Roy Firestein

Security Feeds

Archive for February, 2009

Another Password Analysis

February 20th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Here’s an analysis of 30,000 passwords from phpbb.com, similar to my analysis of 34,000 MySpace passwords: The striking difference between the two incidents is that the phpbb passwords are simpler. MySpace requires that passwords “must be between 6 and 10 characters, and contain at least 1 number or punctuation character.” Most people satisfied this requirement by simply appending “1” to…
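
A way to measure the “append a 1” pattern the post describes, as an added example that is not from Schneier’s analysis or from either password dump: it takes a constructed list of passwords, applies the quoted MySpace rule (6 to 10 characters, at least one digit or punctuation character) and counts how many of the compliant passwords are nothing more than a letters-only word plus one trailing non-letter. The sample list, the class names and the function names are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample for this example; these are NOT entries from the phpbb.com
# or MySpace datasets, just the kinds of strings such an analysis sorts.
SAMPLE_PASSWORDS = [
    "password", "qwerty", "letmein", "phpbb",                     # letters only: fail the rule
    "password1", "letmein1", "monkey1", "princess1", "jordan1",  # word + "1"
    "trustno1", "iloveyou2", "baseball!",                         # word + one other char
    "123456", "abc123", "pa55word", "1password",                  # compliant some other way
    "Tr0ub4dor&3", "correct horse",                               # too long for the rule
]

MYSPACE_MIN, MYSPACE_MAX = 6, 10
NONALPHA = re.compile(r"[^A-Za-z]")
# letters-only word followed by exactly one non-letter (matched with fullmatch)
TRAILING_SINGLE = re.compile(r"([A-Za-z]+)([^A-Za-z])")


def meets_myspace_rule(pw):
    """The rule as quoted in the post: 6-10 chars, at least one digit/punctuation."""
    return MYSPACE_MIN <= len(pw) <= MYSPACE_MAX and NONALPHA.search(pw) is not None


def classify(pw):
    """'fails', 'word_plus_one_char' (rule met only by a trailing char) or 'other_compliant'."""
    if not meets_myspace_rule(pw):
        return "fails"
    if TRAILING_SINGLE.fullmatch(pw):
        return "word_plus_one_char"
    return "other_compliant"


def analyze(passwords):
    """Return (class counts, tally of which single character was appended)."""
    classes = Counter(classify(pw) for pw in passwords)
    suffixes = Counter()
    for pw in passwords:
        m = TRAILING_SINGLE.fullmatch(pw)
        if m and meets_myspace_rule(pw):
            suffixes[m.group(2)] += 1
    return classes, suffixes


def share_of_compliant_by_appending(passwords):
    """Fraction of rule-compliant passwords that only comply because of one appended char."""
    classes, _ = analyze(passwords)
    compliant = classes["word_plus_one_char"] + classes["other_compliant"]
    return classes["word_plus_one_char"] / compliant if compliant else 0.0


if __name__ == "__main__":
    counts, appended = analyze(SAMPLE_PASSWORDS)
    print(dict(counts))
    print("appended chars:", dict(appended))
    print("share of compliant passwords that are word+char: %.2f"
          % share_of_compliant_by_appending(SAMPLE_PASSWORDS))
```

Run it against a real dump (one password per line) by replacing `SAMPLE_PASSWORDS` with the file’s lines; the `suffixes` tally is what shows whether “1” dominates the way the post says it did for MySpace.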

Gaza victims describe being used as human shields by Hamas

February 19th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Members of a Gaza family whose farm was turned into a “fortress” by Hamas fighters have reported that they were helpless to stop Hamas from using them as human shields. They told the official Palestinian Authority daily newspaper that for years Hamas has used their property and homes from which to launch rockets into Israel.

Computer Virus Epidemiology

February 18th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
“WiFi networks and malware epidemiology,” by Hao Hu, Steven Myers, Vittoria Colizza, and Alessandro Vespignani. Abstract In densely populated urban areas WiFi routers form a tightly interconnected proximity network that can be exploited as a substrate for the spreading of malware able to launch massive fraudulent attacks. In this article, we consider several scenarios for the deployment of malware that…

Twitter squeaks by again. “Don’t Click” was good POC

February 15th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

A very clever hacker used an IFRAME technique to spread a Twitter worm today. The worm did nothing more than post a message to twitter saying “Don’t Click” which of course people would click and off it went. Great write up here.

I say Twitter got lucky because they still allow, nay encourage, URL obfuscation using TinyURL and do nothing to check the URLs posted. The next step, as I outlined in a column at CIOUpdate in December (Social Networks are Risky Business), is for the hacker to post a link to a page that installs malware on the victim’s computer. That will be bad.

Sad to be the one to say this, but Twitter is going to have to take responsibility for the health of its own community. It is going to have to start checking posted URLs to make sure they do not lead to drive-by downloads.

Post from: ThreatChaos
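
The URL check the post asks Twitter for, as an added example that is not part of the ThreatChaos post: expand a shortened link by following redirects with a hop limit and loop detection, without fetching any page body, and refuse the post if any host in the chain is on a blocklist. The `fake_head` redirect table, the blocklist and the example hostnames are constructed stand-ins for real HEAD requests and a real reputation feed.

```python
from urllib.parse import urlparse

MAX_HOPS = 5

# Constructed blocklist for the example; a real deployment would consult a live feed.
BLOCKED_HOSTS = {"malware.example", "drive-by.example"}

# Constructed redirect table standing in for HEAD requests to the network:
# url -> value of its Location header (absent keys are final pages).
FAKE_REDIRECTS = {
    "http://short.example/abc": "http://news.example/story",
    "http://short.example/bad": "http://other-short.example/x",
    "http://other-short.example/x": "http://drive-by.example/pwn.html",
    "http://short.example/loop1": "http://short.example/loop2",
    "http://short.example/loop2": "http://short.example/loop1",
}


def fake_head(url):
    """Stand-in for an HTTP HEAD: the Location header, or None if not a redirect."""
    return FAKE_REDIRECTS.get(url)


def expand(url, head=fake_head, max_hops=MAX_HOPS):
    """Follow redirects without downloading bodies. Returns (final_url, chain, reason)."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        nxt = head(chain[-1])
        if nxt is None:                      # no Location header: this is the landing page
            return chain[-1], chain, "ok"
        if nxt in seen:                      # redirect loop, treat as hostile
            return nxt, chain + [nxt], "loop"
        seen.add(nxt)
        chain.append(nxt)
    return chain[-1], chain, "too_many_hops"


def host_blocked(url):
    """True if the URL's host is a blocked host or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return host in BLOCKED_HOSTS or any(host.endswith("." + b) for b in BLOCKED_HOSTS)


def vet_link(url, head=fake_head):
    """Decide whether a posted link may be published. Returns (allowed, verdict, final_url)."""
    final, chain, reason = expand(url, head)
    if reason != "ok":
        return False, reason, final
    # every hop is checked: an intermediate redirector can itself be the malicious host
    if any(host_blocked(u) for u in chain):
        return False, "blocked_host", final
    return True, "ok", final


if __name__ == "__main__":
    for link in ("http://short.example/abc", "http://short.example/bad",
                 "http://short.example/loop1"):
        print(link, "->", vet_link(link))
```

Replacing `fake_head` with a real HEAD request (one that does not follow redirects itself, and with a short timeout) is all that changes for production use; the hop limit and loop check matter there because a redirector under attacker control can otherwise keep the checker busy indefinitely.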

Researchers have hope of cheap, distributed zero-day worm defense

February 13th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Shutting down zero-day computer attacks could be carried out inexpensively by peer-to-peer software that shares information about anomalous behavior, say researchers at the University of California at Davis.

Security Assessment of the Transmission Control Protocol (TCP)

February 13th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Posted by Fernando Gont on Feb 12

Hello, folks,

The United Kingdom’s Centre for the Protection of National Infrastructure has just released the document "Security Assessment of the Transmission Control Protocol (TCP)", on which I have had the pleasure to work during the last few years.

The motivation to produce…

Factors Determining Installed WLAN Quality

February 13th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

I had an interesting phone discussion a couple of days ago with Veriwave’s CTO, Tom Alexander, and VP of Marketing, Eran Karoly.  We were talking about field tools for testing the quality of installed wireless LANs.  At a high level, we all agreed that much of the field testing and verification for WLANs today has centered around data related to site surveys, such as signal strength, RF interference, and the coverage “footprint”.

There are many existing tools for testing wireless coverage, ranging from embedded supplicant software and Netstumbler to more complex commercial tools such as AirMagnet Site Surveyor or Motorola’s LANPlanner.  Check out my blog for more information about site surveys, including the difference between active and passive site surveys.  More sophisticated wireless engineers might also gather data regarding RF interference with a spectrum analyzer, such as the WiSpy DBx or AirMagnet Spectrum Analyzer.

However, our conversation highlighted the need to expand WLAN installation and verification tools beyond the focus on complete WiFi coverage with low interference.  How do wireless vendors and/or VARs ensure that an organization’s business and technical requirements have been met?   A focus on signal strength neglects other critical areas such as roaming, quality of service, and security.  Additionally, there is often no verification of the proper configuration of the *wired* network.

We discussed how many of the testing tools available today focus on the wireless infrastructure (the APs, arrays, WLAN controllers) and lacked visibility into the client side of the equation.  Most testing seems to concentrate on laptops – but what about wireless VOIP phones, hand-held scanners, printers, and RFID?

The three of us on the phone, as well as everyone I have discussed this with since, seem to understand the inherent value of a more robust way to validate WLAN installations.  However, what are the costs?  Personally, I don’t see a good cost model for a product of this nature.  It seems that a system that tests both the infrastructure and clients across many functional boundaries would be extremely expensive, especially for a field testing unit (where vendors or VARs might need more than one kit as they are running multiple projects).

Many wireless LAN vendors can justify the capital expenditure of Veriwave’s existing test beds, because they are involved with testing new product lines, etc.   However, many vendors seem to have a bare-bones professional services group and turn that work over to VARs.  I also can’t see many VARs purchasing uber-expensive field testing tools – many are too small to afford tools like the AirMagnet suite, let alone something more costly.  If VARs do purchase, they will inevitably have to pass the cost along to their customers. Is this viable either?  Why would a customer pay a higher cost to insure themselves against a WLAN that wasn’t properly field verified?  Customers should be able to do this by properly scoping their projects and enforcing the terms of their contract.

What do you think?  Do you see the value of such a tool?  Do you see an appropriate cost model?  Sound off in the comments below!

- WiFi Jedi

FaceBook Joins OpenID: Goodbye OpenID, Bonjour Open Connect?

February 13th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

Great news for OpenID aficionados: the largest identity social network is embracing OpenID. With 221M users, one could easily conclude that OpenID has just received the stimulus package that it needed to finally achieve critical mass. But what does it really mean for OpenID? While we are all looking forward to the day FaceBook becomes both an OpenID provider and relying party, the initial impact is more likely to be a significant change in the OpenID user interface. As shown here and there, it is clear that from a UI standpoint, Google and FaceBook are converging in terms of how to achieve login and exchange of personal data across relying parties and social networks.

While FaceBook will likely integrate OpenID as the “alternate” login method for FaceBook Connect, Google and its followers will do the same with OpenSocial and Google Friend Connect (in the case of Google, you may also get the friendly Yahoo!, MySpace and AOL followers). By becoming the alternate login method (but a more obscure one), the risk for OpenID is to be relegated to the level of OAuth and SAML as authentication protocols without any consumer brand recognition. Alternatively, OpenID may rise above the “open stack” plumbing to become the network mark that ensures interoperability across the FaceBook and Google networks. That, my friend, is of course politics, but with Facebook on board, it would appear that this week this old chimera of federated Internet identity may have made a significant leap forward.

EFF releases 2009 update to their Legal Guide for Bloggers [Security4all]

February 13th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

As we have seen in “The dangers of blogging. Some tips for safe blogging.“, blogging can sometimes get people into trouble. Even with the best of intentions.

This is why “The Legal Guide for Bloggers from the EFF” is a valuable resource. They just made an update to this already excellent document!!!

EFF has revised and expanded the Legal Guide for 2009, with new questions and a revised layout. These FAQs are, unsurprisingly, comprised of the questions we are frequently asked. This update includes answers to questions about relatively recent phenomena, such as disemvowelling, as well as discussion of the rights of bloggers as journalists and your right to blog anonymously. If you run a blog, or just participate in comments, you’re sure to find useful information in the updated Legal Guide. (Source: EFF.org)

Spread the word and keep on blogging!


Post to webappsec mailing-list on WAF and pen-test: dead again

February 13th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

There is no doubt in my mind that some very strong experts out there have put WAF or WAF-like technology to good use.  However, WAF is dead and dying regardless.

I think that very large-installation, Internet-facing web applications require Anti-DDoS technology in the form of an appliance, preferably one that does rate-based behavior detection.  I often feel that those same organizations also require SLB appliances, although I prefer to see these integrated with a switch fabric in a chassis-based, large backplane network switch.  In a year’s time, SLB Layer-2 technology could be replaced by VMware DRS clustering and/or an equivalent like Microsoft PRO.  I was always a fan of Anycast to replace SLB at Layer-3.  I continue to suggest these models/architectures today.

Can whitelist WAF technology be used by those same devices in the short-term (Anti-DDoS or SLB appliance)?  Absolutely, as long as it’s done by an expert and tuned to the applications.  Should these devices sometimes be separated out of a traditional operational role, due to auditability and for compliance scoping purposes?  Probably not.  Should they perform monitoring, debugging capability, or solving hard production problems?  Probably not.

The reason that the first question is a yes, and the others are a no is because Anti-DDoS and SLB devices are already performance-ready-capable of providing WAF whitelisting functionality (note: not in all cases, but this works especially well for devices that provide rate-based behavior detection before mitigation).  Monitoring does NOT require an inline device.  All it requires is network taps (or potentially port-mirroring, but most professionals recommend taps over SPAN ports).  Also, infrastructure is changing rapidly, so it’s not wise to invest in a dying model.

Additionally, I know that companies like Sourcefire and Reflex Systems are integrating at the VMsafe API layer, which is a hypervisor introspection layer much like XenAccess.  This is really where much of the AV/IDS/IPS/HIMS/DLP/WAF/blacklisting-whitelisting technology belongs.  VNET will also change the introspection layer (in addition to almost completely eliminating the physical network layer and SIM/SEM/SIEM/NMS/EMS moves & changes), as it simply adds to introspection functionality.  I have already alluded to Cisco AXG becoming a VNET “module”, but what if Reflex Systems or StoneSoft start integrating WAF not only as a VNSS (Virtual Network Security System), but also at the hypervisor introspection layer?

Fortunately, for application security, server virtualization and the evolutions it’s bringing with it e.g VNET and VMsafe, are going to dominate traditional networks and cut their existing budgets.  Unfortunately for application security, the new virtualization evolution also brings with it tons of object reuse (there are at least two new controls channels available to adversaries), and new ways of establishing covert channels.

This means a few things.  First of all, the word “firewall” is dead, and therefore, the word “web application firewall” and the associated acronym, WAF, are also dead.  Imagine today if there existed a control channel that, when taken over by adversaries, it became a covert channel that had unlimited object reuse control of every physical RAM on every computer in existence all at once.  This is cloud computing, but virtualized.

Not only that, but we are saying that adversaries have already bypassed traditional firewalls by using the application layer i.e.  Hacking Intranets from Jeremiah Grossman.  Thus, this master, covert control channel is already on its way to being built (at least as man-in-the-browser).  Imagine for a second that you don’t use NoScript with Firefox and additionally implement the features of Chrome by using multiple Firefox profiles.  Imagine for a second that you are a regular user, with all of those Clickjacking and modern application attacks available to anyone who wants to get to you.

Like many of us used the words “brick-and-mortar” to describe backwards-companies during the dotCom bubble, I think “fire-and-wall” well-describes organizations that continue to cling to traditional networks and network security as answers to Internet, Enterprise IT, and any operational risk.

Do I intend to sell you on the idea that we should all instead jump to Fortify RTA or Microsoft SRE?  No.  There are potential consequences to any of this.  This is only the functionality required to reduce risk to applications, not the assurance that risks have been removed.

TCSEC says that we need to balance functionality and assurance.  But nobody ever bothered to do any assurance.  Assurance is the Microsoft SDL, SDL Pro, and SDL-IT.  @Stake and Foundstone are gone and have split into tons of fractured security evaluation and risk assessment boutiques that have 1-300 developer-security-tester gurus that mix SAST and DAST with expert review.

But the SAST+DAST market is less than $100M, while WAF is at least 20% more than that (although probably inflated).

I hate to be the bearer of bad news, but you don’t just say “DO BOTH” because nobody will do the SAST+DAST work.  We tried that last time, when tcp_wrappers and the DEC firewall came about.  The underground that wanted to keep their covert control channels alive started dumping rootkits on pre-pwned Unix machines.  Then Dildog and others made it possible to easily access Windows machines, and after that – botnets and the like have reigned.  There are already backdoors in our web applications.  OWASP Scrubbr is not going to save us all by itself.

Who did the work back then?  OpenBSD?  Certainly not Microsoft, and even today their SDL appears to be failing by some, but imagine if it did not exist at all.  We obviously have to do better with assurance practices.

Can functionality-based controls work easier, better, and faster than assurance ones?  Are they that less complex and easier to train?  Or is there just more written about them because it’s easier to SELL them by baking them into products rather than customizing them to an ISV organization or an Enterprise development team?

If you are part of the group that is spending $120M on WAF technology, then you are hurting the SAST+DAST market because you’re taking away that spending.  Clearly, risk analysis is not taking place and people are spending based on familiarity in addition to PCI-DSS requirement 6.6, which all but forces the inequality to happen.

Look at the best in exploitation-countermeasure functionality-based controls that work on object reuse problems e.g. DEP, ASLR, SafeSEH, SafeInt, et al.  Are adversaries still bypassing these?  Security researchers in the offensive-research space are.  These countermeasures are closer to the code (even HIPS is closer than network-based IPS), like many WAF suggestions.  Is it true that we still require assurance even after 15 years of exploitation-countermeasure optimization?  I remember when stack-guard protections were first coming out – they were seen as a huge joke (i.e. toy/researcher technology), much like Fortify RTA, CORE GRASP, Microsoft AntiXSS-SRE/AntiCSRF, GDS Security GPF, and HDIV are seen now.

I know to many of you out there, this looks like a rant, and I really could go on forever about this topic.  So, go to the datacenter, give your WAFs a hug, and continue to buy into the “functionality is better than assurance” argument.  You’ll feel better in the morning, right after you forget that you just opened up your database to any talented people who want to make money from the data in it.

Also, pen-testing is dead.  We no longer need to prove that applications are insecure.  We know they’re insecure – no matter how many functionality controls you layer on top of them.  Unless YOU prove that the applications that YOU are responsible for ARE secure, you are working against the rights of users, consumers, cardholder data, personally identifiable information tied to healthcare and financial records, trade secrets, and the ability to control our critical infrastructure.  Enjoy.
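
What “whitelist WAF” functionality tuned to an application looks like in code, as an added example that is not from the post or from any product it names: a positive-security policy that declares, per method and path, which parameters may appear and what each may contain, and rejects everything else. The endpoints, parameter rules and message strings are assumptions made for this example; a real deployment would derive them from the application’s own schema rather than hand-write them.

```python
import re

# Hypothetical positive-security policy for two endpoints of a web application.
# Each pattern is applied with fullmatch, so the whole value must conform.
POLICY = {
    ("GET", "/search"): {
        "q": re.compile(r"[\w .,-]{1,64}"),      # words, spaces and light punctuation only
        "page": re.compile(r"\d{1,3}"),          # small positive integer
    },
    ("POST", "/login"): {
        "username": re.compile(r"[a-z0-9_.]{3,32}"),
        "password": re.compile(r".{8,128}", re.S),  # any content, bounded length
    },
}

# Parameters that must be present for the request to make sense at all.
REQUIRED = {("POST", "/login"): {"username", "password"}}


def validate(method, path, params):
    """Return [] if the request fits the whitelist, else a list of violations.

    params is a dict of parameter name -> string value (one value per name,
    as a WAF would see after decoding the query string or form body).
    """
    key = (method.upper(), path)
    rules = POLICY.get(key)
    if rules is None:
        # unknown endpoint: in a positive model this is a deny, not a pass-through
        return ["no policy for %s %s" % (method, path)]

    problems = []
    for name in sorted(REQUIRED.get(key, set()) - set(params)):
        problems.append("missing required parameter %r" % name)
    for name, value in params.items():
        rx = rules.get(name)
        if rx is None:
            problems.append("unexpected parameter %r" % name)
        elif not rx.fullmatch(value):
            problems.append("parameter %r fails whitelist" % name)
    return problems


def allowed(method, path, params):
    """Convenience wrapper: True only when validate() finds nothing wrong."""
    return not validate(method, path, params)


if __name__ == "__main__":
    # Constructed requests: one benign, one classic injection probe, one stray parameter.
    for req in (("GET", "/search", {"q": "metasploit", "page": "2"}),
                ("GET", "/search", {"q": "' OR 1=1--"}),
                ("GET", "/search", {"q": "x", "debug": "1"})):
        print(req, "->", validate(*req) or "allowed")
```

Two details carry the security value here: unknown parameters and unknown endpoints are denied rather than ignored (that is what makes it a whitelist rather than a signature list), and values are checked with `fullmatch` so a trailing newline cannot slip past a `$`-anchored pattern. The cost the post is pointing at is also visible: every new feature the application ships needs a matching policy change, which is the “tuned to the applications by an expert” condition stated above.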

Researchers Hack Faces In Biometric Facial Authentication Systems

February 13th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Hackers crack facial-recognition biometrics

Boxee and Apple TV is a Great Mix

February 13th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

If you like watching TV but hate paying the monthly cable bill (add me to that list), have a look at Boxee. It can be loaded onto any computer; however, the Apple TV is an ideal platform for its magic. Boxee allows you to access all of the media you have on your local network, but includes movie reviews, song lyrics and much more to enhance the experience. You can also have it set up so that you can see what your friends are watching. I am not sure if this is a good feature, but if you are on Facebook many hours a day this will probably be a welcome feature.

"Boxee is the developer of the first “social” media center. boxee plays media from your computer and other devices in your home network, as well as connecting you to various Internet sources that allow you to stream or download movies, tv shows, music and photos."

Via: Apple TV Hacks

Code Of The Common Cold Cracked

February 13th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Scientists have begun to solve some of the mysteries of the common cold by putting together the pieces of the genetic codes for all the known strains of the human rhinovirus. The researchers say this work provides a powerful tool that may lead to the development of the first effective treatments against the common cold. The study also sheds light on the suspected cause of asthma and acute asthma attacks.

SQL Server Database Hack Tricks Forensics

February 10th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Demo shows how attackers can hide their tracks using anti-forensics methods.

The Economics of Cybercrime and the Law of Malware Probability

February 10th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

Sam Curry of RSA (here) and I will be presenting on this topic at Source Boston Security Conference March 11-13th (here). The lineup looks fantastic and I’m excited about the opportunity to share this research. In the meantime and since we haven’t really completed or fully published the paper here is enough to start the dialogue and to elicit early feedback from the community, of which we fully expect the thrashing, laughing, giggling, finger pointing and jeering comments that I would so generously heap on your paper =)

Abstract
This paper proposes a set of formulas for assessing the likelihood that a given method of security attack will be launched over the Internet and the relative probability that an exploit will occur. Understanding these formulas and their component variables leads to a proposed Law of Malware Probability. Basically, the Law of Malware Probability states that as the attractiveness of a set of computers and the data they contain to a potential attacker increases, the likelihood of an attack against these resources increases. By contrast, as the costs and risks of an attack to the attacker increase, the likelihood of an exploit decreases. This can be described as follows:

[formula image: malware-probability]

The paper then discusses the factors and variables that make up the formula, the relationship of the attractiveness of an infrastructure to an attacker versus the costs and difficulties of carrying out an attack, considerations in assigning values to variables, validating the Law against observed real-world behaviors, and implications of the Law for owners and managers of computing resources. The paper also proposes areas of further investigation that could contribute to improving understanding of attacker and malware behavior.

You can download the full paper (towards-a-law-of-malware-probability1)
Racial Profiling No Better than Random Screening

February 10th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Not that this is any news, but there’s some new research to back it up: The study was performed by William Press, who does bioinformatics research at the University of Texas, Austin, with a joint appointment at Los Alamos National Labs. His background in statistics is apparent in his ability to handle various mathematical formulae with aplomb, but he’s apparently…

Crimeware in the Middle – Adrenalin

February 10th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
What is Adrenalin? Adrenalin is an alternative to the Zeus crimeware kit that never actually managed to scale the way Zeus did. Following recently leaked copies of the Adrenalin crimeware kit, which originally cost a hefty $3000, it’s time to profile the kit, discuss its key differentiating factors from Zeus, and emphasize why, despite the leak, the kit is not going to take any of Zeus’s market share. At least not in its current form.

In the spirit of the emerging copycat web malware exploitation kits, Adrenalin too isn’t coded from scratch, but appears — at least according to cybercriminals questioning its authenticity on their way to securing a bargain deal when purchasing it — to use portions of Corpse’s original A-311 release.

Adrenalin’s description and features:

- Injection system: inserting HTML/JavaScript code into the page or files, or substituting one piece of code for another. Injection occurs in stream mode, i.e. the modified page is loaded at once! (Not as in other BHO-based trojans, which insert only after the page has fully loaded (causing JavaScript problems) or limit the impact, for instance if the user is on a mobile connection. In our implementation everything works quickly and efficiently!)

- Collection of pieces of text from HTML pages, as one of the injector’s modes of operation (balance, etc.)

- FTP grabbing: a sniffer handles traffic and rips out FTP access details. All of this goes into an easy-to-read and easy-to-process form.

- Certificate collector. Pulls out all installed certificates, including attempts to commit, and certificates that are marked as uncrackable. Certificates are stored neatly for each individual bot.

- Page redirector: allows you to replace a page or a separate frame on the network. Everything is done completely unnoticed. The substitution of content occurs inside the “interior windsurfing”, and even then the browser and any special “lotion” can be confident that it is what you want.

- Domain redirector: forwards all requests from the original site to the fake one. The address bar and all references still point to the original. It can also be used to block access to certain sites.

- Universal form grabber: pulls forms, can strip data from the virtual keyboard, and can rip off these forms even from not fully loaded pages. As distinguished from other crimeware kits, which work by tracking users clicking buttons/links, it intercepts the data once it has been formed, which can be seen in the log. Data can be collected from everything running, or by keyword (filter), to keep the logs free of noise from chat and from sites not needed for the work.

All data are transmitted in encrypted form, which is important for bypassing protections like, for instance, ZoneAlarm’s ID Lock. An undoubted advantage is also that the logs are sent instantly, in parallel with the data sent to the original site. No need to worry that the victim will go offline and the locally accumulated form-grabbing logs cannot be sent.

- Screenshots at an address
- TAN grabbing. The technology allows effective collection of working TANs
- Periodic cleaning of cookies/Flash cookies.
- Grabbing words around the forms (without adjustment: Adrenalin determines by its own algorithm what must be collected. Algorithm improved!)
- Collection of passwords, for instance from Protected Storage (IE autocomplete, protected sites, Outlook)
- Classic keylogger
- Cleaning the system of BHO trojans, advertising panels and other debris. As is well known, such machines are less vulnerable, and one wants to put something more on them. Cleaning the system greatly increases the chances of survival
- Anti-anti-rootkit mechanisms
- Works on the system without an EXE file
- User-friendly log format! Forget the stupid piles of files!
- SOCKS4/5 + HTTP(S) proxy server enabled on the infected host
- Shell + back shell enabled on the infected host
- SOCKS admin
- Management of each bot individually, or all simultaneously (downloading files, updating settings, etc.)
- Requires PHP on the web-based command and control host
- Ability to issue commands (including downloads) taking into account the bot’s country (functions as a resident loader with per-program statistics), and other small pleasures

Without the web injection and the TAN grabbing ability, Adrenalin is your typical malware kit, whose only differentiating factor would have been the customer support in the form of the managed undetected malware binaries that naturally comes with it. However, its TAN grabbing ability, proprietary collection of data “around the forms”, stripping of content from virtual keyboards and automatic certificate collection on a per-host basis, and its ability to clean the system of competing BHO-based trojans, make it special.

How do you actually measure the popularity of a crimeware kit? Based on the market share of the crimeware kit, or based on another benchmark? It’s all a matter of perspective and a quantitative/qualitative approach. For instance, I can easily argue that if the very same community had been built around Adrenalin the way it was built around Zeus, making the original Zeus release look like an amateurish release, perhaps Adrenalin would have scaled pretty fast. Some of the community improvements include:

- Modified Zeus Crimeware Kit Comes With Built-in MP3 Player
- Modified Zeus Crimeware Kit Gets a Performance Boost
- Zeus Crimeware Kit Gets a Carding Layout

For the time being, the innovation or user-friendly features boosting the popularity of Zeus come from the third-party coders improving the original Zeus release. Moreover, not only are they improving it, they’re also looking for vulnerabilities within the different releases, and actually finding some. What does this mean? It means that we have clear evidence of crimeware monoculture, with a single kit maintaining the largest market share.

With the cybercrime ecosystem clearly embracing the outsourcing concept for a while, it shouldn’t come as a surprise, that botnets running the Zeus crimeware are offered for rent at such cheap rates that purchasing the kit and putting efforts into aggregating the botnet may seem a pointless endeavor in the eyes of a prospective cybercriminal, even an experienced one interested in milking inexperienced cybercriminals not knowing the real value of what they’re doing.

Moreover, speaking of monetization, the attached screenshots represent a very decent example of monetizing the reconnaissance process of e-banking authentication that cybercriminals or vendors of crimeware services undertake in order to come up with the modules targeting the financial institutions of a particular country. Is this monetization just “monetization of what used to be a commodity good/service” as usual, taking into consideration this overall trend, or perhaps there’s another reason for monetizing snapshots of e-banking authentication activities in order to later on achieve efficiency in the process of abusing them? But of course there is, and in that case it’s the fact that no matter that a potential cybercriminal has obtained access to a crimeware kit, its database of injects is outdated and therefore a new one has to be either built or purchased.

With Adrenalin now leaked to the general script kiddies and wannabe cybercriminals, it’s only a matter of time until a community is built around it, one that would inevitably increase its popularity and prompt others to introduce new features within the kit.

Related posts:
Targeted Spamming of Bankers Malware
Localized Bankers Malware Campaign
Client Application for Secure E-banking?
Defeating Virtual Keyboards
PayPal’s Security Key

Pathetic DDoS vs Metasploit (round 2)

February 9th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
It looks like our little DDoS buddy got sent home from school early today — the flood started up again, this time ignoring the DNS name for the metasploit.com web site and instead targeting both IP addresses configured on the server. While SSL service is still unaffected (including Online Update over SVN), folks who wish to visit the Metasploit web site will need to do so using an alternate port until we roll out the next countermeasure.

http://metasploit.com:8000/

We also host the main web server for Attack Research, which can now be accessed at:

http://www.attackresearch.com:8000/

Thanks for your patience,

-HD

Virtual Networking Improving Collaborative Terrorism Analysis

February 8th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Via NY News Daily -

When a cell of 10 Islamic militants stole into the Indian port city of Mumbai in November and began to unleash a fusillade of hell on two hotels, a train depot in rush hour and a Jewish center, US spooks scrambled to make sense of it all. About 20 analysts from across the globe immediately convened – not in the same room, but on two classified Web sites called Intellipedia and A-space.

Think of it as Wikipedia and Facebook for spies.

The first Mumbai entry was posted by a watch officer at the National Counterterrorism Center at the onset of the attacks, officials told The Mouth. Soon, analysts from across America’s 16 spy agencies familiar with extremists in India and Pakistan logged on to A-space – a discussion site accessible to only a few thousand US intelligence analysts with the highest security clearances – to weigh who the attackers might be.

Analysts posted realtime satellite imagery and video depicting the carnage outside the Taj Mahal Hotel, which showed a sluggish response by Indian security forces. They also uploaded the first news photos of one young terrorist in Mumbai’s rail station who was later nabbed alive – noting how professionally he carried his weapons, and how he was dressed as blandly Western as the 9/11 hijackers 7 1/2 years ago.

The ad hoc group of analysts, who did not all know each other – including at least one in a Far East military outpost – quickly agreed that a claim of responsibility by the unheard of “Deccan Mujahadeen” was malarkey. It was really the handiwork of Pakistan’s Al Qaeda-affiliated Lashkar-e-Taiba.

“The analysts concluded it was LeT hours before that was made public,” said one senior US intelligence official.

The Mumbai strikes were the first big test of the new system of collaboration using social networking tools put in place last fall by Directorate of National Intelligence chief technology czar Michael Wertheimer and his crew of savvy young spooks from the Myspace Generation. There are also Top Secret elements modeled on YouTube and Flickr.

One participant in the A-space Mumbai discussion even posted an ominous message titled, “Next Mumbai: Indian Mujahadeen.” That terror group, typed the analyst a few days after the massacre of about 200 Indians, Americans and westerners, “has now threatened to carry out attacks on Mumbai, Agencies reported.”

While about 20 analysts were active in assembling, discussing and dissecting incoming intelligence and news reports on the mayhem which unfolded over three days, others simply watched and read. The sites logged more than 7,000 page views.

To avoid a repeat of politically-tainted intel on Iraq prior to the 2003 US invasion, policymakers and politicos are strictly banned from getting access to Intellipedia and A-space. About half of the roughly 9,000 intel analysts with high enough clearances have signed up to use it, officials said.

“There’s a lot of expertise and accumulated knowledge that doesn’t fit easily on a piece of paper,” Wertheimer told The Mouth in a recent interview at the DNI’s Liberty Crossing complex in Virginia.

Besides tossing around theories with other analysts, the users – who cannot post anonymously – plunge into secret databases previously off-limits to other spy agencies, though intel from the most sensitive human assets is verboten, he said. “What used to take months is taking days. What used to take hours is taking minutes,” Wertheimer added.

Analysts now compare notes from across the continent – or oceans – about targets such as Chinese submarines and North Korean and Iranian nuclear facilities. But the biggest and most heavily-trafficked A-space page is devoted to the Afghanistan-Pakistan border, where the US is battling the Taliban and hunting Al Qaeda leadership, one source said. Another page set up to collect intel on potential threats to President Obama’s Inauguration events also attracted interest, when assets such as GoogleEarth imagery and other information feeds were added.

“The last time there was an Inauguration (in 2004), you couldn’t look at realtime traffic cams,” marveled one official involved in the new program.

UNIX / Linux: Display Large Colourful Text Banner On Screen

February 8th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

I know how to use old banner command to print a large, high quality banner on the screen or printer. Recently, I saw colorful banner on friends laptop. How do I display large colourful characters on screen, especially on terminal? How do I create colorful text banners on screen?


Pathetic DDoS vs Security Sites

February 8th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
On Friday, starting around 9:00pm CST, the main metasploit.com was hit with a highly-annoying, if pretty useless distributed denial of service. The attack consisted of a botnet-sourced connection flood against port 80 for the metasploit.com host name. This flood consisted of about 80,000 connections per second, all from real hosts trying to send a simple HTTP request. At the same time, Packet Storm and Milw0rm were being hit as well. About 95% of the bots would intermittently resolve metasploit.com and follow the target address with the connection flood. The other 5% continued to bang on the main metasploit.com IP address and port even after the host record was changed.

Solving this involved parking the metasploit.com host record at 127.0.0.1 and moving the other host names and services to a spare IP address. This allows for www.metasploit.com and most of our other domains and services to work properly. The only drawback is that until the flooding stops, we can’t use the metasploit.com A record, which happens to be the default for updating the Metasploit Framework installation. A fun side effect is that they handed us full control of the DDoS stream: we can point the metasploit.com record anywhere we like and the connection flood will follow it.

We will continue to find other ways to mitigate the flood; but until we can safely use the metasploit.com name again, our standard online update mechanism is going to fail. If you are trying to check out a fresh copy of Metasploit from subversion, use the https://www.metasploit.com/svn/framework3/ URL for now. As of 9:30am CST, the Immunity web site is being hit as well. If anyone has information on the folks involved, we would love to hear from you :-)
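The post describes two things a defender would want to measure during such a flood: the per-second connection rate from many distinct real hosts, and the minority of bots that keep hammering the old address after the host record is moved. The following is an added example, not code from the Metasploit post: it parses constructed connection-log lines (the log format, the 198.51.100.0/24 bot addresses and the 203.0.113.x server addresses are all made up for the example) and reports both.

```python
"""Connection-flood triage over constructed connection-log lines.

Added example, not from the Metasploit post. The log format and every
address below are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

OLD_IP = "203.0.113.5"  # constructed: address the hostname resolved to before the move
NEW_IP = "203.0.113.9"  # constructed: spare address the services were moved to


class Conn(NamedTuple):
    ts: int        # epoch second the connection arrived
    src: str       # client address
    dst_ip: str    # server address the client connected to
    dst_port: int


def parse_log(text: str) -> List[Conn]:
    """Parse constructed lines of the form '<epoch> <src> <dst_ip>:<dst_port>'."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst = line.split()
        dst_ip, port = dst.rsplit(":", 1)
        conns.append(Conn(int(ts), src, dst_ip, int(port)))
    return conns


def per_second(conns: List[Conn]) -> Dict[int, Tuple[int, int]]:
    """Map each second to (connection count, distinct source count).

    A high count with an equally high distinct-source count is the signature
    of a botnet flood from real hosts rather than a single spoofed sender.
    """
    buckets: Dict[int, List[str]] = defaultdict(list)
    for c in conns:
        buckets[c.ts].append(c.src)
    return {ts: (len(srcs), len(set(srcs))) for ts, srcs in buckets.items()}


def flood_seconds(conns: List[Conn], threshold: int) -> List[int]:
    """Seconds whose connection count reaches the given threshold."""
    return sorted(ts for ts, (count, _) in per_second(conns).items()
                  if count >= threshold)


def stale_sources(conns: List[Conn], old_ip: str, changed_at: int) -> Set[str]:
    """Sources still connecting to old_ip at or after the record was moved.

    These are the bots that cached the old resolution instead of re-resolving
    the name, so they do not follow the parked record.
    """
    return {c.src for c in conns if c.dst_ip == old_ip and c.ts >= changed_at}


def build_sample_log(change_at: int = 1001) -> str:
    """Constructed sample: a flood that mostly follows the record change."""
    lines = ["# constructed sample log: <epoch> <src> <dst_ip>:<dst_port>"]
    # Second 1000: 150 bots hit the original address.
    for i in range(150):
        lines.append(f"1000 198.51.100.{i + 1} {OLD_IP}:80")
    # Second 1001 (record moved): 140 bots re-resolve and follow, 10 keep
    # hitting the old address from a cached answer.
    for i in range(150):
        dst = NEW_IP if i < 140 else OLD_IP
        lines.append(f"{change_at} 198.51.100.{i + 1} {dst}:80")
    # Second 1002: two ordinary clients on the SSL port, unaffected by the flood.
    lines.append(f"1002 192.0.2.7 {NEW_IP}:443")
    lines.append(f"1002 192.0.2.8 {NEW_IP}:443")
    return "\n".join(lines)


if __name__ == "__main__":
    conns = parse_log(build_sample_log())
    for ts, (count, distinct) in sorted(per_second(conns).items()):
        print(f"t={ts}: {count} connections from {distinct} distinct sources")
    print("flood seconds:", flood_seconds(conns, threshold=100))
    print("stale bots still on old IP:", sorted(stale_sources(conns, OLD_IP, 1001)))
```

The threshold is deliberately a parameter: a real deployment would derive it from a baseline of normal traffic rather than a fixed number, and would run the same bucketing over netflow or a connection-tracking table rather than an application log.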

PHP filesystem attack vectors

February 7th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
ascii writes: “On Apr 07, 2008 I spoke with Kuza55 and Wisec about an attack I found some time before that was a new attack vector for filesystem functions (fopen, (include|require)[_once]?, file_(put|get)_contents, etc) for the PHP language. It was a path normalization issue and I asked them to keep it “secret” [4],…

Google warns entire Internet is malware (CNET) (Yahoo Security)

February 7th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

QuickPwn and PwnageTool Updated for iPhone 3G 2.2.1 firmware

February 7th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
The iPhone Dev Team has released updated QuickPwn and Pwnage tools for the recent 2.2.1 firmware update – still no sign of redsn0w (the jailbreak for the iPod Touch 2G) but they say they are working on it… In the meantime, here is the low down on using their latest tools.

1. GOLDEN RULE: If you have a 3G iPhone running 2.2 firmware and you want to keep your ability to use yellowns0w (or the option to use it in the future) do NOT use QuickPwn, and do not use the official ipsw or the iTunes update process without using PwnageTool.

2. Yellowsn0w will NOT work with the baseband version (02.30.03) that is present in the recent 2.2.1 update – you will need to create a custom ipsw that will allow you to update safely without affecting the baseband.

3. Please read all parts of this post before downloading and using these tools.

4. Read items 1, 2 and 3 again and again.

5. At the bottom of this post are the bittorrent files for the latest versions of PwnageTool and QuickPwn.

6. These apps are suitable for the recent 2.2.1 release.

7. The Yellowsn0w version has been updated to 0.9.7. Yellowsn0w is available from Cydia or Installer – this version allows compatibility with pwned 2.2.1 system (not baseband) – again – remember 0.9.7 yellowsn0w DOES NOT WORK WITH 2.2.1 (02.30.03) directly – you need to be running a ‘pwned’ version of 2.2.1 which doesn’t upgrade the baseband.

8. Users of OS X 10.5.6 will be unable to use DFU mode correctly, please see the note towards the end of this post to easily fix this issue.

Interview with an Adware Developer

February 7th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Fascinating: I should probably first speak about how adware works. Most adware targets Internet Explorer (IE) users because obviously they’re the biggest share of the market. In addition, they tend to be the less-savvy chunk of the market. If you’re using IE, then either you don’t care or you don’t know about all the vulnerabilities that IE has. IE has…

Mac trojan horse discovered in pirated Photoshop (Macworld.com) (Yahoo Security)

February 7th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

Facebook group to CC all email to Home Secretary

February 7th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

A UK Facebook group plans to protest the government’s consultation into further communications monitoring by cc’ing Home Secretary Jacqui Smith on every one of their emails for a day.

A group called, unsurprisingly ‘cc all your emails to Jacqui Smith” Day’ plans to bombard Smith with every mail for 24 hours to show their objection to a massive database of UK communications, including emails and instant messages.

Infringement

“The government has unveiled plans for a private company to run a ’superdatabase’ that will track all our emails, calls, texts, internet use and so on. This is an immense infringement of civil liberties, not to mention a major risk to our private data, but it won’t make us any safer,” reads the group’s mission statement.

“The sheer amount of information that the Government intends to collect will be impossible to analyse properly and will undoubtedly turn up false positives while missing potential security threats among the morass of spam emails and private chat.

“So, for one day, we should send a message to the Home Office – ‘you want to see our emails? OK then, here they are.’”

Disbelief

There’s understandable disbelief that a government with a track record of losing classified data is seeking to set up a database straight out of George Orwell’s nightmares.

Although much of the justification for looking into the scheme has been under the umbrella of ‘anti-terrorism’, there have been widespread rumblings of malcontent about what many see as a huge breach of privacy.

The group has not yet finalised a date for the protest, but it has sailed past 3,000 members already.


Conficker Worm Seizes UK City's Hospital Network

February 7th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Via The Register UK -

Staff at hospitals across Sheffield are battling a major computer worm outbreak after managers turned off Windows security updates for all 8,000 PCs on the vital network, The Register has learned.

It’s been confirmed that more than 800 computers have been infected with self-replicating Conficker code. Insiders at Sheffield Teaching Hospitals Trust said they suspect many more machines are affected but have not been reported to IT.

The Trust told The Register it now has the outbreak under control and is engaged in “clearing up” remnants. Non-urgent appointments in the medical imaging department had to be cancelled while its computers were disinfected. A Trust spokeswoman said no other direct impact on patient care was known.

The decision to disable automatic security updates was taken during Christmas week after PCs in an operating theatre rebooted mid-surgery. Conficker was detected on December 29.

David Whitham, the Trust’s informatics director, said in a statement: “We do not know how the virus entered the network but at around the same time as the virus became evident the automatic update process had been temporarily disabled following problems with a number of PCs in theatres.

“This decision was taken by the IT Change Advisory Board to prevent further disruption in theatres which could have affected patient care.” No individual was responsible for the move, the Trust added.

People close to the incident criticised the management decision to disable updates across the entire network rather than only where the reboots caused a problem. “Don’t you just hate it when your boss is so computer illiterate yet has the power to veto the simplest of ideas to catastrophic end,” said one, who asked to remain anonymous.

In internal emails seen by The Register, staff were warned not to make details of the outbreak public. “Please note that this incident could over the next few days attract outside interest from the press… If you are at any time approached by anyone to give information relating to the current problem then please refer them to me in the first instance,” IT services manager Carol Hudson wrote.

A source said executives had not contacted Microsoft or other external security professionals for help eradicating Conficker, but the Trust disputed this. “Our IT team have been working very closely with external anti-virus specialists to remove the remnants from the network,” Whitham said.

The trust argued that the consequences of its decision making had not cost public money, “just time and effort by the IT teams”. It added: “A lot of lessons have been learned during the outbreak and they are being fully documented and discussed to prevent a repeat.”

A Conficker outbreak is also currently affecting the Ministry of Defence. It’s thought the worm acts to make infected machines vulnerable to further malware and harvests private information, though experts have warned its full purpose may not have been revealed yet.

Microsoft released a patch for the Conficker exploit in October, so updated machines should be unaffected. Until late December, Sheffield Teaching Hospitals Trust had a policy in place that would apply security updates across its network a few weeks after the patch release, and enforce a reboot.

Yesterday it was reported three in ten Windows PCs remain vulnerable to Conficker.

‘Amazing’ worm attack infects 9 million PCs

February 7th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Calling the scope of the attack “amazing,” security researchers at F-Secure Friday said that 6.5 million Windows PCs have been infected by the “Downadup” worm in the last four days, and that nearly 9 million have been compromised in just over two weeks.

Six Worst Routing Attacks

February 7th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

We seem to have an odd fascination with lists. From top 10 worst/best to lists to make sure to remember to pick up bread and milk on the way home (nb. must pick up milk). At any rate, I stumbled across this story this morning on Network World where Carolyn Duffy Marsan lists off the six worst internet routing attacks. Both overt and accidental.

From Network World:

Pakistan Telecom blocks YouTube

In February 2008, Pakistan Telecom inadvertently brought down the entire YouTube site worldwide for two hours as it was attempting to restrict local access to the site. When Pakistan Telecom tried to filter access to YouTube, it sent new routing information via BGP to PCCW, an ISP in Hong Kong that propagated the false routing information across the Internet.

ICANN puts root server at risk

The Internet Corporation for Assigned Names and Numbers (ICANN) screwed up in November 2007 when it renumbered the DNS root server “L” that it operates. ICANN failed to notice several unauthorized L root servers operating across the Internet until six months later. By May 2008, ICANN had all the bogus L root servers turned off.
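Both incidents in the list above come down to routers accepting announcements that nobody had authorised: a more-specific prefix from the wrong origin in the YouTube case, and unauthorised instances of a root server in the ICANN case. The following is an added example, not code from the Network World article, showing the origin-validation check (in the style of RPKI route origin validation) that lets a router refuse such a route. The prefixes (RFC 5737 documentation ranges) and the ASNs (RFC 5398 documentation ASNs 64496 and 64500) are constructed, as is the authorisation table.

```python
"""Route origin validation over constructed BGP announcements.

Added example, not from the article. Prefixes, ASNs and the authorisation
table are constructed for illustration.
"""
import ipaddress
from typing import Dict, List, NamedTuple, Optional


class Roa(NamedTuple):
    prefix: str       # covering prefix the holder has authorised
    max_length: int   # longest prefix length the holder permits to be announced
    asn: int          # origin AS authorised to announce it


class Route(NamedTuple):
    prefix: str
    origin_asn: int


# Constructed authorisation table: the holder of 198.51.100.0/24 has authorised
# only AS64496 to originate it, and only at exactly /24.
ROAS = [Roa("198.51.100.0/24", 24, 64496)]


def validate(route: Route, roas: List[Roa]) -> str:
    """Return 'valid', 'invalid' or 'not-found' for an announced route.

    A route is valid when some covering authorisation names its origin AS and
    allows its prefix length; invalid when covering authorisations exist but
    none matches; not-found when nothing covers the prefix at all.
    """
    net = ipaddress.ip_network(route.prefix)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.asn == route.origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def classify(routes: List[Route], roas: List[Roa]) -> Dict[str, List[Route]]:
    """Group announcements by validation state."""
    out: Dict[str, List[Route]] = {"valid": [], "invalid": [], "not-found": []}
    for route in routes:
        out[validate(route, roas)].append(route)
    return out


def best_route(dest: str, routes: List[Route],
               roas: Optional[List[Roa]] = None) -> Optional[Route]:
    """Longest-prefix match for dest; with roas given, invalid routes are dropped first.

    Without validation a more-specific hijack always wins the match, which is
    exactly how a single leaked announcement can capture traffic worldwide.
    """
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in routes if addr in ipaddress.ip_network(r.prefix)]
    if roas is not None:
        candidates = [r for r in candidates if validate(r, roas) != "invalid"]
    if not candidates:
        return None
    return max(candidates, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)


# Constructed announcements: the legitimate /24, a more-specific /25 from an
# unrelated AS (the hijack pattern), the same /25 from the right AS but beyond
# the permitted length, and a prefix with no authorisation at all.
ANNOUNCEMENTS = [
    Route("198.51.100.0/24", 64496),
    Route("198.51.100.0/25", 64500),
    Route("198.51.100.0/25", 64496),
    Route("203.0.113.0/24", 64496),
]

if __name__ == "__main__":
    for state, routes in classify(ANNOUNCEMENTS, ROAS).items():
        print(state, routes)
    print("unvalidated best path:", best_route("198.51.100.7", ANNOUNCEMENTS))
    print("validated best path:  ", best_route("198.51.100.7", ANNOUNCEMENTS, ROAS))
```

Note that "not-found" is deliberately distinct from "invalid": most operators only drop invalid routes, because treating unregistered prefixes as hostile would black-hole the large part of the routing table that has no authorisation records.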

Are there any major ones that were missed that you think should be a part of this list?

For the full article read on.
