<?xml version="1.0" encoding="iso-8859-1"?>
<rss version="2.0">
<channel>
	<title>softsecurity.com In focus</title>
	<link>http://www.softsecurity.com</link>
	<description>In focus</description>
	<language />
	<copyright />
	<pubDate>Sat, 11 Oct 2008 13:32:06 GMT</pubDate>
	<lastBuildDate>Sat, 11 Oct 2008 13:32:06 GMT</lastBuildDate>
	<category />
	<image />
	
	<item>
		<title>Friday Squid Blogging: Natural Squid Steganography</title>
		<link>http://softsecurity.com/news/blog-posts/friday-squid-blogging-natural-squid-steganography.html</link>
		<description>Squid can &lt;a href=&quot;http://scienceblogs.com/notrocketscience/2008/09/camouflaged_communication_the_secret_signals_of_squid.php&quot;&gt;communicate with each other&lt;/a&gt; without any other fish noticing:

Squid and their relatives have eyes that are sensitive to polarised light and to them and are known to use it to signal to one another. Their predators on the other hand, like seals or whales, don't share this ability and cannot see the squids' signals.

Most of all, the polarised iridescent light, is not affected by the chromatophores and passes through unaltered. This means that camouflaged squid can have entire visual conversations while remaining invisible to passing predators. In the world of squid, conversations carry secrets wrapped in lies.
</description>
		<pubDate>Fri, 10 Oct 2008 22:58:41 GMT</pubDate>
	</item>
	<item>
		<title>Recording Notice:  Security Roundtable - Blogger Ethics</title>
		<link>http://softsecurity.com/news/blog-posts/recording-notice-security-roundtable-blogger-ethics.html</link>
		<description>Michael Santarcangelo and I will be recording the next episode of the Security Roundtable tomorrow morning at 7:00 am PDT.&amp;#160; You can listen to the podcast live at http://hak5radio.com:8000/srt.mp3.m3u&amp;#160; We&amp;#8217;ll be joined by our friend Jennifer Leggio to talk about blogger ethics, public relations and anything else that comes to mind.&amp;#160; If you can&amp;#8217;t listen [...]</description>
		<pubDate>Fri, 10 Oct 2008 22:45:16 GMT</pubDate>
	</item>
	<item>
		<title>The More Things Change, the More They Stay the Same</title>
		<link>http://softsecurity.com/news/blog-posts/the-more-things-change-the-more-they-stay-the-same.html</link>
		<description>Guess the year:

Murderous organizations have increased in size and scope; they are more daring, they are served by the most terrible weapons offered by modern science, and the world is nowadays threatened by new forces which, if recklessly unchained, may some day wreck universal destruction. The Orsini bombs were mere children's toys compared with the later developments of infernal machines. Between 1858 and 1898 the dastardly science of destruction had made rapid and alarming strides...

No, that wasn't a typo.  &quot;Between 1858 and 1898....&quot;  This quote is from Major Arthur Griffith, &lt;a href=&quot;http://query.nytimes.com/mem/archive-free/pdf?res=9907E7D8153DE633A25757C0A9659C94689ED7CF&quot;&gt;Mysteries of Police and Crime&lt;/a&gt;, London, 1898, II, p. 469.  It's quoted in: Walter Laqueur, &lt;a href=&quot;http://www.amazon.com/History-Terrorism-Walter-Laqueur/dp/0765807998/ref=pd_bbs_sr_1?ie=UTF8&amp;s=books&amp;qid=1223482236&amp;sr=8-1&quot;&gt;A History of Terrorism&lt;/a&gt;, New Brunswick/London, Transaction Publishers, 2002.  
</description>
		<pubDate>Fri, 10 Oct 2008 18:30:19 GMT</pubDate>
	</item>
	<item>
		<title>Brute force attacks against WPA/WPA2 using Nvidia cards</title>
		<link>http://softsecurity.com/news/blog-posts/brute-force-attacks-against-wpawpa2-using-nvidia-cards.html</link>
		<description>According to The Register, Russian company Elcomsoft has made a major jump in cracking WPA and WPA2 passwords using Nvidia graphic cards to brute force the passwords.&amp;#160; They say that a system with two Nvidia GTX 280 video cards in it can crack the passphrase 100 times faster than anything before.
Does that mean it&amp;#8217;s time [...]</description>
		<pubDate>Fri, 10 Oct 2008 14:39:30 GMT</pubDate>
	</item>
	<item>
		<title>Data Mining for Terrorists Doesn't Work</title>
		<link>http://softsecurity.com/news/blog-posts/data-mining-for-terrorists-doesnt-work.html</link>
		<description>According to a &lt;a href=&quot;http://www.nap.edu/catalog.php?record_id=12452&quot;&gt;massive report&lt;/a&gt; from the National Research Council, data mining for terrorists doesn't work.  &lt;a href=&quot;http://news.cnet.com/8301-13578_3-10059987-38.html?part=rss&amp;subj=news&amp;tag=2547-1_3-0-20&quot;&gt;Here's&lt;/a&gt; a good summary:

The report was written by a committee whose members include William Perry, a professor at Stanford University; Charles Vest, the former president of MIT; W. Earl Boebert, a retired senior scientist at Sandia National Laboratories; Cynthia Dwork of Microsoft Research; R. Gil Kerlikowske, Seattle's police chief; and Daryl Pregibon, a research scientist at Google.

They admit that far more Americans live their lives online, using everything from VoIP phones to Facebook to RFID tags in automobiles, than a decade ago, and the databases created by those activities are tempting targets for federal agencies. And they draw a distinction between subject-based data mining (starting with one individual and looking for connections) compared with pattern-based data mining (looking for anomalous activities that could show illegal activities).

But the authors conclude the type of data mining that government bureaucrats would like to do--perhaps inspired by watching too many episodes of the Fox series 24--can't work. &quot;If it were possible to automatically find the digital tracks of terrorists and automatically monitor only the communications of terrorists, public policy choices in this domain would be much simpler. But it is not possible to do so.&quot;

A summary of the recommendations:

U.S. government agencies should be required to follow a systematic process to evaluate the effectiveness, lawfulness, and consistency with U.S. values of every information-based program, whether classified or unclassified, for detecting and countering terrorists before it can be deployed, and periodically thereafter.

Periodically after a program has been operationally deployed, and in particular before a program enters a new phase in its life cycle, policy makers should (carefully review) the program before allowing it to continue operations or to proceed to the next phase.

To protect the privacy of innocent people, the research and development of any information-based counterterrorism program should be conducted with synthetic population data... At all stages of a phased deployment, data about individuals should be rigorously subjected to the full safeguards of the framework.

Any information-based counterterrorism program of the U.S. government should be subjected to robust, independent oversight of the operations of that program, a part of which would entail a practice of using the same data mining technologies to &quot;mine the miners and track the trackers.&quot;

Counterterrorism programs should provide meaningful redress to any individuals inappropriately harmed by their operation.

The U.S. government should periodically review the nation's laws, policies, and procedures that protect individuals' private information for relevance and effectiveness in light of changing technologies and circumstances. In particular, Congress should re-examine existing law to consider how privacy should be protected in the context of information-based programs (e.g., data mining) for counterterrorism.

&lt;a href=&quot;http://www.nytimes.com/2008/10/08/washington/08data.html&quot;&gt;Here&lt;/a&gt; &lt;a href=&quot;http://blog.wired.com/27bstroke6/2008/10/data-mining-for.html&quot;&gt;are&lt;/a&gt; &lt;a href=&quot;http://techdirt.com/articles/20081007/1242002479.shtml&quot;&gt;more&lt;/a&gt; news articles on the report.  I &lt;a href=&quot;http://www.schneier.com/essay-108.html&quot;&gt;explained&lt;/a&gt; why data mining wouldn't find terrorists back in 2005.

EDITED TO ADD (10/10):  More &lt;a href=&quot;http://arstechnica.com/news.ars/post/20081009-analysis-data-mining-doesnt-work-for-spotting-terrorists.html&quot;&gt;commentary&lt;/a&gt;:

As the NRC report points out, not only is the training data lacking, but the input data that you'd actually be mining has been purposely corrupted by the terrorists themselves. Terrorist plotters actively disguise their activities using operational security measures (opsec) like code words, encryption, and other forms of covert communication. So, even if we had access to a copious and pristine body of training data that we could use to generalize about the &quot;typical terrorist,&quot; the new data that's coming into the data mining system is suspect. 

To return to the credit reporting analogy, credit scores would be worthless to lenders if everyone could manipulate their credit history (e.g., hide past delinquencies) the way that terrorists can manipulate the data trails that they leave as they buy gas, enter buildings, make phone calls, surf the Internet, etc. 

So this application of data mining bumps up against the classic GIGO (garbage in, garbage out) problem in computing, with the terrorists deliberately feeding the system garbage. What this means in real-world terms is that the success of our counter-terrorism data mining efforts is completely dependent on the failure of terrorist cells to maintain operational security. 

The combination of the GIGO problem and the lack of suitable training data combine to make big investments in automated terrorist identification a futile and wasteful effort. Furthermore, these two problems are structural, so they're not going away. All legitimate concerns about false positives and corrosive effects on civil liberties aside, data mining will never give authorities the ability to identify terrorists or terrorist networks with any degree of confidence.
</description>
		<pubDate>Fri, 10 Oct 2008 12:35:43 GMT</pubDate>
	</item>
	<item>
		<title>Sequoia's helping decide the election?  God help us!</title>
		<link>http://softsecurity.com/news/blog-posts/sequoiaacutes-helping-decide-the-election-god-help-us.html</link>
		<description>Rich and I talked about electronic voting earlier this week on the podcast and it&amp;#8217;s something I&amp;#8217;ve never been a big fan of.&amp;#160; But Wired&amp;#8217;s story on the voting issues Palm Beach Florida had in their judicial election race quite frankly scares the snot out of me!&amp;#160; In nearly half a dozen recounts, Sequoia&amp;#8217;s optical [...]</description>
		<pubDate>Fri, 10 Oct 2008 00:02:49 GMT</pubDate>
	</item>
	<item>
		<title>Update 1: Microsoft Security Advisory 951306</title>
		<link>http://softsecurity.com/news/blog-posts/update-1-microsoft-security-advisory-951306.html</link>
		<description>Hello, Bill here,
I wanted to let you know that we have just updated &lt;A href=&quot;http://www.microsoft.com/technet/security/advisory/951306.mspx&quot;&gt;Microsoft Security Advisory (951306)&lt;/A&gt;.
Exploit code has been published on the Internet for the vulnerability addressed by this Advisory. Our investigation has shown that it does not affect customers who have applied the workarounds listed in the Advisory.
At this time, we are not aware of attacks attempting to use the vulnerability. We will continue to monitor the situation and post updates to the Advisory and the MSRC Blog as we become aware of any important new information.
Bill Sisk
*This posting is provided &quot;AS IS&quot; with no warranties, and confers no rights.*</description>
		<pubDate>Thu, 09 Oct 2008 23:00:00 GMT</pubDate>
	</item>
	<item>
		<title>Nonviolent Activists Are Now Terrorists</title>
		<link>http://softsecurity.com/news/blog-posts/nonviolent-activists-are-now-terrorists.html</link>
		<description>Heard about &lt;a href=&quot;http://www.washingtonpost.com/wp-dyn/content/article/2008/10/07/AR2008100703245_pf.html&quot;&gt;this&lt;/a&gt;:

The Maryland State Police classified 53 nonviolent activists as terrorists and entered their names and personal information into state and federal databases that track terrorism suspects, the state police chief acknowledged yesterday.

Why did they do that?

Both Hutchins and Sheridan said the activists' names were entered into the state police database as terrorists partly because the software offered limited options for classifying entries.

I know that once we had this &quot;either you're with us or with the terrorists&quot; mentality, but don't you think that -- just maybe -- the software should allow for a little bit more nuance?
</description>
		<pubDate>Thu, 09 Oct 2008 19:07:17 GMT</pubDate>
	</item>
	<item>
		<title>Cisco Ooops:  drug runner music on VPN CD</title>
		<link>http://softsecurity.com/news/blog-posts/cisco-ooops-drug-runner-music-on-vpn-cd.html</link>
		<description>Imagine popping in your Cisco VPN installation CD only to have Mexican music start playing rather than having the installer start.&amp;#160; That is apparently exactly what happened to Dave Fumberger yesterday.&amp;#160; Someone at the plant who makes the Cisco CD&amp;#8217;s apparently burnt his or her mix tapes to the CD rather than the Cisco software [...]</description>
		<pubDate>Thu, 09 Oct 2008 17:51:20 GMT</pubDate>
	</item>
	<item>
		<title>October 2008 Advanced Notification</title>
		<link>http://softsecurity.com/news/blog-posts/october-2008-advanced-notification.html</link>
		<description>
Hello, Bill here.
I wanted to let you know that we just posted our &lt;A href=&quot;http://www.microsoft.com/technet/security/bulletin/ms08-oct.mspx&quot;&gt;Advance Notification&lt;/A&gt; for next week's bulletin release which will occur on Tuesday, Oct. 14, 2008 around 10 a.m. Pacific Standard Time.
It is important to remember that while the information posted below is intended to help with your planning, because it is preliminary information, it is subject to change.
As part of our regularly scheduled bulletin release, we're currently planning to release:
&amp;nbsp;
&amp;middot; Four Microsoft Security Bulletins rated as Critical, six rated Important, and one rated Moderate. These updates may require a restart and will be detectable using the &lt;A href=&quot;http://www.microsoft.com/technet/security/tools/mbsa2_1/default.mspx&quot;&gt;Microsoft Baseline Security Analyzer.&lt;/A&gt;
&amp;nbsp;
As we do each month, the Microsoft Windows Malicious Software Removal Tool will be updated. 
&amp;nbsp;
We are also planning to release high-priority, non-security updates on Windows Update and Windows Server Update Services (WSUS) as well as high-priority, non-security updates on Microsoft Update and Windows Server Update Services (WSUS). For additional information, please see the Other Information section of the &lt;A href=&quot;http://www.microsoft.com/technet/security/bulletin/ms08-oct.mspx&quot;&gt;Advanced Notification&lt;/A&gt;.
&amp;nbsp;
We also want to announce the availability of the Exploitability Index in upcoming security bulletin summaries and the official release of Microsoft Active Protections Program, which were both announced at Black Hat in August. The Exploitability Index provides additional information to help customers prioritize deployment of monthly security bulletins while the Microsoft Active Protections Program provides vulnerability information to security software providers in advance of Microsoft's monthly security bulletin releases. Both the Exploitability Index and Microsoft Active Protection Program provide additional support to customers and partners to defend against emerging online threats.
&amp;nbsp;
As always, we'll be holding the October edition of the monthly security bulletin webcast on Wednesday, Oct. 15, 2008 at 11 a.m., Pacific Standard Time. We will review this month's release and take your questions live on-air with answers from our panel of experts. As a friendly reminder, if you can't make the live webcast, you can listen to it on-demand as well at the same URL. In addition, we'll also be posting the text of the questions and answers from each month's webcast. You can see a full listing of the posted questions and answers on this page.
&amp;nbsp;
You can register for the webcast here: &lt;A href=&quot;http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032374639&amp;amp;Culture=en-US&quot;&gt;http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032374639&amp;amp;Culture=en-US&lt;/A&gt;
&amp;nbsp;
&amp;nbsp;
Thanks,
&amp;nbsp;
Bill Sisk 
&amp;nbsp;
*This posting is provided &quot;AS IS&quot; with no warranties, and confers no rights.*</description>
		<pubDate>Thu, 09 Oct 2008 16:40:00 GMT</pubDate>
	</item>
	<item>
		<title>&quot;New Attack&quot; Against Encrypted Images</title>
		<link>http://softsecurity.com/news/blog-posts/new-attack-against-encrypted-images.html</link>
		<description>In a blatant attempt to get some &lt;a href=&quot;http://www.techworld.com/security/news/index.cfm?newsid=105263&quot;&gt;PR&lt;/a&gt;:

In a new paper, Bernd Roellgen of Munich-based encryption outfit PMC Ciphers, explains how it is possible to compare an encrypted backup image file made with almost any commercial encryption program or algorithm to an original that has subsequently changed so that small but telling quantities of data 'leaks'.

&lt;a href=&quot;http://www.turbocrypt.com/vpics/9a8f098c615a425eab6d17c804dd67ae/whitepapers/backup_attack.pdf&quot;&gt;Here's&lt;/a&gt; the paper.  Turns out that if you use a block cipher in Electronic Codebook Mode, identical plaintexts encrypt to identical ciphertexts.

Yeah, we already knew that.

And -1 point for a security company requiring the use of Javascript, and not failing gracefully for a browser that doesn't have it enabled.

And -- ahem -- what is it with that photograph in the paper?  Couldn't the researchers have found something a little less adolescent?

For the record, I &lt;a href=&quot;http://www.schneier.com/crypto-gram-0303.html#4&quot;&gt;doghoused&lt;/a&gt; PMC Ciphers back in 2003:

PMC Ciphers. The theory description is so filled with pseudo-cryptography that it's funny to read. Hypotheses are presented as conclusions. Current research is misstated or ignored. The first link is a technical paper with four references, three of them written before 1975. Who needs thirty years of cryptographic research when you have polymorphic cipher theory?

EDITED TO ADD (10/9):  I didn't realize it, but last year PMC Ciphers &lt;a href=&quot;http://www.ciphers.de/eng/content/Backround-Info/Bruce-Schneiers-comments.html&quot;&gt;responded&lt;/a&gt; to my doghousing them.  Funny stuff.
</description>
		<pubDate>Thu, 09 Oct 2008 12:44:14 GMT</pubDate>
	</item>
	<item>
		<title>Step by step guide to the DNS vulnerability</title>
		<link>http://softsecurity.com/news/blog-posts/step-by-step-guide-to-the-dns-vulnerability.html</link>
		<description>Got a few minutes?&amp;#160; Actually, more than just a few to be truthful.&amp;#160; If you&amp;#8217;re at all curious about the intimate details of how Dan Kaminsky&amp;#8217;s DNS vulnerability works, then you should review Steve Friedl&amp;#8217;s &amp;#8220;An Illustrated Guide to the Kaminsky DNS Vulnerability&amp;#8220;.&amp;#160; This is not for the faint of heart or short of time; [...]</description>
		<pubDate>Thu, 09 Oct 2008 12:22:52 GMT</pubDate>
	</item>
	<item>
		<title>Cybercriminals Abusing Lycos Spain To Serve Malware</title>
		<link>http://softsecurity.com/news/blog-posts/cybercriminals-abusing-lycos-spain-to-serve-malware.html</link>
		<description>&lt;a href=&quot;http://4.bp.blogspot.com/_wICHhTiQmrA/SO3K1YNzr7I/AAAAAAAACRg/Few0-Tx3rNw/s1600-h/lycos_spain_fake_video_generator2.PNG&quot; imageanchor=&quot;1&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;http://4.bp.blogspot.com/_wICHhTiQmrA/SO3K1YNzr7I/AAAAAAAACRg/iAII9VuZa4c/s200-R/lycos_spain_fake_video_generator2.PNG&quot; /&gt;&lt;/a&gt;Spanish cybercriminals have recently started taking advantage of the bogus accounts at Lycos Spain, which they seem to be registering on their own, by releasing a do-it-yourself malicious link generator redirecting to fake YouTube and Adobe Flash video pages. Whereas the concept of abusing legitimate web services for infection and propagation isn't new, what's new is the fact that &lt;a href=&quot;http://ddanchev.blogspot.com/2008/03/embedding-malicious-iframes-through.html&quot;&gt;the FTP access is efficiently abused&lt;/a&gt;.&amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
Here's a description of the link generator : &lt;br /&gt;
&lt;br /&gt;
&lt;a href=&quot;http://1.bp.blogspot.com/_wICHhTiQmrA/SO0tM6_O7ZI/AAAAAAAACRI/nmOCnp413_4/s1600-h/lycos_spain_fake_video_generator1.png&quot; imageanchor=&quot;1&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;http://1.bp.blogspot.com/_wICHhTiQmrA/SO0tM6_O7ZI/AAAAAAAACRI/eipfSy4XHQA/s200-R/lycos_spain_fake_video_generator1.png&quot; /&gt;&lt;/a&gt;&quot;Download the program and run it asks for an ID (identifier), then copy it and paste it there, then press' Create Installer 'and the program will create the Installer! (this program to run a simulation that is installing the Adobe Flash and indicates to our page that &quot;has been installed Adobe Flash,&quot; in order to show the video when YouVideo refresh the page, this you must file tie it in with your server! and what flames or Installer Setup (simulating being an installer)!&amp;nbsp; Now you need to upload that file you've joined an FTP, click Next and put the path of that file in the next step!&quot;&lt;br /&gt;
&lt;br /&gt;
&lt;a href=&quot;http://1.bp.blogspot.com/_wICHhTiQmrA/SO0tdIn5AuI/AAAAAAAACRY/MxLdkIGeP-k/s1600-h/lycos_spain_fake_video_generator6.png&quot; imageanchor=&quot;1&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;http://1.bp.blogspot.com/_wICHhTiQmrA/SO0tdIn5AuI/AAAAAAAACRY/Ajrlsv2pXY8/s200-R/lycos_spain_fake_video_generator6.png&quot; /&gt;&lt;/a&gt;Whereas the tool is exclusively relying on Lycos Spain to host the binaries and the campaign itself, the recent &lt;a href=&quot;http://ddanchev.blogspot.com/2008/10/syndicating-google-trends-keywords-for.html&quot;&gt;blackhat SEO campaign relying on pre-registered Windows Live Spaces and AOL Journals&lt;/a&gt; syndicating hot Google Trends keywords, further indicates the malicious attacker's capabilities of efficiently abusing legitimate services. And with the process of &lt;a href=&quot;http://ddanchev.blogspot.com/2008/08/exposing-indias-captcha-solving-economy.html&quot;&gt;bogus accounts registration&lt;/a&gt; performed automatically, or &lt;a href=&quot;http://blogs.zdnet.com/security/?p=1835&quot;&gt;outsourced entirely&lt;/a&gt;, malicious services aiming to automate the abuse process are only going to get more efficient.
</description>
		<pubDate>Thu, 09 Oct 2008 09:28:17 GMT</pubDate>
	</item>
	<item>
		<title>Commoditization of Anti Debugging Features in RATs - Part Two</title>
		<link>http://softsecurity.com/news/blog-posts/commoditization-of-anti-debugging-features-in-rats-part-two.html</link>
		<description>&lt;a href=&quot;http://4.bp.blogspot.com/_wICHhTiQmrA/SO0Yx0zlTHI/AAAAAAAACRA/WI5KeS8KdX8/s1600-h/anti-debugging_DIY_builder.jpg&quot; imageanchor=&quot;1&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;http://4.bp.blogspot.com/_wICHhTiQmrA/SO0Yx0zlTHI/AAAAAAAACRA/J9YN_209tN0/s200-R/anti-debugging_DIY_builder.jpg&quot; /&gt;&lt;/a&gt;Yet another piece of &lt;a href=&quot;http://ddanchev.blogspot.com/2008/09/commercialization-of-anti-debugging.html&quot;&gt;malware promoted as a RAT&lt;/a&gt; (remote access tool) includes what's turning into the de facto &lt;a href=&quot;http://ddanchev.blogspot.com/2008/09/commoditization-of-anti-debugging.html&quot;&gt;set of anti-debugging features within RATs&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
As the authors point out, the Anti Virtual PC, VMware, Virtualbox, Sandboxie, ThreatExpert, Anubis, CWSandbox, Joebox, Norman Sandbox features inevitably increase the server size. Next to the product, there's always the managed service of ensuring a lower detection rate for binaries submitted to the authors.
</description>
		<pubDate>Thu, 09 Oct 2008 09:00:40 GMT</pubDate>
	</item>
	<item>
		<title>NoScript protects from ClickJacking</title>
		<link>http://softsecurity.com/news/blog-posts/noscript-protects-from-clickjacking.html</link>
		<description>Stop reading this and go update your NoScript plugin to get the latest version with ClearClick enabled!&amp;#160; And if you&amp;#8217;re not already using Firefox with NoScript, there&amp;#8217;s nothing I can do to help you.&amp;#160;  
Seriously, with all the talk about clickjacking over the last couple of weeks and proof of concept code being released [...]</description>
		<pubDate>Wed, 08 Oct 2008 14:46:57 GMT</pubDate>
	</item>
	<item>
		<title>Big Surprise:  Data mining doesn't catch terrorists</title>
		<link>http://softsecurity.com/news/blog-posts/big-surprise-data-mining-doesnacutet-catch-terrorists.html</link>
		<description>A government panel released a report yesterday that says that data mining, at least the way the government does it, doesn&amp;#8217;t catch terrorists.&amp;#160; Their findings show that pattern-based data mining, looking for a related set of activities, won&amp;#8217;t catch terrorists because each person is too unique and they&amp;#8217;re doing everything they can to blend [...]</description>
		<pubDate>Wed, 08 Oct 2008 14:14:09 GMT</pubDate>
	</item>
	<item>
		<title>Chinese Monitoring Skype Messages</title>
		<link>http://softsecurity.com/news/blog-posts/chinese-monitoring-skype-messages.html</link>
		<description>&lt;a href=&quot;http://arstechnica.com/news.ars/post/20081002-skype-security-flub-leads-to-discovery-of-chinese-monitoring.html&quot;&gt;This&lt;/a&gt; is the best article I've read on the story.
</description>
		<pubDate>Wed, 08 Oct 2008 12:55:52 GMT</pubDate>
	</item>
	<item>
		<title>Network Security Podcast, Episode 123</title>
		<link>http://softsecurity.com/news/blog-posts/network-security-podcast-episode-123.html</link>
		<description>Rich and I relaxed a little tonight, with no guests to impress (or corral)&amp;#160; We had the live stream going and had a few listeners providing feedback via Twitter.&amp;#160; This is part of our ongoing efforts to improve the podcast and hopefully grow our audience.&amp;#160; I mean get more listeners, not just help our current [...]</description>
		<pubDate>Wed, 08 Oct 2008 02:23:46 GMT</pubDate>
	</item>
	<item>
		<title>Do-Not-Call Lists</title>
		<link>http://softsecurity.com/news/blog-posts/do-not-call-lists.html</link>
		<description>Turns out you can &lt;a href=&quot;https://www.lnnte-dncl.gc.ca/&quot;&gt;add anyone's number&lt;/a&gt; -- or remove anyone's number -- to/from the Canadian do-not-call list. You can also add (but not remove) numbers to the &lt;a href=&quot;https://www.donotcall.gov/register/reg.aspx&quot;&gt;U.S. do-not-call list&lt;/a&gt;, though only up to three at a time, and you have to provide a valid e-mail address to confirm the addition.

Here's my idea.  If you're a company, add every one of your customers to the list.  That way, none of your competitors will be able to cold call them.
</description>
		<pubDate>Tue, 07 Oct 2008 21:51:16 GMT</pubDate>
	</item>
	<item>
		<title>Recording notice:  NSP 123</title>
		<link>http://softsecurity.com/news/blog-posts/recording-notice-nsp-123.html</link>
		<description>Rich and I will be recording episode 123 of the Network Security Podcast tonight at 5:00 PDT.&amp;#160; We&amp;#8217;ll start the live stream at http://hak5radio.com:8000/netsecpodcast.mp3.m3u at 5:00, start recording a few minutes after and hopefully wrap up in 30 minutes.&amp;#160; Rich and I almost never actually finish on time, but it&amp;#8217;s a goal.
Tonight&amp;#8217;s guest:&amp;#160; Us.&amp;#160; [...]</description>
		<pubDate>Tue, 07 Oct 2008 18:27:14 GMT</pubDate>
	</item>
	<item>
		<title>Summarizing Zero Day's Posts for September</title>
		<link>http://softsecurity.com/news/blog-posts/summarizing-zero-days-posts-for-september.html</link>
		<description>As usual, here's September's summary of all of my posts at &lt;a href=&quot;http://blogs.zdnet.com/security&quot;&gt;Zero Day&lt;/a&gt;. You may also want to catch up and go through &lt;a href=&quot;http://ddanchev.blogspot.com/2008/09/summarizing-zero-days-posts-for-august.html&quot;&gt;August's&lt;/a&gt; and &lt;a href=&quot;http://ddanchev.blogspot.com/2008/08/summarizing-zero-days-posts-for-july.html&quot;&gt;July's summaries&lt;/a&gt;, next to adding &lt;a href=&quot;http://updates.zdnet.com/tags/dancho+danchev.html?t=0&amp;amp;s=0&amp;amp;o=1&amp;amp;mode=rss&quot;&gt;my personal RSS feed&lt;/a&gt; or &lt;a href=&quot;http://feeds.feedburner.com/zdnet/security&quot;&gt;Zero Day's main feed&lt;/a&gt; to your RSS reader.&lt;br /&gt;
&lt;br /&gt;
Notable article for September - &lt;a href=&quot;http://blogs.zdnet.com/security/?p=1899&quot;&gt;Spamming vendor launches managed spamming service&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
01. &lt;a href=&quot;http://blogs.zdnet.com/security/?p=1847&quot;&gt;DoS vulnerability hits Google's Chrome, crashes with all tabs&lt;/a&gt;&lt;br /&gt;
02. &lt;a href=&quot;http://blogs.zdnet.com/security/?p=1852&quot;&gt;Malware and spam attacks exploiting Picasa and ImageShack&lt;/a&gt;&lt;br /&gt;
03. &lt;a href=&quot;http://blogs.zdnet.com/security/?p=1899&quot;&gt;Spamming vendor launches managed spamming service&lt;/a&gt;&lt;br /&gt;
04. &lt;a href=&quot;http://blogs.zdnet.com/security/?p=1908&quot;&gt;Facebook introducing new security warning feature&lt;/a&gt;&lt;br /&gt;
05. &lt;a href=&quot;http://blogs.zdnet.com/security/?p=1911&quot;&gt;Google downplays Chrome's carpet-bombing flaw&lt;/a&gt;&lt;br /&gt;
06. &lt;a href=&quot;http://blogs.zdnet.com/security/?p=1922&quot;&gt;Targeted malware attack against U.S schools intercepted&lt;/a&gt;&lt;br /&gt;
07. &lt;a href=&quot;http://blogs.zdnet.com/security/?p=1926&quot;&gt;The most &quot;dangerous&quot; celebrities to search for in 2008&lt;/a&gt;&lt;br /&gt;
08. &lt;a href=&quot;http://blogs.zdnet.com/security/?p=1935&quot;&gt;Norwegian BitTorrent tracker under DDoS attack&lt;/a&gt;&lt;br /&gt;
09. &lt;a href=&quot;http://blogs.zdnet.com/security/?p=1939&quot;&gt;Attacker: Hacking Sarah Palin's email was easy&lt;/a&gt;&lt;br /&gt;
10. &lt;a href=&quot;http://blogs.zdnet.com/security/?p=1958&quot;&gt;Bill O'Reilly's web site hacked, attackers release personal details of users&lt;/a&gt;&lt;br /&gt;
11. &lt;a href=&quot;http://blogs.zdnet.com/security/?p=1964&quot;&gt;India's government: At last, we've cracked Blackberry's encryption&lt;/a&gt;&lt;br /&gt;
12. &lt;a href=&quot;http://blogs.zdnet.com/security/?p=1975&quot;&gt;Memory exhaustion DoS vulnerability hits Google's Chrome&lt;/a&gt;&lt;br /&gt;
13. &lt;a href=&quot;http://blogs.zdnet.com/security/?p=1983&quot;&gt;44% of second hand mobile devices still contain sensitive data&lt;/a&gt;&lt;br /&gt;
14. &lt;a href=&quot;http://blogs.zdnet.com/security/?p=1986&quot;&gt;Spammers attacking Microsoft's CAPTCHA -- again&lt;/a&gt;
</description>
		<pubDate>Tue, 07 Oct 2008 15:54:00 GMT</pubDate>
	</item>
	<item>
		<title>Now he's done it!  Security Mike sells out</title>
		<link>http://softsecurity.com/news/blog-posts/now-heacutes-done-it-security-mike-sells-out.html</link>
		<description>I think it&amp;#8217;s a cyclical thing: start your career as a corporate slave, break free of the shackles to go out on your own, a few years later go back to the corporate job for a steady paycheck.&amp;#160; Lather, Rinse, Repeat.&amp;#160; It&amp;#8217;s a pretty standard formula, based at least in part on the &amp;#8216;grass is [...]</description>
		<pubDate>Tue, 07 Oct 2008 14:49:22 GMT</pubDate>
	</item>
	<item>
		<title>A Diverse Portfolio of Fake Security Software - Part Eight</title>
		<link>http://softsecurity.com/news/blog-posts/a-diverse-portfolio-of-fake-security-software-part-eight.html</link>
		<description>In the spirit of &quot;&lt;a href=&quot;http://bp3.blogger.com/_wICHhTiQmrA/R3WKqj8-MnI/AAAAAAAABSw/9FrQmDwhpb4/s1600-h/mcgruff_cybercrime.jpg&quot;&gt;taking a bite out of cybercrime&lt;/a&gt;&quot;, here are the latest fake security software domains, typosquatted and already acquiring traffic through a dozen malware campaigns redirecting to most of them:&lt;br /&gt;
&lt;br /&gt;
You know the drill.&amp;nbsp;&lt;br /&gt;
&lt;br /&gt;
Related posts:&lt;br /&gt;
&lt;a href=&quot;http://ddanchev.blogspot.com/2008/09/diverse-portfolio-of-fake-security_30.html&quot;&gt;A Diverse Portfolio of Fake Security Software - Part Seven&lt;/a&gt;&lt;br /&gt;
&lt;a href=&quot;http://ddanchev.blogspot.com/2008/09/diverse-portfolio-of-fake-security_24.html&quot;&gt;A Diverse Portfolio of Fake Security Software - Part Six&lt;/a&gt;&lt;br /&gt;
&lt;a href=&quot;http://ddanchev.blogspot.com/2008/09/diverse-portfolio-of-fake-security.html&quot;&gt;A  Diverse Portfolio of Fake Security Software - Part Five&lt;/a&gt; &lt;br /&gt;
&lt;a href=&quot;http://ddanchev.blogspot.com/2008/08/diverse-portfolio-of-fake-security_25.html&quot;&gt;A  Diverse Portfolio of Fake Security Software - Part Four&lt;/a&gt;&lt;br /&gt;
&lt;a href=&quot;http://ddanchev.blogspot.com/2008/08/diverse-portfolio-of-fake-security_20.html&quot;&gt;A  Diverse Portfolio of Fake Security Software - Part Three&lt;/a&gt; &lt;br /&gt;
&lt;a href=&quot;http://ddanchev.blogspot.com/2008/08/diverse-portfolio-of-fake-security.html&quot;&gt;A  Diverse Portfolio of Fake Security Software - Part Two&lt;/a&gt;&lt;br /&gt;
&lt;a href=&quot;http://ddanchev.blogspot.com/2007/12/diverse-portfolio-of-fake-security.html&quot;&gt;Diverse  Portfolio of Fake Security Software&lt;/a&gt; 
</description>
		<pubDate>Tue, 07 Oct 2008 12:21:00 GMT</pubDate>
	</item>
	<item>
		<title>The Seven Habits of Highly Ineffective Terrorists</title>
		<link>http://softsecurity.com/news/blog-posts/the-seven-habits-of-highly-ineffective-terrorists.html</link>
		<description>Most counterterrorism policies fail, not because of tactical problems, but because of a fundamental misunderstanding of what motivates terrorists in the first place. If we're ever going to defeat terrorism, we need to understand what drives people to become terrorists in the first place. 

Conventional wisdom holds that terrorism is inherently political, and that people become terrorists for political reasons. This is the &quot;strategic&quot; model of terrorism, and it's basically an economic model. It posits that people resort to terrorism when they believe -- rightly or wrongly -- that terrorism is worth it; that is, when they believe the political gains of terrorism minus the political costs are greater than if they engaged in some other, more peaceful form of protest. It's assumed, for example, that people join Hamas to achieve a Palestinian state; that people join the PKK to attain a Kurdish national homeland; and that people join al-Qaida to, among other things, get the United States out of the Persian Gulf. 

If you believe this model, the way to fight terrorism is to change that equation, and that's what most experts advocate. Governments tend to minimize the political gains of terrorism through a no-concessions policy; the international community tends to recommend reducing the political grievances of terrorists via appeasement, in hopes of getting them to renounce violence. Both advocate policies to provide effective nonviolent alternatives, like free elections. 

Historically, none of these solutions has worked with any regularity. Max Abrahms, a predoctoral fellow at Stanford University's Center for International Security and Cooperation, has studied dozens of terrorist groups from all over the world. He argues that the model is wrong. In a &lt;a href=&quot;http://maxabrahms.com/pdfs/DC_250-1846.pdf&quot;&gt;paper&lt;/a&gt; published this year in International Security that -- sadly -- doesn't have the title &quot;Seven Habits of Highly Ineffective Terrorists,&quot; he discusses, well, seven habits of highly ineffective terrorists. These seven tendencies are seen in terrorist organizations all over the world, and they directly contradict the theory that terrorists are political maximizers: 

Terrorists, he writes, (1) attack civilians, a policy that has a lousy track record of convincing those civilians to give the terrorists what they want; (2) treat terrorism as a first resort, not a last resort, failing to embrace nonviolent alternatives like elections; (3) don't compromise with their target country, even when those compromises are in their best interest politically; (4) have protean political platforms, which regularly, and sometimes radically, change; (5) often engage in anonymous attacks, which precludes the target countries making political concessions to them; (6) regularly attack other terrorist groups with the same political platform; and (7) resist disbanding, even when they consistently fail to achieve their political objectives or when their stated political objectives have been achieved. 

Abrahms has an alternative model to explain all this: People turn to terrorism for social solidarity. He theorizes that people join terrorist organizations worldwide in order to be part of a community, much like the reason inner-city youths join gangs in the United States. 

The evidence supports this. Individual terrorists often have no prior involvement with a group's political agenda, and often join multiple terrorist groups with incompatible platforms. Individuals who join terrorist groups are frequently not oppressed in any way, and often can't describe the political goals of their organizations. People who join terrorist groups most often have friends or relatives who are members of the group, and the great majority of terrorists are socially isolated: unmarried young men or widowed women who weren't working prior to joining. These things are true for members of terrorist groups as diverse as the IRA and al-Qaida. 

For example, several of the 9/11 hijackers planned to fight in Chechnya, but they didn't have the right paperwork so they attacked America instead. The mujahedeen had no idea whom they would attack after the Soviets withdrew from Afghanistan, so they sat around until they came up with a new enemy: America. Pakistani terrorists regularly defect to another terrorist group with a totally different political platform. Many new al-Qaida members say, unconvincingly, that they decided to become a jihadist after reading an extreme, anti-American blog, or after converting to Islam, sometimes just a few weeks before. These people know little about politics or Islam, and they frankly don't even seem to care much about learning more. The blogs they turn to don't have a lot of substance in these areas, even though more informative blogs do exist. 

All of this explains the seven habits. It's not that they're ineffective; it's that they have a different goal. They might not be effective politically, but they are effective socially: They all help preserve the group's existence and cohesion. 

This kind of analysis isn't just theoretical; it has practical implications for counterterrorism. Not only can we now better understand who is likely to become a terrorist, we can engage in strategies specifically designed to weaken the social bonds within terrorist organizations. Driving a wedge between group members -- commuting prison sentences in exchange for actionable intelligence, planting more double agents within terrorist groups -- will go a long way to weakening the social bonds within those groups. 

We also need to pay more attention to the socially marginalized than to the politically downtrodden, like unassimilated communities in Western countries. We need to support vibrant, benign communities and organizations as alternative ways for potential terrorists to get the social cohesion they need. And finally, we need to minimize collateral damage in our counterterrorism operations, as well as clamping down on bigotry and hate crimes, which just creates more dislocation and social isolation, and the inevitable calls for revenge.

This essay &lt;a href=&quot;http://www.wired.com/print/politics/security/commentary/securitymatters/2008/10/securitymatters_1002&quot;&gt;previously appeared&lt;/a&gt; on Wired.com.
</description>
		<pubDate>Tue, 07 Oct 2008 11:48:53 GMT</pubDate>
	</item>
	<item>
		<title>Web Based Malware Emphasizes on Anti-Debugging Features</title>
		<link>http://softsecurity.com/news/blog-posts/web-based-malware-emphasizes-on-anti-debugging-features.html</link>
		<description>Following the ongoing development of a particular web based malware always comes in handy in terms of assessing &lt;a href=&quot;http://ddanchev.blogspot.com/2008/09/commoditization-of-anti-debugging.html&quot;&gt;the commoditization&lt;/a&gt; of &lt;a href=&quot;http://ddanchev.blogspot.com/2008/09/commercialization-of-anti-debugging.html&quot;&gt;anti-debugging features&lt;/a&gt; within modern malware. With plain simple, &quot;managed binary crypting and firewall bypassing verification&quot; on demand in February, to August's overall anti antivirus software mentality as a key differentiation factor of the malware.&lt;br /&gt;
&lt;br /&gt;
So what are they working on? Anti tracing and emulation protection, PEiD and PESniffer protection, as well as anti heuristic scanning with a simple junk data adding feature in order to maintain a smaller binary size.&lt;br /&gt;
&lt;br /&gt;
Here's a translated description:&lt;br /&gt;
&lt;br /&gt;
&quot;- The binary works under admin and under normal user&lt;br /&gt;
- The binary is always run as the &quot;current user&quot;&lt;br /&gt;
- An unlimited number of bots can be loaded and integrated within the command and control, and with the geolocation feature, filters can be applied for a particular country&lt;br /&gt;
- After successful infection, the binary, which is tested against popular firewall and proactive protection security, ensures that the actions it takes and their order do not trigger proactive protection mechanisms in place&lt;br /&gt;
- Binary file size is 25k, the size can be reduced once it's crypted&lt;br /&gt;
- Doesn't take advantage of BITS protocol&lt;br /&gt;
- Doesn't allow an infected host to be infected twice&lt;br /&gt;
- Bypassing NAT and supporting &quot;always-on&quot; connections&lt;br /&gt;
- A simple, easy to configure web based admin panel&quot;&lt;br /&gt;
&lt;br /&gt;
What if the buyer doesn't care about the quality assurance practices applied? &lt;a href=&quot;http://ddanchev.blogspot.com/2007/10/multiple-firewalls-bypassing.html&quot;&gt;Managed lower AV detection and firewall bypassing service&lt;/a&gt; comes into play.
</description>
		<pubDate>Tue, 07 Oct 2008 07:42:00 GMT</pubDate>
	</item>
	<item>
		<title>Fake Windows XP Activation Trojan Wants Your CVV2 Code</title>
		<link>http://softsecurity.com/news/blog-posts/fake-windows-xp-activation-trojan-wants-your-cvv2-code.html</link>
		<description>In a self-contradicting social engineering attempt, a malware author is offering to sell a (&lt;a href=&quot;http://www.symantec.com/security_response/writeup.jsp?docid=2007-042705-0108-99&quot;&gt;updated version&lt;/a&gt; of Kardphisher) DIY fake Windows XP activation builder, which despite the fact that it claims &quot;We will ask for your billing details, but your credit card will NOT be charged&quot;, is requesting and remotely uploading all the credit card details required for a successful credit card theft.&lt;br /&gt;
&lt;br /&gt;
Perhaps one of the main reasons why such simplistic social engineering attempts never scaled into a &quot;malicious economies of scale&quot; approach is that sophisticated crimeware kits capable of obtaining the very same data automatically started leaking, for everyone to take advantage of, including yesterday's cybercriminals using such DIY fake message builders.&lt;br /&gt;
&lt;br /&gt;
Moreover, according to &lt;a href=&quot;http://news.ncsu.edu/news/2008/09/wmswogalterfakemessage.php&quot;&gt;recently released survey results&lt;/a&gt;, end users cannot distinguish between fake popups and real ones, and in order to continue doing what they were doing, click OK on that pesky warning message telling them that they're about to get infected with malware. Taking into consideration the fact that the popup windows the researchers used look like cheap creative compared to the high quality GUIs of the average fake security software, it is perhaps worth restating the research questions along the lines of: What motivates end users to install an antivirus application going under the name of Super Antivirus 2009 or Mega Virus Cleaner 2008? The fact that the fake status bar is telling them that they're infected with 47 spyware cookies, or the fact that they ended up at the fake site while browsing their trusted web services?&lt;br /&gt;
&lt;br /&gt;
&lt;a href=&quot;http://1.bp.blogspot.com/_wICHhTiQmrA/SOqf_xbxL7I/AAAAAAAACPo/6uvXj2AuS_A/s1600-h/fake_windows_xp_activation2.png&quot; imageanchor=&quot;1&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;http://1.bp.blogspot.com/_wICHhTiQmrA/SOqf_xbxL7I/AAAAAAAACPo/fa1jUBjFGOU/s200-R/fake_windows_xp_activation2.png&quot; /&gt;&lt;/a&gt;The increase in &lt;a href=&quot;http://ddanchev.blogspot.com/2008/09/diverse-portfolio-of-fake-security_30.html&quot;&gt;rogue security software domains&lt;/a&gt; is driven by the high payout affiliate-based model, the standardized creative that lets participants come up with their own fake names if they want to, and the fact that the fake security threats scareware approach seems to take perfect advantage of end users' overall suspicion about the effectiveness of their legitimate security software.
</description>
		<pubDate>Tue, 07 Oct 2008 00:01:01 GMT</pubDate>
	</item>
	<item>
		<title>Clickjacking</title>
		<link>http://softsecurity.com/news/blog-posts/clickjacking.html</link>
		<description>Good &lt;a href=&quot;http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;articleId=9115818&amp;source=NLT_SEC&amp;nlid=38&quot;&gt;Q&amp;A&lt;/a&gt; on clickjacking:

In plain English, clickjacking lets hackers and scammers hide malicious stuff under the cover of the content on a legitimate site. You know what happens when a carjacker takes a car? Well, clickjacking is like that, except that the click is the car.

&quot;Clickjacking&quot; is a stunningly sexy name, but the vulnerability is really just a variant of cross-site scripting.  We don't know how bad it really is, because the details are still being withheld.  But the name alone is causing dread.
</description>
		<pubDate>Mon, 06 Oct 2008 19:45:02 GMT</pubDate>
	</item>
	<item>
		<title>New Cross-Site Request Forgery Attacks</title>
		<link>http://softsecurity.com/news/blog-posts/new-cross-site-request-forgery-attacks.html</link>
		<description>&lt;a href=&quot;http://www.freedom-to-tinker.com/blog/wzeller/popular-websites-vulnerable-cross-site-request-forgery-attacks&quot;&gt;Interesting&lt;/a&gt;:

CSRF vulnerabilities occur when a website allows an authenticated user to perform a sensitive action but does not verify that the user herself is invoking that action. The key to understanding CSRF attacks is to recognize that websites typically don't verify that a request came from an authorized user. Instead they verify only that the request came from the browser of an authorized user. Because browsers run code sent by multiple sites, there is a danger that one site will (unbeknownst to the user) send a request to a second site, and the second site will mistakenly think that the user authorized the request.

If a user visits an attacker's website, the attacker can force the user's browser to send a request to a page that performs a sensitive action on behalf of the user. The target website sees a request coming from an authenticated user and happily performs some action, whether it was invoked by the user or not. CSRF attacks have been confused with Cross-Site Scripting (XSS) attacks, but they are very different. A site completely protected from XSS is still vulnerable to CSRF attacks if no protections are taken. 

Paper &lt;a href=&quot;http://www.freedom-to-tinker.com/sites/default/files/csrf.pdf&quot;&gt;here&lt;/a&gt;.
</description>
		<pubDate>Mon, 06 Oct 2008 11:42:04 GMT</pubDate>
	</item>
	<item>
		<title>Friday Squid Blogging: Close-Up of a Long-Finned Squid Tentacle</title>
		<link>http://softsecurity.com/news/blog-posts/friday-squid-blogging-close-up-of-a-long-finned-squid-tentacle.html</link>
		<description>&lt;a href=&quot;http://news.nationalgeographic.com/news/2008/09/photogalleries/2008-best-science-photos/photo3.html&quot;&gt;Wow&lt;/a&gt;.
</description>
		<pubDate>Fri, 03 Oct 2008 22:25:00 GMT</pubDate>
	</item>
	<item>
		<title>Article in the &lt;i&gt;Irish Times&lt;/i&gt;</title>
		<link>http://softsecurity.com/news/blog-posts/article-in-the-iirish-timesi.html</link>
		<description>On Wednesday I was &lt;a href=&quot;http://www.irishtimes.com/newspaper/finance/2008/1003/1222959300589.html&quot;&gt;interviewed&lt;/a&gt; by the Irish Times.
</description>
		<pubDate>Fri, 03 Oct 2008 19:43:49 GMT</pubDate>
	</item>
</channel>
</rss>