[SecurityRatty] tag: holidays

Online Newbies need a online safety class.

Thu, 17 Apr 2008 12:58:36 +0000

Stumbled across this article and I like this guy!
Great tips, read em twice.

School Holidays & Spyware!

Here’s a few tips to try to prevent costly repair work -
1. Tell the kids to stop and think (or ask you) before clicking on any warning message or offer to fix their ’security or spyware problems’. The only genuine warning messages that you will get are from your own installed antivirus or antispyware programs.

Security talk on the radio

Sun, 20 Jan 2008 16:12:00 +0000

I took my security tips and news to the airwaves yesterday morning when I was a guest on the Travel'n-On radio show on Clear Channel.

My good friends Ian and Tonya Fitzpatrick are the hosts of the Saturday morning radio show, Travel'n-On. Being the consummate travelers they are, Ian and Tonya are always looking out for those who are considering going away on holidays or business. They asked me to share some thoughts on security for travelers wishing to protect themselves when away from home.

One of the first things to keep in mind when leaving your home for any period, is to safeguard it from unwanted intruders. Try to hide the fact that you are not at home. Make arrangements with a friend to collect your mail or ask the Post Office to hold it for a period until your return. The same thing goes for paper delivery. Nothing signals to a thief that you are away, quicker than an overflowing mailbox or a week's worth of newspapers laying in the driveway.

Depending where in the world you are headed, you may not want to overly advertise where you are from. There is of course a big difference between going to a beach in Cancun and a business trip to Caracas. If you are visiting a city or country where you may possibly be a target for terrorists or organized criminals, you should think twice about wearing baseball caps and sweat shirts that may signal the country from which you come.

When traveling in more dangerous areas, try and blend in as much as possible. At all times, be highly aware of your surroundings and do not let your guard down. If you can afford to bring your own security with you, then obviously they will be concentrating on your physical security which will allow you to go about your business with less distractions.

Both the State Department ( Office of American Citizens Services and Crisis Management) and the CIA compile and make available information for would-be travelers. Information ranges from arriving at the airport to being taken hostage. Thankfully, the latter does not happen often to casual travelers but it is good to be aware of the possibility, especially in these dangerous times.

Dutch company sells media player -- with a worm

Sun, 06 Jan 2008 21:00:00 +0000

A batch of digital media players sold by a Dutch importer over the holidays appear to have been infected with a nasty stocking stuffer -- a worm.

2008 - The Year of IT Risk Management?

Fri, 04 Jan 2008 10:23:00 +0000

I've been busy over the holidays enjoying everyones blogs and articles recapping 2007 and making predictions for 2008. Among other things highlighted in those articles, a common point pertains to Securityworks around "true" IT Risk Management (what I mean by "true" is the message is coming from companies who didn't adjust their marketing to be en vogue - e.g., SIEM products or Vulnerability Assessment products).

Before IT Risk Management was "cool" Securityworks has been out their working away on it (for over 4 years now).

One of my favorites that highlights this prediction for 2008 is over at Rational Survivability.

-snip-

Compliance stops being a dirty word & Risk Management moves beyond buzzword
Today we typically see the role of information security described as blocking and tackling; focused on managing threats and vulnerabilities balanced against the need to be "compliant" to some arbitrary set of internal and external policies. In many people's assessment then, compliance equals security. This is an inaccurate and unfortunate misunderstanding.

In 2008, we'll see many of the functions of security -- administrative, policy and operational -- become much more visible and transparent to the business and we'll see a renewed effort placed on compliance within the scope of managing risk because the former is actually a by-product of a well-executed risk management strategy.

We have compliance as an industry today because we manage technology threats and vulnerabilities and don't manage risk. Compliance is actually nothing more than a way of forcing transparency and plugging a gap between the two. For most, it's the best they've got.

What's traditionally preventing the transition from threat/vulnerability management to risk management is the principal focus on technology with a lack of a good risk assessment framework and thus a lack of understanding of business impact.

The availability of mature risk assessment frameworks (OCTAVE, FAIR, etc.) combined with the maturity of IT and governance frameworks (CoBIT, ITIL) and the readiness of the business and IT/Security cultures to accept risk management as a language and actionset with which they need to be conversant will yield huge benefits this year.

-snip-

Well said (but then again I'm biased)!

The New Media Malware Gang - Part Two

Fri, 28 Dec 2007 15:17:45 +0000

How you would you go for ruining the Xmas holidays of a malware gang directly related to the RBN, Storm Worm, Possiblity Media's malware attack, and the malware embedded at the Syrian Embassy's web site, the way they've ruined the holidays for lots of security folks out there? You disclose all of their publicly known and currently active "online properties", submit them to Stopbadware, then see how they reply with a "Die();" message on one of their IPs (85.255.116.206), which is instantly confirming the positive ROI of your actions. The New Media Malware gang currently operates the following domains/IPs :

flashupdate.net/images/index.php
taktomi.ru/NewYear/ad
l0calh0st.jino-net.ru/tds3
jkh-novgorod.ru/wstat/adpack/
natural-amber.com/spl2/index.php
s0s1.net/mp3/index.php
trffc.org/in.cgi?default
home-xxx.com/shaven/index.shtml
85.255.116.206/ax2/load.php
testers.x5x.ru/subpage/index.php
traffurl.ru/sliv/?91956802f6fabf
88.255.94.250/ddd/index.php
91.192.105.6/images
r52.juhost.ru/ip/index.php
orentraff.cn/tdsslam/index.php?out=1193100109
xll-g.com/beaty/13389babe/cumoninn.com.html
xmaturelife.com/0419/kim5.html
e-learningcenter.ru/eng/index_files/input000.htm
apnea.health-hack.com/old/index.php
milk0soft.com/ipck/index.php
85.255.116.206/ax3/loadj947.php
85.255.116.206/ax2/tet.php
85.255.116.206/ax3/tet.php
spl.vip-ddos.org
spl.vip-ddos.org/index.php

Now go migrate your "infrastructure" on the 31st of December. Happy holidays to you too!

Storm-Bot stripshow analysis

Sun, 23 Dec 2007 19:06:00 +0000

Merry Christmas from the RBN. Now on a PC near you, a stripshow from Santa's helpers. Or not.
The ISC reported the expected Storm surge Christmas eve at 0000 GMT.
hxxp://merrychristmas.com/stripshow.exe (modified to protect the innocent) yields a hash of 2BBA62FBC3B9AF85C3C7D64A82E1237C. Once executed it immediately copies itself as disnisa.exe to C:\WINDOWS and adds a startup registry key for the same.

Current AV detection includes:
Kaspersky stripshow.exe - Email-Worm.Win32.Zhelatin.pd.
eTrust-Vet - Win32/Sintun.AT
Microsoft - Trojan:Win32/Tibs.gen!ldr
Symantec - Trojan.Peacomm.D

After a quick time check to Microsoft's time server, this variant switches immediately to very noisy P2P on a variety of ports. In addition to the ISC-recommended HTTP and email blocks for outbound to merrychristmasdude.com, you have to consider if you really need outbound UDP traffic above 1024. I'm a firm believer in deny all and make exceptions only via legitimate business case. If you can achieve such lockdown, even though your hosts may suffer infection, they won't be communicating with their friends and neighbors.
From API analysis we see a few interesting tidbits:

w32tm /config /update
403014 Copy(c:\malware\stripshow.exe->C:\WINDOWS\disnisa.exe)
77e6bc59 WriteFile(h=7a0)
403038 RegOpenKeyExA (HKCU\Software\Microsoft\Windows\CurrentVersion\Run)
40305f RegSetValueExA (disnisa)
402ba0 WinExec(w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov,100)
77e7d0b7 WaitForSingleObject(788,64)
402ba8 WinExec(w32tm /config /update,100)
40309b CreateProcessA(C:\WINDOWS\disnisa.exe,(null),0,(null))
4030df WinExec(netsh firewall set allowedprogram "C:\WINDOWS\disnisa.exe" enable,100)
71ab52c6 LoadLibraryA(C:\WINDOWS\system32\mswsock.dll)=71a50000
71a5716a LoadLibraryA(C:\WINDOWS\system32\mswsock.dll)=71a50000
71aa14eb GlobalAlloc()
40da1b bind(8c, port=26790)
77e7ac53 CreateRemoteThread(h=ffffffff, start=404b05)
40da1b bind(b8, port=7018)
40d9c7 listen(h=b8 )
40a262 WaitForSingleObject(d4,2710)

Nice, do a little time sync, allow ourselves through the firewall, then bind, listen, and wait.
First, add another registry entry,

0cd2d RegCreateKeyExA (HKLM\Software\Microsoft\Windows\ITStorage\Finders,)

then start connecting:

71a54cee LoadLibraryA(C:\WINDOWS\system32\mswsock.dll)=71a50000
77e7ac53 CreateRemoteThread(h=ffffffff, start=71a519c4)
40d9f1 connect( 193.33.146.178:24714 )
40d9f1 connect( 74.60.173.98:3887 )
40d9f1 connect( 58.74.135.13:30843 )
40d9f1 connect( 222.119.113.135:22295 )
40d9f1 connect( 71.234.220.147:20232 )
40d9f1 connect( 76.84.231.43:14172 )
40d9f1 connect( 124.5.147.194:16544 )
40d9f1 connect( 58.8.236.130:13224 )
40d9f1 connect( 190.79.151.75:2952 )
40d9f1 connect( 58.8.122.191:29646 )

Once this little bugger hits the network, expect flood-like traffic.
My infected sandbox victim exhausted my 1.5mb DSL connection instantly, in part from a ton of inbound responses from peers being logged at my firewall:

SRC=78.166.75.60 DST=192.168.0.3 LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=59178 PROTO=UDP SPT=24045 DPT=26790 LEN=33
SRC=78.166.75.60 DST=192.168.0.3 LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=60978 PROTO=UDP SPT=24045 DPT=26790 LEN=33
SRC=78.166.75.60 DST=192.168.0.3 LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=4987 PROTO=UDP SPT=24045 DPT=26790 LEN=33
SRC=78.166.75.60 DST=192.168.0.3 LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=6619 PROTO=UDP SPT=24045 DPT=26790 LEN=33
SRC=78.166.75.60 DST=192.168.0.3 LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=13762 PROTO=UDP SPT=24045 DPT=26790 LEN=33
SRC=78.166.75.60 DST=192.168.0.3 LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=18384 PROTO=UDP SPT=24045 DPT=26790 LEN=33
SRC=78.166.75.60 DST=192.168.0.3 LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=19891 PROTO=UDP SPT=24045 DPT=26790 LEN=33

At last, the peer list referred to by the ISC, written to C:\WINDOWS (many more entries not included):

[config]
[local]
uport=20142
[peers]
00003D6C8F338A3FDD3DF3648666F55C=0CCE03EE2BD100
0100A634122F3553A046EC451061927C=0CCEEF9C5BF700
02007E238D780D25FD5511285E2E596E=0CD9D73081A500
03001E62DC533E7AF6161729A953891B=180BB9671B4800
0400EB5EC13599373A3D544A2D6AF94F=180FAC024F7300
05004710B3440F5D2117CE555A62D04A=1810D0AE22DA00
06001471521206296D099433C93EC427=1813911C2E6100
07002D6D5B0FE3019C56B1290A564E59=1820B08043D700
0800A2417153943DC23C6C5C817C4159=18257B254F2600

There's nothing new or exciting here: SPAM component, headless P2P, seasonal social engineering, fast flux, and other pervasively annoying attributes.
User awareness, as always, is your strongest defense.
Cheers and happy holidays, except for you RBN a$$h0735.

Happy Holidays from Silver Bullet

Fri, 21 Dec 2007 14:07:55 +0000

Get the Flash Player to see this player.

Speaking of Security Podcast #43

Sun, 17 Dec 2006 21:00:00 +0000

Click here to listen/download (10:58).

To close out our first year of the podcast, we take a look at how people can break into the information security industry. We speak with two established experts and investigate the various avenues people can take to get into this business as well as learn what skills one would need to be successful.

Please note that the Podcast Team will take a break for the holidays. Expect a new episode for the week of January 8, 2007. Happy New Year!

Related Links:

Kevin Fu, University of Massachusetts Amherst
National Science Foundation (NSF)
Institute of Electrical and Electronics Engineers (IEEE)