<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: passive]]></title>
    <link>http://securityratty.com/tag/passive</link>
    <description></description>
    <pubDate>Tue, 03 Jun 2008 13:51:52 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Wee-Fi: iPhone Penetration, Hotspots Undercounted, Warballoon, Cincy Bus-Fi]]></title>
      <link>http://securityratty.com/article/e40f33339b59735e12dc94589ccb5479</link>
      <guid>http://securityratty.com/article/e40f33339b59735e12dc94589ccb5479</guid>
      <description><![CDATA[iPhone sleeper cell: Security researchers demonstrated the use of an iPhone with an external battery pack as a method of sniffing networks from a mailroom, to find information that a business might...]]></description>
      <content:encoded><![CDATA[<p><img src="http://wifinetnews.com/images/lock.jpg" align="right" border="0" hspace="5" /><a href="http://www.tgdaily.com/content/view/38814/108/"><strong>iPhone sleeper cell:</strong></a> Security researchers demonstrated the use of an iPhone with an external battery pack as a method of sniffing networks from a mailroom, to find information that a business might not feel that it has to secure in the heart of its operations. Errata Security performed distant penetration testing for a client in this way, and found most of their wireless networks unprotected. This is sort of absurd, and I'll be curious what Errata posts on their own site about this project--the scope sounds wrong in the reporting on their talk--because every firm of any scale has some kind of encryption on their internal networks. If they don't, you have concerns at a much higher level than penetration testing. </p>

<p><img src="http://wifinetnews.com/images/weefi.jpg" align="right" border="0" hspace="5" /><a href="http://www.pcworld.com/article/149620/2008/08/.html?tk=rss_news"><strong>Four chains, four Wi-Fi pay policies:</strong></a> CIO magazine looks at Borders, McDonald's, Panera, and Starbucks, and how they're offering Wi-Fi. I'd like to suggest you read this article, but the author writes, "Right now, according to <a href="http://www.hotspot-locations.com/"><strong>Hotspot Locations</strong></a>, there are more than 33,000 WLAN hotspots worldwide, and more than 10,000 in the United States alone." I don't know who "Hotspot Locations" is, and I need to disclose that I have a financial interest in what must be their competitor, JiWire, but any hotspot finder that calls them "WLAN Hotspots" and reports 11,712 in the U.S. and 33,106 worldwide just isn't working very hard. JiWire <a href="http://www.jiwire.com/search-hotspot-locations.htm"><strong>lists over 230,000 hotspots worldwide</strong></a>, and notes over 60,000 in the U.S., while <a href="http://boingo.com/what-is-boingo.php?btn_learn_more="><strong>Boingo</strong></a> and <a href="https://www.ipassconnect.com/main"><strong>iPass</strong></a> each resell access to over 100,000 hotspots worldwide.<br />
 <br />
<a href="http://www.networkworld.com/news/2008/081008-covert-operation-floats-network-sniffing.html?hpg1=bn"><strong>Up, up, and away in my beautiful, my beautiful warballoon:</strong></a> Defcon hackers deployed a balloon with Wi-Fi receivers on it 150 feet in the air to scan for network vulnerabilities in Las Vegas last week. They found 1/3rd of networks had no encryption--although I always wonder if they're using passive scanning where 802.1X allows a limited connection for authentication and appears "open" in some ways, or if they were actively scanning, in which case 802.1X networks would be unavailable.</p>

<p><a href="http://news.cincinnati.com/apps/pbcs.dll/article?AID=/20080809/NEWS01/808090335"><strong>Cincinnati Metro service has Wi-Fi on 20 buses:</strong></a> The free service, supplied by AT&T in an ads-for-access deal with the authority, was rolled out after a couple of years of testing on a relatively long commuter run. The authority spends $15,000 per bus to set up a connection, which seems rather pricey. Other authorities are paying in the low thousands, from what I've seen, so I'm not sure what their particular case is.</p>]]></content:encoded>
      <pubDate>Mon, 11 Aug 2008 05:49:01 +0000</pubDate>
      <category domain="http://securityratty.com/tag/wlan hotspots worldwide">wlan hotspots worldwide</category>
      <category domain="http://securityratty.com/tag/wlan hotspots">wlan hotspots</category>
      <category domain="http://securityratty.com/tag/hotspots worldwide">hotspots worldwide</category>
      <category domain="http://securityratty.com/tag/worldwide">worldwide</category>
      <category domain="http://securityratty.com/tag/iphone">iphone</category>
      <category domain="http://securityratty.com/tag/wireless networks">wireless networks</category>
      <category domain="http://securityratty.com/tag/networks">networks</category>
      <category domain="http://securityratty.com/tag/penetration">penetration</category>
      <category domain="http://securityratty.com/tag/internal networks">internal networks</category>
      <source url="http://wifinetnews.com/archives/008416.html">Wee-Fi: iPhone Penetration, Hotspots Undercounted, Warballoon, Cincy Bus-Fi</source>
    </item>
    <item>
      <title><![CDATA[Reporters Tossed Out of BlackHat for Hacking Other Press Reps]]></title>
      <link>http://securityratty.com/article/9247e7106cfa1fd62a6d8c951ca64e5c</link>
      <guid>http://securityratty.com/article/9247e7106cfa1fd62a6d8c951ca64e5c</guid>
      <description><![CDATA[Security folks seem to enjoy their jobs making a game of penetration tests, hacking, and in good natured fun, reminding each other when they're vulnerable online. So at the Black Hat conference this...]]></description>
      <content:encoded><![CDATA[<p>Security folks seem to enjoy their jobs &#8212; making a game of penetration tests, hacking, and in good natured fun, reminding each other when they&#8217;re vulnerable online. So at the Black Hat conference this week, wireless network users were warned that if they didn&#8217;t use an encrypted connection, their data, credentials and passwords would be projected on a wall for all to see.</p>
<p>The baaad folks who were listed on this &#8220;Wall of Sheep&#8221; consisted largely of security professionals who should know better, though many of them were using iPhones or other types of mobile devices instead of traditional laptops. Apparently, users were warned ahead of time that this could happen, and this type of passive hacking was done good-naturedly, as a lesson and a point of humor.</p>
<p>But the event turned a bit sour when some reporters set out to actively hack credentials and passwords from other well known press representatives (like eWeek and CNET), in order to post them on the Wall of Sheep, too. It&#8217;s a credit to the Black Hat organizers that they showed their commitment to security and confidentiality, and threw the reporter-hackers out of the conference for their &#8220;active&#8221; hack:</p>
<blockquote><p>With thousands of hackers milling around the Black Hat convention here, and widespread snooping on the public WiFi network, one place was supposed to be off limits: the press room.</p>
<p>But in a case of reporters spying on other reporters, three journalists working for the French publication Global Security Magazine were booted Thursday from the hackers&#8217; conference after they were allegedly caught hacking into the private computer network set up for the media.</p></blockquote>
<p>Read the <a rel="nofollow" target="_blank" href="http://www.washingtonpost.com/wp-dyn/content/article/2008/08/08/AR2008080800003.html">full article</a> here.</p>]]></content:encoded>
      <pubDate>Fri, 08 Aug 2008 09:02:31 +0000</pubDate>
      <category domain="http://securityratty.com/tag/reporters">reporters</category>
      <category domain="http://securityratty.com/tag/press">press</category>
      <category domain="http://securityratty.com/tag/conference">conference</category>
      <category domain="http://securityratty.com/tag/black hat conference">black hat conference</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/security professionals">security professionals</category>
      <category domain="http://securityratty.com/tag/credentials">credentials</category>
      <category domain="http://securityratty.com/tag/actively hack credentials">actively hack credentials</category>
      <category domain="http://securityratty.com/tag/reporters set">reporters set</category>
      <source url="http://feeds.feedburner.com/~r/itsecurity/~3/359746131/">Reporters Tossed Out of BlackHat for Hacking Other Press Reps</source>
    </item>
    <item>
      <title><![CDATA[Coding Spyware and Malware for Hire]]></title>
      <link>http://securityratty.com/article/1dbd4bddd9e4248009d0273ad7cae5dd</link>
      <guid>http://securityratty.com/article/1dbd4bddd9e4248009d0273ad7cae5dd</guid>
      <description><![CDATA[What type of antivirus evasion do you want today? For the past several years we have been watching customization spread through malware- and spyware-for-hire services. What used to be a...]]></description>
      <content:encoded><![CDATA[<div class="separator" style="text-align: left; clear: both;"><a href="http://bp2.blogger.com/_wICHhTiQmrA/SIWJkocpGwI/AAAAAAAAB8U/_v3hJOM2k_s/s1600-h/preview_random.jpg" imageanchor="1" style="border: 0pt none ; background-color: transparent; clear: left; margin-bottom: 1em; float: left; margin-right: 1em;"><img src="http://bp2.blogger.com/_wICHhTiQmrA/SIWJkocpGwI/AAAAAAAAB8U/15Yc8N_lG74/s200-R/preview_random.jpg" style="border: 0pt none ;" /></a></div>What type of antivirus evasion do you want today? For the past several years, we have been witnessing the emerging customerization applied in malware and spyware for hire services. What used to be a situation where the malware authors would code and then start promoting a piece of malware including features that he thinks his potential customers would want by generalizing a cybercriminal's needs, is today's "listening to the customer" win-win situation that they've reached already. <br />
<br />
The whole progression from a product concept to customization is in fact so prevalent these days that malware authors wanting to preserve their intellectual property forbid their customers from reverse engineering their malware modules, presumably fearing that <a href="http://ddanchev.blogspot.com/2008/06/zeus-crimeware-kit-vulnerable-to.html">remotely exploitable flaws like this one in Zeus, one of the most popular e-banking malware families of the last two years</a>, could be discovered thanks to the malware author's own insecure coding practices. Moreover, passing a single license on to more than three people will result in the malware author refusing any future business with the party that ruined the malware's exclusivity by leaking it to the public, something that has been happening and will continue to happen with web malware exploitation kits.<br />
<br />
What would be the price of a custom malware module coded on demand? How much does it cost to have a built in email harvester that would sniff all the incoming and outgoing email addresses from the infected host to later on include them in upcoming spam and malware campaigns? Would the malware author also provide a managed hosting service for the command and control and the actual binaries on a revenue sharing <br />
<br />
Here is an automatically translated, and fairly easy to understand, random proposition for coding spyware and malware for hire. It answers many of these questions and clearly demonstrates that today's malware is coded exactly the way the customer wants it: <br />
<br />
"<i>As you can see from its development history, it has turned into a proper all-in-one combine while barely growing in size: the full-size pack is only 18 kb and the minimum 5 kb. For everyone, I'll remind you again: everything described below can be built as a separate bot, or in any combination, with a few restrictions. This product is targeted at the mass user and will not be sold to just anyone. So, you can choose from:</i><br />
<br />
<i>The loader itself: able to load a file from the admin panel, by country and other characteristics, such as the number of "animals" on board a specific bot, a country or group of countries, the presence of certain AVs or a firewall, average time online, etc., etc. You can adjust the delivery speed and limits for each file, and load one file or several simultaneously<br />
300 €</i><br />
<br />
<i><b>FTP grabber (and not only)</b><br />
Analyzes user traffic and collects FTP accounts from it, regardless of which FTP client the user uses, so you get the most valuable FTP accounts (even those whose passwords aren't saved). In the same way it can also grab other accounts, and other tasty things besides)<br />
150 €<b>&nbsp;</b></i><br />
<br />
<i><b>Spam-base assembler</b><br />
Analyzes user traffic and collects every e-mail address from it, sniffing the HTTP, POP3 and SMTP protocols; keeps uniqueness records locally on each bot to reduce the load on the server, as well as globally on the server. Has 2 modes of operation: passive, which collects only from the user's own traffic, and active, which starts downloading the whole internet in search of e-mail addresses)<br />
220 €<br />
<br />
<b>Socks 4 / 5</b><br />
A normal SOCKS proxy with competently implemented multithreading; activated only if the user has a real IP, otherwise not. Also optional, depending on connection type and internet speed.<br />
70 €<br />
<br />
<b>Indicates</b><br />
The primitive method: infecting USB flash drives via autorun gives a 2-3% increase in the first week and up to 7% afterwards, a pleasant trifle)<br />
35 €<br />
<br />
<b>Scripts</b><br />
The loader supports an internal scripting language, JScript, for carrying out arbitrary actions on the victim machine: writing data to the registry, setting the home page, opening a URL in the browser (done so as to work with a 90% hit rate)), uploading arbitrary files to a server; in theory even form grabbing and injects in IE are possible, you just have to write the script (you'll get sick of it), in short, any actions your heart desires)<br />
70 € basic functionality<br />
<br />
<b>Password assembler</b><br />
Collects data such as passwords from IE Protected Storage, MSN, etc.; other password sources will be added on request<br />
70 €<br />
<br />
<b>Mini-AV</b><br />
When the loader is installed on the machine, removes BHO-type Trojans, Zeus-type ones, most of the junk from all the autoruns, kills most keyloggers; not all of them yet) send your suggestions for improvement<br />
70 €<br />
<br />
<b>Default file</b><br />
A URL (set in the admin panel) is compiled into the loader exe, pointing to a file that is loaded once and run at the loader's first start on the machine; this helps, for example, to load a Trojan onto the whole botnet without fiddling with tasks in the admin panel. The module runs 20 seconds after the mini-AV, which rules out the bot removing your Trojan; after loading this exe the bot continues its normal activity.<br />
35 €<br />
<br />
<b>Form grabber</b><br />
Still in beta; grabs from IE. Sends logs to the admin panel, sorted by country. The logs look like agent logs. It consists of:<br />
<br />
<b>Certificate grabber</b><br />
In principle part of the form grabber, but it could work on its own; actually there is nothing to describe)<br />
<br />
<b>Injections</b><br />
Competently done injects, which don't wait for the page to finish loading (as in most Trojans) but work immediately; JavaScript injection is supported, which allows automatic transfers and DC injects for data collection. For example, not letting the account be used at all until the required number of "Britain" has been entered, after which the inject stops working. In short, you can do anything in any form) rather than the meager request of a PIN field) There is also a subspecies of injects: substituting search engine results.<br />
<br />
<b>Balance grabber</b><br />
Grabs the account balances when the user logs into the account; the details are added to the logs.<br />
<br />
<b>Screen</b><br />
A universal method for grabbing information from absolutely any kind of virtual keyboard or screen, in particular HTML, Flash, in one picture, including drop-down fields after the choice is made, as well as information such as "enter the 3rd letter of the secret word", etc., and any information that is visible to the user but not seen in the logs. Screen settings are in the admin panel: set the URL where to take the screen and the type of screen: for a virtual keyboard (several small images of the area around each click) or for "enter the 3rd letter of the secret word" (takes 1 full shot). When a screen is taken, an entry with the file name of the screen is written to the log at that position.<br />
<br />
<b>Anti-abuse for the botnet</b><br />
An admin-panel feature that lets you keep the botnet on fast, normal, glitch-free, NON-bulletproof hosting, with features that make you forget what abuse reports, a week of no support from "bulletproof" hosting, the host being unreachable from half the internet, etc., etc. are. With this add-on you can also keep huge botnets (over SL) on 1 dedicated server with 512 of RAM) and save nicely on the hosting price: not $500 a month but 150. This feature can be used with third-party developments, Trojans, bots, etc.; actually it is a separate product. And by the way, if you don't understand the theory, don't ask "how does it work?"; imagine that it works, full stop, and in principle it's unkillable.<br />
600 € +<br />
&nbsp;</i><br />
<i>All prices are in euros, calculated at the Central Bank rate on the day of purchase. P.S. I will not disappear like most authors do after months of sales. I DON'T KNOW how many FTP accounts you'll get from the assembler, I DON'T KNOW how much mail the mail grabber collects, I DON'T KNOW what the loader's check-in rate is, I DON'T KNOW how many SOCKS you'll get per 1k loads, or how best to load a file so it doesn't die quickly; if my ignorance confuses you, then you don't need my loader, so don't try)<br />
<br />
Rules / Licence<br />
-- The customer has no right to transfer any part of the Trojan to third persons, except for options agreed with me<br />
-- The customer has no right to decompile, research, or maliciously modify any part of the Trojan<br />
-- The customer has no right to spread information about the Trojan anywhere or discuss it publicly, with the exception of entries about the Trojan.<br />
-- For violating the rules: denial of license, no refunds, and no further conversations</i>" <br />
<br />
This malware coder seems to be participating in an affiliate program with a malicious ISP that offers hosting for the entire campaign, not just the malware binaries, a rather good example of how incentives and revenue-sharing models produce value-added services: an all-in-one shop the customer can use without bothering to approach a third party.<br />
<br />
Cybercrime is getting even easier to outsource these days, and with the malicious parties improving their communication and incentive models, the resulting transparency in the underground market<br />
<br />
<b>Related posts:</b><br />
<a href="http://ddanchev.blogspot.com/2007/03/underground-economys-supply-of-goods.html">The Underground Economy's Supply of Goods and Services</a><br />
<a href="http://ddanchev.blogspot.com/2007/10/dynamics-of-malware-industry.html">The Dynamics of the Malware Industry - Proprietary Malware Tools</a><br />
<a href="http://ddanchev.blogspot.com/2008/06/using-market-forces-to-disrupt-botnets.html">Using Market Forces to Disrupt Botnets</a><br />
<a href="http://ddanchev.blogspot.com/2007/10/multiple-firewalls-bypassing.html">Multiple Firewalls Bypassing Verification on Demand</a><br />
<a href="http://ddanchev.blogspot.com/2007/10/managed-spamming-appliances-future-of.html">Managed Spamming Appliances - The Future of Spam</a><br />
<a href="http://ddanchev.blogspot.com/2008/02/localizing-cybercrime-cultural.html">Localizing Cybercrime - Cultural Diversity on Demand</a><br />
<a href="http://ddanchev.blogspot.com/2008/01/e-crime-and-socioeconomic-factors.html">E-crime and Socioeconomic Factors</a><br />
<a href="http://ddanchev.blogspot.com/2007/12/russias-fsb-vs-cybercrime.html">Russia's FSB vs Cybercrime</a><br />
<a href="http://ddanchev.blogspot.com/2007/08/malware-as-web-service.html">Malware as a Web Service</a><br />
<a href="http://ddanchev.blogspot.com/2007/09/localizing-open-source-malware.html">Localizing Open Source Malware</a><br />
<a href="http://ddanchev.blogspot.com/2008/04/quality-and-assurance-in-malware.html">Quality and Assurance in Malware Attacks</a><br />
<a href="http://ddanchev.blogspot.com/2006/09/benchmarking-and-optimising-malware.html">Benchmarking and Optimising Malware</a>]]></content:encoded>
      <pubDate>Mon, 21 Jul 2008 23:52:14 +0000</pubDate>
      <category domain="http://securityratty.com/tag/malware">malware</category>
      <category domain="http://securityratty.com/tag/malware author">malware author</category>
      <category domain="http://securityratty.com/tag/malware authors">malware authors</category>
      <category domain="http://securityratty.com/tag/malware binaries">malware binaries</category>
      <category domain="http://securityratty.com/tag/malware attacks">malware attacks</category>
      <category domain="http://securityratty.com/tag/ftp">ftp</category>
      <category domain="http://securityratty.com/tag/ftp user">ftp user</category>
      <category domain="http://securityratty.com/tag/collects">collects</category>
      <category domain="http://securityratty.com/tag/malware industry">malware industry</category>
      <source url="http://feeds.feedburner.com/~r/DanchoDanchevOnSecurityAndNewMedia/~3/342366718/coding-spyware-and-malware-for-hire.html">Coding Spyware and Malware for Hire</source>
    </item>
    <item>
      <title><![CDATA[Introducing Microsoft Code Name Zermatt]]></title>
      <link>http://securityratty.com/article/732b3e6ffabbf1bdf556615c13244f16</link>
      <guid>http://securityratty.com/article/732b3e6ffabbf1bdf556615c13244f16</guid>
      <description><![CDATA[For a couple of years now, I've been giving talks about &quot;claims-based identity&quot;, and &quot;claims-aware applications&quot;. The most concrete example of a claims-based identity architecture that I've been able...]]></description>
      <content:encoded><![CDATA[<p>For a couple of years now, I&#39;ve been giving talks about &quot;claims-based identity&quot;, and &quot;claims-aware applications&quot;. The most concrete example of a claims-based identity architecture that I&#39;ve been able to show so far is Active Directory Federation Services v1 (ADFS) and Windows CardSpace. And the claims programming model I&#39;ve been using is the one that shipped with WCF in the System.IdentityModel assembly.<br /><br />But today I&#39;m happy to announce that there&#39;s a new path forward in the claims world. <a href="https://connect.microsoft.com/Downloads/DownloadDetails.aspx?SiteID=642&amp;DownloadID=12937">Zermatt</a> is the &quot;identity framework&quot; that I&#39;ve been itching to talk about, but until today, hasn&#39;t been announced publicly.<br /><br />Well, <a href="http://blogs.msdn.com/vbertocci/">Vittorio</a> just made the <a href="http://blogs.msdn.com/vbertocci/archive/2008/07/09/announcing-the-beta-release-of-zermatt-developer-identity-framework.aspx">announcement</a> just a moment ago, and now you can get your hands on this new framework. With it, you can build web applications and services that rely on claims to discover identity details about users. And you can easily build a security token service (STS) that supplies those claims. Zermatt makes this possible by supplying all of the plumbing that implements WS-Trust (for web services) and WS-Federation (for browser-based web applications). All you have to do is figure out what claims you want to issue based on what you know about the user and what you know about the application (aka relying party).<br /><br />I was fortunate to be asked by the team to write the <a href="https://connect.microsoft.com/Downloads/DownloadDetails.aspx?SiteID=642&amp;DownloadID=12901">white paper</a> introducing Zermatt to developers. You can download it here. 
The paper introduces the ideas behind claims-based identity, and talks about how you can use Zermatt to centralize authentication (and to some degree, authorization) in an STS, thus making it easy to achieve single sign on in your applications, and even be ready to federate with other organizations or platforms should that need arise.<br /><br />Here are some highlights of what you&#39;ll find in Zermatt:<br /><br />Zermatt includes a new claims programming model, with IClaimsPrincipal and IClaimsIdentity, two new interfaces that extend the existing IPrincipal and IIdentity that you already know and love from the .NET Framework. IClaimsIdentity adds a collection of claims. Zermatt&#39;s claims programming model is in many ways simpler than that in WCF - the Claim class exposes the value of claims as strings (always) and calls the value of a claim &quot;Value&quot;, instead of &quot;Resource&quot; as WCF did. But the model is also more sophisticated - multi-hop delegation is supported, so one user can &quot;Act As&quot; another user, and the relying party will see the entire chain of delegation as a linked list of IClaimsIdentity objects.<br /><br />Zermatt includes an HttpModule that you can wire into your ASP.NET application that will implement WS-Federation for you. This module (called the FAM) is a lot like the &quot;Web Agent&quot; from ADFS, and it makes it quite easy to build a web application that relies on claims.<br /><br />Zermatt includes plumbing that sits on top of WCF and simplifies building claims-based web services and clients.<br /><br />Zermatt also includes a couple of ASP.NET controls for adding SignIn functionality to websites. The first is a passive sign-in control which simply redirects the browser to an STS to get claims. 
The second is the highly anticipated InformationCard control that pops the user&#39;s identity selector and lets her choose which identity she wants to use.<br /><br />Zermatt comes with a bunch of sample code to help you get started.<br /><br />All you need to test-drive Zermatt is Visual Studio 2008 and your curiosity. Download the beta now, read the whitepaper, experiment with the samples, and see what claims-based identity is all about!<br /><br />For more on Zermatt, you&#39;ll want to watch <a href="http://blogs.msdn.com/vbertocci/">Vittorio&#39;s blog</a>. I&#39;ll also be talking more about it in the future!</p>]]></content:encoded>
      <pubDate>Wed, 09 Jul 2008 16:27:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/zermatt">zermatt</category>
      <category domain="http://securityratty.com/tag/claims world">claims world</category>
      <category domain="http://securityratty.com/tag/claims">claims</category>
      <category domain="http://securityratty.com/tag/zermatt includes">zermatt includes</category>
      <category domain="http://securityratty.com/tag/includes">includes</category>
      <category domain="http://securityratty.com/tag/claims-aware applications">claims-aware applications</category>
      <category domain="http://securityratty.com/tag/framework">framework</category>
      <category domain="http://securityratty.com/tag/identity framework">identity framework</category>
      <category domain="http://securityratty.com/tag/identity">identity</category>
      <source url="http://www.pluralsight.com/community/blogs/keith/archive/2008/07/09/introducing-microsoft-code-name-zermatt.aspx">Introducing Microsoft Code Name Zermatt</source>
    </item>
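The Zermatt post above describes a security token service that issues claims about a user for a given relying party, a relying party that consumes those claims, and Act-As delegation that the relying party sees as a chain of identities. The following is that exchange as an added example, written for this page; it is not code from the post, from Zermatt, or from its samples. The token format is a stand-in (an HMAC-signed JSON body) for the SAML tokens WS-Trust and WS-Federation actually carry, and the issuer URL, audience URL, user names and signing key are constructed. The point it adds is the set of checks a claims-aware relying party must not skip before acting on a claim: trusted issuer, signature, audience, expiry, and the same checks again for every hop of the delegation chain.

```python
# Added example: STS / relying-party exchange in miniature. Not Zermatt code.
# Token format is an HMAC-signed JSON body standing in for a SAML token;
# issuers, audiences, users and the key below are constructed for the example.
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ClaimsIdentity:
    """What the relying party ends up with: the user, the claims an issuer made
    about them, who issued them, and (for Act-As) the identity acting for them."""
    name: str
    claims: Dict[str, str]
    issuer: str
    actor: Optional["ClaimsIdentity"] = None  # next link in the delegation chain


class Sts:
    """Issues claims about a user, scoped to one relying party (the audience)."""

    def __init__(self, issuer: str, key: bytes, directory: Dict[str, Dict[str, str]]):
        self.issuer, self.key, self.directory = issuer, key, directory

    def issue(self, user: str, audience: str, now: int,
              actor_token: Optional[str] = None, ttl: int = 300) -> str:
        payload = {"iss": self.issuer, "aud": audience, "sub": user,
                   "exp": now + ttl, "claims": self.directory[user]}
        if actor_token:
            payload["act"] = actor_token  # the delegate's own token, nested
        body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return body + "." + sig


class RelyingParty:
    """Accepts tokens only from issuers it trusts, and only if addressed to it."""

    def __init__(self, audience: str, trusted_issuers: Dict[str, bytes]):
        self.audience, self.trusted = audience, trusted_issuers

    def accept(self, token: str, now: int) -> ClaimsIdentity:
        body, _, sig = token.rpartition(".")
        payload = json.loads(body)
        key = self.trusted.get(payload.get("iss"))  # key is bound to the issuer
        if key is None:
            raise ValueError("untrusted issuer")
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            raise ValueError("bad signature")
        if payload.get("aud") != self.audience:
            raise ValueError("token for another relying party")
        if payload["exp"] <= now:
            raise ValueError("expired")
        # Every hop in the Act-As chain gets the same scrutiny as the outer token.
        actor = self.accept(payload["act"], now) if "act" in payload else None
        return ClaimsIdentity(payload["sub"], payload["claims"], payload["iss"], actor)


def delegation_chain(identity: Optional[ClaimsIdentity]) -> List[str]:
    """Walk the linked list of identities: the user first, then who acted for them."""
    names = []
    while identity is not None:
        names.append(identity.name)
        identity = identity.actor
    return names


def demo(now: int = 1_700_000_000) -> Dict[str, object]:
    """Run the happy paths and the four rejections a relying party must produce."""
    key = b"constructed-sts-signing-key"
    sts = Sts("https://sts.example.com/", key,
              {"alice": {"role": "approver", "dept": "finance"},
               "svc-portal": {"role": "service"}})
    rp = RelyingParty("https://payroll.example.com/", {"https://sts.example.com/": key})
    results: Dict[str, object] = {}
    direct = rp.accept(sts.issue("alice", rp.audience, now), now)
    results["direct"] = (direct.claims["role"], delegation_chain(direct))
    portal = sts.issue("svc-portal", rp.audience, now)           # the delegate
    acting = sts.issue("alice", rp.audience, now, actor_token=portal)
    results["delegated"] = delegation_chain(rp.accept(acting, now))
    rogue = Sts("https://evil.example/", b"attacker-key", {"alice": {"role": "admin"}})
    bad_tokens = {
        "other_audience": sts.issue("alice", "https://hr.example.com/", now),
        "tampered": sts.issue("alice", rp.audience, now).replace('"role":"approver"', '"role":"admin"'),
        "rogue_issuer": rogue.issue("alice", rp.audience, now),
        "expired": sts.issue("alice", rp.audience, now - 3600),
    }
    for label, tok in bad_tokens.items():
        try:
            rp.accept(tok, now)
            results[label] = "accepted"
        except ValueError as err:
            results[label] = str(err)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(int(time.time())), indent=1))
```

The rogue-issuer case is the one the post's architecture makes easy to get wrong: claims are just strings, so a relying party that reads `role` off any well-formed token, without pinning the issuer whose key verified it, lets anyone who can reach it mint its roles.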
    <item>
      <title><![CDATA[Google Open Sources Web Assessment Tool]]></title>
      <link>http://securityratty.com/article/128129d00191a851fc7c17a3ec3f9529</link>
      <guid>http://securityratty.com/article/128129d00191a851fc7c17a3ec3f9529</guid>
      <description><![CDATA[The folks at Google have open-sourced the web application assessment proxy they had been using in-house. The tool is called ratproxy and was authored by Michal Zalewski
From Google Code
Ratproxy is a semi-automated,...]]></description>
      <content:encoded><![CDATA[<p>The folks at Google have released their own proprietary web application assessment proxy. The tool is called ratproxy and was authored by <a href="http://lcamtuf.coredump.cx/">Michal Zalewski</a>.</p>
<p>From Google Code:</p>
<blockquote><p>Ratproxy is a semi-automated, largely passive web application security audit tool. It is meant to complement active crawlers and manual proxies more commonly used for this task, and is optimized specifically for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.</p></blockquote>
<p>This tool falls into the same family as Burp and Paros, as examples. It will apparently run on Linux, FreeBSD, Mac OS X and Windows if you have Cygwin loaded. Check it out. </p>
<p><a href="http://code.google.com/p/ratproxy/">Article Link</a></p>]]></content:encoded>
      <pubDate>Wed, 02 Jul 2008 08:51:09 +0000</pubDate>
      <category domain="http://securityratty.com/tag/google">google</category>
      <category domain="http://securityratty.com/tag/tool">tool</category>
      <category domain="http://securityratty.com/tag/tool falls">tool falls</category>
      <category domain="http://securityratty.com/tag/complement active crawlers">complement active crawlers</category>
      <category domain="http://securityratty.com/tag/design patterns based">design patterns based</category>
      <category domain="http://securityratty.com/tag/google code">google code</category>
      <category domain="http://securityratty.com/tag/ratproxy">ratproxy</category>
      <category domain="http://securityratty.com/tag/article link">article link</category>
      <category domain="http://securityratty.com/tag/michal zalewski">michal zalewski</category>
      <source url="http://feeds.feedburner.com/~r/Liquidmatrix/~3/324867361/">Google Open Sources Web Assessment Tool</source>
    </item>
    <item>
      <title><![CDATA[Meet ratproxy, our passive web security assessment tool]]></title>
      <link>http://securityratty.com/article/bc78dd4116c64ea5b3a05fa82e188ff7</link>
      <guid>http://securityratty.com/article/bc78dd4116c64ea5b3a05fa82e188ff7</guid>
      <description><![CDATA[Posted by Michal Zalewski

We're happy to announce that we've just open-sourced ratproxy , a passive web application security assessment tool that we've been using internally at Google. This utility,...]]></description>
      <content:encoded><![CDATA[<span class="byline-author">Posted by Michal Zalewski</span><br /><br />We're happy to announce that we've just open-sourced <a href="http://code.google.com/p/ratproxy">ratproxy</a>, a passive web application security assessment tool that we've been using internally at Google. This utility, developed by our information security engineering team, is designed to transparently analyze legitimate, browser-driven interactions with a tested web property and automatically pinpoint, annotate, and prioritize potential flaws or areas of concern.  <br /><br />The proxy analyzes problems such as cross-site script inclusion threats, insufficient cross-site request forgery defenses, caching issues, cross-site scripting candidates, potentially unsafe cross-domain code inclusion schemes and information leakage scenarios, and much more. (A more-detailed discussion of these features and information on securing vulnerable applications is provided <a href="http://code.google.com/p/ratproxy/wiki/RatproxyDoc">here</a>.) Compared with more-traditional active crawlers, or with fully manual request inspection and modification frameworks, this approach offers several significant advantages in terms of minimized overhead; marginalized risk of site disruptions; high coverage of complex, client-driven application states in web 2.0 solutions; and insight into dynamic cross-domain trust models.<br /><br />We decided to make this tool freely available as open source because we feel it will be a valuable contribution to the information security community, helping advance the community's understanding of security challenges associated with contemporary web technologies. 
We believe that responsible security research brings a net overall benefit to the safety of the Web as a whole, and have released this tool explicitly to support that kind of research.<br /><br />To download the proxy, please visit this <a href="http://ratproxy.googlecode.com/files/ratproxy-1.50.tar.gz">page</a>. Also, please keep in mind that the proxy is designed solely to highlight interesting patterns in web applications, and a further analysis by a security professional is often required to interpret the results and their significance for the tested platform.]]></content:encoded>
      <pubDate>Tue, 01 Jul 2008 12:49:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/web">web</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/information leakage scenarios">information leakage scenarios</category>
      <category domain="http://securityratty.com/tag/information security">information security</category>
      <category domain="http://securityratty.com/tag/contemporary web technologies">contemporary web technologies</category>
      <category domain="http://securityratty.com/tag/information security community">information security community</category>
      <category domain="http://securityratty.com/tag/web property">web property</category>
      <category domain="http://securityratty.com/tag/community">community</category>
      <category domain="http://securityratty.com/tag/web applications">web applications</category>
      <source url="http://feeds.feedburner.com/~r/GoogleOnlineSecurityBlog/~3/324447250/meet-ratproxy-our-passive-web-security.html">Meet ratproxy, our passive web security assessment tool</source>
    </item>
    <item>
      <title><![CDATA[Can you hear me now?]]></title>
      <link>http://securityratty.com/article/afde45737ad0a9346c45bdf544337ad3</link>
      <guid>http://securityratty.com/article/afde45737ad0a9346c45bdf544337ad3</guid>
      <description><![CDATA[Verizon released a very interesting Data Breach report that analyzes over 500 forensic reports on their system over a number of years. It is great work by Verizon to gather this data and to publish...]]></description>
      <content:encoded><![CDATA[<p>Verizon released a very interesting <a href="http://www.verizonbusiness.com/resources/security/databreachreport.pdf">Data Breach report</a> that analyzes over 500 forensic reports on their system over a number of years. It is great work by Verizon to gather this data and to publish it. Of course, as a consultant I go into lots of companies where they could learn a lot just by being more open and talking through issues with peers in other companies. It would be great to see other companies follow Verizon's lead.</p>
<p>I suggest you read their report, and I would like to add a little color to their findings from the perspective of the swamp I spend most of my time in - Web services security. Granted, it is just one report, but the data run counter to a lot of conventional security "wisdom":</p>
<blockquote><p><strong><u>Who is behind data breaches?</u></strong></p>
<p>73% resulted from external sources<br>18% were caused by insiders<br>39% implicated business partners<br>30% involved multiple parties</p></blockquote>
<p>The internal/external divide is pretty silly these days, as is companies' reciting "inside the firewall and outside the firewall"; I spend most of my time hooking things up together precisely <em>so</em> they interoperate remotely. The firewall is a speed bump at best. At any rate, external sources are a primary concern in Web services security, because - hey look, our Web service front end just made your Mainframe/AS400/Unix DB/CICS/whatever accessible remotely. This is great from a functionality standpoint, but the issue is that these back end systems were never designed with anything remotely resembling an Internet threat model. Additionally, the Verizon team's findings around business partners and multiple parties strike at the heart of a number of popular misconceptions in Web services security - "well, it's just B2B and it's behind a firewall."</p>
<blockquote><p><strong><u>How do breaches occur?</u></strong></p>
<p>62% were attributed to a significant error<br>59% resulted from hacking and intrusions<br>31% incorporated malicious code<br>22% exploited a vulnerability<br>15% were due to physical threats</p></blockquote>
<p>A couple of things to note here - malicious code, in my opinion, is likely to be the biggest problem in Web services security going forward. There is a large gap waiting to be exploited here. You have no control over the other end of the pipe plus a massive attack surface; the only thing lacking is the attacker's ability to find and exploit, which I strongly suspect is just a matter of time. With regard to hacking and intrusions, we have the remote, passive nature of web security to blame here in the Web services world. Paraphrasing <a href="http://www.aspectsecurity.com/">Jeff Williams</a>, the problem is that an attacker can just try an attack; if it doesn't work, try again, and again, and so on. This is partially because of the loosely coupled nature of the systems, but it is also because <a href="http://1raindrop.typepad.com/1_raindrop/2008/06/mashup-of-the-titans.html">commonly used information security protocols have diverged from reality</a>: they are modeled using an object-centric mentality, where you "own" the object you are protecting and can afford to put passive controls around it.</p>
<blockquote><p><strong><u>What commonalities exist?</u></strong></p>
<p>66% involved data the victim did not know was on the system<br>75% of breaches were not discovered by the victim<br>83% of attacks were not highly difficult<br>85% of breaches were the result of opportunistic attacks<br>87% were considered avoidable through reasonable controls</p></blockquote>
<p>Many of the attacks against Web services are not difficult; in my <a href="http://arctecgroup.net/training.htm">training class</a>, we'll typically execute 8-10 different attacks in a two day period. But the big one from this list is the first one - the amazing amount of attack surface offered up by Web services. <a href="http://isecpartners.com/">Brad Hill</a> has done a good job articulating these issues in SOAP/XML/WS-*, but at an enterprise it's even bigger than those standards - the thing is we use Web services to make stuff interoperate, to make stuff reusable, and to virtualize endpoints. Great stuff if what you want to do is decentralize your business, but this creates oceans of space for attackers to roam. When you look beyond the Visio and the IDE view of web services, and get to the runtime, there is an amazing amount of detritus left behind by all these layers.</p>]]></content:encoded>
      <pubDate>Fri, 27 Jun 2008 06:56:10 +0000</pubDate>
      <category domain="http://securityratty.com/tag/web services">web services</category>
      <category domain="http://securityratty.com/tag/web services world">web services world</category>
      <category domain="http://securityratty.com/tag/web services security">web services security</category>
      <category domain="http://securityratty.com/tag/data breach report">data breach report</category>
      <category domain="http://securityratty.com/tag/report">report</category>
      <category domain="http://securityratty.com/tag/attack">attack</category>
      <category domain="http://securityratty.com/tag/massive attack surface">massive attack surface</category>
      <category domain="http://securityratty.com/tag/companies follow verizon">companies follow verizon</category>
      <category domain="http://securityratty.com/tag/data">data</category>
      <source url="http://1raindrop.typepad.com/1_raindrop/2008/06/can-you-hear-me-now.html">Can you hear me now?</source>
    </item>
    <item>
      <title><![CDATA[Mashup of the Titans]]></title>
      <link>http://securityratty.com/article/6289294023616c0d4219941919c976a5</link>
      <guid>http://securityratty.com/article/6289294023616c0d4219941919c976a5</guid>
      <description><![CDATA[Information Security - an Oxymoron for the information age

Always the beautiful answer who asks a more beautiful question. e. e. cummings
or why i am with Gelernter

This is a mashup of Saltzer &amp;...]]></description>
      <content:encoded><![CDATA[<div>Information Security - an Oxymoron for the information age</div><br /><div>“Always the beautiful answer who asks a more beautiful question.” e. e. cummings</div><div>...or why i am with Gelernter</div><br /><div>This is a mashup of Saltzer &amp; Schroeder&#39;s famous <a href="http://www.cs.virginia.edu/~evans/cs551/saltzer/">information security principles</a> with David Gelernter&#39;s <a href="http://www.edge.org/documents/archive/edge70.html">Manifesto</a>.</div><br /><div>The premise of this mashup is to examine the paper by Saltzer and Schroeder, which was written in 1975 and serves as the basis for most information security programs, against Gelernter&#39;s manifesto as to where computing is actually going. Each of the eight principles in Saltzer and Schroeder&#39;s paper is listed in order, and followed by select excerpts of Gelernter&#39;s manifesto. This comparison is to examine theoretical information security principles vis-à-vis the actual utility of modern information systems. I will not make an attempt to reconcile theory and practice, but will point out where the two schools of thought agree. In fairness, Saltzer and Schroeder&#39;s paper was written 25 years before Gelernter&#39;s; however, Saltzer and Schroeder&#39;s principles dominate the thinking about information security to this day, and so it&#39;s important to view them side by side with Gelernter&#39;s thinking on the direction of computing.</div><br /><div style="color: #bf5f00; ">Saltzer and Schroeder:</div><div>&quot;a) Economy of mechanism: Keep the design as simple and small as possible. This well-known principle applies to any aspect of a system, but it deserves emphasis for protection mechanisms for this reason: design and implementation errors that result in unwanted access paths will not be noticed during normal use (since normal use usually does not include attempts to exercise improper access paths). 
As a result, techniques such as line-by-line inspection of software and physical examination of hardware that implements protection mechanisms are necessary. For such techniques to be successful, a small and simple design is essential.&quot;</div><br /><div style="color: #0060bf; ">Gelernter:</div><div>&quot;9. The computing future is based on &quot;cyberbodies&quot; — self-contained, neatly-ordered, beautifully-laid-out collections of information, like immaculate giant gardens.&quot;</div><br /><div><span style="color: #00bf00; ">Conclusion(gp):</span>&#0160;So far, so good</div><br /><div>**</div><br /><div><span style="color: #bf5f00; ">Saltzer and Schroeder:</span><br /></div><div>&quot;b) Fail-safe defaults: Base access decisions on permission rather than exclusion. This principle, suggested by E. Glaser in 1965 [8], means that the default situation is lack of access, and the protection scheme identifies conditions under which access is permitted. The alternative, in which mechanisms attempt to identify conditions under which access should be refused, presents the wrong psychological base for secure system design. A conservative design must be based on arguments why objects should be accessible, rather than why they should not. In a large system some objects will be inadequately considered, so a default of lack of permission is safer. A design or implementation mistake in a mechanism that gives explicit permission tends to fail by refusing permission, a safe situation, since it will be quickly detected. On the other hand, a design or implementation mistake in a mechanism that explicitly excludes access tends to fail by allowing access, a failure which may go unnoticed in normal use. 
This principle applies both to the outward appearance of the protection mechanism and to its underlying implementation.&quot;</div><br /><div><span style="color: #00bf00; ">Conclusion(gp):</span>&#0160;A conservative design principle that puts the object&#39;s owner in control of permissions. This makes a lot of sense from the object point of view, but does little to address the use case in which it executes.</div><br /><div>**</div><br /><div><span style="color: #bf5f00; ">Saltzer and Schroeder:</span><br /></div><div>&quot;c) Complete mediation: Every access to every object must be checked for authority. This principle, when systematically applied, is the primary underpinning of the protection system. It forces a system-wide view of access control, which in addition to normal operation includes initialization, recovery, shutdown, and maintenance. It implies that a foolproof method of identifying the source of every request must be devised. It also requires that proposals to gain performance by remembering the result of an authority check be examined skeptically. If a change in authority occurs, such remembered results must be systematically updated.&quot;</div><br /><div><span style="color: #0060bf; ">Gelernter:</span><br /></div><div>&quot;8. The software systems we depend on most today are operating systems (Unix, the Macintosh OS, Windows et. al.) and browsers (Internet Explorer, Netscape Communicator...). Operating systems are connectors that fasten users to computers; they attach to the computer at one end, the user at the other. Browsers fasten users to remote computers, to &quot;servers&quot; on the internet.</div><br /><div>Today&#39;s operating systems and browsers are obsolete because people no longer want to be connected to computers — near ones OR remote ones. (They probably never did). They want to be connected to information. 
In the future, people are connected to cyberbodies; cyberbodies drift in the computational cosmos — also known as the Swarm, the Cybersphere.</div><br /><div>13. Any well-designed next-generation electronic gadget will come with a ``Disable Omniscience&#39;&#39; button.</div><br /><div>17. A cyberbody can be replicated or distributed over many computers; can inhabit many computers at the same time. If the Cybersphere&#39;s computers are tiles in a paved courtyard, a cyberbody is a cloud&#39;s drifting shadow covering many tiles simultaneously.</div><br /><div>20. If a million people use a Web site simultaneously, doesn&#39;t that mean that we must have a heavy-duty remote server to keep them all happy? No; we could move the site onto a million desktops and use the internet for coordination. The &quot;site&quot; is like a military unit in the field, the general moving with his troops (or like a hockey team in constant swarming motion). (We used essentially this technique to build the first tuple space implementations. They seemed to depend on a shared server, but the server was an illusion; there was no server, just a swarm of clients.) Could Amazon.com be an itinerant horde instead of a fixed Central Command Post? Yes.&quot;</div><br /><div><span style="color: #00bf00; ">Conclusion(gp):</span>&#0160;Complete mediation provides the underpinning for Saltzer and Schroeder&#39;s system, but does not appear to scale to the desired itinerant horde at least in common interpretation.</div><br /><div>**</div><br /><div><span style="color: #bf5f00; ">Saltzer and Schroeder:</span><br /></div><div>&quot;d) Open design: The design should not be secret. The mechanisms should not depend on the ignorance of potential attackers, but rather on the possession of specific, more easily protected, keys or passwords. 
This decoupling of protection mechanisms from protection keys permits the mechanisms to be examined by many reviewers without concern that the review may itself compromise the safeguards. In addition, any skeptical user may be allowed to convince himself that the system he is about to use is adequate for his purpose. Finally, it is simply not realistic to attempt to maintain secrecy for any system which receives wide distribution.&quot;</div><br /><div><span style="color: #00bf00; ">Conclusion(gp):</span>&#0160;Both seem to agree; it is hard to get the itinerant horde moving in a swarm without open standards.</div><br /><div>**</div><br /><div><span style="color: #bf5f00; ">Saltzer and Schroeder:</span><br /></div><div>&quot;e) Separation of privilege: Where feasible, a protection mechanism that requires two keys to unlock it is more robust and flexible than one that allows access to the presenter of only a single key. The relevance of this observation to computer systems was pointed out by R. Needham in 1973. The reason is that, once the mechanism is locked, the two keys can be physically separated and distinct programs, organizations, or individuals made responsible for them. From then on, no single accident, deception, or breach of trust is sufficient to compromise the protected information. This principle is often used in bank safe-deposit boxes. It is also at work in the defense system that fires a nuclear weapon only if two different people both give the correct command. In a computer system, separated keys apply to any situation in which two or more conditions must be met before access should be permitted. For example, systems providing user-extendible protected data types usually depend on separation of privilege for their implementation.&quot;</div><br /><div><span style="color: #0060bf; ">Gelernter:</span><br /></div><div>&quot;37. 
Elements stored in a mind do not have names and are not organized into folders; are retrieved not by name or folder but by contents. (Hear a voice, think of a face: you&#39;ve retrieved a memory that contains the voice as one component.) You can see everything in your memory from the standpoint of past, present and future. Using a file cabinet, you classify information when you put it in; minds classify information when it is taken out. (Yesterday afternoon at four you stood with Natasha on Fifth Avenue in the rain — as you might recall when you are thinking about &quot;Fifth Avenue,&quot; &quot;rain,&quot; &quot;Natasha&quot; or many other things. But you attached no such labels to the memory when you acquired it. The classification happened retrospectively.)&quot;</div><br /><div><span style="color: #00bf00; ">Conclusion(gp):</span>&#0160;Information Security models tend to look at things statically through information classification lenses, but it&#39;s how information is used that makes it valuable. In practice, this is how information security theory breaks down in the face of reality - what does an access control matrix look like for a mashup? What does it look like for a data mining app?</div><br /><div>**</div><br /><div><span style="color: #bf5f00; ">Saltzer and Schroeder:</span><br /></div><div>&quot;f) Least privilege: Every program and every user of the system should operate using the least set of privileges necessary to complete the job. Primarily, this principle limits the damage that can result from an accident or error. It also reduces the number of potential interactions among privileged programs to the minimum for correct operation, so that unintentional, unwanted, or improper uses of privilege are less likely to occur. Thus, if a question arises related to misuse of a privilege, the number of programs that must be audited is minimized. 
Put another way, if a mechanism can provide &quot;firewalls,&quot; the principle of least privilege provides a rationale for where to install the firewalls. The military security rule of &quot;need-to-know&quot; is an example of this principle.&quot;</div><br /><div><span style="color: #0060bf; ">Gelernter:</span><br /></div><div>&quot;28. Metaphors have a profound effect on computing: the file-cabinet metaphor traps us in a &quot;passive&quot; instead of &quot;active&quot; view of information management that is fundamentally wrong for computers.</div><br /><div>29. The rigid file and directory system you are stuck with on your Mac or PC was designed by programmers for programmers — and is still a good system for programmers. It is no good for non-programmers. It never was, and was never intended to be.</div><br /><div>30. If you have three pet dogs, give them names. If you have 10,000 head of cattle, don&#39;t bother. Nowadays the idea of giving a name to every file on your computer is ridiculous.&quot;</div><br /><div><span style="color: #00bf00; ">Conclusion(gp):</span>&#0160;Least Privilege is the point where the practical matter of applying Saltzer and Schroeder&#39;s principles breaks down in modern systems. It&#39;s a deployment issue, and a matter of insufficient models and modes.</div><br /><div>**</div><br /><div><span style="color: #bf5f00; ">Saltzer and Schroeder:</span><br /></div><div>&quot;g) Least common mechanism: Minimize the amount of mechanism common to more than one user and depended on by all users [28]. Every shared mechanism (especially one involving shared variables) represents a potential information path between users and must be designed with great care to be sure it does not unintentionally compromise security. Further, any mechanism serving all users must be certified to the satisfaction of every user, a job presumably harder than satisfying only one or a few users. 
For example, given the choice of implementing a new function as a supervisor procedure shared by all users or as a library procedure that can be handled as though it were the user&#39;s own, choose the latter course. Then, if one or a few users are not satisfied with the level of certification of the function, they can provide a substitute or not use it at all. Either way, they can avoid being harmed by a mistake in it.&quot;</div><br /><div><span style="color: #0060bf; ">Gelernter:</span><br /></div><div>&quot;6. Miniaturization was the big theme in the first age of computers: rising power, falling prices, computers for everybody. Theme of the Second Age now approaching: computing transcends computers. Information travels through a sea of anonymous, interchangeable computers like a breeze through tall grass. A desktop computer is a scooped-out hole in the beach where information from the Cybersphere wells up like seawater.</div><br /><div>16. The future is dense with computers. They will hang around everywhere in lush growths like Spanish moss. They will swarm like locusts. But a swarm is not merely a big crowd. The individuals in the swarm lose their identities. The computers that make up this global swarm will blend together into the seamless substance of the Cybersphere. Within the swarm, individual computers will be as anonymous as molecules of air.</div><br /><div>55. Software can solve hard problems in two ways: by algorithm or by making connections — by delivering the problem to exactly the right human problem-solver. The second technique is just as powerful as the first, but so far we have ignored it.</div><br /><div>56. Lifestreams and microcosms are the two most important cyberbody types; they relate to each other as a single musical line relates to a single chord. 
The stream is a &quot;moment in space,&quot; the microcosm a moment in time.&quot;</div><br /><div>**</div><br /><div><span style="color: #bf5f00; ">Saltzer and Schroeder:</span><br /></div><div>&quot;h) Psychological acceptability: It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly. Also, to the extent that the user&#39;s mental image of his protection goals matches the mechanisms he must use, mistakes will be minimized. If he must translate his image of his protection needs into a radically different specification language, he will make errors.&quot;</div><br /><div><span style="color: #0060bf; ">Gelernter:</span><br /></div><div>&quot;7. &quot;The network is the computer&quot; — yes; but we&#39;re less interested in computers all the time. The real topic in astronomy is the cosmos, not telescopes. The real topic in computing is the Cybersphere and the cyberstructures in it, not the computers we use as telescopes and tuners.</div><br /><div>27. Modern computing is based on an analogy between computers and file cabinets that is fundamentally wrong and affects nearly every move we make. (We store &quot;files&quot; on disks, write &quot;records,&quot; organize files into &quot;folders&quot; — file-cabinet language.) Computers are fundamentally unlike file cabinets because they can take action.</div><br /><div>31. Our standard policy on file names has far-reaching consequences: doesn&#39;t merely force us to make up names where no name is called for; also imposes strong limits on our handling of an important class of documents — ones that arrive from the outside world. 
A newly-arrived email message (for example) can&#39;t stand on its own as a separate document — can&#39;t show up alongside other files in searches, sit by itself on the desktop, be opened or printed independently; it has no name, so it must be buried on arrival inside some existing file (the mail file) that does have a name. The same holds for incoming photos and faxes, Web bookmarks, scanned images...</div><br /><div>32. You shouldn&#39;t have to put files in directories. The directories should reach out and take them. If a file belongs in six directories, all six should reach out and grab it automatically, simultaneously.</div><br /><div>33. A file should be allowed to have no name, one name or many names. Many files should be allowed to share one name. A file should be allowed to be in no directory, one directory, or many directories. Many files should be allowed to share one directory. Of these eight possibilities, only three are legal and the other five are banned — for no good reason.</div><br /><div>53. Your car, your school, your company and yourself are all one-track vehicles moving forward through time, and they will each leave a stream-shaped cyberbody (like an aircraft&#39;s contrail) behind them as they go. These vapor-trails of crystallized experience will represent our first concrete answer to a hard question: what is a company, a university, any sort of ongoing organization or institution, if its staff and customers and owners can all change, its buildings be bulldozed, its site relocated — what&#39;s left? What is it? 
The answer: a lifestream in cyberspace.&quot;</div><br /><br /><div>**</div><div style="color: #00bf00; ">Conclusion(gp):</div><br /><div>The Saltzer and Schroeder principles of Open Design and Economy of Mechanism hold up well in the face of modern computing realities, and to a certain extent Fail Safe Defaults does as well; however if we information security people are to be effective we need to re-think the other principles.</div><br /><div>**</div><br /><div>Last word:&#0160;<span style="color: #0060bf; ">Gelernter:</span></div><div>We&#39;ll know the system is working when a butterfly wanders into the in-box and (a few wingbeats later) flutters out — and in that brief interval the system has transcribed the creature&#39;s appearance and analyzed its way of moving, and the real butterfly leaves a shadow-butterfly behind. Some time soon afterward you&#39;ll be examining some tedious electronic document and a cyber-butterfly will appear at the bottom left corner of your screen (maybe a Hamearis lucina) and pause there, briefly hiding the text (and showing its neatly-folded rusty-chocolate wings like Victorian paisley, with orange eyespots) — and moments later will have crossed the screen and be gone.</div>]]></content:encoded>
      <pubDate>Wed, 25 Jun 2008 13:29:25 +0000</pubDate>
      <category domain="http://securityratty.com/tag/protection mechanisms">protection mechanisms</category>
      <category domain="http://securityratty.com/tag/protection mechanisms correctly">protection mechanisms correctly</category>
      <category domain="http://securityratty.com/tag/information security">information security</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/implements protection mechanisms">implements protection mechanisms</category>
      <category domain="http://securityratty.com/tag/information travels">information travels</category>
      <category domain="http://securityratty.com/tag/information security people">information security people</category>
      <category domain="http://securityratty.com/tag/protection">protection</category>
      <category domain="http://securityratty.com/tag/potential information path">potential information path</category>
      <source url="http://1raindrop.typepad.com/1_raindrop/2008/06/mashup-of-the-titans.html">Mashup of the Titans</source>
    </item>
    <item>
      <title><![CDATA[Blackhat SEO Redirects to Malware and Rogue Software]]></title>
      <link>http://securityratty.com/article/2199017f7c1af4461b71026dc303b308</link>
      <guid>http://securityratty.com/article/2199017f7c1af4461b71026dc303b308</guid>
      <description><![CDATA[A black SEO farm with built-in redirection to a multitude of sites serving rogue codecs (Zlob malware variants) and fake security software phoning back to UkrTeleGroup Ltd's network - could it get...]]></description>
      <content:encoded><![CDATA[<div><a href="http://bp3.blogger.com/_wICHhTiQmrA/SEe1DIDe2DI/AAAAAAAABxI/dNKrE60D00g/s1600-h/pornotubedirect1.JPG"><img id="BLOGGER_PHOTO_ID_5208330559383590962" style="margin: 0px 10px 10px 0px; float: left;" alt="" src="http://bp3.blogger.com/_wICHhTiQmrA/SEe1DIDe2DI/AAAAAAAABxI/dNKrE60D00g/s200/pornotubedirect1.JPG" border="0" /></a>A black SEO farm with built-in redirection to a multitude of sites serving rogue codecs (Zlob malware variants) and <a href="http://ddanchev.blogspot.com/2008/05/got-your-xpshield-up-and-running.html">fake security software</a> phoning back to <a href="http://ddanchev.blogspot.com/2008/02/geolocating-malicious-isps.html">UkrTeleGroup Ltd's</a> network - could it get even more interesting? Of course, as the current state of Zlob malware serving tactics can be separated into two distinct groups: those abusing the <a href="http://ddanchev.blogspot.com/2008/05/malware-attack-exploiting-flash-zero.html">"sort of" zero day Flash exploit</a>, as the currently <a href="http://ddanchev.blogspot.com/2008/05/yet-another-massive-sql-injection.html">active SQL injection attacks</a> are all taking advantage of it, and those still relying on a plain simple redirect to multimedia sites requiring you to install the fake codec.<br /><br /><br /><div><div><a href="http://bp0.blogger.com/_wICHhTiQmrA/SEe3eSO6t8I/AAAAAAAABxQ/GtMaVRNVy4E/s1600-h/blackhat_SEO_visualized.JPG"><img id="BLOGGER_PHOTO_ID_5208333224995633090" style="margin: 0px 10px 10px 0px; float: left;" alt="" src="http://bp0.blogger.com/_wICHhTiQmrA/SEe3eSO6t8I/AAAAAAAABxQ/GtMaVRNVy4E/s200/blackhat_SEO_visualized.JPG" border="0" /></a>While tracking down the <a href="http://ddanchev.blogspot.com/2008/03/massive-iframe-seo-poisoning-attack.html">massive blackhat SEO poisoning campaigns</a> that took place in March, 2008, as well as the countless number of embedded/injected malware campaigns targeting high profile sites that we've been seeing recently, it's 
becoming increasingly common to come across a repeating malicious pattern. Basically, a <a href="http://ddanchev.blogspot.com/2008/03/portfolio-of-fake-video-codecs.html">domain portfolio of typosquatted domains</a> looking like legitimate codec sites is created, several bogus video, mostly p0rn related sites with no content start acting as a frontend to the codecs, where traffic is driven through blackhat SEO doorways. Moreover, rogue codec sites are increasing because the templates for the p0rn and codec sites are turning into a commodity, just like phishing pages and DIY phishing page generators lowering down the entry barriers into these practices.</div><br /><div><br /></div><div><a href="http://bp3.blogger.com/_wICHhTiQmrA/SEfKn96fT7I/AAAAAAAABxY/kbygMpNzS54/s1600-h/blackhat_seo_codecs3.png"><img id="BLOGGER_PHOTO_ID_5208354282060861362" style="margin: 0px 10px 10px 0px; float: left;" alt="" src="http://bp3.blogger.com/_wICHhTiQmrA/SEfKn96fT7I/AAAAAAAABxY/kbygMpNzS54/s200/blackhat_seo_codecs3.png" border="0" /></a>Let's assess a sample redirection doorway, a visualization and sample traffic of which you can see in the attached screenshots. At <strong>porntubedirect.info </strong>we have a fake counter <strong>porntubedirect.info/stat/count.php</strong> loading the redirection script from <strong>216.240.139.234/sutra/in.cgi?3</strong> which is a javascript serving a different site on-the-fly, courtesy of a well known blackhat SEO campaign tool. 
The output of this redirection is a new domain serving Zlob variants in the form of fake codecs, hosted under eight further rogue domains.</div><br /><div>Sample detection rates for the codecs obtained :<br /></div><div><br /></div><div>Scanners Result: 8/32 (25%)</div><span style="font-weight: bold;">W32/PolyZlob!tr.dldr; Trojan:Win32/Tibs.gen!lds</span><br /><div>File size: 119296 bytes </div><br /><div>Scanners Result: 6/32 (18.75%)<br /></div><div style="font-weight: bold;">Trojan-Downloader.Win32.FraudLoad.axa; Trojan.Dldr.FraudLoad.axa</div>File size: 60416 bytes<br /><div><br /></div><div>Scanners Result: 14/32 (43.75%)</div><span style="font-weight: bold;">Trojan-Downloader.Win32.Zlob.lps; TrojanDownloader:Win32/Zlob.IB</span><br /><div>File size: 18432 bytes</div><br /><div>Scanners Result: 18/32 (56.25%)<br /></div><div style="font-weight: bold;">Trojan-Downloader.Win32.Delf.ilx; TrojanDownloader:Win32/Chengtot.A</div>File size: 91683 bytes<br /><div><br />Once we've managed to obtain several of the fake codec domains, passive DNS monitoring and third-party tools help us expose a huge portfolio of rogue domains, all following the same adult/codec naming pattern.</div><br /><div><a href="http://bp3.blogger.com/_wICHhTiQmrA/SEfM81C3WTI/AAAAAAAABxo/whvBq4dE_sE/s1600-h/blackhat_seo_codecs1.png"><img id="BLOGGER_PHOTO_ID_5208356839480580402" style="margin: 0px 10px 10px 0px; float: left;" alt="" src="http://bp3.blogger.com/_wICHhTiQmrA/SEfM81C3WTI/AAAAAAAABxo/whvBq4dE_sE/s200/blackhat_seo_codecs1.png" border="0" /></a><a href="http://bp2.blogger.com/_wICHhTiQmrA/SEfMyTsY63I/AAAAAAAABxg/ZtiCEo6OWi8/s1600-h/blackhat_seo_codecs2.png"><img id="BLOGGER_PHOTO_ID_5208356658729249650" style="margin: 0px 10px 10px 0px; float: left;" alt="" src="http://bp2.blogger.com/_wICHhTiQmrA/SEfMyTsY63I/AAAAAAAABxg/ZtiCEo6OWi8/s200/blackhat_seo_codecs2.png" border="0" /></a><br />What you see is not always what you get online; however, the infrastructure providers in the majority of malware campaigns tend to remain the same.<br /></div><div> </div></div></div>]]></content:encoded>
      <pubDate>Thu, 05 Jun 2008 03:59:47 +0000</pubDate>
      <category domain="http://securityratty.com/tag/sites">sites</category>
      <category domain="http://securityratty.com/tag/profile sites">profile sites</category>
      <category domain="http://securityratty.com/tag/multimedia sites">multimedia sites</category>
      <category domain="http://securityratty.com/tag/codec sites">codec sites</category>
      <category domain="http://securityratty.com/tag/zlob variants">zlob variants</category>
      <category domain="http://securityratty.com/tag/zlob">zlob</category>
      <category domain="http://securityratty.com/tag/zlob malware variants">zlob malware variants</category>
      <category domain="http://securityratty.com/tag/rogue codec sites">rogue codec sites</category>
      <category domain="http://securityratty.com/tag/domains">domains</category>
      <source url="http://feeds.feedburner.com/~r/DanchoDanchevOnSecurityAndNewMedia/~3/305310836/blackhat-seo-redirects-to-malware-and.html">Blackhat SEO Redirects to Malware and Rogue Software</source>
    </item>
    <item>
      <title><![CDATA[Security - Passive versus active response]]></title>
      <link>http://securityratty.com/article/84888d9fd6b0b675d70d2dda34e6b84c</link>
      <guid>http://securityratty.com/article/84888d9fd6b0b675d70d2dda34e6b84c</guid>
      <description><![CDATA[Here at the well-heeled Gartner IT Security Conference at the brand new, spectacular Gaylord National hotel. The hotel is only 2 months old or so, but it is supposedly the largest on the East coast...]]></description>
      <content:encoded><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p>Here at the well-heeled Gartner IT Security Conference at the brand new, spectacular <a href="http://www.gaylordhotels.com/gaylord-national/" target="_blank">Gaylord National</a> hotel.&nbsp; The hotel is only 2 months old or so, but it is supposedly the largest on the East coast and really first rate.&nbsp; Also, the Gartner folks put on a first rate show, though it is on the pricey side for everyone from exhibitors to attendees. Vendors who really want to have a big presence are in for big bucks reaching a relatively small number of customers.&nbsp; It was good to run into a number of StillSecure customers here at the show.&nbsp; Even though we did not exhibit, our presence was felt in several of the tracks discussing security solution areas that we offer products in.</p>

<p>While at the show I had a chance to catch up with several other security vendors.&nbsp; One fellow I spoke to was Phil Neray of <a href="http://www.guardium.com/" target="_blank">Guardium</a>.&nbsp; Guardium is best known for providing database security to many of the largest financial institutions and other large companies.&nbsp; They recently announced a <a href="http://www.guardium.com/index.php/pr/368" target="_blank">major new release</a> of their flagship product with something they call &quot;S-GATE&quot;. I won't bore you with all of the details but the gist of it is that for the first time database security can move from passively reporting or alerting of data access violations to actively blocking such violations.&nbsp; </p>

<p>For me the active versus passive mode of security is one that transcends different layers of security.&nbsp; Whether we are talking about IDS passive response versus IPS active response, vulnerability scanning passively assessing and reporting versus NAC testing and blocking access, or now database access, ultimately security follows a similar route. First comes the ability to actually detect.&nbsp; Oftentimes the ability to detect is a major step up from what was available before.&nbsp; The next evolutionary phase is to be able to prevent or block the dangerous or malicious event from taking place.</p>

<p>This active blocking mode though is often not as readily accepted at first by the market.&nbsp; Everyone is always afraid of blocking the wrong user, the wrong email message or other request.&nbsp; I think it is part of human nature that we inherently distrust our technology to block, always thinking it will block legitimate traffic.&nbsp; This has been true in every security technology I have seen.&nbsp; Eventually active response does win out, but it takes time and there are always doubters.&nbsp; It will be interesting to see whether what Guardium has done here is viewed with the same suspicions at first and then catches on or not.&nbsp; We will have to watch.</p></div>
]]></content:encoded>
      <pubDate>Tue, 03 Jun 2008 13:51:52 +0000</pubDate>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/security conference">security conference</category>
      <category domain="http://securityratty.com/tag/security technology">security technology</category>
      <category domain="http://securityratty.com/tag/security solution">security solution</category>
      <category domain="http://securityratty.com/tag/time database security">time database security</category>
      <category domain="http://securityratty.com/tag/security vendors">security vendors</category>
      <category domain="http://securityratty.com/tag/database security">database security</category>
      <category domain="http://securityratty.com/tag/data access violations">data access violations</category>
      <category domain="http://securityratty.com/tag/violations">violations</category>
      <source url="http://www.stillsecureafteralltheseyears.com/ashimmy/2008/06/security---pass.html">Security - Passive versus active response</source>
    </item>
  </channel>
</rss>
