[SecurityRatty] tag: independence

The Real Migration Problem

Tue, 09 Sep 2008 05:38:33 +0000

Preview of Tom Friedman's thinking for his new book - Hot, Flat and Crowded. Killer quote (emphasis added):

FP: And what about drilling? Republican presidential candidate Sen. John McCain, his running mate Gov. Sarah Palin, and President George W. Bush are implying that lifting environmental restrictions on drilling is the way to promote energy independence.

TF: Well, I think it’s patent nonsense. No one believes that somehow offshore, there’s enough oil in any near term and even the long term to provide us oil independence. It’s the wrong approach because in a world that’s hot, flat, and crowded, fossil fuels—and particularly crude oil—are going to be expensive and exhausting. Therefore the focus should be on the next great global industry: clean energy technology. When I hear McCain pounding the table for “drill, drill, drill,” it reminds me of someone pounding the table for IBM Selectric typewriters on the eve of the IT revolution.

I’m not against offshore drilling, by the way, because I believe the technology and the safety has improved far beyond where it was back in the 70s, 80s, and 90s, even. What I’m against is making it the centerpiece of our energy policy. If all McCain said was, “Let’s drill, but let’s also throw everything into innovating the next generation of clean-energy technologies,” I’d say, “You’ve got it exactly right, pal.”

Its funny because as someone who has done a half dozen legacy migration projects (with mental and emotional scars to prove it), I was thinking the same thing. The entrenched mindset. "If we just dig our trench deeper (in this case literally) then we will be ok."...at least until the person in question retires...

One of the legacy migration project I worked on, I was the third consultant that tried to get this company off of mainframe and onto distributed systems (which are no panacea but this company really did need to make the move). The core developers of the mainframe were actively hostile to change, as opposed to simply passive aggressive, which we expect. For example, if you asked about how a piece of functionality worked, say a report writer, the developer would not answer, stand up, walk out of the room, come back with a 800 page "data model", slam it on the table and walk out of the room. Good times.

A chief objection beyond fear of the unknown was the perceived lack of elegance in the distributed systems as opposed to the control from say JCL. Anyway, what progress I made was due to analogizing that we were leaving Greece which has a rich culture, history, philosophy and moving to Rome which maybe was not as elegant as Greece but still people like circuses, roads and acqueducts. So when, several times a day, a perceived go/ no go issue arose, I would gently remind the developers that "we are now in Rome and things work differently here."

Intransigently digging the trench deeper is not the way, instead we need to better understanding the energy problem in a larger context, and finding deployable technologies to help address it. If you think drill, drill, drill is the answer, then I think the answer for you is the same as someone who knows COBOL and flat refuses to learn modern languages even when that is required - a nice retirement house on a golf course somewhere.

Summarizing Zero Day's Posts for July

Fri, 08 Aug 2008 10:35:52 +0000

Different audience provokes different approach for communicating a particular event. In case you aren't reading ZDNet's Zero Day, where I blog next to Ryan Naraine and Nathan McFeters - join us.

Also, consider subscribing yourself to my personal RSS feed, or Zero Day's main feed in order to read all the posts. Here's a quick summary of my posts for last month :

01. Blizzard introducing two-factor authentication for WoW gamers
02. Sony PlayStation's site SQL injected, redirecting to rogue security software
03. 300 Lithuanian sites hacked by Russian hackers
04. Antivirus vendor introducing virtual keyboard for secure Ebanking
05. Gmail, Yahoo and Hotmail's CAPTCHA broken by spammers
06. Storm Worm's Independence Day campaign
07. Approximately 800 vulnerabilities discovered in antivirus products
08. $1 Million prize offered for cracking an encryption algorithm
09. U.K's most spammed person receives 44,000 spam emails daily
10. Storm Worm says the U.S have invaded Iran
11. Gmail, PayPal and Ebay embrace DomainKeys to fight phishing emails
12. Verizon, Telecom Italia, and Brasil Telecom top the botnet charts in Q2 of 2008
13. XSS worm at Justin.tv infects 2,525 profiles
14. Remote code execution through Intel CPU bugs
15. Ringleader of cybercrime group to be offered a job as cybercrime fighter
16. Spam coming from free email providers increasing
17. Kaspersky's Malaysian site hacked by Turkish hacker
18. Georgia President's web site under DDoS attack from Russian hackers
19. 75% of online banking sites found vulnerable to security design flaws
20. McAfee debunks recent vulnerabilities in AV software research, n.runs restates its position
21. Click fraud in 2nd quarter of 2008 more sophisticated, botnets to blame
22. How OpenDNS, PowerDNS and MaraDNS remained unaffected by the DNS cache poisoning vulnerability
23. DNS cache poisoning attacks exploited in the wild
24. The Neosploit cybercrime group abandons its web malware exploitation kit
25. OS fingerprinting Apple's iPhone 2.0 software - a "trivial joke"
26. HD Moore pwned with his own DNS exploit, vulnerable AT&T DNS servers to blame

Fort Lewis soldiers exposed by laptop theft

Fri, 11 Jul 2008 09:44:02 +0000

Technorati Tag: Security Breach

Date Reported:
7/9/08 (UPDATED 7/11/08 - Laptop with information about soldier found; Lacey teen arrested)

Organization:
United States Army

Contractor/Consultant/Branch:
Fort Lewis*

*The principal Fort Lewis maneuver units are the 1st Brigade, 25th Infantry Division and the 3d Brigade, 2nd Infantry Division. It is also home to the 593d Corps Support Group, the 555th Engineer Group, the 1st MP Brigade (Provisional), the I Corps NCO Academy, Headquarters, Fourth ROTC Region, the 1st Personnel Support Group, 1st Special Forces Group (Airborne), 2d Battalion (Ranger), 75th Infantry, and Headquarters, 5th Army (West). Fort Lewis has more than 25,000 soldiers and civilian workers, source: About Fort Lewis

Victims:
Soldiers

Number Affected:
~800 - 900

Types of Data:
"personal information"

Breach Description:
"A laptop computer that was reported stolen from an Army employee’s truck last week contained personal information on about 800 to 900 Fort Lewis soldiers, said military and Lacey police officials."

Reference URL:
KING Channel 5 News
Tacoma News

Report Credit:
Elisa Hahn, KING Channel 5 News

Response:
From the online sources cited above:

A laptop computer that was reported stolen from an Army employee’s truck last week contained personal information on about 800 to 900 Fort Lewis soldiers, said military and Lacey police officials.

In this case, an Army employee told Lacey police he left the laptop and a 500-gigabyte removable hard drive on the seat of his Dodge truck, parked unlocked in front of his house overnight July 3
[Evan] Storing personal information on removable devices such as laptops, external hard drives and flash drives without encryption, strike one. Moving the mobile device outside of a controlled area is strike two. Leaving the mobile device overnight in an unlocked vehicle in plain sight of passers-by is an emphatic strike three.

He reported them stolen about 10 a.m. on July 4.
[Evan] A soldier's personal information stolen on the day our country celebrates our independence is insulting.

A post spokeswoman said officials were notifying the involved soldiers out of concern that the case might put them at risk for identity theft.

the Army began no later than Wednesday notifying the affected soldiers through e-mail and phone calls. They’ll get follow-up letters.

Officials said the employee, a civilian military personnel specialist, appears to have violated Army standards and policies for protecting personal information and government property.

Army laptops and removable storage devices containing personal information are generally restricted to on-post workplaces but can be signed out with a supervisor’s permission.

They’re also supposed to be password-protected and personal information is supposed to be encrypted

The Army is assisting Lacey police with the theft investigation and conducting its own review, said Catherine Caruso, a Fort Lewis spokeswoman.

"We’re not releasing anything more about what information was inappropriately compromised or about the soldiers whose information was involved," Caruso said.

"Clearly it was personal information regarding 800 to 900 soldiers from Fort Lewis. Beyond that, we’d rather not specify."

there was no classified, secret or top-secret information on the laptop and the hard drive.

Caruso said the employee was working on a project regarding a particular unit at a location other than his office.

She said "it would be inappropriate to speculate" about what potential disciplinary action the worker might face if he is found to have broken security rules.
[Evan] It is probably inappropriate to speculate, but you know we will anyway. My guess is that there is another person looking for a job in the Olympia, Washington area.

Since the theft, post officials have set new training requirements for military personnel staff and prepared a memo for each employee to sign outlining the safeguarding and reporting requirements

Commentary:
When someone's poor judgment creates unnecessary risk to military personnel it carries a little more weight for me. These men and women give everything to protect us. Without them I wouldn't be able to write this, and without them you wouldn't be able to read it.

Past Breaches:
United States Army:
June, 2008 - Walter Reed Army Medical Center breach through P2P
April, 2008 - Excel Spreadsheet on the web exposes Army officers and civilians

Storm Botnet Celebrates The Independence Day With New Wave Of Malware Spam

Fri, 04 Jul 2008 12:39:45 +0000

The group behind the Storm Botnet has always been conscious of timing and this time a new malware spam wave had started, dedicated to Independence day of course. This spam wave directs the user to click on a link that encourages the intended victim to download an infected fireworks.exe file. The Storm botnet launched the latest [...]

Kiva Update

Tue, 17 Jun 2008 05:21:07 +0000

About a year ago, we signed up for Kiva, which is a microlender. One of our first loans went to Sith Saron, who lives in Siem Reap Province in Cambodia. She needed a $1,000 for a cow, seeds, and a motorcycle for her farm.

Sith Saron is 37 years old and the mother of 7 children. She sells Khmer traditional cakes such as Num Korm, Num Bot, and Num Krouk to the people in her community and usually earns up to $4 each day. Her husband, meanwhile, works in his rice paddy growing crops as well as several kinds of vegetables. Two of her children are employed at a hotel, but the others are students.

The loan had a 18 month pay back date, and just a couple of weeks ago (about 10 months after taking out the loan), she paid the loan in full

Kiva is focused on serving the working poor

Kiva's mission is to connect people through lending for the sake of alleviating poverty.
Kiva is the world's first person-to-person micro-lending website, empowering individuals to lend directly to unique entrepreneurs in the developing world. The people you see on Kiva's site are real individuals in need of funding - not marketing material.
When you browse entrepreneurs' profiles on the site, choose someone to lend to, and then make a loan, you are helping a real person make great strides towards economic independence and improve life for themselves, their family, and their community. Throughout the course of the loan (usually 6-12 months), you can receive email journal updates and track repayments. Then, when you get your loan money back, you can relend to someone else in need.

I really like the last pay it forward part, so the lender can elect to take the money out of Kiva's system or loan it out again, in effect the last business is putting capital back into the system to help the next entrepreneur. Additionally, big props to Paypal which supports Kiva by acting as a transaction processor and waiving fees. What's all this mean? As Tom Barnett says:

everyone who wants to make a difference should just go ahead and get their own foreign policy and stop waiting on change from above.

I added the bold, because the bottom up tools that Kiva, Paypal and the Web give us are really unique, and really powerful to enable through microloans - entrepreuners who we may never meet in countries we may never go to be successful.

Crimeware in the Middle - Zeus

Thu, 24 Apr 2008 00:37:46 +0000

Virtual greed, or response rate optimization? The idea of converging phishing emails with embedded exploits and banking malware is nothing new, in fact phishers realizing that combining attack approaches can increase the chance of achieving their objective which in this case is either logging the authentication process or hijacking it, often forget that the phishing email could have succeeded without the embedded malware or exploit, which in many cases would have triggered an alarm.

Yesterday, Uriel Maimon posted an overview of the convergence of Rock Phish emails with Zeus, a crimeware kit used to deliver banking trojans :

"The Trojan that was used in this attack belonged to the "Zeus" family of malware. Zeus is a nefarious type of Trojan for multiple reasons:

1. The Zeus Trojan is a kit for sale: Anyone in the criminal community can purchase it for roughly $700. This means that the Rock group did not need to develop new skill-sets to write Trojan horses; they just purchased it on the open market. In the past 6 months RSA's Anti-Fraud Command Center has detected more than 150 different uses of the Zeus kit, each one infecting on average roughly 4,000 different computers a day.

2. Resistance to detection: The kit purchased is a binary generator. Each use creates a new binary file, and these files are radically different from each other -- making them notoriously difficult for anti-virus or security software to detect. To date very few variants have had effective anti-virus signatures against them and each use of the kit usually makes existing signatures ineffective. Just like in most cases, this particular use of the Zeus kit did not have any anti-virus detection (with the popular engines we tested) at the time of this writing.

3. Rich feature set: the Zeus Trojan has many startling capabilities. In addition to listening in on the submission of forms in the browser, the Trojan also has advanced capabilities, for instance the ability to take screenshots of a victim's machine, or control it remotely, or add additional pages to a website and monitor it, or steal passwords that have been stored by popular programs (remember when you clicked on the "Remember this password?" checkbox?)... And the features-list goes on. As I look upon this blissful union of fraud and crime technologies, I can only envy the criminals who can find such coupling. Looking forward to my next birthday, I can only hope that I will have the opportunity to find such partnership in my own life (and maybe give my mother one less reason for disappointment)."

We cannot talk about Zeus unless we compare it to another such crimeware kit serving banking trojans, in this the Metaphisher kit. Metaphisher is particularly interested because of its much more customized GUI, it's modular nature, allowing its sellers to lower or increase the price depending on which modules you'd like included, and which ones you'd like excluded, where a module means a preconfigured fakes, TANs, and phishing pages for all the banks in a country of choice. Moreover, despite that both, Zeus and Metaphisher are open source, and therefore malicious parties visionary enough to build communities around their kits in order to enjoy the innovation brought by multiple parties, Metaphisher has a bigger community next to Zeus, considered as the MPack in the web malware exploitations kits, namely a bit of an outdated commodity that is of course still capable of doing what does best - hijacking E-banking sessions and logging them to the level of impersonation.

How are the authors of Zeus describing the kit themselves? Here's a description :

"ZeuS has the following main features and properties (full list is given here, in your part of assembling this list may not):

Bot: - Written in VC + + 8.0, without the use of RTL, etc., on pure WinAPI, this is achieved at the expense of small size (10-25 Kb, depends on the assembly).

- There has its own process, through this can not be detected in the process list.
- Workaround most firewall (including the popular Outpost Firewall versions 3, 4, but suschetvuet temporary small problem with antishpionom). Not a guarantee unimpeded reception incoming connections.
- Difficult to detect finder / analysis, bot sets the victim and creates a file, the system files and arbitrary size.
- Works in limited accounts Windows (work in the guest account is not currently supported).
- Nevid ekvaristiki for antivirus, Bot body is encrypted.
- Some way creates a suspected its presence, if you do not want it. Here is the view of the fact that many authors do love spyware: unloading firewall, antivirus, the ban on their renewal, blocking Ctrl + Alt + Del, etc.
- Locking Windows Firewall (the feature is required only for the smooth reception incoming connections).
- All your settings / logs / team keeps bot / Takes / sends encrypted on HTTP (S) protocol. (ie, in text form data will see only you, everything else bot <-> server will look like garbage).
- Detecting NAT through verification of their IP through your preferred site.
- A separate configuration file that allows itself to protect against loss in cases of inaccessibility botneta main server. Plus additional (reserve) configuration files, to which the bot will apply, will not be available when the main configuration file. This system ensures the survival of your botneta in 90% of cases.
- Ability to work with any browsers / programs work through wininet.dll (Internet Explorer, AOL, Maxton, etc.):
- Intercepting POST-data + interception hitting (including inserted data from the clipboard).
- Transparent URL-redirection (at feyk sites, etc.) c task redirect the simplest terms (for example: only when GET or POST request, in the presence or absence of certain data in POST-request).
- Transparent HTTP (S) substitution content (Web inzhekt, which allows a substitute for not only HTML pages, but also any other type of data). Substitution of sets with the help of guidance masks substitute.
- Obtaining the required contents page, with the exception HTML-tags. Based on Web inzhekte.
- Customizable TAN-grabber for any country.
- Obtaining a list of questions and answers in the bank "Bank Of America" after successful authentication.
- Removing POST-needed data on the right URL.
- Ideal Virtual Keylogger solution: After a call to the requested URL, a screenshot happening in the area, where was clicking.
- Receiving certificates from the repository "MY" (certificates marked "No exports" are not exported correctly) and its clearance. Following is any imported certificate will be saved on the server.
- Intercepting ID / password protocols POP3 and FTP in the independence of the port and its record in the log only with a successful authorise.
- Changing the local DNS, removal / appendix records in the file% system32% \ drivers \ etc \ hosts, ie comparison specified domain with the IP for WinSocket.
- Keeps contents Protected Storage at first start the computer.
- Removes S ookies from the cache when Internet Explorer first run on a computer.
- Search on the logical disk files by mask or download a specific file.
- Recorded just visited the page at first start the computer. Useful when installing through sployty, if you buy a download service from the suspect, you can see that even loaded in parallel.
- Getting screenshot with the victim's computer in real time, the computer must be located outside the NAT.
- Admission commands from the server and sending reports back on the successful implementation. (There are currently launching a local / remote file an immediate update the configuration file, the destruction OS).
- Socks4-server.
- HTTP (S) PROXY-server.
- Bot Upgrading to the latest version (URL new version set in the configuration file)."

What's most important to keep in mind in regarding to these crimeware kits, is that the sellers are shifting from product-centered to service-centered propositions, and while an year ago they would have been selling the kit only, today they've realized that it's the output of the kit in terms of logged stolen accounting data that they're selling. Committing identity theft and abusing stolen E-banking accounting data is already a service, compared to the product it used to be.

Related posts:
Targeted Spamming of Bankers Malware
Localized Bankers Malware Campaign
Client Application for Secure E-banking?
Defeating Virtual Keyboards
PayPal's Security Key
Nuclear Grabber Kit
Apophis Kit

The DDoS Attack Against CNN.com

Tue, 22 Apr 2008 15:30:53 +0000

The DDoS attack against CNN.com, whether successful or not in terms of the perspective of complete knock-out, which didn't happen, is a perfect and perhaps the most recent example of a full scale people's information warfare in action. Utilizing the bandwidth of the over 200 million nationalism minded Chinese Internet users, can greatly outpace any botnet's capacity if coordinated, or though the use of automated DIY tools, like the ones we've seen released for the purpose of attacking CNN.com

CNN.com was indeed inacessible for a period of three hours according to NetCraft, and literally any web site performance monitoring too with a historical perspective for a host can prove the same :

"The CNN News website has twice been affected since an earlier distributed denial of service attack last Thursday. CNN fixed Thursday's attack by limiting the number of users who could access the site from specific geographical areas. Subsequently, an attack was purportedly organised to start on Saturday 19th April, but cancelled. However, our performance monitoring graph shows CNN's website suffered downtime within a 3 hour period on Sunday morning, followed by other anomalous activity on Monday morning, where response times were greatly inflated. Netcraft is continuing to monitor the CNN News website. Live uptime graphs can be viewed here."

Unrestricted warfare is all about bypassing the most fortified engagement points, and achieving asymmetric dominance by excelling where there are no engagement points, in order for the attacker to enjoy the pioneer advantage. Now that CNN.com was indeed slowed down to a situation where it was unnacessible, what remains to be answered is how was CNN.com DDoS? Throught a botnet, or through the collective bandwidth of virtually recruited Chinese citizens? Despite that the common wisdom in terms of botnets used speaks for itself, this is China hacktivism and therefore common wisdom does not apply in an unrestricted warfare situation, and best of all data speaks for itself.

- Through the use of DIY DDoS Tools

Besides anticnn.exe which I assessed in a previous post, there's also the Supper DDoS tool that as it appears was also getting actively recommended for participating in the attack, courtsy of a Chinese script kiddies group. Some basic info :

Scanners Result: 3/32 (9.38%)
DDoS.Win32.Sdattack.A; DDoS.Trojan
File size: 1510643 bytes
MD5...: ed25e7188e5aa17f6b35496a267be557
SHA1..: 71138f0c0556dde789854398c3c7cde29352662b

For instance, Estonia's DDoS attacks were a combination of botnets and DIY attack tools released in the wild, whereas the attacks on CNN.com were primarily the effect of people's information warfare, a situation where people would on purposely infect themselves with malware released on behalf of Chinese hacktivists to automatically utilize their Internet bandwidth for the purpose of a coordinated attack against a particular site.

- Collectively building bandwidth capacity and mobilizing novice cyber warriors

What if a simple script that is automatically refreshing CNN.com multiple times in several IFRAME windows, gets embedded at thousands of sites, and then promoted at hundreds of forums, with a single line stating that - "If you're a patriot, forward this to all your friends"? Now, what if this gets coordinate to happen at a particular moment in time? This is perhaps the most realistic scenario to what exactly happened with CNN.com, and data speaks for itself, in fact I can easily state that the bandwidth generated by this massive PSYOPs campaign is greater than the one used by a botnet that's also been DDoS-ing CNN.com. All of these sites are basically refreshing CNN.com every couple of seconds, thereby wasting the sites's bandwidth, the only flaw of this attack approach compared to a botnet, is that all the participating hosts are Chinese, and therefore as NetCraft pointed out, CNN blocked access to certain countries, take these countries as China for instance. If it were a botnet used, the diversity of the infected hosts would have required more efforts into dealing with the attack, then again from another perspective regular web traffic compared to network flood is sometimes harder to detect as a DDoS attack.

hackerhf.com/cnn.html
80aft.com/cnn.htm
tom765.cn/cnn.html
ah930.com/cnn.htm
0851qiche.cn/cnn.html
xdadmin.com/cnn.html
ah930.com/cnn.html
s234sdf3.cn.webz.datasir.com/cnn.asp
bbscar.com.cn/cnn
120abc.cn/cnn.html
hospltal.cn/cnn.html
bbs.cityzx.cn/cnn.htm
bestmf.cn/cnn.html
anlycloud.com/cnn/cnn
qibubbs.net/ddoscnn.htm
maje.cn/cnn.html
edu.sina.googlepages.com/FuckCNN.htm
urlonline.com.cn/kaocnn.html
lmpx.net/cnn.htm
ily88.com/cnn.html
zjipc.net/cnn
axlovechina.cn/
idernice.com/cnn.asp
conncn.com/cnn.html
xuanxuanmu.000webhost.com/cnn.html
jianw1.cn/cnn.htm
bjzs114.com/cnn.htm
0851qiche.cn/cnn.html
yaanren.net/cnn.html
todayol.cn/cnn.html
17bnb.com/cnn.htm
hackerhf.com/cnn.html
hnjdbbs.com/cnn.html
sql8.net/cnn
bh125.cn/cnn.html
razorcn.cn/cnn.html
93HR.com/cnn.html
tke08.com/cnn.htm
vipeee.com/cnn.htm

This is also the statement made for the recruiting purpose across the forums, including remarks against France's policy against China :

Anti-CNN Plans v4.19

"Revenge of the flame - we, as the publicity in the network of special groups, we notice as follows: We are still able to recall that the Sino-US hackers exciting war, and that war, what are the reasons? That have taken place in Indonesia because of the large-scale anti-Chinese, the majority of Chinese women were raped, killed, and we Chinese hackers predecessors such unbearable humiliation, and from the other side of the ocean in advance of the attack, losing their right to. " cn "for China's first website launched a large-scale attack, but at that time the Chinese network is not very developed, we use the most immature way to attack, but in any case, we all expressed their intention by everyone, although we on the network do not know each other, but we have a common motherland.

We know that the 2008 Olympic Games will be held in our beloved motherland, which is the dream of the people look forward to for a long time, and we in the passing of the torch in the process of being repeatedly obstructed because we all know that, as an act of Tibetan independence elements each of us Mission hearts have a personal anger. Then we briefly look at the practice of France: France is now the largest in the protection of Tibetan independence, advocates in support of France is in support of splitting China, French President Sarkozy, the country is now the world just for a dare to openly resist Beijing Olympic Games President, the Chinese go-vern-ment has just come to an end with the French Airbus as much as billions of dollars in trade contracts. France on bad faith.

Recently, the United States "cnn" Since, as we said a number of Chinese people can not accept things, is that we are willing to endure, willing to yield? We plan on taking the lead in the 2008.4.19 "cnn" Web site attacks, as a Chinese, please support us.

Plot:
1, first of all, all the conditions for full, I expect four days later, in the - on April 19, 2008, 8:00 p.m., at www.cnn.com against a DDOS attack! More than three hours on the CNN Web site with the assistance of attacks, How DOS attack CNN website? If you are patriotic, please forward!

iframe Id="cnn" width="100%" height="100">
script>
Var e = document.getElementById ( 'cnn');
SetInterval ( "e.src = 'http://www.cnn.com'", 3000);
/ / 1000 said that 1,000 ms, you can modify and transmit

You can also directly open qibubbs.net/ddoscnn.htm open on the trip, you do not affect anything. I have to, I have friends in all of it again, the strong support of friends, and their repercussions great, and to many people, have been transmitted in other friend, a classmate now has begun to link their Web sites the I believe that compatriots in China, in collaboration with CNN article seconds click rate in the second can at least 50 million times, if the 200 million Internet users click on, I believe CNN, will be suspended instantaneous, as our fellow countrymen will be more hackers the chance to win big, exciting good mood now, and looks forward to 8:00 after we are all fellow hackers smoothly, we will sincerely pray that China win. The great motherland is not to take advantage of the separatist elements, all anti-China reunification of the sophistry of speech are all in vain Revenge of the flame - we, as the publicity in the network of special groups, we notice as follows:

We are still able to recall that the Sino-US hackers exciting war, and that war, what are the reasons? That have taken place in Indonesia because of the large-scale anti-Chinese, the majority of Chinese women were raped, killed, and we Chinese hackers predecessors such unbearable humiliation, and from the other side of the ocean in advance of the attack, losing their right to. " cn "for China's first website launched a large-scale attack, but at that time the Chinese network is not very developed, we use the most immature way to attack, but in any case, we all expressed their intention by everyone, although we on the network do not know each other, but we have a common motherland. We know that the 2008 Olympic Games will be held in our beloved motherland, which is the dream of the people look forward to for a long time, and we in the passing of the torch in the process of being repeatedly obstructed because we all know that, as an act of Tibetan independence elements each of us Mission hearts have a personal anger. Then we briefly look at the practice of France: France is now the largest in the protection of Tibetan independence, advocates in support of France is in support of splitting China, French President Sarkozy, the country is now the world just for a dare to openly resist Beijing Olympic Games President, the Chinese go-vern-ment has just come to an end with the French Airbus as much as billions of dollars in trade contracts. "

This particular DDoS people's information warfare attack against CNN.com is also a great example of a psychological operations (PSYOPS) chain-letter. Given China's 3.0 state of social networking, messages forwarding people to sites that would automatically refresh their browsers with CNN.com were distributed at over 5000 web forums, with a bit of propanga taste enticing everyone to forward the message by telling them "If you're a patriot forward this attack link", so if you don't, it means you're not a patriot, another indication of China's understanding of the effectiveness of psychological operations (PSYOPS) online.

Chinese Hacktivists Waging People's Information Warfare Against CNN

Mon, 21 Apr 2008 22:25:00 +0000

Empowering and coordinating script kiddies by releasing DIY DDoS tools (backdoored as well) during the DDoS attacks against Estonia for instance, is exactly what is happening in the time of blogging with a massive forum and IM coordination between Chinese netizens enticed to install a pre-configured to flood CNN.com piece of malware. Both of these coordinated incidents greatly illustrate what people's information warfare, and the malicious culture of participation is all about. The PSYOPS anti-cnn.com initiative is maturing into a central coordination point for recruiting DDoS participants on a nationalism level. Some info on hackcnn.com, the malware, internal commentary on behalf of the hacktivists, and who's behind it :

hackcnn.com (58.49.59.253)
58.48.0.0-58.55.255.255 CHINANET-HB CHINANET Hubei province network China Telecom A12
Xin-Jie-Kou-Wai Street Beijing 100088,
China, Beijing 100000
tel: 101 1010000
fax: 101 1010000
china@hackcnn.com

Upon execution of the tool, 18 TCP Connection Attempts to cnn.com (64.236.91.24:80) start, trying to access the following file at CNN.com :

- Request: GET /aux/con/com1/../../[LAG]../.%./../../../../fakecnn/redflag-stay-here.php.aspx.asp.cfm.jsp
Response: 400 "Bad Request"

antiCnn.exe
Scanner results : 3% Scanner(1/36) found malware!
TROJAN.DOWNLOADER.GEN
File size: 174592 bytes
MD5...: c03abd4d871cd83fe00df38536f26422
SHA1..: 0502c74ee90e110ceed3cbb81b2ee53d26068691
Released by : Red Flag Cyber Operations nixrumor@gmail.com

From a network reconnaissance perspective, the Chinese hacktivists didn't even bother to take care of Apache's /server status, and therefore we're easily able
to obtain such juicy inside information about hackcnn.com such as :

Current Time: Tuesday, 22-Apr-2008 07:00:56
Restart Time: Monday, 21-Apr-2008 15:25:39
Parent Server Generation: 0
Server uptime: 15 hours 35 minutes 17 seconds
Total accesses: 291670 - Total Traffic: 533.8 MB
5.2 requests/sec - 9.7 kB/second - 1918 B/request
4 requests currently being processed, 246 idle workers

Internal commentary excerpts regarding the motivation and their updates on the first DDoS round :

"Our team of non-governmental organisations, We only private network enthusiasts. However, we have a patriotic heart, We will absolutely not permit any person to discredit our motherland under any name, We are committed to attack some spreading false information, and malicious slander, libel, support Tibet independence site."

"User to a black CNN website suffer the same name. Yesterday, some Internet users attacked the domain name contains a "cnn" sports Web site, leaving protest speech, but reporters did not check the site found a relationship with CNN. Yesterday's attack was the website with the domain name sports.si.cnn.com engaged in the work of the network of residents in Urumqi Mr. Chen, at about 2 pm, the attackers up a website hackcnn.com know, the "CNN sub-station" invasion and modify their pages. "Tug-of-war administrator and hackers," Mr. Chen said, after sports.si.cnn.com pages sometimes normal, and sometimes been modified. 16:50, the reporter saw on the pages left in bilingual text and flash animation, stressed that Tibet is a part of China, cnn protest against prejudice and false reports, the title page column was changed to "F * * kCNN!. " A few minutes later, the web site to enter a user ID and password before connecting, "evidently administrator of the authority." Chen analysis. Yesterday, the reporter tried to contact the attack, but received no response. Reporter verify that the contact address sports.si.cnn.com Pennsylvania in the United States, and the sports channel CNN web site is not the same, did not disclose information with the CNN."

DDoS-ing is one thing, defacing is entirely another, try sports.si.cnn.com/test.htm which was last defaced yesterday spreading "We are not against the western media, but against the lies and fabricated stories in the media", "We are not against the western people, but against the prejudice from the western society.!" messages.

According to forum postings however, now that they've sent a signal, the attitude is shifting from attacking CNN to Western media in general. Thankfully, just like the case with the Electronic Jihad program, they did not put a lot of efforts into ensuring the lifecycle of the tool will remain as long as possible, by introducing a way to automatically update the tool with new targets. In fact, in the Electronic Jihad case, the hardcoded update locations were all down priot to releasing the tool, making a bit more efforts cunsuming to finally manage to obtain the targets list.

Securing Virtual Environments Through Partnerships

Sun, 13 Apr 2008 12:06:19 +0000

I’m back from the RSA 2008 Security Show in San Francisco and it was another great year of business development activity for security vendors. It felt like there was a decent amount of end user customers at the show but a lot more vendors touting their wares and looking to do work with each other. I sat and listened to many vendors complain about this however and listened to them complain about how they spend money year after year for these shows and rarely get to talk to customers. It felt to them that they hear more from other vendors that come up to their booth asking about partnering or OEM’ing there technology. Well, this does get old pretty fast when you are looking to sell product to justify your existence but for me it was refreshing to talk with other companies about partnering. I had the opportunity to talk to customers also but it was really exciting for me to have partnership discussions.

Why? Well over at Montego Networks where we are focusing on securing a new type of network (one that’s virtual) we believe in security through partnerships. Securing virtual environments is like exploring new frontier or a planned venture to Mars. Research scientists, chemists, doctors, collective minds and in this case a unity of security vendors we feel is the best approach to getting ready for this venture to the new Virtual World.

Virtual Environments need to be studied jointly in order to understand the new security risks, performance impacts and how to effectively secure it. Montego Networks plans to do that and has announced its HyperVSecurity Alliance at RSA and has joined forces with Cyberoam, Lancope StillSecure and Plixer International in an effort to provide Anti-Malware, Network Access Control, Intrusion Prevention, Behavioral Analysis and Network Monitoring for the virtual environment.

See:

http://www.montegonetworks.com/node/54

http://www.eweek.com/c/a/Security/Partnerships-are-Key-in-Virtualization-Security/

By establishing this type of alliance research engineers and vendors will be able to journey to the new Virtual Datacenter with all of the needed components and insight on securing networks. At the epicenter of this alliance is a security frame work designed by Montego Networks that allows various technologies to plug in to the center of the virtual environment which is the switching infrastructure.

Through Montego Networks HyperSwitch, which has the ability see virtual network communication between systems (virtual desktops & servers), a frame work is created that allows for user defined policy that can send traffic off to various places. An example of this is via the HyperSwitches Policy Based Switching engine which allows a user to create a policy that dictates that all email traffic will be directed to an Anti-Virus Gateway or its NetFlow capability which exports flow information to a Behavioral Analysis Engine.

After these various systems do what they do with the data, they are also able to respond back to the frame work via an API called NSCP (Network Security Control Protocol) to instruct it to tack appropriate action. This could be an IDS system invoking a firewall policy or a Behavioral Analysis system telling the frame work to throttle back (slow down) a users traffic flow. The possibilities are limitless!

So, much like the frontier to the USA from England where we needed Doctors, Lawyers, Law Enforcement, Builders and Farmers, virtualization needs a coalition of security forces that can provide Anti-Virus, IPS, Firewall, Network Monitoring, Behavioral Analysis, etc. etc.

The goal is to all co-exist in the virtual environment vs. fight for the same piece of land. I think this makes sense because all is needed in the virtual world!

Stay tuned, as the alliance will get bigger and stronger and give customers choice and independence as they look to secure the virtual datacenter. Learn your ABC’s! Anything But Cisco, Let Freedom Ring!

Securing Virtual Environments Through Partnerships

Sun, 13 Apr 2008 12:06:19 +0000

I???m back from the RSA 2008 Security Show in San Francisco and it was another great year of business development activity for security vendors. It felt like there was a decent amount of end user customers at the show but a lot more vendors touting their wares and looking to do work with each other. I sat and listened to many vendors complain about this and listened to them complain about how they spend money year after year for these shows and rarely get to talk to customers. It felt to them that they hear more from other vendors that come up to their booth asking about partnering or OEM???ing their technology. Well, this does get old pretty fast when you are looking to sell product to justify your existence but for me it was refreshing to talk with other companies about partnering. I had the opportunity to talk to customers also but it was really exciting for me to have partnership discussions.

Why? Well over at Montego Networks where we are focusing on securing a new type of network (one that???s virtual) we believe in security through partnerships. Securing virtual environments is like exploring new frontier or a planned venture to Mars. Research scientists, chemists, doctors, collective minds and in this case a unity of security vendors we feel is the best approach to getting ready for this venture to the new Virtual World.

See:

http://www.montegonetworks.com/node/54

http://www.eweek.com/c/a/Security/Partnerships-are-Key-in-Virtualization-Security/

The goal is to all co-exist in the virtual environment vs. fight for the same piece of land. I think this makes sense because all is needed in the virtual world!

Stay tuned, as the alliance will get bigger and stronger and give customers choice and independence as they look to secure the virtual datacenter. Learn your ABC???s! Anything But 100% Cisco, Let Freedom Ring!