldiers to deal with the geographics of a tangible target,” he said. “We can bomb training camps, and we can hunt down the enemy, but we can’t bomb the Internet.” By using a nodal network to spread their extremist ideologies, Lute said, terrorists are able to easily recruit members, acquire weapons, build leaders and receive financial backing."

A short excerpt from a previous post:

"A terrorist training camp is considered a military target since it provides them the playground to develop their abilities. Sooner or later, it will feel the heat and disappear from the face of the Earth, they know it, but don't care mainly because they've already produced and are distributing Spetsnaz type of video training sessions. So abusing information or the information medium itself is much more powerful from their perspective than destroying their means for communication, spread propaganda, and obviously recruit."

Reminds me of a great cartoon where soldiers are in the middle of a network-centric warfare situation, all the equipment on the field is in smoke or doesn't work, and the soldiers beg the generals for more "shock and awe" action and fewer ELINT attacks. Which, of course, doesn't mean known adversary locations shouldn't get erased from the face of the Earth. Post-strike imagery courtesy of FAS; here's the rest of the collection.

Malware Infected Removable Media

In a previous post I discussed various thought-to-be-outdated physical security threats, such as leaving behind CDs and DVDs loaded with malware and taking advantage of the auto-loading (AutoRun) feature most people conveniently leave turned on by default. It seems that purposely leaving behind pre-infected removable media, in the hope that someone will pick it up and act as a trojan horse themselves, still remains rather common. Unless your organization has taken the necessary removable media precautions, a story about USB sticks loaded with malware should raise your awareness of an attacker's dedication to succeed:

"Malware purveyors deliberately left USB sticks loaded with a Trojan in a London car park in a bid to trick users into getting infected. The attack was designed to propagate Trojan banking software that swiped users' login credentials from compromised machines. Check Point regional director Nick Lowe mentioned the ruse during a presentation at the Infosec trade show on Tuesday, but declined to go into further details, citing the need for confidentiality to protect an investigation he's involved in."

From an attacker's perspective that's an investment, given that the USB sticks are left in parking lots around major banks, and finding a 1GB USB stick lying around would make someone's day for sure. Even though in this case it's a banking trojan we're talking about, on a more advanced level corporate espionage could be the main aim, through the exploitation of various techniques.
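The "act as a trojan horse themselves" step above only works because AutoRun reads an autorun.inf from the root of the inserted media and runs whatever its `open=` or `shellexecute=` line names. The inspector below is an added example, not code from the post or from Check Point; it parses such a file the way a triage analyst would on an isolated host, listing what would be launched and which keys merely dress the drive up (label, icon, action) to look harmless. The sample autorun.inf is constructed for the demonstration.

```python
"""Inspect an autorun.inf from found removable media and report what
AutoRun would launch. Added example; the sample file text is constructed.
"""
import re

# Keys whose value is a command line AutoRun (or Explorer's default verb) runs.
EXEC_KEYS = {"open", "shellexecute"}
# Keys that only change how the drive is presented in Explorer (social engineering).
SPOOF_KEYS = {"label", "icon", "action"}
# Custom verbs declared as shell\<verb>\command=<cmd> are also executable entries.
VERB_COMMAND = re.compile(r"shell\\[^\\]+\\command")

SAMPLE_AUTORUN_INF = r"""
; constructed sample, not a real file
[AutoRun]
OPEN = setup.exe /quiet
Icon=\photos\album.ico
Action = Open folder to view files
Label=Holiday Photos
UseAutoPlay=1
shell\explore=Explore
shell\explore\command=setup.exe /quiet
"""


def parse_autorun_inf(text: str) -> dict:
    """Return the [autorun] section as {lower-cased key: value}.

    Windows matches the section name case-insensitively and tolerates
    whitespace around '=', so the parser does the same; comments start with ';'.
    """
    section = None
    keys = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        keys[key.strip().lower()] = value.strip()
    return keys


def autorun_findings(text: str):
    """Classify each key as ('executes' | 'appearance', key, value)."""
    findings = []
    for key, value in parse_autorun_inf(text).items():
        if key in EXEC_KEYS or VERB_COMMAND.fullmatch(key):
            findings.append(("executes", key, value))
        elif key in SPOOF_KEYS:
            findings.append(("appearance", key, value))
    return findings


def would_execute(text: str):
    """Command lines this media would run if AutoRun acted on it."""
    return [v for kind, _, v in autorun_findings(text) if kind == "executes"]


if __name__ == "__main__":
    for kind, key, value in autorun_findings(SAMPLE_AUTORUN_INF):
        print(f"{kind:10} {key} = {value}")
```

A media with a `label=` line and nothing else yields no "executes" findings, which is what a legitimately mastered CD usually looks like; any `open=` pointing at a binary on the stick itself is the dropped-USB pattern described above. One of the removable media precautions the post alludes to is disabling AutoRun for all drive types through the NoDriveTypeAutoRun policy, so that a file like this is never acted on in the first place.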

Outsourcing The Spying on Your Wife

Targeted attacks and zero day malware have always rubbed shoulders, and it's not just a fad, even though everyone remembers the wide-scale malware outbreaks of the last couple of years attacking everything and everyone. But the days of segmenting targeted attacks per country, city, or WiFi/Bluetooth spot coverage are only just emerging.

The idea of profitably serving a demand for a service, however, is prompting detective agencies to adapt to today's standards for surveillance and snooping, in the form of using malware to obtain the necessary information. And even though commercially obtainable surveillance tools are cheaply available to anyone interested and willing to take the risk of using them, customers obviously prefer to leave it to the "pros". Here's a story of an "adaptive" detective agency using targeted emails with malware to spy:

"The jury of five women and seven men heard how the agency used "Trojan" computer viruses, which were hidden inside emails and attacked computers when opened, allegedly created by American-based IT specialist Marc Caron. Hi-tech devices used to bug phones were installed by interception specialist Michael Hall, the court was told. Prosecutors said a number of them were fitted to BT's telegraph poles and inside junction boxes, but BT eventually hid a camera in one of the boxes and caught him at work."

Here are more details on the targeted attack:

"Mrs Mellon opened it because it "purported to show what her husband was up to", said Ms Moore. It is alleged the agency hacked into emails to snoop on Tamara Mellon. The Trojan then recorded "every keystroke that was made", she said, including such things as bank account numbers and passwords. "They didn't take any money. They didn't steal anything, but from time to time they had a little snoop on behalf of their clients," Ms Moore said."

I imagine such a detective agency's client questionnaire looking something like the following:

- The victim's IT literacy from 0 to 5?
- Are they aware of the concept of antivirus and a firewall?
- List all their contact points in the form of IM and email accounts
- Are they mobile workers taking advantage of near-office WiFi spots?

You get the point. Hopefully, such services won't turn into a commodity, or even if they do, I'm sure they'll somehow figure out a way to legally forward the responsibility to the party that initiated the request.

Related posts:
HP Spying on Board of Directors' Phone Records
HP's Surveillance Methods
Mark Hurd on HP's Surveillance and Disinformation