Roy Firestein

Security Feeds

Archive for April, 2009

Cablevision Goes for U.S. Broadband Speed Record – 101 Mbps

April 28th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
The new service will offer download speeds of 101 megabits per second and upload speeds of 15 Mbps for a cost of $99.95 per month. It will be available May 11 to all 5 million of the people in areas served by Cablevision, mainly in the New York City suburbs. In Japan, J:Com uses the same technology to offer 160 Mbps service for 6,000 yen ($60)/mo.

Ultrasound imaging now possible with a smartphone

April 21st, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Computer engineers at Washington University in St. Louis are bringing the minimalist approach to medical care and computing by coupling USB-based ultrasound probe technology with a smartphone, enabling a compact, mobile computational platform and a medical imaging device that fits in the palm of a hand.

Humanity’s earliest written works go online

April 21st, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
(AP) — National libraries and the U.N. education agency put some of humanity’s earliest written works online Tuesday, from ancient Chinese oracle bones to the first European map of the New World.

Further evidence on how the online and the private truly MESH

April 17th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

Once again, folks from the Office attended “Canada’s web conference”, MESH 2009, in Toronto – a place where flacks, marketers, hackers, people with money to spend, people looking for money, and activists gather and talk about how the web is “affecting media, marketing, business and society as a whole”.

Just ten minutes at this conference is a lesson in how much human communication has changed. People don’t generally put up their hands to ask questions – instead they send messages to the organizers through Twitter. When Toronto Mayor, David Miller (who is known for using the web to get information out to citizens) gave his keynote, and was subsequently interviewed onstage, he paused several times to either tweet or to read new messages he was receiving. And gone are the days of hanging around after a presentation to fill out a feedback form – at this conference people send tweets about the quality of a speaker or session as it’s unfolding, causing others to abandon simultaneously-running sessions to join the one that’s getting all the attention.

All it takes is a quick glance at some of the sessions that were offered (“managing your persona online”; “how to integrate social media into your marketing plan”; and “using online word of mouth” are just a few examples) to see how privacy is intertwined with the new online reality. One keynote speaker, Jessica Jackley, co-founder of kiva.org, the world’s first peer-to-peer online micro-lending web site, is living proof of how the Internet can be used for good. But isn’t privacy also a theme here, what with the online financial transactions that make the whole thing possible, not to mention the protection of the personal details of both the lenders and entrepreneurs?

The MESH conference tagline is “connect, share and inspire” and one of the themes is while social media can be “a difficult reality for some companies, it also offers tremendous opportunities for both businesses and individuals to communicate, collaborate, entertain and inform”. These are exciting words and ideas – as long as we don’t forget the important privacy implications that go hand-in-hand with them.

iBotnet: Researchers find signs of zombie Macs

April 17th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Malware hunters at Symantec have discovered a direct link between a malicious file embedded in pirated copies of Apple’s iWork 09 software and what appears to be the first Mac OS X botnet launching denial-of-service attacks.
Writing in the current issue of Virus Bulletin (subscription required), researchers Mario Ballano Barcena and Alfredo Pesoli found two malware [...]

Botnets: Coming To A Social Network Near You

April 17th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

I've dealt with a lot of different types of bots over the years. The communication channels amongst the botnets have varied from unsophisticated IRC command and control (C&C) servers to advanced peer-to-peer (P2P) protocols. For botnet herders, the problem is flying under the radar of network security professionals monitoring their networks looking for anomalies. The infosec pros who know their networks inside and out are likely to pick up on strange protocols pretty quickly which is one of the reasons HTTP bots have been so effective.

New solo album – You Are Only Here Once

April 14th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

Hey everyone,

Finally this thing is finished! It has 10 freshly baked keyboard-piano-electronic tracks.  Some are tunes and a few others are songs!

you are only here once front cover

Below are a few for you to check out.

My Thought Exactly

Punching Keys

Purpose And Reason

There are a limited number of physical copies that were made and the full album will be up on sale online in May.
And here’s a video of ‘Punching Keys’:



5 Ways To Survive a Data Breach Investigation

April 14th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
When the digital forensics crew comes in to investigate a possible data breach, company execs often make matters worse by not being prepared. Here are five ways to keep it from happening to you.


New technology watches the watchers to tell them what they should have watched

April 14th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

Or, a new technology that supervises the people who are paid to stare at screens, tracking their eyes to let them know what parts of the screens they’ve been missing. See: Eyeball spy turns the tables on Big Brother – tech – 14 April 2009 – New Scientist via Boing Boing, which doesn’t miss a thing and never needs a newfangled gadget to tell it that.

TEDTalks : A bold plan for mass adoption of electric cars – Shai Agassi (2009)

April 13th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

Shared by royfire

Highly recommended!

Forget about the hybrid auto — Shai Agassi says it’s electric cars or bust if we want to impact emissions. His company, Better Place, has a radical plan to take entire countries oil-free by 2020.

Updating Windows is like wearing seatbelts

April 13th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)


When I was a structural engineer in the auto industry several decades ago (just trying that phrase on for size as I approach the midpoint of my first century), I became obsessed with the value of seat belts and safety. My kids were required to use car seats. I would not start the car if everyone was not buckled up. In the crash tests I ran with one of GM’s biggest vehicles, the Chevrolet Caprice Classic, the value of seat belts was dramatically demonstrated. We ran tests with one inch of slack space between the test dummy and its shoulder belt. That one inch meant increased G forces measured by the accelerometers in the dummy’s chest. With the belt cinched up so there was no slack the dummy experienced less than 50 G’s. With one inch of slack it experienced greater than 50 G’s, a lethal load. Survival and death were determined by how tight you wore your shoulder belt.

What really got under my skin was news reports of traffic fatalities that failed to mention whether or not the victims were belted in. It seemed like the writers of those stories were evincing compassion for the victims’ families, who did not need to hear about how stupid their loved one was to cause his or her own death by negligence. See? I can get pretty passionate on the subject.

I am starting to feel the same way about news reports of major infections. Take the just reported story:

Conficker worm hits University of Utah computers.

The AP reports that

University of Utah officials say a computer virus has infected more than 700 campus computers, including those at the school’s three hospitals.

We know two things from this story even though they go unreported. 1. The University of Utah does not have an effective solution for updating Windows machines. You cannot get infected with Conficker if you patched your system anytime in the last six months. 2. The University of Utah does a really bad job with anti-virus software as well. All AV software has signatures for Conficker by this time.

Why do journalists not ask hard questions? Why don’t they ask the police officer on the scene if victims were wearing seatbelts? Why don’t they ask IT admins why they were not patched?

Post from: ThreatChaos

Essential PHP Techniques for Web Designer and Developers

April 13th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

In this post, you will find 30 PHP tutorials and techniques that are not too complex and all different. You can easily learn these techniques and implement them in your next project.

Security is about outcomes, not about process

April 13th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Nearly a decade ago Bruce Schneier wrote “Security is a process, not a product.” His statement helped us advance as a profession, but with the benefit of hindsight, we can see he’s only half right. Security isn’t about technology.

Security is about outcomes, and our perceptions, beliefs and assurance about those outcomes.

Here’s a quick gut check: which would you rather tell the board or your customers? (1) “We had no security incidents last year, and aren’t sure why,” or (2) “Our customer database was pillaged 9 times, despite a cross-organizational investment in ISO 27001 which was aligned with our balanced scorecard and measured to be in the top quartile of all infosec programs?”

However people orient themselves around security, what they worry about is not “does the organization follow COBIT or ITIL?” but, “will they protect the information I’m giving them?”

Across the variety of orientations which exist within security, outcomes are what counts. Some examples:

  • Compliance officers want to keep the CEO out of jail. All the process in the world is useful because when they’re not, they can talk about their plans for correcting that.
  • Applied Researchers ask “did you pwn it?” They’re concerned with testing a hypothesis, which is “this system resists this type of attack”
  • Law enforcement wants to catch the bad guy (or gal). Much of the friction between civil libertarians and law enforcement comes from a conflict about prioritization of goals.

We’ve focused on process because we have so little data on outcomes. People will talk about their training processes. But when you ask them, did that process work? no one wants to say.

For us to mature as a discipline and as part of the organizations we support, we must go from talking about what might happen to what does happen.

Build Your Own Linux Distribution with Revisor [Linux]

April 13th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

Shared by royfire

That’s old!

Find yourself making the same customizations over and over again every time you install a Linux system? Revisor, a free distribution customizer, lets you pick the packages and tweaks you want to see kept in, then compiles and compresses it all into a CD, DVD, or USB-friendly ISO image for you to install or live-boot with. PC Plus has a step-by-step guide to using Revisor on Fedora, but you can compile nearly any type of desktop with this tool. [PC Plus]

Mythbusters vaporize a car with a rocket sled doing 650mph

April 13th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Jamie and Adam are not satisfied with the two semis not pancaking a compact and fusing together…so they go to New Mexico to get a rocket to smash into a car at 650 mph…watch the car pretty much erase.

Tweenbots

April 13th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Tweenbots: Tweenbots are human-dependent robots that navigate the city with the help of pedestrians they encounter. Rolling at a constant speed, in a straight line, Tweenbots have a destination displayed on a flag, and rely on people they meet to read this flag and to aim them in the right direction to reach their goal. Given their extreme vulnerability, the…

15 Years of Anti-Piracy Warnings

April 13th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
TechDirt points to Guardian collection of anti-piracy warnings, dating back to video cassettes.

Book: iPhone Hacks

April 12th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

iPhone Hacks

The iPhone is an internet-connected multimedia smartphone. Chances are if you own an iPhone (or iPod touch), you long to discover its hackability. And a new book from O'Reilly, iPhone Hacks, can help you do just that. This book covers over 100 tips & tools for unlocking the power of your iPhone / iPod touch. With this book you can push the iPhone and iPod touch beyond their limits.

Read more: Book: iPhone Hacks

Wikileaks Posts ACTA Documents Revealing Enforcement Cooperation and Practices Info

April 12th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Wikileaks has posted additional original ACTA documents, including draft language for several sections of the treaty.  The leaked documents are consistent with earlier reports on the Enforcement of Intellectual Property Rights Chapter.  The leak package also includes the Canadian non-paper on institutional arrangements for ACTA (Canada has since supplied draft treaty language that has not been leaked).

The one document that is completely new is the release of the non-paper on International Enforcement Cooperation and Enforcement Practices, which would form Chapters 3 and 4 of ACTA.  The basis for discussion for the International Enforcement Cooperation (Chapter 3) are:

  • Affirm the importance of international cooperation in the context of IPR enforcement, including the investigation and prosecution of international IPR crimes regardless of the location of the right holder or the origin of the infringing goods.
  • Improve coordination of anti-counterfeiting and anti-piracy strategies, including fostering closer cooperation among their respective enforcement officials, through practices such as: shared risk analysis, exchange of best practices, and exchange of relevant information for use in enforcement actions, where appropriate.
  • Providing for an effective exchange of information and evidence related to IPR crimes between their law enforcement agencies. This enforcement cooperation should be done in a manner that is appropriate with the factual circumstances and consistent with existing international agreements.
  • Providing capacity building and technical assistance in improving IPR enforcement, both for developing country parties to the ACTA and for third countries. These initiatives could be undertaken through, or in conjunction with, the private sector or relevant international organizations.
  • Working closely with developing country partners to strengthen their domestic legislation, and assisting them improving their national anti-counterfeiting, anti-piracy, and enforcement capacities through sharing IPR enforcement best practices and relevant technical assistance.

The basis for discussion for the Enforcement Practices (Chapter 4) are:

Domestic Coordination

  • Promoting internal coordination and joint action, where appropriate, among its government agencies concerned with IPR enforcement through coordination bodies or other relevant mechanisms.
  • Maintaining formal or informal mechanisms for consulting with rights holders and other relevant stakeholders to promote more effective IPR action.

IPR Enforcement Expertise

Developing expertise within domestic law enforcement structures to ensure effective handling of IPR matters.  One way of doing this would be maintaining specialized authorities for the investigation and prosecution of IPR infringement cases.

Public Awareness

Undertaking measures designed to raise awareness among government officials and the public regarding the importance of protecting IPR (i.e. the problems associated with IPR infringement, such as health risks, economic damage, and other detrimental effects).

Risk Management Techniques

Adopting and sharing practices that assist in better identifying and targeting for inspection shipments that contain counterfeit trademark goods or pirated copyright goods.  Such activities could include:

a.    consultations with relevant stakeholders and competent authorities responsible for IPR enforcement to identify and address risks;
b.    exchanging available data with other Parties regarding significant customs seizures of counterfeit and pirated goods wherever possible, including international networks;
c.    sharing information with other Parties on approaches that are developed to provide greater effectiveness in targeting shipments that could contain counterfeit and pirated goods;
d.    providing that its competent authorities may conduct post-entry examinations of business records, methods of payment, purchasing contracts, and importers' internal controls to track illicit financial gains and expose business practices related to trademark counterfeiting and copyright piracy.

Publication of Enforcement Procedures and Practices

  • Identify publicly competent authorities for IPR enforcement and contact points for assistance to right holders.
  • Providing that relevant laws, regulations, procedures, final judicial decisions and general administrative rulings pertaining to IPR enforcement are in writing.  The judicial decisions and administrative rulings should state the relevant findings of fact and the reasoning or the legal basis on which the decisions and rulings are based and should be published or made available to the public (e.g., through the Internet).
  • Publicizing information on its efforts to provide effective enforcement of intellectual property rights in its civil, administrative, and criminal systems, including any statistical information that the Party may collect for such purposes.

IPR Enforcement Information Sharing

An ACTA Party's sharing of information related to the IPR enforcement with the public is without prejudice to the need to protect investigative techniques, confidential law enforcement information, and privacy rights.

Twitter Worm(s), (Sun, Apr 12th)

April 12th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
We’ve received a number of reports from readers pointing to articles about this weekend’s Twitter XSS worm. F-Secure has details and an update warning about more to come. Keeping in touch has never been easier.

Conficker Finally Awakes & Dumps Payload

April 10th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
So it seems something big was brewing with Conficker, they just didn’t want to do what everyone expected and unleash it on April 1st when all eyes were on them.
Smart move really, they kept quiet and waited a week or so after before dropping some fairly serious and complex payloads (encrypted rootkits).
It seems like they [...]

Read the full post at darknet.org.uk

A truly marvellous proof of a transaction

April 10th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

When you transact with an EMV payment card (a “Chip and PIN” card), typical UK operation is for the bank to exchange three authentication “cryptograms”. First comes the request from the card (the ARQC), then comes the response from the bank (the ARPC) and finally the transaction certificate (TC). The idea with the transaction certificate is that the card signs off on the correct completion of the protocol, having received the response from the bank and accepted it. The resulting TC is supposed to be a sort of “proof of transaction”, and because it certifies the completion of the entire transaction at a technical level, one can presume that both the money was deducted and the goods were handed over. In an offline transaction, one can ask the card to produce a TC straight away (no ARQC and ARPC), and depending on various risk management settings, it will normally do so. So, what can you do with a TC?

Well, the TC is sent off to the settlement and clearing system, along with millions of others, and there it sits in the transaction logs. These logs get validated as part of clearing and the MAC is checked (or it should be). In practice the checks may get deferred until there is a dispute over a transaction (i.e. a human complains). The downside is, if you don’t check all TCs, you can’t spot offline fraud in the chip and pin system. Should a concerned party dispute a transaction, the investigation team will pull the record, and use a special software tool to validate the TC – objective proof that the card was involved.

Another place the TC gets put is on your receipt. An unscientific poll of my wallet reveals 13 EMV receipts with TCs present (if you see a hex string like D3803D679B33F16E8 you’ve found it) and 7 without – 65% of my receipts have one. The idea is that the receipt can stand as a cryptographic record of the transaction, should the banks logs fail or somehow be munged.

But there is a bit of a problem: sometimes there isn’t enough space for all the data. It’s a common problem: Mr. Fermat had a truly marvellous proof of a proposition but it wouldn’t fit in the margin, and unfortunately while the cryptogram fits on the receipt, you can’t check a MAC without knowing the input data, and EMV terminal software developers have a pretty haphazard approach to including this on the receipts… after all, paper costs money!

Look at the following receipts. Cab-Inn Aarhus has the AID, the ATC and various other input goodies to the MAC (sorry if I’m losing you in EMV technicalities); Ted Baker has the TC, the CVMR, the TSI, TVR and IACs (but no ATC), and the Credit Agricole cash withdrawal has the TC and little else. One doesn’t want to be stuck like Andrew Wiles spending seven years guessing the input data! Only at one shop have I seen the entire data required on the receipt (including CID et al) and it was (bizarrely) from a receipt for a Big Mac at McDonalds!

Various POS receipts

Now in case of dispute one can brute force the missing data and guess up to missing 40 bits of data or so without undue difficulty. And there is much wrangling (indeed the subject of previous and current legal actions) about exactly what data should be provided, whether the card UDKs should be disclosed to both sides in a dispute, and generally what constitutes adequate proof.

A “fake” transaction certificate

But most worrying is something I observed last week, making a credit card purchase for internet access at an airport: a fake transaction certificate. I can tell it’s a fake because, firstly, it’s the wrong length, and secondly, it’s online: I only typed in my card number, and never plugged my card into a smartcard reader. Now I can only assume that some aesthetically minded developer decided that the online confirmation needed a transaction certificate, so took any old hex field and just dumped it. It could be an innocent mistake. But whether or not the “margin was too small” to contain this TC, it’s a sad reflection on the state of proof in EMV when cryptographic data fields only appear for decorative purposes. Maybe some knowledgeable reader can shed some light on this?
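To make the preceding points concrete, here is an added example (mine, not code from the post or from any EMV vendor) of what the dispute tool has to do: recompute the cryptogram from the full input data and compare, which is why a receipt missing an input field is useless as proof until that field is recovered. It also shows the brute-force recovery of one omitted field (the 16-bit ATC) and the cheap length check that gives away a decorative “TC”. The MAC is a stand-in: real cards derive a DES session key from the card’s UDK and ATC and run an ISO 9797-1 MAC over the CDOL data; here HMAC-SHA256 truncated to 8 bytes keeps it to the standard library. The UDK, the field list and the receipt values are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Optional

TC_LEN_BYTES = 8  # an EMV application cryptogram is 8 bytes (16 hex digits)

# Constructed card master key (UDK) for the example; not a real key.
UDK = bytes.fromhex("00112233445566778899AABBCCDDEEFF")


def session_key(udk: bytes, atc: int) -> bytes:
    """Stand-in for EMV session-key derivation (assumption): real cards derive a
    DES key from the UDK and the ATC; HMAC-SHA256 here keeps it stdlib-only."""
    return hmac.new(udk, atc.to_bytes(2, "big"), hashlib.sha256).digest()


@dataclass(frozen=True)
class TxnData:
    """Fields the MAC is computed over (an illustrative subset of the CDOL data)."""
    amount: int          # in minor units
    currency: str        # ISO 4217 numeric code as 4 hex digits, e.g. "0826"
    date: str            # YYMMDD as 6 hex digits
    atc: int             # application transaction counter, 16 bits
    tvr: bytes           # terminal verification results, 5 bytes
    unpredictable: int   # terminal unpredictable number, 32 bits
    cid: int             # cryptogram information data; 0x40 means "TC"

    def mac_input(self) -> bytes:
        return (self.amount.to_bytes(6, "big")
                + bytes.fromhex(self.currency)
                + bytes.fromhex(self.date)
                + self.atc.to_bytes(2, "big")
                + self.tvr
                + self.unpredictable.to_bytes(4, "big")
                + bytes([self.cid]))


def compute_tc(udk: bytes, data: TxnData) -> bytes:
    """Stand-in cryptogram: keyed MAC over the transaction data, truncated to 8 bytes."""
    mac = hmac.new(session_key(udk, data.atc), data.mac_input(), hashlib.sha256)
    return mac.digest()[:TC_LEN_BYTES]


def plausible_tc(field: str) -> bool:
    """Cheap sanity check on a printed 'TC': exactly 16 hex digits.
    A field of any other length cannot be a TC, whatever it looks like."""
    try:
        return len(bytes.fromhex(field)) == TC_LEN_BYTES
    except ValueError:
        return False


def verify_tc(udk: bytes, data: TxnData, tc_hex: str) -> bool:
    """What the dispute tool does: recompute from the full input data and compare.
    Without every input field there is nothing to recompute."""
    if not plausible_tc(tc_hex):
        return False
    return hmac.compare_digest(compute_tc(udk, data), bytes.fromhex(tc_hex))


def recover_missing_atc(udk: bytes, known: TxnData, tc_hex: str) -> Optional[int]:
    """The receipt printed the TC but omitted the ATC. The ATC is only 16 bits,
    so whoever holds the UDK can try every value until the MAC verifies."""
    if not plausible_tc(tc_hex):
        return None
    for atc in range(1 << 16):
        if verify_tc(udk, replace(known, atc=atc), tc_hex):
            return atc
    return None


# Constructed receipt: 19.95 GBP on 10 April 2009, ATC 0x0123, offline-approved TC.
RECEIPT = TxnData(amount=1995, currency="0826", date="090410", atc=0x0123,
                  tvr=bytes.fromhex("0080008000"), unpredictable=0xDEADBEEF, cid=0x40)
RECEIPT_TC_HEX = compute_tc(UDK, RECEIPT).hex().upper()


def demo() -> dict:
    # What a receipt without the ATC leaves the investigator with.
    receipt_without_atc = replace(RECEIPT, atc=0)
    return {
        "verifies": verify_tc(UDK, RECEIPT, RECEIPT_TC_HEX),
        "tampered_amount_verifies": verify_tc(UDK, replace(RECEIPT, amount=9995), RECEIPT_TC_HEX),
        "recovered_atc": recover_missing_atc(UDK, receipt_without_atc, RECEIPT_TC_HEX),
        "decorative_field_plausible": plausible_tc("ABCD12"),  # wrong length, cannot be a TC
    }


if __name__ == "__main__":
    print(demo())
```

The brute force is only cheap because a single 16-bit field is missing; every further omitted input multiplies the search, which is the point about receipts that print the TC and little else.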

Virtualization changes the rules

April 9th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

One of the areas that I have seen growing in most of the datacenters I have had a chance to consult in is virtualization. Many companies and government agencies are looking at virtualization to reduce their operational costs and at the same time gain some of the advantages of virtualization, but an area that I have seen the virtualization vendors and most system integrators overlooking is how virtualization changes the way networks are designed and how it also changes the processes for the security team. The biggest mistake I have seen is the mixing of environments without doing a proper risk assessment and segmenting your environments appropriately; you can see this in:

  • Mixing VDI machines (High Risk users have control!!) with server machines (Here is most of the data you want secured).
  • Having DMZ server and Internal server on a same Hypervisor Cluster.
  • Having the Lab Environment and production environments mixed on a same group of clusters.

These are only some basic examples. There is currently development and research being done by the bad guys on how to do VM escapes and gain access to the physical host; all major vendors have released patches for this, and still you do not see questions about it from any of the major risk assessment companies or in the guides out there. Another area that is grossly overlooked is how you design your network and storage infrastructure: where do you put your IDS/IPS boxes? How do you segment traffic? In fact, one of the major buzzwords is converged networks, where you have FCoE, iSCSI and NFS running on the same network where you are moving Ethernet communication packets, so if a box is compromised or a piece of network equipment is compromised and the attacker can sniff or perform a MITM attack, he can see not only the network traffic but the storage traffic, giving a greater amount of access to the data. Many designs are badly done: they not only do not segregate which physical set of servers will host which VMs, but they have LUNs in the SAN where the machines are mixed, so if an attacker gains access to the physical server he can also have access to VMs of different levels of classification.

Another great area of change many times overlooked is procedures, and in an IT environment there are plenty:

  • Backup procedures.
  • Change Management and Patch Management.
  • Incident Response

and these are only but a few of the procedures that must be modified when moving into a virtual environment. Management as a whole changes: the admins of the physical servers have the power to change and control the VMs in that environment, permissions will vary to grant the necessary access to the right people to manage the resources, and the management system becomes one of the biggest areas of risk if not secured properly. There must be a separation of the management network, just like we separate the network and storage traffic. Also the management host must be hardened and all necessary precautions must be taken, like having IPS monitoring the traffic to these systems, having proper logging set up, having HIPS on these boxes and proper change management, since a compromise of one of these boxes means that the attacker gained the keys to the kingdom.  This is just a rant on some of the main points that I see are not being addressed properly by the major virtualization vendors when they talk about virtualization and consolidation. The bad guys are doing their research and they even have attack code that will detect if the target is a VM; we had better catch up before it is too late.
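The mixes the post lists (DMZ with internal servers, VDI with servers, lab with production, shared LUNs across classifications, and VM traffic landing on the management network) are all visible in an inventory export, so they can be checked mechanically before an auditor or an attacker finds them. The following is an added example of such a placement-policy check; it is my code, not the post’s, and the VM inventory, zone labels, cluster names and VLAN names are constructed for illustration. Any zone other than “lab” is treated as production, and the three incompatible pairs are the ones the post names; extend the policy to taste.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class VM:
    name: str
    zone: str                 # "dmz", "internal", "vdi" or "lab"; anything but "lab" is production
    cluster: str              # hypervisor cluster the VM runs on
    lun: str                  # SAN LUN / datastore holding its disks
    networks: FrozenSet[str]  # port groups / VLANs its vNICs attach to


Finding = Tuple[str, str, str]  # (kind, object, detail)


def incompatible(a: str, b: str) -> bool:
    """Zone pairs that must not share a cluster or a LUN: DMZ with internal,
    VDI (users in control) with servers, and lab with anything production."""
    if a == b:
        return False
    pair = {a, b}
    if "lab" in pair:
        return True
    return pair in ({"dmz", "internal"}, {"vdi", "internal"})


def mixed_zones(groups: Dict[str, List[VM]], kind: str) -> List[Finding]:
    """Report every incompatible zone pair co-located on one cluster or one LUN."""
    out: List[Finding] = []
    for obj, vms in groups.items():
        zones = sorted({vm.zone for vm in vms})
        for i, a in enumerate(zones):
            for b in zones[i + 1:]:
                if incompatible(a, b):
                    out.append((kind, obj, f"{a}/{b}"))
    return out


def audit(vms: List[VM], cluster_mgmt_vlan: Dict[str, str]) -> List[Finding]:
    """Run the three checks and return a sorted, deduplicated list of findings."""
    by_cluster: Dict[str, List[VM]] = defaultdict(list)
    by_lun: Dict[str, List[VM]] = defaultdict(list)
    for vm in vms:
        by_cluster[vm.cluster].append(vm)
        by_lun[vm.lun].append(vm)
    findings = mixed_zones(by_cluster, "cluster") + mixed_zones(by_lun, "lun")
    # A guest vNIC on the hypervisor management VLAN means the management
    # network is not separated from VM traffic.
    for vm in vms:
        mgmt = cluster_mgmt_vlan.get(vm.cluster)
        if mgmt and mgmt in vm.networks:
            findings.append(("mgmt-net", vm.name, mgmt))
    return sorted(set(findings))


# Constructed inventory: every anti-pattern from the post, plus one clean host.
INVENTORY = [
    VM("web01", "dmz", "cluster-A", "lun-1", frozenset({"vlan-dmz"})),
    VM("db01", "internal", "cluster-A", "lun-1", frozenset({"vlan-int"})),
    VM("vdi-u17", "vdi", "cluster-B", "lun-2", frozenset({"vlan-vdi"})),
    VM("app01", "internal", "cluster-B", "lun-3", frozenset({"vlan-int", "vlan-mgmt"})),
    VM("lab-test", "lab", "cluster-C", "lun-4", frozenset({"vlan-lab"})),
    VM("erp01", "internal", "cluster-C", "lun-5", frozenset({"vlan-int"})),
    VM("file01", "internal", "cluster-D", "lun-6", frozenset({"vlan-int"})),
]

# Constructed: which VLAN each cluster's management interfaces live on.
CLUSTER_MGMT_VLAN = {
    "cluster-A": "vlan-mgmt",
    "cluster-B": "vlan-mgmt",
    "cluster-C": "vlan-mgmt",
    "cluster-D": "vlan-mgmt-oob",
}


if __name__ == "__main__":
    for kind, obj, detail in audit(INVENTORY, CLUSTER_MGMT_VLAN):
        print(f"{kind:9s} {obj:10s} {detail}")
```

Feed it the real export from the management system and the output is the list of placements that need a risk assessment before anything else; cluster-D in the sample is what a clean answer looks like.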

App Store offers secure surfing tool for iPhone and iPod Touch

April 9th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Apple iPhone and iPod Touch users can download a free secure web browsing tool from the firm’s online App Store. The Trend Smart Surfing application was developed by security firm Trend Micro to protect Apple mobile devices from malware on the web.

The application uses Trend Micro’s web reputation technology to prevent iPhone and iPod Touch users from visiting sites that may contain malware. Legitimate websites are typically used by hackers to infect visitors’ computers with Trojans designed to steal personal information.

Code hidden in legitimate websites emerged as the weapon of choice in 2008 for cyber-criminals to pass on malware to unsuspecting users. The technology underlying the Smart Surfing tool enables it to link to the results of daily scans of more than five billion URL, e-mail and file queries.

Social Networking Identity Theft Scams

April 9th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Clever: I’m going to tell you exactly how someone can trick you into thinking they’re your friend. Now, before you send me hate mail for revealing this deep, dark secret, let me assure you that the scammers, crooks, predators, stalkers and identity thieves are already aware of this trick. It works only because the public is not aware of it….

Report: Cybercriminals Hacked US Electrical Grid

April 9th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
WSJ report says cyberspies from China, Russia and elsewhere have gained access to the U.S. electrical grid and have installed malware tools designed to shut down service.

Add to digg
Add to StumbleUpon
Add to Twitter
Add to Slashdot

Inside the GhostNet – Symantec video shows off the tool behind the espionage

April 9th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

Researchers from Symantec have created a video that offers a rare look into the mechanics of an application used by criminals. Symantec looked at a rather famous application, the gh0st RAT Trojan, which is responsible for the creation of the GhostNet.

Inside a Zeus Crimeware Developer’s To-Do List

April 9th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

Every now and then I get asked a similar question in regard to crimeware kits – which is the latest version of a particular crimeware/web malware exploitation kit?

The short answer is – I don’t know. And I don’t know not because I’m a victim of an outdated situational awareness, but due to the fact that nowadays third-party developers are so actively tweaking it that coming up with a version number would be inaccurate from my perspective. Therefore, whenever I provide such a version number, I try to emphasize and provide practical examples of how the current decentralization of coding from the core authors to third-party developers and, of course, scammers brand jacking the Zeus brand, is making the answer a little bit more complex than it may seem at the first place.

For instance, cybercriminals themselves have been capitalizing on this situation during the last two quarters, by speculating with the version numbers and offering backdoored copies of non-existent Zeus releases, in an attempt to hijack their Zeus botnets at a later stage — a practice that phishers have been taking advantage of for a while. Anyway, once I’m able to sort of cluster a particular third-party developer’s persistence in tweaking the Zeus crimeware kit, an interesting picture emerges. For instance, a team member from a third-party developer of backend systems for botnets that came up with the built-in MP3 player in a Zeus release, is also directly involved in developing the backend system and GUI for the Chimera botnet which the British Broadcasting Corporation purchased last month.

Let’s discuss the way the version number system in the Zeus crimeware works, before we take a peek at a recent CHANGELOG, and a future TO-DO list from one of the third-party developers. Zeus version a.b.c.d means that a change in A stands for a complete change in the bot, B stands for major changes that make previous bot versions incompatible, C stands for modifications and performance boosting, and D is a prophylactic change in order to avoid antivirus solutions from detecting it.
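The a.b.c.d scheme above is what an analyst tracking samples actually wants to act on: a bump in D is a repack to dodge antivirus and says nothing about the protocol, while a bump in A or B means the old bots will not talk to the new panel. The following is an added example (not code from the original post, and not anything shipped with the kit) that parses version strings under that scheme, classifies the difference between two of them, and clusters a list of sample versions by their a.b.c prefix so that AV-evasion repacks land in the same bucket. The version strings fed to it are constructed for illustration.

```python
# Added example: interpret Zeus-style a.b.c.d version numbers as described
# in the post. Nothing here is taken from the kit; the sample version strings
# are constructed for illustration.
from typing import Dict, List, NamedTuple, Optional, Tuple

Version = Tuple[int, int, int, int]

# Meaning of a change in each component, as the post describes the scheme.
COMPONENT_MEANING = {
    0: "A: complete change in the bot",
    1: "B: major change, previous bot versions incompatible",
    2: "C: modifications and performance boosting",
    3: "D: prophylactic change to avoid antivirus detection",
}


def parse_version(text: str) -> Version:
    """Parse 'a.b.c.d' into a 4-tuple of ints; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an a.b.c.d version string: {text!r}")
    a, b, c, d = (int(p) for p in parts)
    return (a, b, c, d)


class VersionDelta(NamedTuple):
    level: Optional[int]   # index (0..3) of the first differing component, None if equal
    meaning: str           # what that kind of change implies under the scheme
    direction: str         # "newer", "older" or "same" relative to the old version


def classify_change(old: str, new: str) -> VersionDelta:
    """Describe what moving from `old` to `new` means under the a.b.c.d scheme."""
    o, n = parse_version(old), parse_version(new)
    if o == n:
        return VersionDelta(None, "no change", "same")
    level = next(i for i in range(4) if o[i] != n[i])
    direction = "newer" if n > o else "older"
    return VersionDelta(level, COMPONENT_MEANING[level], direction)


def bots_stay_compatible(old: str, new: str) -> bool:
    """Only changes in A or B break compatibility between bot and server."""
    delta = classify_change(old, new)
    return delta.level is None or delta.level >= 2


def cluster_by_functionality(versions: List[str]) -> Dict[Tuple[int, int, int], List[int]]:
    """Group sample versions by a.b.c, collecting the D values seen in each group.

    Samples that differ only in D are the same bot repacked against AV, so for
    tracking purposes they belong together.
    """
    clusters: Dict[Tuple[int, int, int], List[int]] = {}
    for v in versions:
        a, b, c, d = parse_version(v)
        clusters.setdefault((a, b, c), [])
        if d not in clusters[(a, b, c)]:
            clusters[(a, b, c)].append(d)
    for ds in clusters.values():
        ds.sort()
    return clusters


if __name__ == "__main__":
    # Constructed sample versions, not observed data.
    seen = ["1.2.4.2", "1.2.4.5", "1.2.4.3", "1.3.0.0"]
    for grp, ds in cluster_by_functionality(seen).items():
        print(".".join(map(str, grp)), "-> D values", ds)
    print(classify_change("1.2.4.2", "1.2.4.5"))
    print("compatible:", bots_stay_compatible("1.2.4.2", "1.3.0.0"))
```

`cluster_by_functionality` deliberately discards D, because two samples that differ only there are the same code with a different packer and should not be counted as separate "releases" when attributing work to a third-party developer.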

The Q&A applied in Zeus can be easily seen by taking a peek at some of the changes that took place in December 2008:

Change 10.12.2008
- Documentation will no longer be available in a CHM format, instead in a plain-text format
- The bot is now able to receive commands not only by using the send command function, but also during requests for files and log changes
- Local data requests to the server and the configuration file can be encrypted with an RC4 key depending on your choice
- In order to decrease the load on the server, a fully updated bot-to-server and server-to-bot communication protocol is introduced

Change 20.12.2008
- Small error fixed when sending reports
- The size of the report cannot exceed 550 characters
- Error fixed in the bot due to low timeout for sending POST requests resulting in dropping requests for log files bigger than 1 MB

Change 2.03.2009
- Changed the default cryptor routines
- Updated process of building the bot
- Optimized compression of the binary
- Rewritten the process of assembling the configuration file
- Changed the MySQL tables
- Fixed fonts in the panel due to bogus displaying of characters
- Updated Geolocation database
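The 10.12.2008 entry's "encrypted with an RC4 key depending on your choice" is worth pausing on, because it is the kind of feature that helps the operator less than it sounds. RC4 is a stream cipher: with a fixed key and no per-message nonce, every configuration file and every request is XORed with the same keystream, so an analyst who recovers one plaintext/ciphertext pair (for instance the config extracted from a sample next to its encrypted download) gets the keystream and can decrypt anything else the same key protected. The block below is an added example, not code from the post or from the kit; it is a textbook RC4 alongside that known-plaintext recovery. The post does not describe how the kit derives or stores its key or lays out its config, so the key and the two config bodies here are constructed stand-ins.

```python
# Added example: plain RC4 plus the keystream-reuse problem a static key
# creates. Generic RC4, not the kit's own implementation; key and configs
# below are constructed for illustration.
from typing import Iterator


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Yield RC4 keystream bytes for `key` (KSA followed by PRGA)."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):                         # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                                  # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the operation is symmetric) `data` under `key`."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def recover_keystream(known_plain: bytes, known_cipher: bytes) -> bytes:
    """Known-plaintext attack: plaintext XOR ciphertext gives the keystream."""
    return bytes(p ^ c for p, c in zip(known_plain, known_cipher))


def decrypt_with_reused_keystream(keystream: bytes, cipher: bytes) -> bytes:
    """Strip a reused keystream from a second ciphertext (as far as it reaches)."""
    n = min(len(keystream), len(cipher))
    return bytes(keystream[i] ^ cipher[i] for i in range(n))


# Constructed stand-ins; the kit's real key handling and config layout are
# not described on the page.
BOTNET_KEY = b"hypothetical-botnet-key"
CONFIG_V1 = (b"url_config=http://example.invalid/cfg.bin\n"
             b"url_loader=http://example.invalid/bot.exe\n")
CONFIG_V2 = (b"url_config=http://example.invalid/cfg2.bin\n"
             b"url_loader=http://example.invalid/upd.exe\n")


def demo_static_key_reuse() -> bytes:
    """Recover the keystream from one known config and read a second one."""
    c1 = rc4_crypt(BOTNET_KEY, CONFIG_V1)
    assert rc4_crypt(BOTNET_KEY, c1) == CONFIG_V1        # round trip
    c2 = rc4_crypt(BOTNET_KEY, CONFIG_V2)                # same key, no nonce
    ks = recover_keystream(CONFIG_V1, c1)                # analyst has v1 in the clear
    return decrypt_with_reused_keystream(ks, c2)         # reads v2 without the key


if __name__ == "__main__":
    print(demo_static_key_reuse().decode())
```

The recovery works for as many bytes as the known plaintext is long; a longer known config exposes more of the keystream. Changing the key per botnet, as the "depending on your choice" wording suggests, does not help once one sample from that botnet has been unpacked, because the key ships inside the bot.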

The following “To-Do” list is pretty similar to another one which I discussed last year (A Botnet Master’s To-Do List). What’s to come in the Zeus crimeware kit, at least courtesy of a sampled third-party developer? The following features have been in the works for several months now:

- Compatibility with Windows Vista and Windows 7
- Improved WinAPI hooking
- Random generation of configuration files to avoid generic detection
- Console-based builder
- Version supporting x86 processors
- Full IPv6 support
- Detailed statistics on antivirus software and firewalls installed on the infected machines

The Zeus crimeware is not going away from the radar anytime soon, and the main reason for that is not the fact that its exclusive features outperform the ones in the Limbo crimeware and the Adrenalin crimeware, but due to the fact that Zeus has a much bigger fan base, and well established third-party community around it.

Image courtesy of Abuse.ch’s Zeus Tracker — the one that got DDoS-ed in February due to its apparent usefulness.

Related posts:
Crimeware in the Middle – Limbo
Crimeware in the Middle – Adrenalin
Crimeware in the Middle – Zeus
76Service – Cybercrime as a Service Going Mainstream
Zeus Crimeware as a Service Going Mainstream
Modified Zeus Crimeware Kit Gets a Performance Boost
Modified Zeus Crimeware Kit Comes With Built-in MP3 Player
Zeus Crimeware Kit Gets a Carding Layout
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw

Friendly ‘Death Star’ Laser to Recreate Sun’s Power

April 8th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

The newly completed National Ignition Facility (NIF) has begun harnessing lasers to create a fusion reaction rivaling the power of a miniature sun. The lasers will eventually focus their power on compressing and heating a single, pea-sized fuel capsule to more than 180 million degrees Fahrenheit in order to trigger thermonuclear fusion.