[SecurityRatty] tag: panic

Seven classic PC symptoms

Mon, 24 Nov 2008 21:00:00 +0000

As a small-business person, you might bemoan the fact you don't have 24/7 IT support like your larger-scale competitors. Don't panic. You can solve many of the most common computer problems yourself. Here are some snafus you can tackle on your own, thanks to the advice of the support staff at several major hardware and software vendors:

Aspidistra

Mon, 10 Nov 2008 04:07:51 +0000

Aspidistra was a World War II man-in-the-middle attack. The vulnerability that made it possible was that German broadcast stations were mostly broadcasting the same content from a central source; but during air raids, transmitters in the target area were switched off to prevent them being used for radio direction-finding of the target.

The exploit involved the very powerful (500KW) Aspidistra transmitter, coupled to a directional antenna farm. With that power, they could make it sound like a local station in the target area.

With a staff of fake announcers, a fake German band, and recordings of recent speeches from high-ranking Nazis, they would smoothly switch from merely relaying the German network to emulating it with their own staff. They could then make modifications to news broadcasts, occasionally creating panic and confusion.

German transmitters were switched off during air raids, to prevent them from being used as navigational aids for bombers. But many were connected into a network and broadcast the same content. When a targeted transmitter switched off, Aspidistra began transmitting on their original frequency, initially retransmitting the German network broadcast as received from a still-active station. As a deception, false content and pro-Allied propaganda would be inserted into the broadcast. The first such "intrusion" was carried out on March 25, 1945, as shown in the operations order at the right.
On March 30, 1945, "Aspidistra" intruded into the Berlin and Hamburg frequencies warning that the Allies were trying to spread confusion by sending false telephone messages from occupied towns to unoccupied towns. On April 8, 1945, "Aspidistra" intruded into the Hamburg and Leipzig channels to warn of forged banknotes in circulation. On April 9, 1945, there were announcements encouraging people to evacuate to seven bomb-free zones in central and southern Germany. All these announcements were false.

The German radio network tried announcing "The enemy is broadcasting counterfeit instructions on our frequencies. Do not be misled by them. Here is an official announcement of the Reich authority." The Aspidistra station made similar announcements, to cause confusion and make the official messages ineffective.

Modelling The Global Financial Meltdown

Thu, 02 Oct 2008 02:33:20 +0000

Yesterday I received a call from Penny Grosman, Senior Editor, Wall Street & Technology. Penny was interested in my opinion, “Will risk management applications be the next killer app for CEP” on Wall Street. I enjoyed talking with Penny. She caught up with me leaving a tailor’s shop in Chiang Mai, so I hope she did not mind hearing my stories of buying unique Northern Thai cotton fabric and designing my own casual shirts in the economic turndown.

We read many stories on the net where folks claim that the current financial crisis could have been avoided with more or better use of technology. This is expected, as software companies and IT professionals will often try to piggy-backtheir business development strategy on the “crisis of the day” to sell more goods and services. Honestly, in this current situation, the main technology that we needed was simple, accurate financial models.

For example, in the chart above, the US economy was doing quite well with US federal funds rates low. Housing prices in the US were skyrocketing and there was a concern about inflation. There was an understandable concern the sustainability of that economy.

So, in perhaps one the most ill-advised Federal Reserve actions of many decades, the folks at the helm of the Fed decided to raise their lending rates around 500 percent over a two year period.

As we all know, primarily because of the action by the Fed, the world faces perhaps the worst economic disaster in modern times, while the US Executive Branch and the Congress fight over how to spend $700 Billion taxpayer dollars to inject liquidity into the markets to try to head off a global financial disaster.

It is amazing to me that the US Federal Government, or their advisors, does not have simple financial models with cause-and-effect analysis such as:

Homeowners with adjustable rate mortuages will not be able to make payments;and
Housing prices will fall dramatically; then
Homeowners will default on loans where the collateral is much less than the asset value, and
Banks will suffer great losses, and
Lending will come to a halt, then
Banks will collapse, then
Wall Street will exit the markets in panic
… and more trouble….. !!

There are and continue to be a lot of discussion and opinions about how risk management needs improvement. and I agree. We will also read folks talk about how technology can be used to help solve this problem, including CEP/EP and related software (see also Capital Market CEP Fantasy Land). However, as much I would be pleased to see more CEP/EP applications and use cases, I do not believe that event processing technology is really very useful to solve the core problem of the current financial crisis.

The core problem is, seemingly, that our “financial experts” do not even have simple models that will illustrate what will or could happen when you raise the fed lending rates 500 percent in two years in an economy pregnant with adjustable rate mortgages.

To me, this does not appear to be rocket science. The negligence by the US Federal Reserve and their advisors is astonishing.

Don't Panic

Fri, 29 Aug 2008 13:03:16 +0000

Sometimes it's easy to believe that every last thing online is going to eat into your PC, burn your house down, kill your cat and so on. The last few days I'd been hearing rumblings about some "Youtube rap video" and a file that would start hijacking your PC - well, thanks to a tipoff from a forum-goer at Spywarewarrior, I can hopefully put this one to rest.

In short, a video promoting a rap mix-tape supposedly took you to a file that "hijacked your PC with Spywarestop". In actual fact, there's no file to hijack you. Let's take a look - here's the Youtube page in question:

Click to Enlarge

As you can see, there's the mix-tape being advertised and a link to Mediafire, where the mix-tape is hosted. Click the Mediafire link, and all that happens is you'll see an advert for various antispyware tools - some of them on the Rogue Antispyware list, some of them not on the list but known to be of little worth to the end-user.

Click to Enlarge

In this particular case, it's an advert for Adware Alert. It's not hijacking you, or breaking things or making your browser fly around the screen, nor is it a "virus". It's just an (admittedly loud) advert. If you're running a browser compatible with Adblock Plus, all you'll see beneath the Mediafire logo is a blank space. Even if you're vaguely alarmed by the advert, all you have to do is click the "Continue to Mediafire.com" message at the top right of the screen (missing from the above screenshot as I cropped the image too small - whoops) and you'll be taken to the file you requested.

Like the title says - don't panic. This really isn't something to worry about too much. Even the most obnoxious rogue antispyware advert (the ones that do resize your browser, throw up endless popups and make annoying "Woop woop" noises) can usually be escaped by simply hitting CTRL+ALT+DEL and using Task Manage to close your browser session.

Myspace Drive By

Wed, 30 Jul 2008 14:58:50 +0000

Spotted in the wild (like they're spotted anywhere else!)

Apparently the following happened while someone tried to view a blog post:

Click to Enlarge

A fake "your system may be infected" popup. Note the site it launches from is one of the more aggressive types (it shrinks your browser down into the bottom corner, and won't let you do anything other than cycle in an endless loop of popups until you agree to download the file being pushed).

These kind of attacks occur because of rogue adverts being pushed into advertising space, which is likely what happened here. If you are unfortunate enough to be trapped by an attack like this, don't panic - just do a CTRL+ALT+DEL and close the browser window...

China Quake Hacker Caught

Thu, 19 Jun 2008 06:59:41 +0000

How stoopid did this guy have to be to think, “gee, I should put a fake earthquake warning up” and then follow through on it? How did he think it would be funny?

From Network World:

A 19-year old Chinese man is in police custody after allegedly hacking into a provincial seismological bureau’s Web site to place a false earthquake warning, Chinese state media reported Monday.

The teenager, identified only by his surname Chen, altered the Web site of the Guangxi Seismological Bureau to warn residents in southwestern China to prepare for an impending earthquake expected to measure 9.0 on the Richter scale, according to a report on China Central Television’s Web site.

Such a posting could have caused a panic. On May 12 an earthquake measuring 7.8 struck China’s Sichuan province, killing over 70,000 people and leaving millions homeless. Following the quake, many people have fallen prey to rumors that earthquakes can now be predicted in a manner similar to weather forecasts, although there was no warning of the Sichuan quake.

I mean seriously. 70,000 people perished in the actual earthquake a month ago.

What a dumbass.

Article Link

Cisco IPS Jumbo Frame DoS

Wed, 18 Jun 2008 17:22:45 +0000

For a networking company, that’s gotta hurt.

From Cisco:

Cisco Intrusion Prevention System (IPS) platforms that have gigabit network interfaces installed and are deployed in inline mode contain a denial of service vulnerability in the handling of jumbo Ethernet frames. This vulnerability may lead to a kernel panic that requires a power cycle to recover platform operation. Platforms deployed in promiscuous mode only or that do not contain gigabit network interfaces are not vulnerable.

Cisco has released free software updates that address this vulnerability. There is a workaround for this vulnerability.

Update or workaround? Which is it then? At the very least get your patch on.

Article Link

China quake fake in police custody

Tue, 17 Jun 2008 05:24:56 +0000

A 19-year-old computer intruder who broke into a provincial seismological bureau's Web site to place a false earthquake warning could have caused widespread panic in the rattled Sichuan region.

Pocono Mountain School District "irregularities"

Mon, 02 Jun 2008 08:36:33 +0000

Technorati Tag: Security Breach

Date Reported:
5/30/08

Organization:
Pocono Mountain School District

Contractor/Consultant/Branch:
None

Victims:
Students and parents

Number Affected:
Unknown*

*"SCHOOL DISTRICT ENROLLMENT (2007-2008) 11,500 students K-12 (Current as of Oct. 17, 2007)"

Types of Data:
"Student ID, network password, SSN if provided, ethnicity, gender, birthdate, grade, grade year, building no., building name, homeroom no., homeroom teacher, attendance code (if absent today), dietary allergies (for food services), bus assignment, free/reduced lunch status, home phone, primary home mailing address, secondary mailing address, parent names, parent phone numbers, emergency contact names, and emergency contact phone numbers"

Breach Description:
"An apparent cyber break-in of Pocono Mountain School District's computer system has put at potential risk personal information about students and parents, the district announced Friday.

District Superintendent Dwight Pfennig sent home letters on Friday afternoon telling parents about the apparent breach, which the district found out about the previous evening, according to Wendy Frable, director of public information."

Reference URL:
Pocono Mountain School District "Letter to Parents"
Pocono Record
The Morning Call

Report Credit:
Pocono Mountain School District

Response:
From the online sources cited above:

A hacker apparently broke into the computers at Pocono Mountain School District and may have tapped into confidential information concerning students and their parents, the district's superintendent said Friday.
[Evan] This statement is provided by Joe McDonald of The Morning Call. It is unclear if a "hacker" breached the system or if there was another cause for the "irregularities" reported at the school.

District Superintendent Dwight Pfennig sent home letters on Friday afternoon telling parents about the apparent breach, which the district found out about the previous evening, according to Wendy Frable, director of public information.
[Evan] This is a quick notification. I think it is possible to be too quick in notifying victims, almost like The Boy Who Cried Wolf. It seems as though the school has not gathered the facts required to make a proper notification. Judge for yourself.

Frable said the district's technical staff had noted some irregularities during a routine security check Thursday night. "They detected some activity that seemed a little unusual," she said.

The technical staff is checking to see to what extent any personal information — and to whom it may belong — had been compromised.

The district referred the matter to Pennsylvania State Police at Swiftwater for further investigation, Frable said.

The information that may have been compromised includes the following: Student ID, network password, SSN if provided, ethnicity, gender, birthdate, grade, grade year, building no., building name, homeroom no., homeroom teacher, attendance code (if absent today), dietary allergies (for food services), bus assignment, free/reduced lunch status, home phone, primary home mailing address, secondary mailing address, parent names, parent phone numbers, emergency contact names, and emergency contact phone numbers.

"We don't know if anything was accessed," she said, adding that the district will contact anyone whose data had been found to be compromised. Frable also said that very few records include children's Social Security numbers.
[Evan] A breach involving children's personal information is especially bothersome.

We have conducted an internal investigation and suggest you take the following preventative measures now to help prevent and detect any misuse of your or your child’s information.

"As a first step to protect yourself from the possibility of identity theft, we recommend you closely monitor any accounts that may contain any or some of this information," Pfennig wrote in his letter to parents.

If you see any unauthorized activity, promptly contact your service provider and or office of the Executive Director of Technology at (570) 873-7121 Ext. 10151.

"We're just trying to do what's right by everyone," Frable said. "There's no reason to panic anyone, but people should just be cautious."
[Evan] Understandable, but some people will panic anyway. This is why it’s a good idea to gather facts before notification.

Parents got the letters when their children returned at the end of the school day, and at least one parent felt the school was being rather nonchalant.

''It sounds to me like they're trying to downplay it,'' said Ralph Ortega, who lives in Jackson Township. ''It's incredibly vague.''
[Evan] I agree. I question whether this is because there aren't enough facts available yet, or whether the school is not being square with the victims.

Commentary:
This breach leaves us with more questions than answers. People will speculate where there is a lack of clarity. I hope students and parents get the answers to the questions that they should demand answers too.

Past Breaches:
Unknown

Oklahoma State University Parking Services server is compromised

Thu, 15 May 2008 11:08:54 +0000

Technorati Tag: Security Breach

Date Reported:
5/14/08

Organization:
Oklahoma State University ("OSU")

Contractor/Consultant/Branch:
OSU Parking & Transit Services

Victims:
OSU faculty, staff and students who had purchased a parking permit between July 2002 and March 2008

Number Affected:
as many as 70,000

Types of Data:
"names, addresses and Social Security numbers"

Breach Description:
"Oklahoma State University has discovered that a server under the control of OSU Parking and Transit Services had been accessed from another country without authorization. The database contained confidential information, specifically the names, addresses and Social Security numbers of OSU faculty, staff and students who had purchased a parking permit between July 2002 and March 2008."

Reference URL:
Oklahoma State University Alert
KOCO Channel 5 News
The Daily O'Collegian
The Oklahoman

Report Credit:
Oklahoma State University

Response:
From the online sources cited above:

STILLWATER, Okla. -- Personal information belonging to anybody who got a parking pass at Oklahoma State University over the last five years has been compromised, university officials said Wednesday.

Oklahoma State University has discovered that a server under the control of OSU Parking and Transit Services had been accessed from another country without authorization. The database contained confidential information, specifically the names, addresses and Social Security numbers of OSU faculty, staff and students who had purchased a parking permit between July 2002 and March 2008.
[Evan] What does the OSU Parking and Transit Services department need Social Security numbers for? Do you suppose information security personnel knew that sensitive personal information was stored on the server prior to this incident?

Upon discovering this intrusion, the IT Information Security Office immediately removed the server from the network to evaluate server activity to ascertain if personal information had been accessed.

The confidential information has been removed from the database.

The illegal access was limited to the parking and transit server.

As a result of its investigation, OSU believes the intruder's purpose and only action was to use the OSU server for storage capacity and bandwidth to upload and distribute illegal and inappropriate content.
[Evan] I wonder if I am getting this right. Was there a direct network path from the public Internet through a firewall to the compromised database server running http, ftp, or some other file transfer protocol? That's not cool. A database server storing confidential information should not be accessible from the internet directly through a firewall. It is generally a good practice to separate the database function from the file transfer function into different servers and different firewall DMZs. All this for parking? Ugh.

OSU contacted and worked with federal law enforcement authorities.

After evaluation of all available data related to this incident, OSU found no evidence which would indicate that the database was copied or viewed by the hacker; however, OSU cannot say with 100 percent certainty that the hacker did not access personally identifiable information.
[Evan] I wonder what evidence they looked for and how they went about gathering it.

We are not aware of any instances of misuse of this information or of any identify theft as a result of the temporary availability of this information.

OSU recommends you carefully review any bills or financial transactions you receive in the near future to ensure that the charges associated with your accounts are accurate.
[Evan] Yeah! Review your bills (pay them occasionally) and financial transactions carefully. But wait, you do this already? Disappointing statement coming from an organization that did not carefully review their controls in securing your personal information.

OSU President Burns Hargis said, "This breakdown in security is totally unacceptable. We are conducting a full review and will take whatever steps are necessary to protect our network from unauthorized access. This is a serious matter and we will deal with it aggressively. We regret the circumstances and concern this situation has caused."
[Evan] This is my favorite statement from this story! What do you suppose his stance was prior to being notified of the breach?

In my experience, there are primarily ("primarily" because there are always exceptions) four types of senior information security management. You have the organizations that just don't get it and don't really care or know that they don't get it. These organizations lose information over and over and dangerously continue to operate in a business as usual manner.

Secondly, you have the organizations that didn't get it, suffer some adverse event, then HOLY &$#^! They respond with all guns blazing and overspend on controls they don't need and run a very cost ineffective security program (I guess they really never got it either).

Thirdly, there is the company that didn't get it, suffered an adverse event and admitted they have a problem. These companies may seek guidance and consultation in the effort to build a comprehensive information security program. These programs should be built around business objectives and sound risk management.

Lastly, there are the companies that were proactive and built a sound information security program because it was good business. These organizations didn't need an adverse event or breach before taking action. These organizations don't panic when an adverse event occurs. They know that eventually an adverse event will occur and they will be prepared when it does.

The server is believed to have been compromised on November 23, 2007. OSU learned of the breech [sic] on March 20, 2008 and blocked access to the server immediately.
[Evan] Wow. The server was 0wn3d (like my 1337 5p34k?) for almost 4 months before anyone noticed?! That is way, way, way too long for a compromised server to go unnoticed. We can now assume that there was no effective IDS/IPS (host or network) and no effective logging and monitoring of the server.

The OSU Parking Department has altered their procedures for the collection of private information. Additionally, the server which was located at the OSU Parking Service's office will be relocated to the IT Data Center for enhanced security. OSU is conducting a full review and will be taking additional steps to protect our network from unauthorized access.
[Evan] It's a very good idea to not collect private information if it is not required. It's too bad that it took a breach for this to happen. Moving the server from the Parking Service's office to the IT Data Center will help protect against physical security attacks, but this was a logical attack. Maybe the IT Data Center has better firewalls or something . I like the "full review". This should be done no less than annually.

The IT Information Security Office has made security recommendations to the OSU Parking Office which include physical relocation of their server and database to a more secure location, additional training for server administrators, and added vulnerability assessments.

Q. How will I know if any of my personal information was used by someone else?
A. The best way to find out is to obtain your credit reports from the three major credit bureaus: Equifax, Experian and Trans Union. If you notice accounts on your credit report that you did not open or applications for credit ("inquiries") that you did not make, these could be indications that someone else is using your personal information, without your permission.
[Evan] "If you notice accounts on your credit report that you did not open or applications for credit ("inquiries") that you did not make", then chances are you have already become an identity-theft victim. I'm not saying whether this is likely, or not.

Q. Why did you have my personal information?
A. You provided this information to us when you applied to Oklahoma State University, or during your tenure as a student or employee here. Oklahoma State, like other institutions, maintains records of all employees and students who have attended the University.
[Evan] Great question! Why did you have my personal information (on a publicly accessible server used in a department that doesn't really need it without proper protections and without proper monitoring)?

Commentary:
This breach torques me a little, in case you didn't pick up on that from the comments above. I made plenty.

Past Breaches:
Unknown