[SecurityRatty] tag: m-tech

An A to Z of confusion

Fri, 29 Aug 2008 01:16:28 +0000

A few days ago I blogged about my paper on email spam volumes — comparing “aardvarks” (email local parts [left of the @] beginning with “A”) with “zebras” (those starting with a “Z”).

I observed that provided one considered “real” aardvarks and zebras — addresses that received good email amongst the spam — then aardvarks got 35% spam and zebras a mere 20%.

This has been widely picked up, first in the Guardian, and later in many other papers as well (even in Danish). However, many of these articles have got hold of the wrong end of the stick. So besides mentioning A and Z, it looks as if I should have published this figure from the paper as well…

… the point being that the effect I am describing has little to do with Z being at the end of the alphabet, and A at the front, but seems to be connected to the relative rarity of zebras.

As you can see from the figure, marmosets and pelicans get around 42% spam (M and P being popular letters for people’s names) and quaggas 21% (there are very few Quentins, just as there are very few Zacks).

There are some outliers in the figure: for example “3″ relates to spammers failing to parse HTML properly and ending up with “3c” (a < character) at the start of names. However, it isn’t immediately apparent why “unicorns” get quite so much spam, it may just be a quirk of the way that I have assessed “realness”. Doubtless some future research will be able to explain this more fully.

The Stigma Enigma, Revisited

Wed, 27 Aug 2008 10:58:56 +0000

Recently my pal Bill Pytlovany (of WinPatrol fame) wrote an article on his blog asking "What's Wrong With Toolbars"?

I wrote something along similar lines way back in 2005, and it's vaguely depressing to see how little has apparently changed. I'm not going to quote myself, but rather compare and contrast Bills experiences (and those of his commentators) with the person who posted a comment to my entry, which I quote below in full:

"Unfortunately, the few 'honest' toolbars have indeed taken the wrath of users as a result of the spyware, parasite, adware and other creepy applications of an otherwise good technology.

What's interesting is that, as far as my own toolbar system goes, I've had offers from clients all over the world to develop different kinds of toolbars -- and without fail -- it is the US-based companies that seem most willing to cross the line and request applications that I simply refuse to develop.

We're talking about features like:

- Forced Install
- Hidden Install
- Report all URLs back
- Report all searches back
- Forcibly and hidden set home page
- Forcibly and hidden set default search engine
- Forcibly generate un-blockable pop-ups
- Install and run hidden executables
- Bypass all security and anti-virus tools
- The list goes on...

What's sad is that I'm able to generate the most powerful and incredibly useful toolbars imaginable. Ones that can save countless hours of time and effort. Ones that can be customized on a per-user basis to make the Internet and use of ones's own computer a pleasure.

However, there will always be people around who's sole motivation is the almighty dollar -- and who will do ANYTHING to get it.

These people don't care about you, your wants, your needs, your security or safety -- as long as they can line their pockets with your money, or by taking advantage of actions you perform (even one lousy click!).

They'll infect your machine, using whatever means necessary, and they won't stop -- EVER."

The "industry" has certainly cleaned up since then, but the insistence on wanting to cram a toolbar on every PC, ever, remains. I must admit to being kind of disturbed that none of these companies seemingly want to take "No" for an answer - instead of leaving alone, they keep coming back every month or so. Of course, given the potential for mass moneymaking that's on offer I can't say I'm entirely surprised...

Holy Media Codecs, Batman!

Wed, 27 Aug 2008 06:10:53 +0000

Batman is still in full swing at the box office - I'm sure me seeing it seven times probably didn't hurt - so with that in mind (and thoughts of the Zango / Dark Knight issue still rattling around my brain) I thought it would be fun to see exactly how quickly it can all go wrong when looking for Dark Knight material online.

The answer is: extremely quickly.

There's a lot of sites out there claiming to carry "full versions" of The Dark Knight, and although they don't offer Zango, they do offer fake media codecs (which usually do all sorts of horrible things to a computer). Let's pull one of these sites apart as an example of how the scam fits together.

Here's a typical site pushing what they claim to be The Dark Knight:

Click to Enlarge

Dijgg(dot)com, an obvious Digg.com knockoff apparently hosting a large streaming window - the movie quality will be awesome, won't it? Well, actually, no it won't.

In the middle of the video window is a popup:

Install the "codec", and this won't end well. The EXE comes from a site called Favoritetube(dot)com:

A quick check for the safety ratings of that website should be enough to tell you this is a scam. Indeed, there isn't even a movie being streamed here (despite it saying "Connecting" at the bottom of the movie player) - because if you right click on the player itself:

You can see the "player" is actually just a static image (because I'm given the option to "Copy Image Location"). The image is hosted at Favoritetube, just like the "codecs":

Click to Enlarge

There are quite a lot of these sites floating around out there at present:

Click to Enlarge

At this point, it's a given that I'm going to show you what happens if you install one of the files typically pushed from the above sites, right? Well, wait no longer - this....

...will deposit a rogue antispyware tool on your desktop (one of more more obnoxious ones that refuses to leave you alone):

Click to Enlarge

Strange and annoying icons will start to creep across your desktop:

....and you'll have more fake system alerts than you can shake a very large stick at:

This concludes my public safety announcement. I'm off to see Dark Knight again...

ASCII Art Spam

Wed, 27 Aug 2008 04:35:14 +0000

I recently had a chat with Stephen Shankland over at CNET regarding the weird and wacky world of ASCII Art Spam. It's been around for some time now, and every now and again there's a little surge (currently most of it seems to be coming out of Korea & China) before dying down again.

Of course, it has an element of visual appeal to it in some cases:

A bowl of spammy noodles, originally uploaded by pragmatic_pete.

They're pretty cool noodles, however you look at it. The biggest problem (for the spammers, anyway) continues to be the fact that, for the most part, the spam is largely unintelligble.

ASCII Art Spam, originally uploaded by schoschie.

.....wha? Sexy....grrmfs? Girls? Gorillas? Who knows. The problem with mangled text also extends (somewhat more crucially) to the URLs they happen to be pimping:

Spam, originally uploaded by cablejimmy.

They're not doing too badly there until they reach the web address, at which point it might as well say

www. absolutelynoideawhatthatsays .com

Of course, the last thing I'm suggesting is that I long for the day when the spammers get it right, but at least they can provide us with some cheap laughs regarding how hopeless their spam is in the meantime.

Doctoring Photographs without Photoshop

Wed, 27 Aug 2008 03:27:27 +0000

It's all about the captions:

...doctored photographs are the least of our worries. If you want to trick someone with a photograph, there are lots of easy ways to do it. You don't need Photoshop. You don't need sophisticated digital photo-manipulation. You don't need a computer. All you need to do is change the caption.
The photographs presented by Colin Powell at the United Nations in 2003 provide several examples. Photographs that were used to justify a war. And yet, the actual photographs are low-res, muddy aerial surveillance photographs of buildings and vehicles on the ground in Iraq. I'm not an aerial intelligence expert. I could be looking at anything. It is the labels, the captions, and the surrounding text that turn the images from one thing into another. Photographs presented by Colin Powell at the United Nations in 2003.

Powell was arguing that the Iraqis were doing something wrong, knew they were doing something wrong, and were trying to cover their tracks. Later, it was revealed that the captions were wrong. There was no evidence of chemical weapons and no evidence of concealment. Morris's mockery of the sweeping interpretations made in Powell's photographs.

There is a larger point. I don't know what these buildings were really used for. I don't know whether they were used for chemical weapons at one time, and then transformed into something relatively innocuous, in order to hide the reality of what was going on from weapons inspectors. But I do know that the yellow captions influence how we see the pictures. "Chemical Munitions Bunker" is different from "Empty Warehouse" which is different from "International House of Pancakes." The image remains the same but we see it differently.

Change the yellow labels, change the caption and you change the meaning of the photographs. You don't need Photoshop. That's the disturbing part. Captions do the heavy lifting as far as deception is concerned. The pictures merely provide the window-dressing. The unending series of errors engendered by falsely captioned photographs are rarely remarked on.

Links for 2008-08-26 [del.icio.us]

Tue, 26 Aug 2008 20:00:00 +0000

Layer 8
The Limits of Running IT Like a Business
If you've tried managing an internal IT department as a bona fide business you already know that you can't take that very far, for the obvious reason that your IT department isn't a business. It is, after all, a part of a business: a significant contributor to a value chain, not a self-contained value chain of its own.
TaoSecurity: The Limits of Running IT Like a Business
The Limits of Running IT Like a Business
What is Risk? « Risktical Ramblings
Networking data visualization not just for pointy-headed bosses
OnSaaS » Blog Archive » Challenges of Enterprise Cloud Computing
Regulatory compliance: Getting customers to look at the big picture — Channel Marker
Andy, ITGuy: I'm not an expert in all things security, but I am a thinker
Anton Chuvakin Blog - "Security Warrior": Anton Security Tip of the Day #16: Virtually There - Journey Into VMWare ESX Log Analysis

Returning from the hiatus...

Tue, 26 Aug 2008 16:15:37 +0000

Blue Box listeners,

Well, it's been a while. A long while. This summer turned out to be a bit crazier than Jonathan or I ever expected. The good news is that the renovation at my home is finally done and I've moved into my home office. The box of podcasting gear has come up from the basement. I'm not traveling for several weeks... so everything looks good to finally get the huge queue of back episodes out the door.

My goal this week is to get some of the older main shows out first followed by some of the excellent Special Editions that our volunteer production team has put together. If things work out the way I hope I should be getting you a show a day for the rest of the week. (We'll see.)

Thanks for your patience and continued interest in the show. We have very definitely not "podfaded"... and we'll be back with more shows and interviews in the weeks and months ahead! Thanks for continuing to listen.

Dan & Jonathan

Thoughts on Token Security

Tue, 26 Aug 2008 12:35:23 +0000

RSnake has a piece up on Token Security which raises some good points, but also misses some perspective. Firstly any article that makes a serious attempt at mitigating FUD is most welcome, especially in a space that is as overloaded as identity. That said, I think RSnake is taking too narrow of a view, specifically B2C, on federation and tokens. It is true that works on the web eventually filters into the enterprise, but it is also true that sometimes that things that start out as enterprise technologies later become cost effective on the web. So I would not assume that the current status quo on the web will hold. I don't think it will, the identity problems are too big and there is too much money at stake.

I encourage you to read his article, here are some of my thoughts

"consumers hate tokens."

Except that people use atm cards every day. Consumers will absolutely be inconvenienced, if there is some value created. The problem today is not the token, its the lack of a value proposition to the person you are inconveniencing.

"Everyone wants to be the single federation platform for everyone else."

This will never work. and that's a good thing. i think most companies already realize this though. I think the walled garden model has gone the way of the dodo.

"Federation will never work. It won’t work because the single most important consumer Web applications in the world are scared of it. Banks hate the concept because it becomes a weakest link in the chain problem."

Federation works quite well. have a look at google for one example. The reason banks hate federation is that their infosec people have a mainframe mindset, they are focused only on resource protection. the problem is they dont run mainframes on closed networks, they went and connected it to the web and so now they need to think about subject and claim security not just resource security. its not hatred its a lack of understanding stemming from a legacy mindset.

Linking up identity providers and relying parties into a federation has been a solved problem for quite some time.

"Tokens don’t actually solve most security problems, like man-in-the-middle, phishing, and keystroke-logging malware."

Rule 1. there are no silver bullets in security

Rule 2. dont forget rule 1

but...

...there is a rule 3

rule 3. just because a security mechanism doesnt solve all of our problems doesnt mean its worthless.

I see this with security consultants all the time, they playa hate on static analysis or some scanning tool where they can find hundreds of things the tool doesn't. Fair point except 99.9999% of IT can't and won't find them. Engineering is about solving one incremental problem at a time.

"Oh yes, and finally, consumers are going to have to carry around 13 of them just to make sure they can log into whatever they need to log into since no one will federate."

This misses the point of federation. i carry around one atm card its up to banks, Visa, Cirrus and so on to make sure i get my cash. the funny thing about banks not understanding federation is that they have the bet example right in front of their noses, the problem is its in a different department so they never see it.

"Global federation is nowhere near a solid concept in the consumer space, despite what the vendors will try to sell you."

rule 4. do your own due diligence

Tokens and federation are important building blocks for our digital future. I will leave you with a story that Robert Morris Sr. told at Defcon several years ago:

"This is a long term problem. If you work on it and make any progress against it, you'll find yourself much smarter at the far end, than you were at the near end.

When I was in Norway about 5 years ago, I was there very close to the summer solstice. I was wandering around town at 2 o'clock in the morning and there was plenty of light out. You come to a sign that says New Minsk about 60 km and it points south.

And I ask the lady "what country is this?"

She scratched her head for a bit, and said "well I think its Norway"

I said "well who plows the roads?"

"well Norway does, but he have to pay them."

There is a triple boundary in this town that I was in between Norway, Finland and Russia.

But what I did there, was, I had a card about wallet size, I stuck it into a machine, I punched in four digits, and it gave me about 2,000 krone, whatever the hell that is.

Now there are a lot of participants in that transaction. When I put a card into that machine, punch in a pin, and it gurgles for awhile, and finally gives me, a fairly large amount of money. There are a lot of participants in that transaction. The bank that owned the machine that gave me the money, it gave some money away -- that bank wants it back. The pin is necessary to convince my own bank that I'm me. But I don't want my pin to be broadcast all over the world. My bank in the us, it hasn't really given out or taken in any money, really. But there is a lot of credits involved here. Somebody needs to charge somebody else for having more money available. Even though there was actually no cash transfer.

And the problem that I have in mind is
- who are all the participants in an ATM transaction?
- what do those participants need to satisfy their problems?
- how is that in fact done?

In a general way, does the atm system actually work in some reasonable sense? To which the answer is by the way: yes. The atm system damn well works. With extremely high reliability and accuracy. It surprises me. Its quite a bit different than voting machines.

A Diverse Portfolio of Fake Security Software - Part Four

Mon, 25 Aug 2008 01:58:02 +0000

Thanks to the affiliate based business model that's driving the increase of fake security software and rogue codecs serving domains, the very same templates, but with different domain names, continue appearing in blackhat SEO, spam, and malicious doorways redirection campaigns.

Moreover, with the "time-to-market" of a fake security software decreasing due to the efficiency approach introduced in the form of tips for abuse-free hosting services provided by the "known suspects", and the freely available templates, we're slowly starting to see the upcoming peak of this approach.

In a true proactive spirit, the domains parked at 216.195.56.88 are all upcoming fake security software, to be introduced anytime soon.

fast-pc-scanner-online .com - (92.62.101.41; 91.203.92.48; 91.203.92.106; 58.65.238.171)
top-pc-scanner .com
buy-secure-protection .com
security-scan-pc .com
pc-scanner-online .com
viruses-scanonline .com
virus-scanonline .com
antivirus-scanonline .com
topvirusscan .com
virusbestscan .com
best-security-protection .com
infectionscanner .com
virusbestscanner .com
full-protection-now .com

Pwrantivirus .com - 91.208.0.246
vav-x-scanner .com
vav-scanner .com
scanner.vavscan .com
malware-scan .com
Scanner-Pwrantivirus .com
Xpertantivirus .com
Scanner-xpertantivirus .com

spyware-quickscan-2008 .com - (216.195.56.88)
virus-quickscan-2008 .com
spyware-quickscan-2009 .com
virus-quickscan-2009 .com
winmalwarecontrol .com
antispyware-quick-scan .com
virus-quick-scan .com
antivirus-quick-scan .com
winprivacytool .com

topantispyware2008 .com - (216.195.56.86)
cleanermaster .com - (216.195.56.85)
antivirus777 .com - (67.228.120.3)
pcsecuritynotice .com - (67.228.120.3)

Whereas the average Internet users are falling victims into this type of fraud, what I'm more concerned about is the large traffic the malicious domains receive in general due to all the different traffic acquisition tactics the people behind them apply. This anticipated traffic can then be greatly used as valuable metrics for the many other malicious ways in which it can be monetized.

Ironically, the participant in the affiliate program whose original objective was to drive traffic to the fake security software's site, may in fact start receiving so much traffic due to the combination of traffic acquisition tactics, that introducing client-side exploits courtesy of a third-party affiliate network, may in fact prove more profitable then the revenue sharing partnership with the rogue security software's vendor at the first place.

Related posts:
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Localized Fake Security Software
Diverse Portfolio of Fake Security Software
Got Your XPShield Up and Running?
Fake PestPatrol Security Software
RBN's Fake Security Software
Lazy Summer Days at UkrTeleGroup Ltd
Geolocating Malicious ISPs
The Malicious ISPs You Rarely See in Any Report

[OT rant] Are there any home WiFi routers that DON'T SUCK?

Fri, 22 Aug 2008 20:12:38 +0000

Warning: rant ahead, and names named.

When I'm not traveling, I like to work from home some days rather than endure the trek from Seattle to Redmond (although it's much better now that our own employee transit service has expanded into my neighborhood -- the existence of which is sad commentary on the availability and reliability of Seattle's public transit companies).

This means, of course, that I need fast and stable network connections. Comcast with their PowerBoost is working very well for me. But I just can't find a decent wireless router at all. My Lenovo T61p (with Intel 4965abgn adapter) just won't stay connected to my D-Link DIR-628 and IT'S DRIVING ME CRAZY! (Yes, I've tried various driver versions, from both Lenovo and Intel.)

My house is in an area with a lot of wireless activity -- sometimes I can see nine or ten SSIDs. I'm running draft N on 2.4GHz (which occupies two non-adjacent channels, currently 1 and 4), and I suspect the problem is collision interference. I could shift the router to 5.2GHz, which I probably would help, but then the rest of the computers in my house won't connect. Why, you ask? Well get this: the DIR-628 is part of D-Link's RangeBooster N family. So I stayed in the family and got two DWA-542 adapters for the desktop computers. Yet they only do 2.4GHz! Silly me, I assumed that being in the same family means full support of the router's capabilities.

I'm very tempted to replace my router again -- and I'm thinking that the best option is to get one with dual radios. That way I can move my T61p to 5.2GHz and replace the desktop adapters, while still having single-channel 802.11b/g on 2.4GHz for the Wii and my PlayStation Portable.

Now my request: tell me about your experience with home routers. What do you really like, and why? What should I buy?