softsecurity.com All in one

New version of PC Acme Professional is released

Thu, 24 Apr 2008 10:26:00 GMT

PC Acme Professional 7.6.4 has been released today. The changes are made to monitoring agent.

New versions of PC Acme Lite and Standard

Mon, 04 Feb 2008 14:43:00 GMT

PC Acme Lite 7.7 and PC Acme Standard 7.7 have been released.

New versions of PC Acme 6 products

Thu, 27 Dec 2007 14:33:00 GMT

PC Acme 6.5, PC Acme Net 6.5 and PC Acme Pro 6.5 have been released.

Happy 4th of July

Sat, 05 Jul 2008 04:23:07 GMT

For all of my blasting of the TSA and the US Government for our strange, inappropriate, inadequate, and sometimes unacceptable security practices, I am damn proud to be an American. There’s many countries I’ve visited in this world, and I love many of them, but none like the good old U.S.A. For all [...]

Virus Center: Independence Day brings down attack on computer users

Fri, 04 Jul 2008 17:39:02 GMT

Sophos is warning computer users of a widespread email spam campaign that poses as a video of American Independence Day fireworks, but is really an attempt to lure innocent victims into having their c...

Storm Worm´s Independence Day campaign

Fri, 04 Jul 2008 15:44:39 GMT

A Storm Worm’s Independence Day campaign is circulating online using email as propagation vector, attempting to trick users into visiting a Storm Worm infected host, where a multitude of what looks like over five different exploits attempt to automatically infect the visitors next to the malware binary fireworks.exe. Historically, Storm Worm is constantly changing its [...]

MS readies Vista code injection risk fix

Fri, 04 Jul 2008 09:52:20 GMT

Redmond security gnomes get tough Critical bug fixes are on the agenda for this month's monthly patch update from Microsoft.…

Off the wire: Book review - Google Apps Hacks

Fri, 04 Jul 2008 03:28:57 GMT

With all Google's offerings, getting the best out of them and discovering cool features can sometimes be time consuming. Fortunately, there's "Google Apps Hacks", a typical O'Reilly title that cuts to...

Off the wire: An introduction to the Kismet packet sniffer

Fri, 04 Jul 2008 00:07:44 GMT

Kismet is a wireless "detector, sniffer, and intrusion detection system," and one of the growing list of essential open source tools for computer network security professionals.

Say it ain´t so AVG, say it ain´t so: AVG LinkScanner = Badware?

Thu, 03 Jul 2008 21:11:01 GMT

The Register covered a very interesting story about AVG. Apparently AVG is spamming the Internet with traffic that looks to be coming from Internet Explorer. AVG software pre-crawls search results to try to protect users, but uses a user agent that makes the software appear to be Internet Explorer. This pre-crawling is flooding websites with meaningless traffic (Slashdot claims it [...]

On deck from MS: Four ´important´ patches but nothing for IE

Thu, 03 Jul 2008 19:57:45 GMT

Next Tuesday, Microsoft plans to ship four security updates for multiple flaws affecting Windows, Microsoft SQL Server and Microsoft Exchange Server but the absence of fixes for publicly known Internet Explorer issues is causing raised eyebrows among security professionals. According to the company’s advance notice for July’s Patch Tuesday, all four bulletins will be rated “important,” [...]

Review: Google Apps Hacks

Thu, 03 Jul 2008 19:54:27 GMT

Author: Philipp Lenssen Pages: 361 Publisher: O'Reilly ISBN: 059651588X Introduction Practically everyone on the Internet uses Google for one of its many services. Once only a search engi...

Microsoft Patch Tuesday for July 2008: four bulletins

Thu, 03 Jul 2008 19:00:00 GMT

Microsoft will patch four vulnerabilities on Tuesday July 8, 2008. All four are rated "Important." Details on each bulletin are inside.Read More...

Apple caught neglecting iPhone security

Thu, 03 Jul 2008 18:37:44 GMT

If you’re waiting on iPhone 2 to standardize your business on the awesome new device (yeah, I’ll be on line to buy one), you might want to pay attention to the conspicuous absence of iPhone security patches over the last four months. As WaPo’s Brian Krebs reports, the iPhone runs a stripped down version of Mac [...]

Opera patches serious code exection flaw

Thu, 03 Jul 2008 18:11:19 GMT

Opera Software has joined the list of browser vendors shipping fixes for serious remote code execution vulnerabilities. The company’s new Opera 9.5.1 patches at least four security issues, the most serious being a flaw reported by Microsoft’s Billy Rios that could be used to execute arbitrary code. Opera is withholding details on the high-risk flaw until a [...]

Airport security part 4: Attack of the body scanners!

Thu, 03 Jul 2008 17:52:00 GMT

If you read my blog postings semi-often, you know that I’m very, very critical of problems with airport security. Nicole Wong of the Boston Globe reported that Boston’s Logan International Airport will become the next airport to implement full-body scanners (thanks for the link from the LiquidMatrix guys!) that can see through clothing to detect whether [...]

Matasano Unwraps Its 'Firewall Mixer'

Thu, 03 Jul 2008 17:35:00 GMT

New control and change management tool for big, multivendor firewall deployments

Can Mozilla´s security metrics project end the patch-counting nonsense?

Thu, 03 Jul 2008 17:08:56 GMT

In partnership with indie security consultant Rich Mogull (left) Mozilla has launched a valuable Security Metrics Project that could help to — we can only hope — put an end to the silly notion that patch-counting helps to determine a product’s security posture. The idea is to develop a metrics model that goes beyond simple [...]

Microsoft touts trustworthy browsing with IE8

Thu, 03 Jul 2008 15:45:09 GMT

If it asks if you'd like to see some puppies, just say no Microsoft has detailed a raft of security improvements due to appear in Internet Explorer 8. The second beta of Redmond's web browser will be packed full of features designed to thwart phishing and drive-by download attacks, Redmond explained on Wednesday.…

Security World: Rise in SQL injection attacks exploiting unverified user data input

Thu, 03 Jul 2008 14:35:02 GMT

Microsoft is aware of a recent escalation in a class of attacks targeting Web sites that use Microsoft ASP and ASP.NET technologies but do not follow best practices for secure Web application developm...

Getaway day: How to secure your laptop for holiday travel

Thu, 03 Jul 2008 14:24:20 GMT

It’s getaway day and as we prepare to hit the road, trudge through airport security and snag that car rental, spare a thought for the valuable data that travels with you on that trusty old laptop. According to a recent study by the Ponemon Institute, more than 637,000 notebooks vanish each year in mid-to-large airports. With some [...]

Off the wire: SQL Server and the Windows Server 2008 firewall

Thu, 03 Jul 2008 14:19:54 GMT

For those of you migrating from Windows Server 2003 or earlier to Windows Server 2008, if you have not previously heeded the advice to enable the firewall, you may be surprised by connectivity failure...

NoScript vs. Internet Explorer 8 Filters

Thu, 03 Jul 2008 13:20:17 GMT

NoScript plugin writer Giorgio Maone posted a commentary on IE 8’s new filters, drawing comparisons to his own widely popular NoScript Firefox plugin. Maone writes: I´m happy to learn that IE8 is going to implement a less ambitious version of a feature which NoScript users have enjoyed for more than one year now. The announcement posts seem not [...]

Gmail, Yahoo and Hotmail´s CAPTCHA broken by spammers

Thu, 03 Jul 2008 12:46:22 GMT

Breaking Gmail, Yahoo and Hotmail’s CAPTCHAs, has been an urban legend for over two years now, with do-it-yourself CAPTCHA breaking services, and proprietary underground tools assisting spammers, phishers and malware authors into registering hundreds of thousands of bogus accounts for spamming and fraudulent purposes. This post intends to make this official, by covering an underground service [...]

Scareware runs amok on PlayStation site

Thu, 03 Jul 2008 12:20:49 GMT

Sony gamed by hackers Gamers visiting the US Sony PlayStation website risk malware infection after the site was hit by hackers.…

Built-in browser expiry proposed to fight botnet menace

Thu, 03 Jul 2008 10:53:00 GMT

45% fail to update surfing software, report finds Nearly half (45.2 per cent) of all internet surfers neglect to regularly update their browser software. Slackness in applying updates in a timely fashion leaves an estimated 637 million surfers vulnerable to drive-by download attacks, according to a new survey.…

Off the wire: Writing policy for confined SELinux users

Thu, 03 Jul 2008 05:30:04 GMT

The SELinux management environment (system-config-selinux) has been updated and includes the ability to build customized SELinux policy modules for the confinement of users.

Security World: Recent potential email and Web threats

Thu, 03 Jul 2008 04:00:03 GMT

MX Logic published a new monthly report that aims to help inform organizations about potential email and Web threats in advance so they can take preventative action. The July forecast calls for:S...

Virus Center: Visitors to Sony Playstation website at risk of malware infections

Thu, 03 Jul 2008 01:04:43 GMT

Researchers at Sophos are warning lovers of video games that pages on the US-based Sony PlayStation website have been compromised by hackers. Experts have discovered that cybercriminals have injected ...

Multiple Facebook vulnerabilities reported on Full-Disclosure

Thu, 03 Jul 2008 00:42:16 GMT

Jouko Pynnonen posted a message to the Full-Disclosure mailing list today, citing multiple “script injection” vulnerabilities within Facebook. I’m not sure if this is a surprise to anybody out there, it’s certainly not to me, as numerous web applications have major problems with Cross-site Scripting vulnerabilities, but I think this is important to note due [...]

Antivirus vendor introducing virtual keyboard for secure Ebanking

Wed, 02 Jul 2008 22:53:25 GMT

Kaspersky’s most recent product launch of the Kaspersky Internet Security 2009, is featuring a virtual keyboard “a secure pop-up that enables logins, passwords, bank card details and other important personal information to be entered safely to prevent the theft of confidential information” aiming to protect users from keyloggers, and consequently provide a safer Ebanking experience. [...]

Off the wire: Whitepaper - Backup and recovery best practices for Microsoft SQL Server 2005

Wed, 02 Jul 2008 22:53:22 GMT

To help you choose from among the available configuration options and backup and recovery procedures, HP has conducted extensive laboratory tests to determine best practices.

Matasano ships Web-based firewall manager

Wed, 02 Jul 2008 22:47:06 GMT

The firewall is one of the few security tools that has been proven to be very effective at improving a company’s security posture. However, staying on top of policies — and responding to change requests — while trying to manage multiple firewalls from different vendors can be a never-ending nightmare for IT admins. In steps Matasano [...]

Snuggly the Security Bear

Sat, 05 Jul 2008 16:11:18 GMT

All I can say is hahahaha! And then I cry because of how true this sarcastic little video is. He’s not scary, he’s snuggly and secure. Snuggly the Security Bear

Friday Squid Blogging: Giant Squid Found off Santa Cruz Coast

Fri, 04 Jul 2008 22:20:55 GMT

It's twenty-five feet long, with tenticles the size of human legs.

Time Bomb Neckties

Fri, 04 Jul 2008 20:18:37 GMT

Not recommended to wear at the airport.

Encrypting Disks

Fri, 04 Jul 2008 19:10:18 GMT

The UK is learning: The Scottish Ambulance Service confirmed today that a package containing contact information from its Paisley Emergency Medical Dispatch Centre (EMDC) has been lost by the courier, TNT, while in transit to one of its IT suppliers. The portable data disk contained a copy of records of 894,629 calls to the ambulance service's Paisley EMDC since February 2006. It was fully encrypted and password protected and includes the addresses of incidents, some phone numbers and some patient names. Given the security measures and the complex structure of the database it would be extremely difficult to gain access to any meaningful information. News story here. That's what you want to do. There is no problem if encrypted disks are lost. You can mail them directly to your worst enemy and there's no problem. Well, assuming you've implemented the encryption properly and chosen a good key. This is much better than what the HM Revenue & Customs office did in November. I wrote about disk and laptop encryption previously.

The Antivirus Industry in 2008

Fri, 04 Jul 2008 16:38:43 GMT

The folks at Ikarus Security Software seem to have enjoyed drinking of the truth serum, to come up with such a realistic retrospective of the antivirus industry for the past 10 years, summarized in a single cartoon. Congrats, keeping it realistic means taking the issues seriously, compared to living in a self-serving twisted reality on their own. There's no such thing as cat and mouse game anymore, since the mouse has gotten bigger than the cat.

Maybe privacy is dead after all

Fri, 04 Jul 2008 15:52:58 GMT

At least it will be for YouTube viewers if this judge has his way. I rarely agree with Michael Arrington, but in this case he’s right: with all due respect, Judge Stanton is an idiot. If nothing else, this judge needs to go back and review some recent history about what can happen when [...]

Hundreds of Thousands of Laptops Lost at U.S. Airports Annually

Fri, 04 Jul 2008 14:20:38 GMT

This is a weird statistic: Some of the largest and medium-sized U.S. airports report close to 637,000 laptops lost each year, according to the Ponemon Institute survey released Monday. Laptops are most commonly lost at security checkpoints, according to the survey. Close to 10,278 laptops are reported lost every week at 36 of the largest U.S. airports, and 65 percent of those laptops are not reclaimed, the survey said. Around 2,000 laptops are recorded lost at the medium-sized airports, and 69 percent are not reclaimed. Travelers seem to lack confidence that they will recover lost laptops. About 77 percent of people surveyed said they had no hope of recovering a lost laptop at the airport, with 16 percent saying they wouldn't do anything if they lost their laptop during business travel. About 53 percent said that laptops contain confidential company information, with 65 percent taking no steps to protect the information. I don't know how to generalize that to a total number of lost laptops in the U.S.; let's call it 750,000. At $1,000 per laptop -- a very conservative estimate -- that's $750 million in lost laptops annually. Most are lost at security checkpoints, and I'm sure the numbers went up considerably since those checkpoints got more annoying after 9/11. There aren't a lot of real numbers about the costs of increased airport security. We pay in time, in anxiety, in inconvenience. But we also pay in goods. TSA employees steal out of suitcases. And opportunists steal hundreds of millions of dollars of laptops annually.

Random Stupidity in the Name of Terrorism

Thu, 03 Jul 2008 18:57:04 GMT

An air traveller in Canada is first told by an airline employee that it is "illegal" to say certain words, and then that if she raised a fuss she would be falsely accused: When we boarded a little later, I asked for the ninny's name. He refused and hissed, "If you make a scene, I'll call the pilot and you won't be flying tonight." More on the British war on photographers. A British man is forced to give up his hobby of photographing busses due to harrassment. The credit controller, from Gloucester, says he now suffers "appalling" abuse from the authorities and public who doubt his motives. The bus-spotter, officially known as an omnibologist, said: "Since the 9/11 attacks there has been a crackdown. "The past two years have absolutely been the worst. I have had the most appalling abuse from the public, drivers and police over-exercising their authority. Mr McCaffery, who is married, added: "We just want to enjoy our hobby without harassment. "I can deal with the fact someone might think I'm a terrorist, but when they start saying you're a paedophile it really hurts." Is everything illegal and damaging now terrorism? Israeli authorities are investigating why a Palestinian resident of Jerusalem rammed his bulldozer into several cars and buses Wednesday, killing three people before Israeli police shot him dead. Israeli authorities are labeling it a terrorist attack, although they say there is no clear motive and the man -- a construction worker -- acted alone. It is not known if he had links to any terrorist organization. New Jersey public school locked down after someone saw a ninja: Turns out the ninja was actually a camp counselor dressed in black karate garb and carrying a plastic sword. Police tell the Asbury Park Press the man was late to a costume-themed day at a nearby middle school. And finally, not terrorism-related but a fine newspaper headline: "Giraffe helps camels, zebras escape from circus": Amsterdam police say 15 camels, two zebras and an undetermined number of llamas and potbellied swine briefly escaped from a traveling Dutch circus after a giraffe kicked a hole in their cage. Are llamas really that hard to count? EDITED TO ADD (7/2): Errors fixed.

July 2008 Advance Notification

Thu, 03 Jul 2008 17:34:00 GMT

Hello, Bill here. I wanted to let you know that we just posted our Advance Notification for next week´s bulletin release which will occur on Tuesday, July 8, 2008 around 10 a.m. Pacific Standard Time. It is important to remember that while the information posted below is intended to help with your planning, because it is preliminary information, it is subject to change. As part of our regularly scheduled bulletin release, we´re currently planning to release: · Four Microsoft Security Bulletins rated as Important. These updates may require a restart and will be detectable using the Microsoft Baseline Security Analyzer. As we do each month, the Microsoft Windows Malicious Software Removal Tool will be updated. We are also planning to release high-priority, non-security updates on Windows Update and Windows Server Update Services (WSUS) as well as high-priority, non-security updates on Microsoft Update and Windows Server Update Services (WSUS). For additional information, please see the Other Information section of the Advanced Notification. Finally, in late July, we´ll also be releasing KB946928 which updates the infrastructure of the Windows Update client itself. For more information on this update, please visit the Microsoft Update blog. As always, we´ll be holding the July edition of the monthly security bulletin webcast on Wednesday, July 9, 2008 at 11 a.m., Pacific Standard Time. We will review this month´s release and take your questions live on-air with answers from our panel of experts. As a friendly reminder, if you can´t make the live webcast, you can listen to it on-demand as well. You can register for the webcast here: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032374629&Culture=en-US Thanks, Bill Sisk *This posting is provided "AS IS" with no warranties, and confers no rights.*

Gmail, Yahoo and Hotmail´s CAPTCHA Broken

Thu, 03 Jul 2008 13:36:21 GMT

It's one thing to start efficiently registering thousands of email accounts at reputable email providers by automatically breaking their CAPTCHA authentication, and entirely another to build a business model on the top of it next to the opportunity to abuse if for your own malicious purposes. Which is exactly what we have here, an underground service that's selling registered accounts at Gmail, Yahoo, Hotmail and the most popular Russian email providers in the thousands. Once the inventory of registered accounts drops due to someone's purchase, it continues registering one to two email accounts per second.

Gmail, Yahoo and Hotmail´s CAPTCHA broken by spammers :

"Breaking Gmail, Yahoo and Hotmail´s CAPTCHAs, has been an urban legend for over two years now, with do-it-yourself CAPTCHA breaking services, and proprietary underground tools assisting spammers, phishers and malware authors into registering hundreds of thousands of bogus accounts for spamming and fraudulent purposes. This post intends to make this official, by covering an underground service offering thousands of already registered Gmail, Yahoo and Hotmail accounts for sale, with new ones registered every second clearly indicating the success rate of their CAPTCHA breaking capabilities at these services."

Text based CAPTCHA is so broken, that if major web sites whose services are getting abused don't at least try to slow down the efficient approach of breaking it, we are going to see an entire spamming infrastructure build on the foundation of legitimate email service providers.

Related posts:
Vladuz's Ebay CAPTCHA Populator
Spammers and Phishers Breaking CAPTCHAs
DIY CAPTCHA Breaking Service
Which CAPTCHA Do You Want to Decode Today?

Browser Insecurity

Thu, 03 Jul 2008 13:02:54 GMT

This excellent paper measures insecurity in the global population of browsers, using Google's web server logs. Why is this important? Because browsers are an increasingly popular attack vector. The results aren't good. ...at least 45.2%, or 637 million users, were not using the most secure Web browser version on any working day from January 2007 to June 2008. These browsers are an easy target for drive-by download attacks as they are potentially vulnerable to known exploits. That number breaks down as 577 million users of Internet Explorer, 38 million of Firefox, 17 million of Safari, and 5 million of Opera. Lots more detail in the paper, including some ideas for technical solutions. EDITED TO ADD (7/2): More commentary.

1500 posts!

Thu, 03 Jul 2008 00:45:03 GMT

This is officially post 1500 on the blog. In just under five years, I’ve written 1500 blog posts, some inane “look at me” posts (like this one:-)), some of which I’m pretty proud of. The true count of the posts I’ve written is a bit higher, but I lost more than a few [...]

Chinese Bloggers Bypassing Censorship by Blogging Backward

Wed, 02 Jul 2008 21:25:19 GMT

With China trying to silence over 30,000 rioters during the weekend, by deleting forum postings and deactivating accounts mentioning the riot, Chinese bloggers have started using a widget they originally came up in order to bypass the "Great Firewall of China" by blogging backward, vertically and horizontally :

"So bloggers on forums such as Tianya.cn have taken to posting in formats that China's Internet censors, often employees of commercial Internet service providers, have a hard time automatically detecting. One recent strategy involves online software that flips sentences to read right to left instead of left to right, and vertically instead of horizontally. China's sophisticated censorship regime -- known as the Great Firewall -- can automatically track objectionable phrases. But "the country also has the most experienced and talented group of netizens who always know ways around it," said an editor at Tianya, owned by Hainan Tianya Online Networking Technology Co., who has been responsible for deleting posts about the riot"

An old-school content obfuscation service that they could take advantage of, offers the opportunity to turn a short message into spam or a fake PGP encrypted file, where both parties can easily decode them to the original.

Spammmic is what I have in mind.

You need a PI license to repair computers?

Wed, 02 Jul 2008 12:33:01 GMT

This is just silly! I wonder if some Texas lawmaker isn’t proactively protecting his pr0n collection from the computer repair guys? If a computer repair technician needs a private investigator’s license, what do real forensics specialist need? I’d hate to be the test case, but this really needs to see a court room.

Dan Wallach on Electronic Voting Machines

Wed, 02 Jul 2008 12:15:27 GMT

It's been a while since I've written about electronic voting machines, but Dan Wallach has an excellent blog post about the current line of argument from the voting machine companies and why it's wrong. Unsurprisingly, the vendors and their trade organization are spinning the results of these studies, as best they can, in an attempt to downplay their significance. Hopefully, legislators and election administrators are smart enough to grasp the vendors´ behavior for what it actually is and take appropriate steps to bolster our election integrity. Until then, the bottom line is that many jurisdictions in Texas and elsewhere in the country will be using e-voting equipment this November with known security vulnerabilities, and the procedures and controls they are using will not be sufficient to either prevent or detect sophisticated attacks on their e-voting equipment. While there are procedures with the capability to detect many of these attacks (e.g., post-election auditing of voter-verified paper records), Texas has not certified such equipment for use in the state. Texas´s DREs are simply vulnerable to and undefended against attacks.

Network Security Podcast, Episode 110

Wed, 02 Jul 2008 03:26:18 GMT

Ever have one of those days where just about nothing seems to go right? That just about describes today. Rich had to bail tonight due to family obligations, though it sounds like it’s the fun type of obligation, not like having dinner with Aunt Ethel or something. We had a guest lined [...]

Nugache Worm Writer Arrested

Tue, 01 Jul 2008 18:57:48 GMT

A 19-year old from Wyoming will plead guilty.

Don´t lose your laptop at the airport!

Tue, 01 Jul 2008 17:17:51 GMT

I don’t know about other travelers, but losing my laptop while flying to or from a client site is one of my bigger fears. I have so much sensitive information on my drive that I’d panic if it was out of my site for more than the thirty seconds it takes to X-ray my [...]

Decrypting and Restoring GPcode Encrypted Files

Tue, 01 Jul 2008 13:26:39 GMT

The futile attempt to directly attack the encryption algorithm used by the GPcode ransomware, is prompting Kaspersky Labs to invest in a more pragmatic solutions to the problem, with a new version of the StopGpcode tool released last week. More info :

"It turns out that if a user has files that are encrypted by Gpcode and versions of those same files that are unencrypted, then the pairs of files (the encrypted and corresponding unencrypted file) can be used to restore other files on the victim machine. This is the method that the StopGpcode2 tool uses.

Where can these unencrypted files be found? They may be the result of using PhotoRec. Moreover, these files may be found in a backup storage or on removable media (e.g., the original files of photographs copied to the hard disk of a computer that has been attacked by Gpcode may still be on a camera´s memory card). Unencrypted files may also have been saved somewhere on a network resource (e.g., films or video clips on a public server) that the Gpcode virus has not reached."

As the customer support desk behind GPcode pointed out in an interview, the malware is prone to evolve, and the simplistic file deletion process will be replaced by secure file deletion in order to render all data recovery tols useless, unless of course backups of the affected data are available. They often aren't, and depending on the importance of the files encrypted, the successful ransom is all a matter of the momentum.

"A person, presumably the author of Gpcode, contacted at one of the e-mail addresses left behind by the program stated that future development efforts will likely increase the key size to 4,096 bits, "if AV companies or other (people) crack the current key, but (that's) impossible. The self-proclaimed author, who used the name "Daniel Robertson," also said that other standard techniques to defeat antivirus will be added, including polymorphic encryption, anti-heuristic features and the ability to self propagate, turning the program into a computer virus. It well pays back itself," he said"

There are even more pragmatic approaches to dealing with this problem, next to backups undermining their business model. Try following the virtual money for instance.

Kill Switches and Remote Control

Tue, 01 Jul 2008 12:48:37 GMT

It used to be that just the entertainment industries wanted to control your computers -- and televisions and iPods and everything else -- to ensure that you didn't violate any copyright rules. But now everyone else wants to get their hooks into your gear. OnStar will soon include the ability for the police to shut off your engine remotely. Buses are getting the same capability, in case terrorists want to re-enact the movie Speed. The Pentagon wants a kill switch installed on airplanes, and is worried about potential enemies installing kill switches on their own equipment. Microsoft is doing some of the most creative thinking along these lines, with something it's calling "Digital Manners Policies." According to its patent application, DMP-enabled devices would accept broadcast "orders" limiting capabilities. Cellphones could be remotely set to vibrate mode in restaurants and concert halls, and be turned off on airplanes and in hospitals. Cameras could be prohibited from taking pictures in locker rooms and museums, and recording equipment could be disabled in theaters. Professors finally could prevent students from texting one another during class. The possibilities are endless, and very dangerous. Making this work involves building a nearly flawless hierarchical system of authority. That's a difficult security problem even in its simplest form. Distributing that system among a variety of different devices -- computers, phones, PDAs, cameras, recorders -- with different firmware and manufacturers, is even more difficult. Not to mention delegating different levels of authority to various agencies, enterprises, industries and individuals, and then enforcing the necessary safeguards. Once we go down this path -- giving one device authority over other devices -- the security problems start piling up. Who has the authority to limit functionality of my devices, and how do they get that authority? What prevents them from abusing that power? Do I get the ability to override their limitations? In what circumstances, and how? Can they override my override? How do we prevent this from being abused? Can a burglar, for example, enforce a "no photography" rule and prevent security cameras from working? Can the police enforce the same rule to avoid another Rodney King incident? Do the police get "superuser" devices that cannot be limited, and do they get "supercontroller" devices that can limit anything? How do we ensure that only they get them, and what do we do when the devices inevitably fall into the wrong hands? It's comparatively easy to make this work in closed specialized systems -- OnStar, airplane avionics, military hardware -- but much more difficult in open-ended systems. If you think Microsoft's vision could possibly be securely designed, all you have to do is look at the dismal effectiveness of the various copy-protection and digital-rights-management systems we've seen over the years. That's a similar capabilities-enforcement mechanism, albeit simpler than these more general systems. And that's the key to understanding this system. Don't be fooled by the scare stories of wireless devices on airplanes and in hospitals, or visions of a world where no one is yammering loudly on their cellphones in posh restaurants. This is really about media companies wanting to exert their control further over your electronics. They not only want to prevent you from surreptitiously recording movies and concerts, they want your new television to enforce good "manners" on your computer, and not allow it to record any programs. They want your iPod to politely refuse to copy music to a computer other than your own. They want to enforce their legislated definition of manners: to control what you do and when you do it, and to charge you repeatedly for the privilege whenever possible. "Digital Manners Policies" is a marketing term. Let's call this what it really is: Selective Device Jamming. It's not polite, it's dangerous. It won't make anyone more secure -- or more polite. This essay originally appeared in Wired.com.

Summarizing June's Threatscape

Tue, 01 Jul 2008 12:29:06 GMT

June's threatscape that I'll summarize in this post based on all the research conducted during the month, was a very vibrant one. With the return of GPcode, a remotely exploitable flaw in the Zeus crimeware kit allowing both, researchers and malicious parties to assess the severity of a particular banker malware campaign, the increasing use of malicious doorways next to ICANN and IANA's DNS hijacking, all speak for themselves and how diverse the threats and, of course, the abilities to maintain a decent situatiational awareness about what's going on have become.
01. U.K's Crime Reduction Portal Hosting Phishing Pages - nothing new here since vulnerable sites are to be "remotely file included" and SQL injected to locally host anything on behalf of a malicious party. Risk and responsibility forwarding is one thing, but having a crime reduction portal hosting phishing pages is entirely another. The phishing pages was shut down in less than 12 hours upon notification
02. Price Discrimination in the Market for Stolen Credit Cards - Tracking down "yet another stolen credit cards for sale" service in the wild, the price discremination that they applied greatly reflects the current lack of transpararency for a potential buyer of stolen credit cards, and how higher profit margins are driving the entire business model. With script kiddies running their own botnets and undermining the sophisticated botnet master's high profit margin business model by undercutting their prices, stolen credit cards are not what they used to be - an exclussive good. Nowadays, they are a commodity good and often a bargain
03. Blackhat SEO Redirects to Malware and Rogue Software - Sampling an active blackhat SEO campaign out of the hundreds of thousands currently active online, releaved a large portfolio of domains serving Zlob variants by pitching them as fake codecs that the end user should download if they are to view the non existent adult content at the sites. Where's the OSINT mean? It's in the fact that the codecs and the fake security software phone back to UkrTeleGroup Ltd's network
04. Using Market Forces to Disrupt Botnets - With the current oversupply of malware infected hosts, and botnet masters embracing the services model for anything malicious, in this post I discussed the radical security approach of puchasing already infected malware hosts on a per country basis, disinfecting them and forcing them to update all the software on the infected PCs. Of course, on an opt-in basis. The possibility to directly provide incentives for botnet hunters to shut down whatever they come across to on a daily basis, and that's a lot of botnets, is also there
05. Who's Behind the GPcode Ransomware? - The title speaks for itself, the research with enough actionable intelligence gathered in the shortest timeframe possible is already proving accurate and highly valuable. How come? Stay tuned for more developments
06. ImageShack Typosquatted to Serve Malware - In a rare instance of a creative attack combining typosquatting in order to impersonate ImageShack and serve malware by redirecting users to an image file that is actually forwarding to the binary, I was recently tipped by the folks at TrendMicro who are also following this that the site is up and running again. Not for long
07. Fake YouTube Site Serving Flash Exploits - Next to using the usual set of exploits courtesy of a commodity web malware exploitation kit, this campaign was also using flash exploits. Even more interesting is the fact that the password stealer obtained was attempting to phone back to a misconfigured malware command and control interface, basically allowing you to assess the campaign from the eyes of the "campaigner"
08. Monetizing Web Site Defacements - Web site defacements are getting monetized just like SQL injections are in order to locally host a blackhat search engine optimization campaign on a vulnerable site with a high page rank. In this post I've assessed such monetization courtesy of a web site defacer at The Africa Middle Market Fund
09. Malicious Doorways Redirecting to Malware - Yet another large domains portfolio exposed though a malicious doorway redirecting to fake porn and video sites serving Zlob variants, tracking down the initial spamming of the malicious doorways across multiple vulnerable forums and guestbooks
10. The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw - When cyber criminals get advised to patch their vulnerable versons of the Zeus Crimeware Kit, you know there's a monoculture in the crimeware market. This flaw released publicly in May, 2008, not just allows others to hijack someone's ebanking botnet, but also, vendors and researchers to better assess a vulnerable Zeus command and control location
11. Fake Celebrity Video Sites Serving Malware - When templates for fake video and adult sites are just as available as they are now, anyone can take advantage of this cheap social engineering track that seems to work just fine. Compared to relying on blackhat search optimization to acquire traffic, some of the campaigns were SQL injected at vulnerable sites in order to drive traffic to them, next to several other tactics which when combined can result in a lot of people unknowingly visiting the sites
12. Phishing Campaign Spreading Across Facebook - An internal phishing campaign was circulating across Facebook, which got taken care of thanks to coordinated efforts with Facebook's security folks. There's also an indicating tha they are currently typosquatting other social networking sites like Hi5 for instance
13. Underground Multitasking in Action - As a firm believed in taking a random sample for a particular threat segment, this was once of these cases confirming the confidence I've built into anticipating upcoming tactics and strategies to be used
14. An Update to Photobucket's DNS Hijacking - Despite that Photobucket didn't oficially acknowledge the DNS hijacking, the hosting provider the NetDevilz hacking team used issued a statement. Ironically, the Turkish hacking group used the same provider weeks later to redirect ICANN and IANA's domains to Atspace.com
15. Fake Porn Sites Serving Malware - Among the largest domains portfolio of malware serving porn sites I've exposed in a while, all of them naturally remain active since they are hosted on a partition of RBN's diverse network. Visualizing a malicious doorway or the entire ecosystem provides a better understanding at how structured the ecosystems are
16. Backdoording Cyber Jihadist Ebooks for Surveillance Purposes - Despite that in this case we have a cyber jihadist backdoording his own released books, the international intelligence community next to law enforcement are known to have expressed interest in backdooring suspect's PCs, so why not SQL inject the cyber jihadist forums themselves?

17. Right Wing Israeli Hackers Deface Hamas's Site - When you read that Hamas's site is hacked, you ask yourself the following, do they even have a web site that's up the running? The answer to which would be the fact that even Hezbollah has been maintaining an Internet infrastructure since 1998

18. ICANN and IANA's Domain Names Hijacked by the NetDevilz Hacking Group - A fact is a fact, no comment here, go through all the technical details of the hijacking, including some actionable intelligence on who's behind the hijacking

19. The Malicious ISPs You Rarely See in Any Report - Who's tolerating malicious activities on their network, and how is the RBN related to all this? Well, when combined, the tiny parts of these ISPs represent a tiny part of the Russian Business Network itself

Microsoft Windows Server Update Services (WSUS) Blocked from Deploying Security Updates

Mon, 30 Jun 2008 20:24:00 GMT

Hi. Bill here. I want to let you know that we have just posted Microsoft Security Advisory 954960, which contains information regarding deployment Issues with Microsoft Windows Server Update Services (WSUS) version 3.0 and 3.0 Service Pack 1. Under specific conditions, the issue does not let clients detect any updates from a WSUS server on systems with Microsoft Office 2003 installed. While the notification of this issue went out as a Security Advisory, this issue is not a security vulnerability in WSUS or Microsoft Office 2003, but it does address customers´ overall security. This issue only affects the ability of client machines to synchronize with a WSUS server. We encourage affected customers to implement the manual workarounds, included in the Advisory, which enable clients to synchronize with a WSUS server and will be updated when our ongoing work in testing the permanent solution is complete. This issue is not related to Microsoft Security Advisory 954474 where systems were blocked from deploying security updates using System Center Configuration Manager 2007. Thanks, Bill Sisk *This posting is provided "AS IS" with no warranties, and confers no rights.*

Pentagon Consulting Social Scientists on Security

Mon, 30 Jun 2008 18:13:28 GMT

This seems like a good idea: Eager to embrace eggheads and ideas, the Pentagon has started an ambitious and unusual program to recruit social scientists and direct the nation´s brainpower to combating security threats like the Chinese military, Iraq, terrorism and religious fundamentalism. The article talks a lot about potential conflicts of interest and such, and less on what sorts of insights the social scientists can offer. I think there is a lot of potential value here.

Security and Human Behavior

Mon, 30 Jun 2008 17:17:06 GMT

I'm writing from the First Interdisciplinary Workshop on Security and Human Behavior (SHB 08). Security is both a feeling and a reality, and they're different. There are several different research communities: technologists who study security systems, and psychologists who study people, not to mention economists, anthropologists and others. Increasingly these worlds are colliding. Security design is by nature psychological, yet many systems ignore this, and cognitive biases lead people to misjudge risk. For example, a key in the corner of a web browser makes people feel more secure than they actually are, while people feel far less secure flying than they actually are. These biases are exploited by various attackers. Security problems relate to risk and uncertainty, and the way we react to them. Cognitive and perception biases affect the way we deal with risk, and therefore the way we understand security—whether that is the security of a nation, of an information system, or of one's personal information. Many real attacks on information systems exploit psychology more than technology. Phishing attacks trick people into logging on to websites that appear genuine but actually steal passwords. Technical measures can stop some phishing tactics, but stopping users from making bad decisions is much harder. Deception-based attacks are now the greatest threat to online security. In order to be effective, security must be usable—not just by geeks, but by ordinary people. Research into usable security invariably has a psychological component. Terrorism is perceived to be a major threat to society. Yet the actual damage done by terrorist attacks is dwarfed by the secondary effects as target societies overreact. There are many topics here, from the manipulation of risk perception to the anthropology of religion. There are basic research questions; for example, about the extent to which the use and detection of deception in social contexts may have helped drive human evolution. The dialogue between researchers in security and in psychology is rapidly widening, bringing in more and more disciplines—from security usability engineering, protocol design, privacy, and policy on the one hand, and from social psychology, evolutionary biology, and behavioral economics on the other. About a year ago Ross Anderson and I conceived this conference as a way to bring together computer security researchers, psychologists, behavioral economists, sociologists, philosophers, and others -- all of whom are studying the human side of security. I've read a lot -- and written some -- on psychology and security over the past few years, and have been continually amazed by some of the research that people outside my field have been doing on topics very relevant to my field. Ross and I both thought that bringing these diverse communities together would be fascinating to everyone. So we invited the people we have been reading, and asked them who else to invite. The response was overwhelming. Almost everyone we wanted was able to attend, and the result was a 42-person conference with 35 speakers. We're most of the way through the morning, and it's been even more fascinating than I expected. (Here's the agenda.) We've talked about detecting deception in people, organizational biases in making security decisions, building security "intuition" into Internet browsers, different techniques to prevent crime, complexity and failure, and the modeling of security feeling. I had high hopes of liveblogging this event, but it's far too fascinating to spend time writing posts. If you want to read some of the more interesting papers written by the participants, this is a good page to start with. I'll write more about the conference later. EDITED TO ADD (6/30): Ross Anderson has a blog post, too. And I should add that this was an invitational event -- which is why you haven't heard about it before -- and that the room here at MIT is completely full.

The Malicious ISPs You Rarely See in Any Report

Mon, 30 Jun 2008 14:31:08 GMT

The recently released badware report entitled “May 2008 Badware Websites Report" lists several Chinese netblocks tolerating malicious sites on their networks. As always, these are just the tip of the iceberg out of a relatively good sample that the folks at Stopbadware.org used for the purposes of their report. In the long term however, with the increasing prelevance of fast-fluxing, a country's malicious rating could become a variable based on the degree of dynamic fast-fluxing abusing its infrastructure in a particular moment in time. Moreover, forwarding the risk and the malicious infrastructure to malware infected hosts, and exploited web servers, creates a "twisted reality" where the countries with the most disperse infrastructure act as a front end to the countries abusing it, ones that make it in any report, since they are the abusers.

The report lists the following malicious netblocks, a great update to a previous post on "Geolocating Malicious ISPs" :

- CHINANET-BACKBONE No.31,Jin-rong Street
- CHINA169-BACKBONE CNCGROUP China169
- CHINANET-SH-AP China Telecom (Group)
- CNCNET-CN China Netcom Corp.
- GOOGLE - Google Inc.
- DXTNET Beijing Dian-Xin-Tong Network Technologies Co., Ltd.
- SOFTLAYER - SoftLayer Technologies Inc.
- THEPLANET-AS - ThePlanet.com Internet Services, Inc.
- INETWORK-AS IEUROP AS
- CHINANET-IDC-BJ-AP IDC, China

With some minor exceptions though, in the face of the following ISPs you rarely see in any report - InterCage, Inc., Softlayer Technologies, Layered Technologies, Inc., Ukrtelegroup Ltd, Turkey Abdallah Internet Hizmetleri, and Hostfresh. Ignoring for a second the fact that the "the whole is greater than the sum of it's parts", in this case, the parts represent RBN's split network. Since it's becoming increasingly common for any of these ISPs to provide standard abuse replies and make it look like there's a shutdown in process, the average time it takes to shut down a malware command and control, or a malicious domain used in a high-profile web malware attack is enough for the campaign to achieve its objective. The evasive tactics applied by the malicious parties in order to make it harder to assess and prove there's anything malicious going on, unless of course you have access to multiple sources of information in cases when OSINT isn't enough, are getting even more sophisticated these days. For instance, the Russian Business Network has always been taking advantage of "fake account suspended notices" on the front indexes of its domains, whereas the live exploit URLs and the malware command and controls remained active.

And while misconfigured web malware exploitation kits and malicious doorways continue supplying good samples of malicious activity, we will inevitable start witnessing more evasive practices applied in the very short term.

Related posts:
The New Media Malware Gang - Part Three
The New Media Malware Gang - Part Two
The New Media Malware Gang
HACKED BY THE RBN!
Rogue RBN Software Pushed Through Blackhat SEO
RBN's Phishing Activities
RBN's Puppets Need Their Master
RBN's Fake Account Suspended Notices
A Diverse Portfolio of Fake Security Software
Go to Sleep, Go to Sleep my Little RBN
Exposing the Russian Business Network
Detecting the Blocking the Russian Business Network
Over 100 Malwares Hosted on a Single RBN IP
RBN's Fake Security Software
The Russian Business Network

Last call for WAF and Code Review

Mon, 30 Jun 2008 13:42:35 GMT

Today’s the day. According to Payment Card Industry Data Security Standards (PCI-DSS) requirement 6.6, today is the last day having code review and/or a web application firewall (WAF) is optional. If you’re a merchant accepting credit cards online, you have to meet this requirement for any and all assessments from July 1, 2008 [...]

Top Ten Anti-Terrorism Patents

Mon, 30 Jun 2008 12:21:50 GMT

This is not a joke. The Airplane Trap Door is my favorite. Perhaps this would make a good Movie-Plot Threat Contest for next year.

ICANN and IANA's Domain Names Hijacked by the NetDevilz Hacking Group

Mon, 30 Jun 2008 00:40:57 GMT

The official domains of ICANN, the Internet Corporation for Assigned Names and Numbers, and IANA, the Internet Assigned Numbers Authority were hijacked earlier today, by the NetDevilz Turkish hacking group which also hijacked Photobucket´s domain on the 18th of June. Zone-H mirrored the defacements, some of which still remain active for the time being.

Read more here - "ICANN and IANA´s domains hijacked by Turkish hacking group". A single email appears to have been used in the updated DNS records of all domains, logically courtesy of the NetDevilz team - foricann1230@gmail.com

More details will be posted as soon as they emerge.

UPDATE:

The ICANN has restored access to its domains, and as in every other DNS hijacking the correct records will be updated on a mass scale in 24/48 hours. Some press coverage :

Ankle-biting hackers storm net's overlords, hijack their domains
Hackers hijack critical Internet organization sites
No such thing as a guaranteed safe site
Good Always Comes Out of Bad
Hackers Deface ICANN, IANA Sites
ICANN publicity may have triggered malicious behavior
Turkish Hackers Relive Memories in Photobucket
ICANN Web Site Compromise

Moreover, according to an article at Computerworld, the ICANN weren't aware of the hijack :

"A spokesman for ICANN contacted Friday morning wasn't aware of the hack, and declined comment until he find out more."

Let's hope that they issue a statement on the situation once they know more about how it happened. More comments follow from the ICANN - "Turkish Hacker Group Strikes Again, This Time Victims are ICANN and IANA" :

"Latest response received by CircleID from ICANN states that the problem took place at their registrar level. A Whois look up shows Register.com as the registrar for the hacked domains. ICANN has further stated that the registrar "fixed the dns redirection within 20 minutes of us notifying them of the problem. The registrar is actively investigating what happened and has promised to report back to us on what happened."

This is the second time in a row when DNS hijacking happens through Register.com compared to Comcast.net's one done through Network Solutions.

ICANN and IANA's Domain Names Hijacked by the NetDevilz Hacking Group

Sat, 28 Jun 2008 01:10:17 GMT

The official domains of ICANN, the Internet Corporation for Assigned Names and Numbers, and IANA, the Internet Assigned Numbers Authority were hijacked earlier today, by the NetDevilz Turkish hacking group which also hijacked Photobucket´s domain on the 18th of June. Zone-H mirrored the defacements, some of which still remain active for the time being.

Read more here - "ICANN and IANA´s domains hijacked by Turkish hacking group". A single email appears to have been used in the updated DNS records of all domains, logically courtesy of the NetDevilz team - foricann1230@gmail.com

More details will be posted as soon as they emerge.

UPDATE:

The ICANN has restored access to its domains, and as in every other DNS hijacking the correct records will be updated on a mass scale in 24/48 hours. Some press coverage :

Ankle-biting hackers storm net's overlords, hijack their domains
Hackers hijack critical Internet organization sites
No such thing as a guaranteed safe site
Hackers Deface ICANN, IANA Sites
ICANN publicity may have triggered malicious behavior
Turkish Hackers Relive Memories in Photobucket
ICANN Web Site Compromise

Moreover, according to an article at Computerworld, the ICANN weren't aware of the hijack :

"A spokesman for ICANN contacted Friday morning wasn't aware of the hack, and declined comment until he find out more."

Let's hope that they issue a statement on the situation once they know more about how it happened. More comments follow from the ICANN - "Turkish Hacker Group Strikes Again, This Time Victims are ICANN and IANA" :

"Latest response received by CircleID from ICANN states that the problem took place at their registrar level. A Whois look up shows Register.com as the registrar for the hacked domains. ICANN has further stated that the registrar "fixed the dns redirection within 20 minutes of us notifying them of the problem. The registrar is actively investigating what happened and has promised to report back to us on what happened."

This is the second time in a row when DNS hijacking happens through Register.com compared to Comcast.net's one done through Network Solutions.

ICANN and IANA's Domain Names Hijacked by the NetDevilz Hacking Group

Sat, 28 Jun 2008 00:29:02 GMT

The official domains of ICANN, the Internet Corporation for Assigned Names and Numbers, and IANA, the Internet Assigned Numbers Authority were hijacked earlier today, by the NetDevilz Turkish hacking group which also hijacked Photobucket´s domain on the 18th of June. Zone-H mirrored the defacements, some of which still remain active for the time being.

Read more here - "ICANN and IANA´s domains hijacked by Turkish hacking group". A single email appears to have been used in the updated DNS records of all domains, logically courtesy of the NetDevilz team - foricann1230@gmail.com

More details will be posted as soon as they emerge.

UPDATE:

The ICANN has restored access to its domains, and as in every other DNS hijacking the correct records will be updated on a mass scale in 24/48 hours. Some press coverage :

Ankle-biting hackers storm net's overlords, hijack their domains
Hackers hijack critical Internet organization sites
No such thing as a guaranteed safe site
Hackers Deface ICANN, IANA Sites
ICANN publicity may have triggered malicious behavior
Turkish Hackers Relive Memories in Photobucket

Moreover, according to an article at Computerworld, the ICANN weren't aware of the hijack :

"A spokesman for ICANN contacted Friday morning wasn't aware of the hack, and declined comment until he find out more."

Let's hope that they issue a statement on the situation once they know more about how it happened. More comments follow from the ICANN - "Turkish Hacker Group Strikes Again, This Time Victims are ICANN and IANA" :

"Latest response received by CircleID from ICANN states that the problem took place at their registrar level. A Whois look up shows Register.com as the registrar for the hacked domains. ICANN has further stated that the registrar "fixed the dns redirection within 20 minutes of us notifying them of the problem. The registrar is actively investigating what happened and has promised to report back to us on what happened."

This is the second time in a row when DNS hijacking happens through Register.com compared to Comcast.net's one done through Network Solutions.