[SecurityRatty] tag: pitch

Mercenary Firm Offers to 'Detain Troublemakers' on Election Day

Mon, 03 Nov 2008 12:39:00 +0000

CIA-linked private military contractor Evergreen Defense & Security Services offered to post sentries at Oregon election offices on Tuesday, "detaining troublemakers" and making sure voters "do not get out of control." But rest easy: the company struck out with its sales pitch.

Barak Obama Discusses Security Trade-Offs

Mon, 27 Oct 2008 03:31:12 +0000

I generally avoid commenting on election politics -- that's not what this blog is about -- but this comment by Barak Obama is worth discussing:

[Q] I have been collecting accounts of your meeting with David Petraeus in Baghdad. And you had [inaudible] after he had made a really strong pitch [inaudible] for maximum flexibility. A lot of politicians at that moment would have said [inaudible] but from what I hear, you pushed back.
[BO] I did. I remember the conversation, pretty precisely. He made the case for maximum flexibility and I said you know what if I were in your shoes I would be making the exact same argument because your job right now is to succeed in Iraq on as favorable terms as we can get. My job as a potential commander in chief is to view your counsel and your interests through the prism of our overall national security which includes what is happening in Afghanistan, which includes the costs to our image in the middle east, to the continued occupation, which includes the financial costs of our occupation, which includes what it is doing to our military. So I said look, I described in my mind at list an analogous situation where I am sure he has to deal with situations where the commanding officer in [inaudible] says I need more troops here now because I really think I can make progress doing x y and z. That commanding officer is doing his job in Ramadi, but Petraeus's job is to step back and see how does it impact Iraq as a whole. My argument was I have got to do the same thing here. And based on my strong assessment particularly having just come from Afghanistan were going to have to make a different decision. But the point is that hopefully I communicated to the press my complete respect and gratitude to him and Proder who was in the meeting for their outstanding work. Our differences don't necessarily derive from differences in sort of, or my differences with him don't derive from tactical objections to his approach. But rather from a strategic framework that is trying to take into account the challenges to our national security and the fact that we've got finite resources.

I have made this general point again and again -- about airline security, about terrorism, about a lot of things -- that the person in charge of the security system can't be the person who decides what resources to devote to that security system. The analogy I like to use is a company: the VP of marketing wants all the money for marketing, the VP of engineering wants all the money for engineering, and so on; and the CEO has to balance all of those needs and do what's right for the company. So of course the TSA wants to spend all this money on new airplane security systems; that's their job. Someone above the TSA has to balance the risks to airlines with the other risks our country faces and allocate budget accordingly. Security is a trade-off, and that trade-off has to be made by someone with responsibility over all aspects of that trade-off.

I don't think I've ever heard a politician make this point so explicitly.

Information security in bad economy

Sun, 26 Oct 2008 16:37:40 +0000

Economy looks grim. The headlines are very discouraging. Capitalism does not guarantee wealth and success all the time. The talking heads on TV blame the greed in the stock market. I wish stock market is made of just computers that are not greedy human beings. These are bound to happen when there are human beings that participate! Money flows will eventually correct itself I hope, capitalism will be healthy again. This will take time. I am not an economist, but I do understand that people part with money for a period of time to collect higher return in the horizon based on their aptitude for risk. Simple is it not! But, all these complex financial instruments and its machinations seem to blur the reality and make even the brainiest act dumb - or are they just plain greedy?

Setting the context for this post, it is a tough economic situation all over the world. IT spending has reduced and will reduce significantly. In one of earlier posts, I had referred to information security as an overhead of an overhead (IT). What is a good approach for security practice in this type of economy?

I don't have a magic wand to pull a rabbit out of a hat. I have always been told that: tough economy is the time for real smart people to make money. Coming back to information security topic, with a bit of common sense, it is wise for information security professionals to offer services in those areas that does not involve capital expenditure. As a Security Manager, you may be already aware that your people are willing to go an extra mile in the current economic times.

- No budget or lack of budget, means no new capital expenditure. Spend time wisely in building a future technology strategy and keep it in the back pocket when the economy turns around.

- This is a good time to create roles/responsibilities and ownership for various areas. Create operating procedures. Make your team to automate tasks. This will help your operations become more efficient.

- This is time for security awareness education. Create pamphlets/brochures/presentations for an online or classroom training. Engage your and your team's time to impart training.

- Leverage already invested technology platforms. Leverage utilized features that reduce costs. If you have already invested in technology such as VMware, this is the time to get the best out of it. You can use VMware's toolkit to build your lab and staging environment and optimize on hardware cost.

- Off shoring has been the mantra of senior executives, this is the time to revisit those services and measure their performance closely and assess your satisfaction level. This is a good time to build a case for not off shoring if it makes sense.

- Companies are more vulnerable in bad economic times. You are in a better position to influence senior management about information security risks under these circumstances and drive home the value of protecting your intellectual property under these kinds of circumstances. management will be all ears for such a pitch.

- Time to engage your architect to optimize your security architecture, revisit standards and optimize design for cost efficiency.

- Revisit various controls and see if there are some risks that you could optimize spending on.

- Training budget is an unfortunate victim of this type of economy. Encourage employees to take free webinars offered by various security vendors and encourage them to share the summary across the team. This will put your employees in touch with latest happenings in security at the same time there is some learning that is imparted despite zero training budget.

- Since there are very few projects in action, this is a good time to have conversations with cross functional teams and educate them about your services and solicit feedback on how to do better.

- Revisit your vendor logistics and identify whether you can renegotiate some of your already existing contracts.

The above are some good ways by which you can optimize costs, this will also enhance your team's competence level in the long run. And this approach is better than letting people go, if you can pull this.

Massive SQL Injection Attacks - the Chinese Way

Tue, 21 Oct 2008 12:18:48 +0000

From copycats and "localizers" of Russian web malware exploitation kits, to suppliers of original hacking tools, the Chinese IT underground has been closely following the emerging threats and the obvious insecurities on a large scale, and so is either filling the niches left open by other international communities, or coming up with tools setting new benchmarks for massive SQL injection attacks, like the case with this one :

"A professional web site vulnerability scanning, use of tools, SQL injection is a new generation of tools to help Web developers and site of the station quickly find vulnerabilities in order to be able to effectively prepare Security work. At the same time, the tool to Web developers to demonstrate the ways in which hackers are using these vulnerabilities, hackers, as well as through the loopholes to do things, can effectively raise the safety awareness of relevant personnel."

Nothing's wrong with the marketing pitch at the first place, but going through the features, the "massive SQL injections through search engine reconnaissance" and automatic page rank verification which you can see in the attached screenshots, ruin the "security auditing" marketing pitch. The tool not only allows easy integration of potentially vulnerable sites obtained through search engines reconnaissance, but also, is prioritizing the results based on the probability for successful injection, next to the page rank of the domains in question. A simple demonstration offered by the company is also, directly enticing its users to "localize" the search engine reconnaissance, by filtering the search results for a particupar country, in this case they used French sites for one of the demos. Here are some excerpts from its CHANGE log speaking for themselves :

"2008.7.15 release version 1.3

- New powerful "automatic machine cycle" feature
- Automatic machine cycle is to provide assistance to the advanced user manual into the use of a very
- powerful and flexible module, the main sites used for some special filtering into the hand, is almost a
- universal tool, you can achieve the following:

1. In support of GET / POST / COOKIES in a variety of ways, such as the injection.
2. Scan the key to the page (background, upload, WebShell, databases, backup files, etc.).
3. According to the dictionary to violence landing back-guess solution WebShell password and password (required to verify that the code can not guess solution).
4. Page language does not limit the types and databases (to provide specific statements into the database).
5. At the same time, support for the circulation of the two variables and two dictionaries, fast running and violent content of the database solution to guess a password."

It gets even more interesting in terms of the massive SQL injection attacks mentality which is pretty evident on all fronts :

"- The use of the three search engine sites scans to invade the side to complete
- in scanning probe into the Web site ranking points
- added, "VBS upload to download", "upload directory Web site viewer," "FTP upload to download configuration file" function to make it more convenient for the sa rights to use the site.
- New "sequence document scanners"
- What is the sequence document scanners role? Upload to find loopholes, some of the procedures to upload the file after the upload will be renamed, rename the way the system is usually based on time or incremental increase in the number prefix code for the upload process, if not to return after the file name, Upload files to know the url is usually very difficult to sequence the use of paper scanner can be scanned out

- The best reverse domain name query engine, and quasi-wide
- in scanning the database of basic information, an increase of the database of information related to the process, the link has information on the database server user login (sa need permission)
- control of the interface had a big adjustment, the interface process easier to understand and operate.
- based on a significant site of the wrong mode of access to a comprehensive code optimization and more accurate access to the content, accuracy and access to show progress.
- added, "VBS upload to download", "upload directory Web site viewer," "FTP upload to download configuration file" function to make it more convenient for the sa rights to use the site.

- point into the types of improved detection order to improve the efficiency of detection.
- improved automatic keyword detection, automatic keyword detection more accurate.
- probe into the points the way to improve and increase the use of automatic detection of the keyword detection.
- type of database to improve the detection, the use of the contents of the length of the failure to detect the type of database automatically switch to the probe through the keyword.
- automatically save and load solution has been to guess the tree structure of the database, guess Solutions has been the content and structure of the database will automatically save and open the next time the injection point will be automatically made available, the solutions do not have to guess again, the continuity of work Greatly increased.

- solved from the database to read large amounts of data (on hundreds of thousands or millions of records), the half-way card program will die.
- increased significantly on the wrong model of ASP.NET and SQL Server2005 significant mode of dealing with mistakes, error messages can be extracted from a Web directory!
- significant amendments to the wrong mode, some of the injected one by one point in the field or access to the contents of the issue can not be successful (error code in hand); for increased access to specific points table and into the field.

- amendments to the text of a significant error patterns to detect and correct use of loopholes in the system can be used more to expand. (Text significantly in the wrong mode in version 1.1 already supported, but in the version 1.2 upgrade in the process of scanning to improve the performance of the Gaodiao careless. -_-#)
- on a variety of encoded text can be significantly wrong in the right-compatible, able to correctly handle the ASP.NET page of the text marked wrong. Through custom error keyword, truly compatible with any language, any coding error message.
- crack anti-improvement and enhancement.
- An increase of auto-detection feature keywords.

- Mssql database specifically for significant points into the wrong mode of detection and the use of up and down the hard work, and many other software can not detect the point of injection can also be used.
- Automatic save and load access to the database, to allow manual known to add tables and fields for solutions to guess.
- Can be used to amend the degree of accuracy; optimize the code to reduce memory footprint; enhance the stability of multi-threading.
- Significant amendments to the wrong mode solution guess the contents of the database must be checked first field defects."

The public version of the tool has been in the while for over an year, with a VIP version available to customers only.

Blue Coat, partners pitch less expensive data-leak prevention

Sun, 12 Oct 2008 20:00:00 +0000

Blue Coat Systems says it and five partners can cut the cost of deploying data-leak prevention hardware by requiring fewer DLP devices to protect all sites in a corporate network.

The Buzzword Bandwagon: Lessons learned from a user conference

Mon, 15 Sep 2008 20:00:00 +0000

Last week I was at a conference where security folks get together and vent their spleens about the problems they're facing. On day one, us vendors weren't allowed near the place, but on day two we got to pitch our products to potential buyers, and they got to shoot arrows at us. The highlight of the day for me, though, was the roundtable discussion on log management and SIEM.

Different people in the room talked about some of their experiences with log management and SIEM – some were very positive, others not so much. Either way, though, what struck me was the disparity between what people wanted to do with their SIEM products, and what they were actually managing to do...

Firefox SSL-certificate debate gets gnarly

Wed, 20 Aug 2008 20:00:00 +0000

Debate is reaching a fever pitch over a new security feature in Firefox 3.0 that throws out a warning page to users when a Web site's SSL certificate is expired or has not been issued by a trusted third party.

Military trolling at Black Hat

Tue, 12 Aug 2008 13:35:23 +0000

Forgot to post this yesterday. I was in the military and I came out OK.

clipped from www.internetnews.com

Hackers: Uncle Sam Wants You

UPDATED: At Black Hat, agencies including the FBI, US-CERT, and the military make the pitch for assisting in the U.S.’s fight against cybercrime and cyberwar.

Let's Play Two

Tue, 12 Aug 2008 08:47:51 +0000

Every year my Dad and I go to see a Red Sox series. Last weekend was this year's trip and we went to Chicago to see the World Champion Boston Red Sox (saying that never gets old) play the White Sox. Of course, while you are in Chicago you have to see Wrigley Field, and we really lucked out. This weekend was Red Sox versus the White Sox (the battle of the Soxes they used to call it on Channel 38) on the southside and northside featured Cubs versus Cardinals! The last four World Series winners in town on the same weekend (Red Sox 04, 07, White Sox 05, Cards 06).

We learned several things- first in heaven the Cubs play the Red Sox in the World Series. Those ballparks are true gems. (In hell its probably the Yankees versus Phillies). Also, the people on the southside and northside *really* have a rivalry going. Its basically Boston v NY but they live in the same town! Here is one example from the southside

One of the great things about Wrigley (and there are many despite what southsiders say), is that its in the middle of a real neighborhood

Epicenter of Cub universe

Lots of action before and after game time, lots of people wandering around with gloves catching batting practices homers outside the stadium...err Field. Key point - Wrigley is a field, not a Stadium. Also Fenway is a Park. The Greek root of the word "paradise", means "enclosed green space", not concreteopolis

Wrigley is baseball Mecca

The greatest Cub of all, Ernie Banks, was our touchstone for the day - "Let's Play Two." we started at Wrigley for the day game (Zambrano got shelled) and then got crosstown for the night game.

To pull this off the L is your friend. As several Chicagoans pointed out, they are the only city that can have a true subway series, because the Red Line services both the White Sox and Cubs, whereas Mets-Yankees involves numerous transfers and so on.

We got to US Cellular Field which is fine but a shadow of Wrigley and absolutely nothing good to eat. Luckily we had Daisuke Matsuzaka on the hill

Before every game, Big Papi holds court in center with some players from the other team, he is to be a very popular guy. Ozzie Guillen told him before the series that with Manny gone, he wouldn't see a pitch to hit all weekend (ps. he did and crushed a bases loaded double)

The question we got most was - what about the Manny trade? His replacement strikes out a lot, but is otherwise a promising player

The Red Sox and White Sox share a little history, most especially Pudge Fisk who hit the famous homer in the 75 world series for the Red Sox and then had a great career for the White Sox (actually played more games for Chicago than Boston, but went into Cooperstown with a B on his hat)

Red Sox won, hanging out in Wrigley was an even bigger highlight, and Chicago is a beautiful city to visit, by far the most accessible of the big US cities. Also, lots of good places to eat courtesy of Thomas Ptacek.

Email Hacking Going Commercial - Part Two

Fri, 08 Aug 2008 10:31:54 +0000

Malware authors seeking financial gains from releasing their trojans often promote them as Remote Access Tools, which if we exclude the built-in anti-sandboxing and antivirus software killing capabilities, could pass for a RAT. In a similar deceptive fashion, email hacking services are pitched as email password recovery services.

Hacking as a Service sites seems to be popping out like mushrooms these days, thanks primarily due to the fact that yesterday's script kiddies are today's entrepreneurs trying to even monetize the process of bruteforcing. Here's their pitch :

"Well.. There is nothing different in our services. Like other group, we simply crack email addresses , and provide you the current password used by the victim to you for a suitable price. Nothing unique that we can brag about.... We don't hack NASA or CIA , we cannot hack a bank and steal a million dollars.. We just crack email password .. AND WE DO A HECK OF A JOB IN IT !! We cannot be as presentable as the other groups, trying to look as formal and corporate, as if they are running a Major Corporate Office. However they present it...password retrieval, online investigation.. access recovery...blah blah blah.. the most simplest way to put it is.. : Email Password Cracking: !! And since everyone else is busy faking it, or trying to be more presentable, we utilize our skills to get you what you want.. i.e. THE EMAIL PASSWORD. No buttering up, no marketing skills.. plain hardcore hacking !! So, since you now know what we do , and want us to do the job for you, please proceed to the order page for your relevant TARGET EMAIL and submit your request. All said and done, we will get the elusive password & send you a couple of proofs. You decide upon the authenticity of the proofs, and let us know if you are comfortable going ahead with the payment. PAY US, AND YOU GET THE PASSWORD !And as they say......."

How much are they charging for the bruteforcing? $150 for starters, which is prone to increase due to their bla bla bla about how sophisticated it was to obtain the password - given they actually manage to deliver the goods :

"Many groups charge a fixed price for an email cracking. We undertake more kinds of projects than anyone else. Frankly, each email is a different project in itself. We cannot charge you $100, for something which we can do for $50. Subsequently, we cannot charge you $100, for something which should be priced at $200. But we charge a minimum of $150 USD so that we end up taking orders from ONLY those who really need it. It is a small amount for the level of satisfaction, facts/truth and relief that you would ultimately achieve from this.It depends upon the nature of the job, the accessibility factor. and many other reasons likes:-

1- The email service provider
2- The target itself. How net-savvy he/she is.
3- Complexity of the password
4- Urgency of job and many other things collectively.

We will let you know our charges once we have the desired results only. Be assured, we wont charge you the moon. We charge only what we deserve, and is acceptable by you. Trust us !!"

Some of their answers to the frequently asked questions :

" - Who are you? Where are you from?
We are Hire2Hack Group. Member of our group are students in information technology, at some university in England, France, Italy, Japan, Australia, Canada, Brasilia and at United States of America.

- What services do you provide?
We can hack ANY EMAIL password for you very fast, reliable, secure and worldwide for a suitable price.

- Can you really hack password or just a making a shit scam?
Well, lot of people, lot of groups, companies do this service, but not guaranteed. This is only you can choose which group you want to Order. Be careful with these people. You can believe only on them who claims to provide proof before you really pay them.

- Is there any tool available to crack password?
Yes there is. And we are not giving it to you.

- How long does it takes to crack a password?
Each account is different and hacking time vary. On average, it might take about 1 to 3 days, but it may take anywhere from 24 hours to 30 days or more depending on how difficult is the hacking of each account.

- How can I believe you, that you got password?
We will provide you some good proofs before requesting you to pay us. The proof can be anything, you can decide what kind proof you need.

- Is there person will know that his/her email id has been cracked?
No, we provide you only the original password. That mean the current active password. Your victim/target will not realized that she/he has been hacked. NEVER, we said !

- How I will pay you, I do not have credit card or I do not want to give my credit card number on net?
Well, you can use international money transfer service such as Western Union (www.westernunion.com) or Money Gram (www.moneygram.com). These services immediate transfer money on same day or same hour. You can locate their agents in yours area from their website.

- Do I have to give you my password?
No. Any service which requires your password is simply trying to scam you out of access to your account.

- How will I know you really have the password?
We will show you the proofs.. which are mostly convincing.

- Since you have the password anyway, will you give it to me?
NO. Do not waste your time or ours. We will not release the password until full payment is made - no exceptions. We have had people request our service and once we recover the password, they reset the subject account then ask us for the original password so they can reset it back - the answer will be no. We have also had people ask if they could have the password since we've already recovered it and they cannot pay - the answer will be no. No password will be released until payment has been made in full - no exceptions.

- Will you recover more than one password? Can I request more than one email account?
Yes, but a separate request must be filled out for each one as you will only be billed for each successful recovery. If we have previously recovered a password for you and you have not paid, we will not begin any new request for you until your previous request is paid in full with exceptions for our established clientele. We charge at minimum US $100 for each account hacked.

- Do you reset or change the current password?
No. We do not try to guess the current password or the secret question's answer, we do not change their password. We give you only the Original password, which the victim is currently using.

- Is this confidential? Do you share my information with anyone else?
No, Not at all, Not in any case, its a trust between you and us. Your information will be respected as long as you abide by our Terms and Conditions and Privacy policy. We keep your personal records and requests confidential in our database but we respect your right to privacy and will not rent, share, sell, or trade any personal information unless required by law. But, if you engage in any spamming or fraudulent actives, Your information will be given to the appropriate authorities."

So you've got script kiddies cracking email addresses and probably engaging in the rest of the usual cybercrime activities, who are spam sensitive, and would expose their customers if they start spamming from the cracked emails? Now that's socially responsible, isn't it.

Targeted attacks are sexy, but bruteforcing email accounts no matter the number of proxies and wordlists that they have access to is so irrelevant, that social engineering a potential victim into infecting herself with malware through a live exploit URL seems to be the method of choice, next to a plain simple phishing email of course. In this case, what they're asking for in respect to the victim's details is the victim's country and victim's language, so that a localized social engineering or phishing attack can take place. However, this particular group seems to be using a standard bruteforcing tool.

One thing's for sure - cybercrime is getting easier to outsource, and with potential customers starting to have access to services they didn't a couple of years ago, fake scammers are also emerging in between the real ones.