<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: plain]]></title>
    <link>http://securityratty.com/tag/plain</link>
    <description></description>
    <pubDate>Tue, 30 Sep 2008 12:35:15 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Opinion: Obama's Blackberry Is No Security Threat]]></title>
      <link>http://securityratty.com/article/e87ac9b85b1440c70317a2e3c99bc69a</link>
      <guid>http://securityratty.com/article/e87ac9b85b1440c70317a2e3c99bc69a</guid>
      <description><![CDATA[A lot of the stories about President-Elect Barack Obama possibly having to relinquish his BlackBerry when he takes office Jan. 20 are, for a variety of reasons, just plain dumb
Presented By
Expedition...]]></description>
      <content:encoded><![CDATA[A lot of the stories about President-Elect Barack Obama possibly having to relinquish his BlackBerry when he takes office Jan. 20 are, for a variety of reasons, just plain dumb.<br style="clear: both;"/>
  <a style='font-size: 10px; color: maroon;' href='http://www.pheedo.com/hostedMorselClick.php?hfmm=v3:ec05a75c51a0c57bf749dc34de320338:9saJDFUNixvCt9W%2FnAURKdwA2cqnMddIgJicBm8aa7XRGqSr3d0tP4bmhbLQU11krWw1pJd5zPcU'><img border='0' title='Add to digg' alt='Add to digg' src='http://www.pheedo.com/images/mm/digg.gif'/></a>
  <a style='font-size: 10px; color: maroon;' href='http://www.pheedo.com/hostedMorselClick.php?hfmm=v3:ee597d2c1bb98b27efdcaefe8ebb3f75:EF6STR8ij2QRJ8xF4MBcoSPj2lJwQex7OGQm3R4yzLgsLbUdOaDqd300xLdPMY8UCWy9otIBA7UvIQ%3D%3D'><img border='0' title='Add to StumbleUpon' alt='Add to StumbleUpon' src='http://www.pheedo.com/images/mm/stumbleit.gif'/></a>
  <a style='font-size: 10px; color: maroon;' href='http://www.pheedo.com/hostedMorselClick.php?hfmm=v3:d51c69caef3a79fa989b3a7574d817cb:uzyMPJwsArJb1adLPnID9o%2BjzBNZTeavL38C94JxNqfi1Cu7ClBDRM2SRcEXd0Rorv8gufvurWb2Vw%3D%3D'><img border='0' title='Add to Twitter' alt='Add to Twitter' src='http://www.pheedo.com/images/mm/twitter.png'/></a>
  <a style='font-size: 10px; color: maroon;' href='http://www.pheedo.com/hostedMorselClick.php?hfmm=v3:42f0cd0844493e4e350b139fc5b4aac4:MXMK2lz0WWHJX0PP4CSpEs7sIpFYH2zP5xNyh3ZAJhafvgGgWMApfnlvI1ecgN6drJ%2B6%2B12av%2F4TCA%3D%3D'><img border='0' title='Add to Slashdot' alt='Add to Slashdot' src='http://www.pheedo.com/images/mm/slashdot.png'/></a>
<br style="clear: both;"/>
<hr />
<div style="font-size:xx-small;color:gray;padding-bottom:.5em">Presented By:</div>
<div><a href="http://www.pheedo.com/feeds/ht.php?t=c&amp;i=f38edf875ae6f3723280e92fea392c4c&amp;p=1">Expedition Week Continues Tonight</a></div>
<table border="0" cellpadding="0" cellspacing="0">
<tr><td valign="top"><embed src="http://services.brightcove.com/services/viewer/federated_f8/1902560944" bgcolor="#FFFFFF" flashVars="playerId=1902560944&viewerSecureGatewayURL=https://console.brightcove.com/services/amfgateway&servicesURL=http://services.brightcove.com/services&cdnURL=http://admin.brightcove.com&domain=embed&autoStart=false&" base="http://admin.brightcove.com" name="flashObj" width="300" height="250" seamlesstabbing="false" type="application/x-shockwave-flash" swLiveConnect="true" pluginspage="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash"></embed><br />
<br /><img src="http://images.pheedo.com/g/ngc/natgeologo_80x60.jpg"><br />
<font size="2" face="helvetica" >Seven nights of one great discovery after another continues tonight at 9P e/p only on National Geographic Channel.  From the ancient pyramids to the ocean depths, from lost cities to outer space, travel with the latest generation of intrepid explorers as they make one great discovery after another.  Expedition Week, only on National Geographic Channel.</font><br />
<a href="http://www.pheedo.com/click.phdo?a=v3%3Ac1abad0b6daa4d28e9a527be56ca4e2f%3As2rmGnBOH62ZTX7YSZtUtsuGGEa8BJPlu%2FnPAP5iBIxxx5lnUHVgxgWtXjRC%2BL9X6noRAJMryZFAD1poPIhkf6cQxJS8bBfGwQlOn880Zw7JEF%2BMyg8FaI55gEz%2FwsMAIsKOYGloldTlO7L2E7%2FRMBd5jFHoF%2BTSxltqVyVuyH%2BRkxk%3D" target="_blank">www.natgeotv.com/expedition<br />
</a></td></tr>
<tr><td>&nbsp;</td></tr>
</table>
<div style="font-size:xx-small; padding-top: 1em;"><span style="border-top: 1px solid">
<br style="display:none"/>
<a href="http://www.pheedo.com/">Ads by Pheedo</a>
</span><img alt="" style="border: 0; height: 1px; width: 1px;" border="0" height="1" width="1" src="http://www.pheedo.com/feeds/ht.php?t=v&amp;i=f38edf875ae6f3723280e92fea392c4c&amp;p=1"/>
<br/>
</div>
]]></content:encoded>
      <pubDate>Thu, 20 Nov 2008 02:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/national geographic channel">national geographic channel</category>
      <category domain="http://securityratty.com/tag/takes office jan">takes office jan</category>
      <category domain="http://securityratty.com/tag/plain dumb">plain dumb</category>
      <category domain="http://securityratty.com/tag/continues tonight">continues tonight</category>
      <category domain="http://securityratty.com/tag/blackberry">blackberry</category>
      <category domain="http://securityratty.com/tag/intrepid explorers">intrepid explorers</category>
      <category domain="http://securityratty.com/tag/expedition week">expedition week</category>
      <category domain="http://securityratty.com/tag/discovery">discovery</category>
      <category domain="http://securityratty.com/tag/ancient pyramids">ancient pyramids</category>
      <source url="http://feeds.computerworld.com/click.phdo?i=f38edf875ae6f3723280e92fea392c4c">Opinion: Obama's Blackberry Is No Security Threat</source>
    </item>
    <item>
      <title><![CDATA[Microsoft Begins the MS08-067 Post-Mortem]]></title>
      <link>http://securityratty.com/article/8b1a636e03c8882d65a7f324bcded81f</link>
      <guid>http://securityratty.com/article/8b1a636e03c8882d65a7f324bcded81f</guid>
      <description><![CDATA[It's finger-pointing time. Who let the infamous MS08-067 RPC bug through? Did the vaunted Microsoft Security Development Lifecycle fail? Did people approve the code when they shouldn't have? Microsoft...]]></description>
      <content:encoded><![CDATA[It's finger-pointing time.

Who let the infamous MS08-067 RPC bug through? Did the vaunted Microsoft Security Development Lifecycle fail? Did people approve the code when they shouldn't have?

<a href="http://www.webbuyersguide.com/company/66/Microsoft&kc=eweekarticle110308&src=eweekarticle110308">Microsoft</a> has already begun examining these questions in <a href="http://blogs.msdn.com/sdl/archive/2008/10/22/ms08-067.aspx" target="_blank">an entry on the SDL blog.</a> The problem, the blog seems to conclude, is the complexity of the code. It's just really hard to find bugs of this nature. To have found it would have been lucky. Michael Howard, the SDL guru and blogger, isn't really pointing fingers, although commenters on the blog are.

It's a prime example of what I wrote about not long ago when I said <a href="http://www.eweek.com/c/a/Security/Still-Overflowing-After-All-These-Years/">buffer overflows would never go away.</a> The examples we all see of what overflows are and how to stop them are fairly simple things: Allocate a buffer of size b, read 2*b bytes into it. In this case, there were two problems making the problem significantly more complex: The overflow happens inside a loop, during which pointer arithmetic is done. This alone makes it harder for humans to identify the bug and perhaps impossible for tools to identify it without incurring a large incidence of false positives. Stack-checking also failed in this instance.

Howard called the code in question "reasonably complex" and said at a later date he would publish source code from the function. He said Microsoft's automated tools wouldn't find this bug in this type of code. Some comments on the blog asked him whether this complexity is, in and of itself, a problem. Perhaps manual code reviews should have rejected it. Howard didn't go this far, but I sense, in between the lines, that maybe he feels the same.

As a programmer I've seen this sort of code plenty of times and written it myself. The code may have seemed particularly efficient or just plain cool to the programmer, but complex loops with pointer arithmetic sound inherently like asking for trouble. I've written before that Microsoft has a long-term way of writing for the next generation of hardware, and CPU processing power is becoming absurdly cheap. Perhaps an implementation that is slower than necessary, but clear in its operation, is the better choice. Then leave the optimizing to compilers. It's actually an old argument.

Another thing Howard remarks on is the failure of Microsoft's fuzzing tools in this instance. All he says is they didn't find it and they'll work on that, and they are always working on their fuzzing tools. Fuzzing is cool and this episode shows how there's always more work to do in it. <a href="http://blogs.securiteam.com/index.php/archives/1151" target="_blank">Aviram on the SecuriTeam blog relates </a>how over two years ago famous researcher Dave Aitel said his fuzzer found no more bugs in the MS RPC code, so there must not be any. This was probably tongue-in-cheek, but even so, Aitel's probably biting his tongue now.

Even though many levels of tools and procedures put in place to prevent such vulnerabilities failed to do so, it would be a mistake to say the system failed altogether. This vulnerability, just about the worst class of bug we ever get, comes with significant mitigating factors, and is probably, as a practical matter, not exploitable on Windows Vista and Server 2008. Not everything failed.
<p><a href="http://feedads.googleadservices.com/~a/TOAsgjkEp3a_sBJoijuoWeC3U0s/a"><img src="http://feedads.googleadservices.com/~a/TOAsgjkEp3a_sBJoijuoWeC3U0s/i" border="0" ismap="true"></img></a></p><img src="http://feedproxy.google.com/~r/RSS/cheap_hack/~4/yYUo7KKMw0Q" height="1" width="1"/>]]></content:encoded>
      <pubDate>Mon, 03 Nov 2008 10:41:51 +0000</pubDate>
      <category domain="http://securityratty.com/tag/code">code</category>
      <category domain="http://securityratty.com/tag/code plenty">code plenty</category>
      <category domain="http://securityratty.com/tag/publish source code">publish source code</category>
      <category domain="http://securityratty.com/tag/manual code reviews">manual code reviews</category>
      <category domain="http://securityratty.com/tag/microsoft">microsoft</category>
      <category domain="http://securityratty.com/tag/rpc code">rpc code</category>
      <category domain="http://securityratty.com/tag/securiteam blog">securiteam blog</category>
      <category domain="http://securityratty.com/tag/blog">blog</category>
      <category domain="http://securityratty.com/tag/howard remarks">howard remarks</category>
      <source url="http://feeds.ziffdavisenterprise.com/~r/RSS/cheap_hack/~3/yYUo7KKMw0Q/microsoft_begins_the_ms08-067_post-mortem.html">Microsoft Begins the MS08-067 Post-Mortem</source>
    </item>
    <item>
      <title><![CDATA[NBA Preview and Flashback]]></title>
      <link>http://securityratty.com/article/b7a6f4985a46dfec8a0d683b7d11b6f9</link>
      <guid>http://securityratty.com/article/b7a6f4985a46dfec8a0d683b7d11b6f9</guid>
      <description><![CDATA[NBA starts today, it is always good to have something to look forward to once the weather gets cold in Minnie. I follow two teams. The Celtics who have a decent chance at repeating as champs. KG and...]]></description>
      <content:encoded><![CDATA[<p>NBA starts today, it is always good to have something to look forward to once the weather gets cold in Minnie. I follow two teams. The Celtics who have a decent chance at repeating as champs. KG and Pierce should be back in full force, hopefully Ray Allen holds up. Perkins and Rondo may get a little better with experience. Biggest loss is Posey and we will miss him a lot more than people think. A real glue guy, defense, passing, rebounding, makes the smart plays and as a middleware guy myself I can relate. He will make CP3 even more dangerous.</p><div><br /><div>The other team I follow is the Timberwolves. I think they will be pretty good this year. Al Jefferson is a beast down low. Only four players averaged 20 and 10 last year and he is one. He is the best big man in the post after Duncan. Getting Love and Miller for OJ Mayo was a smart deal by McHale. I think McCants can be a decent instant offense 6th man. Would be good to see Foye step up this year. Weakness looks to be defense</div><br />

*Flashback*&#0160;
</div><div>I am biased but I think the 1980s was the most fun time to watch NBA. Everyone talks about Bird and Magic, but there were a lot of great players back then. Here is my all underrated 1980s team (no Celtics included due to conflict of interest and unobjectivity)</div><br /><div>C: <a href="http://www.youtube.com/results?search_query=moses+malone&amp;search_type=">Moses Malone</a> - beast of a big man, immovable force under the hoop with fantastic foot work for a big man. It is too bad he was traded by Portland because he and Bill Walton would have been the best big man combo of all time. &#0160;&#0160;</div><br /><div>PF: <a href="http://www.youtube.com/watch?v=CO1UvhQMnRk">Bobby Jones</a> - great defender, good rebounder, good passer for a big man. Typical Tar Heel -fundamentally sound. He would be the James Posey of this team. (Runner up: Calvin Natt)</div><br /><div>SF: <a href="http://www.youtube.com/results?search_query=bernard+king&amp;search_type=">Bernard King</a> - what a renaissance. Watch his moves on youtube, he was not that tall like say Alex English but he could go in the lane and score on anybody. Jordan of course is an all around better player but I think King was a better scorer and that is saying something. The playoffs when he was putting up 50 and 60 a night he was a terrifying force.&#0160;

</div><br /><div>SG: <a href="http://www.youtube.com/results?search_query=andrew+toney&amp;search_type=">Andrew Toney</a> - they called him the Boston strangler and as a Celtics fan there was no one I was more afraid of. It's a real shame his career got cut short. (Runner up: George Gervin) &#0160;</div><br /><div>PG: <a href="http://www.youtube.com/results?search_query=tiny+archibald&amp;search_type=">Tiny Archibald</a> - Ok, one Celtic, but he is seriously underrated - would go flying into the lane, disappear in the trees, Tiny would fly out the bottom of the pile, and the ball would pop out the top and drop in. Probably the last great player to come out of NYC. (Runner up: Mo Cheeks)</div><br /><div>Sixth Man - <a href="http://www.youtube.com/watch?v=sxpu6cFF2B0">World B. Free</a> - no doubt about this one, he was great as a sixth man. And this guy was plain fun to watch. He would bomb it from 30 feet, when he was on he was a force. He would kick his leg into the defender when he was shooting a j to draw the foul. (Runner up: Michael Cooper)</div>]]></content:encoded>
      <pubDate>Tue, 28 Oct 2008 20:42:50 +0000</pubDate>
      <category domain="http://securityratty.com/tag/guy">guy</category>
      <category domain="http://securityratty.com/tag/real glue guy">real glue guy</category>
      <category domain="http://securityratty.com/tag/nba">nba</category>
      <category domain="http://securityratty.com/tag/1980s team">1980s team</category>
      <category domain="http://securityratty.com/tag/immovable force">immovable force</category>
      <category domain="http://securityratty.com/tag/team">team</category>
      <category domain="http://securityratty.com/tag/force">force</category>
      <category domain="http://securityratty.com/tag/celtics fan">celtics fan</category>
      <category domain="http://securityratty.com/tag/celtics">celtics</category>
      <source url="http://1raindrop.typepad.com/1_raindrop/2008/10/nba-preview-and-flashback.html">NBA Preview and Flashback</source>
    </item>
    <item>
      <title><![CDATA[Information security in bad economy]]></title>
      <link>http://securityratty.com/article/724237a8203417ab862d25e018912170</link>
      <guid>http://securityratty.com/article/724237a8203417ab862d25e018912170</guid>
      <description><![CDATA[Economy looks grim. The headlines are very discouraging. Capitalism does not guarantee wealth and success all the time. The talking heads on TV blame the greed in the stock market. I wish stock market...]]></description>
      <content:encoded><![CDATA[<P>Economy looks grim. The headlines are very discouraging. Capitalism does not guarantee wealth and success all the time. The talking heads on TV blame the&nbsp;greed in the stock market. I wish stock market is made of just computers that are not greedy human beings. These are bound to happen when there are human beings that participate! Money flows will eventually correct itself&nbsp; I hope, capitalism will be healthy again. This will take time. I am not an economist, but I do understand that people part with money for a period of time to collect higher return in the horizon based on their aptitude for risk.&nbsp; Simple is it not! But, all these complex financial instruments and its machinations seem to blur the reality and make even the brainiest act dumb - or are they just plain greedy?</P>
<P>Setting the context for this post, it is a tough economic situation all over the world. IT spending has reduced and will reduce significantly. In one of earlier posts, I&nbsp;had referred&nbsp;to information security as an overhead of an overhead (IT).&nbsp;What is a good approach for&nbsp;security practice in this type of economy? </P>
<P>I don't have a magic wand to pull a rabbit out of a hat. I have always been told&nbsp;that: tough economy is the time for&nbsp;real smart people to&nbsp;make money. Coming back to information security topic,&nbsp;with a bit of common sense, it is wise for&nbsp;information security professionals to offer services in&nbsp;those&nbsp;areas&nbsp;that do not involve capital expenditure. As a Security Manager, you may be already aware that your people are willing to&nbsp;go&nbsp;an extra mile in the current economic times.</P>
<P>- No budget or lack of budget,&nbsp;means no&nbsp;new capital expenditure. Spend time wisely in building a future technology strategy and keep it in the back pocket when the economy turns around.</P>
<P>- This is a good time to create roles/responsibilities and ownership for various areas. Create operating procedures.&nbsp;Make your team automate tasks. This will help your operations become more efficient.</P>
<P>- This is time for security awareness&nbsp; education. Create pamphlets/brochures/presentations for an online or classroom training. Engage your and your team's time to impart training.</P>
<P>- Leverage already invested&nbsp;technology platforms. Leverage utilized features that reduce costs. If you have already invested in technology such as VMware, this is the time to get the best out of it. You can use VMware's toolkit to build your lab and staging&nbsp;environment and optimize on hardware cost.</P>
<P>- Off shoring has been the mantra of senior executives, this is the time to revisit those services and measure their performance closely&nbsp;and assess&nbsp;your satisfaction level. This is a good time to build a case for not off shoring if it makes sense.</P>
<P>- Companies are more vulnerable in bad economic times. You are in a better position&nbsp;to&nbsp;influence senior management about information security risks under these circumstances and drive home the value of protecting your intellectual property under these kinds of circumstances. Management will be all ears&nbsp;for such a pitch.</P>
<P>- Time to engage your architect to optimize your security architecture, revisit standards and optimize design for cost efficiency.</P>
<P>- Revisit various controls and see if there are some risks that you could optimize spending on.</P>
<P>- Training budget&nbsp;is an unfortunate victim of&nbsp;this type of economy. Encourage employees to take free webinars offered by various security vendors and encourage them to share the summary across the team. This will put your employees in touch with latest happenings in security at the same time there is some learning that is imparted&nbsp;despite&nbsp;zero training budget.</P>
<P>- Since there are very few projects in action, this is a good time to have conversations with cross functional teams and educate them about your services and solicit feedback on how to do better.</P>
<P>- Revisit your vendor logistics and identify whether you can renegotiate some of your already existing contracts.</P>
<P>The above are some good&nbsp;ways by which you can optimize costs; this will also enhance&nbsp;your team's competence level in the long run. And this approach is better than letting people go, if you can pull this off.</P>
<P>&nbsp;</P>]]></content:encoded>
      <pubDate>Sun, 26 Oct 2008 16:37:40 +0000</pubDate>
      <category domain="http://securityratty.com/tag/information security">information security</category>
      <category domain="http://securityratty.com/tag/information security risks">information security risks</category>
      <category domain="http://securityratty.com/tag/risks">risks</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/information security professionals">information security professionals</category>
      <category domain="http://securityratty.com/tag/security manager">security manager</category>
      <category domain="http://securityratty.com/tag/information security topic">information security topic</category>
      <category domain="http://securityratty.com/tag/security architecture">security architecture</category>
      <category domain="http://securityratty.com/tag/time">time</category>
      <source url="http://ravichar.blogharbor.com/blog/_archives/2008/10/26/3948897.html">Information security in bad economy</source>
    </item>
    <item>
      <title><![CDATA[Compromised Portfolios of Legitimate Domains for Sale]]></title>
      <link>http://securityratty.com/article/5b1e0d15dd199fd7476dbd877e605255</link>
      <guid>http://securityratty.com/article/5b1e0d15dd199fd7476dbd877e605255</guid>
      <description><![CDATA[Is the demand for access to compromised legitimate portfolios of domains -- where the price is based on the pagerank and is shaped by the number of domains in question -- the main growth factor for...]]></description>
      <content:encoded><![CDATA[<a href="http://1.bp.blogspot.com/_wICHhTiQmrA/SQHOMySS3JI/AAAAAAAACWQ/Hs8QGER1I60/s1600-h/compromised_web_hosting_portfolio.jpg" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5260712558797708434" src="http://1.bp.blogspot.com/_wICHhTiQmrA/SQHOMySS3JI/AAAAAAAACWQ/Hs8QGER1I60/s200/compromised_web_hosting_portfolio.jpg" style="cursor: pointer; float: left; height: 103px; margin: 0pt 10px 10px 0pt; width: 200px;" /></a>Is the demand for access to <a href="http://ddanchev.blogspot.com/2008/08/compromised-cpanel-accounts-for-sale.html">compromised legitimate portfolios of domains</a> -- where the price is based on the pagerank and is shaped by the number of domains in question -- the main growth factor for the increasing supply of such stolen accounting data, or is it the result of cybercriminals data mining their botnets for accounting data that would provide them with access to such <a href="http://ddanchev.blogspot.com/2008/09/adult-network-of-1448-domains.html">portfolios of high trafficked domains with clean reputation</a>? Moreover, would such a data mining approach made easily possible due to the availability of botnet parsing services and stolen accounting data dumps streaming directly from a botnet, would in fact be the more efficient approach in injecting their malicious presence on as many hosts as possible, next to the plain simple <a href="http://ddanchev.blogspot.com/2008/10/massive-sql-injection-attacks-chinese.html">massive SQL injection approach</a>?<br />
<br />
As always, it's a matter of who you're dealing with, and their understanding of the exclusiveness of a particular underground item at a given period of time. This exclusiveness is inevitably going to increase due to the fact that there are several "vendors" that are already purchasing access to such portfolios, as well as compromised Cpanel accounts as a core business, the access to which they would later on either resell at a higher price enjoying the underground market's lack of transparency, or directly monetize and break-even immediately. As for this particular proposition for an account with 404 domains in it, it's interesting to monitor how the seller is soliciting bids from multiple sources by leaving the price an open topic, clearly indicating his low profile into the underground ecosystem. How come? An experienced seller or buyer would be offering or requesting page rank verification respectively.<br />
<br />
With nearly each and every aspect of cybercrime already available as a service, or literally outsourced as a process to those supposedly excelling into a particular practice, building capabilities for data mining botnets is no longer a requirement, with the people behind the botnets monetizing all the data coming from it by soliciting deals of accounting data dumps based on a particular country only.<div class="feedflare">
<a href="http://feeds.feedburner.com/~f/DanchoDanchevOnSecurityAndNewMedia?a=KaXaM"><img src="http://feeds.feedburner.com/~f/DanchoDanchevOnSecurityAndNewMedia?i=KaXaM" border="0"></img></a> <a href="http://feeds.feedburner.com/~f/DanchoDanchevOnSecurityAndNewMedia?a=5JUrM"><img src="http://feeds.feedburner.com/~f/DanchoDanchevOnSecurityAndNewMedia?i=5JUrM" border="0"></img></a> <a href="http://feeds.feedburner.com/~f/DanchoDanchevOnSecurityAndNewMedia?a=iASQm"><img src="http://feeds.feedburner.com/~f/DanchoDanchevOnSecurityAndNewMedia?i=iASQm" border="0"></img></a> <a href="http://feeds.feedburner.com/~f/DanchoDanchevOnSecurityAndNewMedia?a=H5nPm"><img src="http://feeds.feedburner.com/~f/DanchoDanchevOnSecurityAndNewMedia?i=H5nPm" border="0"></img></a> <a href="http://feeds.feedburner.com/~f/DanchoDanchevOnSecurityAndNewMedia?a=OsSgM"><img src="http://feeds.feedburner.com/~f/DanchoDanchevOnSecurityAndNewMedia?i=OsSgM" border="0"></img></a> <a href="http://feeds.feedburner.com/~f/DanchoDanchevOnSecurityAndNewMedia?a=WgfUM"><img src="http://feeds.feedburner.com/~f/DanchoDanchevOnSecurityAndNewMedia?i=WgfUM" border="0"></img></a> <a href="http://feeds.feedburner.com/~f/DanchoDanchevOnSecurityAndNewMedia?a=o6U7m"><img src="http://feeds.feedburner.com/~f/DanchoDanchevOnSecurityAndNewMedia?i=o6U7m" border="0"></img></a>
</div><img src="http://feeds.feedburner.com/~r/DanchoDanchevOnSecurityAndNewMedia/~4/430818024" height="1" width="1"/>]]></content:encoded>
      <pubDate>Fri, 24 Oct 2008 06:24:33 +0000</pubDate>
      <category domain="http://securityratty.com/tag/data">data</category>
      <category domain="http://securityratty.com/tag/data dumps based">data dumps based</category>
      <category domain="http://securityratty.com/tag/data dumps">data dumps</category>
      <category domain="http://securityratty.com/tag/domains">domains</category>
      <category domain="http://securityratty.com/tag/cybercriminals data">cybercriminals data</category>
      <category domain="http://securityratty.com/tag/portfolios">portfolios</category>
      <category domain="http://securityratty.com/tag/based">based</category>
      <category domain="http://securityratty.com/tag/access">access</category>
      <category domain="http://securityratty.com/tag/botnets">botnets</category>
      <source url="http://feeds.feedburner.com/~r/DanchoDanchevOnSecurityAndNewMedia/~3/430818024/compromised-portfolios-of-legitimate.html">Compromised Portfolios of Legitimate Domains for Sale</source>
    </item>
    <item>
      <title><![CDATA[Are Business Risk and Technical Security Part of a Natural Fourier Series?]]></title>
      <link>http://securityratty.com/article/182f28cd8f2b1713858ac5296e2607ca</link>
      <guid>http://securityratty.com/article/182f28cd8f2b1713858ac5296e2607ca</guid>
      <description><![CDATA[Decade after decade politics moves from regulated economies to de-regulated economies. Changes are usually triggered by unpredictable events (in political speak). We are almost certainly about to...]]></description>
      <content:encoded><![CDATA[Decade after decade politics moves from regulated economies to de-regulated economies. Changes are usually triggered by &#8220;unpredictable events&#8221; (in political speak). We are almost certainly about to go into a period of heavy government regulation of the financial services industry where &#8220;unpredictable events&#8221; or &#8220;failure&#8221; in plain English is blamed on inadequate regulation. [...]]]></content:encoded>
      <pubDate>Wed, 08 Oct 2008 06:25:03 +0000</pubDate>
      <category domain="http://securityratty.com/tag/unpredictable events">unpredictable events</category>
      <category domain="http://securityratty.com/tag/regulation">regulation</category>
      <category domain="http://securityratty.com/tag/decade">decade</category>
      <category domain="http://securityratty.com/tag/heavy government regulation">heavy government regulation</category>
      <category domain="http://securityratty.com/tag/decade politics moves">decade politics moves</category>
      <category domain="http://securityratty.com/tag/financial services industry">financial services industry</category>
      <category domain="http://securityratty.com/tag/plain english">plain english</category>
      <category domain="http://securityratty.com/tag/economies">economies</category>
      <category domain="http://securityratty.com/tag/period">period</category>
      <source url="http://securitybuddha.com/2008/10/08/are-business-risk-and-technical-security-part-of-a-natural-fourier-series/">Are Business Risk and Technical Security Part of a Natural Fourier Series?</source>
    </item>
    <item>
      <title><![CDATA[Web Based Malware Emphasizes on Anti-Debugging Features]]></title>
      <link>http://securityratty.com/article/64ebe557625edfe9bcc0cbdc14885fe7</link>
      <guid>http://securityratty.com/article/64ebe557625edfe9bcc0cbdc14885fe7</guid>
      <description><![CDATA[Following the ongoing development of a particular web based malware, always comes in handy in terms of assessing the commoditization of anti-debugging features within modern malware. With plain simple,...]]></description>
      <content:encoded><![CDATA[<div style="text-align: left;"></div><div class="separator" style="clear: both; text-align: center;"></div><a href="http://3.bp.blogspot.com/_wICHhTiQmrA/SOqvOQBBJ4I/AAAAAAAACPw/fmDkcbMwPSs/s1600-h/web_based_malware_cc1_.JPG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/_wICHhTiQmrA/SOqvOQBBJ4I/AAAAAAAACPw/1HWDayNG6dU/s200-R/web_based_malware_cc1_.JPG" /></a>Following the ongoing development of a particular web based malware, always comes handy in terms of assessing <a href="http://ddanchev.blogspot.com/2008/09/commoditization-of-anti-debugging.html">the commoditization</a> of <a href="http://ddanchev.blogspot.com/2008/09/commercialization-of-anti-debugging.html">anti-debugging features</a> within modern malware. With plain simple, "managed binary crypting and firewall bypassing verification" on demand in February, to August's overall anti antivirus software mentality as a key differentiation factor of the malware.<br />
<br />
<div style="text-align: left;"></div><div class="separator" style="clear: both; text-align: center;"></div><a href="http://3.bp.blogspot.com/_wICHhTiQmrA/SOqymqusJ9I/AAAAAAAACP4/oRig4C4IWHo/s1600-h/web_based_malware_cc3_.JPG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/_wICHhTiQmrA/SOqymqusJ9I/AAAAAAAACP4/FyZQV_azx1o/s200-R/web_based_malware_cc3_.JPG" /></a>So what are they working on? Anti-tracing and emulation protection, PEiD and PESniffer protection, as well as anti-heuristic scanning, with a simple junk-data-adding feature in order to maintain a smaller binary size.<i> <br />
</i><br />
Here's a translated description :<br />
<br />
<div style="text-align: left;"></div><div class="separator" style="clear: both; text-align: center;"></div><a href="http://1.bp.blogspot.com/_wICHhTiQmrA/SOqzT_QNxpI/AAAAAAAACQA/vMxRy0XpiTc/s1600-h/web_based_malware_cc_new_version1.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/_wICHhTiQmrA/SOqzT_QNxpI/AAAAAAAACQA/WCAOc2P-dV8/s200-R/web_based_malware_cc_new_version1.jpg" /></a>"<i>- The binary works under admin and under normal user</i><br />
<i>- The binary is always run as the "current user"</i><br />
<i>- An unlimited number of bots can be loaded and integrated within the command and control, and with the geolocation feature, filters can be applied for a particular country</i><br />
<i>- After successful infection, the binary, which is tested against popular firewall and proactive protection security, ensures that the actions it takes and their order do not trigger the proactive protection mechanisms in place</i><br />
<i>- binary file size is 25k, the size can be reduced once it's crypted<br />
</i><br />
<i></i> <br />
<div style="text-align: left;"></div><div class="separator" style="clear: both; text-align: center;"></div><a href="http://2.bp.blogspot.com/_wICHhTiQmrA/SOqzZmhHaLI/AAAAAAAACQI/PD09GhFmXi4/s1600-h/web_based_malware_cc_new_version2.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/_wICHhTiQmrA/SOqzZmhHaLI/AAAAAAAACQI/6VE-Clw7bNk/s200-R/web_based_malware_cc_new_version2.jpg" /></a><i>- Doesn't take advantage of BITS protocol </i><br />
<i>- Doesn't allow an infected host to be infected twice</i><br />
<i>- Bypassing NAT and supporting "always-on" connections</i><br />
<i>- A simple, easy to configure web based admin panel</i>" <br />
<br />
What if the buyer doesn't care about the quality assurance practices applied? <a href="http://ddanchev.blogspot.com/2007/10/multiple-firewalls-bypassing.html">Managed lower AV detection and firewall bypassing service</a> comes into play.<div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/DanchoDanchevOnSecurityAndNewMedia/~4/413578893" height="1" width="1"/>]]></content:encoded>
      <pubDate>Mon, 06 Oct 2008 22:42:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/malware">malware</category>
      <category domain="http://securityratty.com/tag/web based malware">web based malware</category>
      <category domain="http://securityratty.com/tag/binary file">binary file</category>
      <category domain="http://securityratty.com/tag/binary">binary</category>
      <category domain="http://securityratty.com/tag/simple">simple</category>
      <category domain="http://securityratty.com/tag/plain simple">plain simple</category>
      <category domain="http://securityratty.com/tag/anti">anti</category>
      <category domain="http://securityratty.com/tag/simple junk data">simple junk data</category>
      <category domain="http://securityratty.com/tag/firewall">firewall</category>
      <source url="http://feeds.feedburner.com/~r/DanchoDanchevOnSecurityAndNewMedia/~3/413578893/web-based-malware-emphasizes-on-anti.html">Web Based Malware Emphasizes on Anti-Debugging Features</source>
    </item>
    <item>
      <title><![CDATA[Clickjacking]]></title>
      <link>http://securityratty.com/article/d0ea1f000cff44a5f2bfc35ef78afadf</link>
      <guid>http://securityratty.com/article/d0ea1f000cff44a5f2bfc35ef78afadf</guid>
      <description><![CDATA[Good Q&amp;A on clickjacking: In plain English, clickjacking lets hackers and scammers hide malicious stuff under the cover of the content on a legitimate site. You know what happens when a carjacker...]]></description>
      <content:encoded><![CDATA[<p>Good <a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9115818&source=NLT_SEC&nlid=38">Q&A</a> on clickjacking:</p>

<blockquote>In plain English, clickjacking lets hackers and scammers hide malicious stuff under the cover of the content on a legitimate site. You know what happens when a carjacker takes a car? Well, clickjacking is like that, except that the click is the car.</blockquote>

<p>"Clickjacking" is a stunningly sexy name, but the vulnerability is really just a variant of cross-site scripting.  We don't know how bad it really is, because the details are still being withheld.  But the name alone is causing dread.</p><div class="feedflare">
</div>]]></content:encoded>
      <pubDate>Mon, 06 Oct 2008 09:45:02 +0000</pubDate>
      <category domain="http://securityratty.com/tag/stunningly sexy">stunningly sexy</category>
      <category domain="http://securityratty.com/tag/plain english">plain english</category>
      <category domain="http://securityratty.com/tag/cross-site">cross-site</category>
      <category domain="http://securityratty.com/tag/car">car</category>
      <category domain="http://securityratty.com/tag/carjacker takes">carjacker takes</category>
      <category domain="http://securityratty.com/tag/site">site</category>
      <category domain="http://securityratty.com/tag/dread">dread</category>
      <category domain="http://securityratty.com/tag/content">content</category>
      <category domain="http://securityratty.com/tag/details">details</category>
      <source url="http://www.schneier.com/blog/archives/2008/10/clickjacking.html">Clickjacking</source>
    </item>
    <item>
      <title><![CDATA[Managed Fast Flux Provider - Part Two]]></title>
      <link>http://securityratty.com/article/210da9c1b19bf76a539ca28b24edc989</link>
      <guid>http://securityratty.com/article/210da9c1b19bf76a539ca28b24edc989</guid>
      <description><![CDATA[We're slowly entering a stage where RBN bullet proof hosting franchises are vertically integrating and, at the request of their customers, are starting to offer what they refer to as...]]></description>
      <content:encoded><![CDATA[<div style="text-align: left;"></div><div class="separator" style="clear: both; text-align: center;"></div><a href="http://1.bp.blogspot.com/_wICHhTiQmrA/SOQymgVga0I/AAAAAAAACOw/geleqRWDOE0/s1600-h/pharma_spam_fastflux.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/_wICHhTiQmrA/SOQymgVga0I/AAAAAAAACOw/8PTQr8G6mBM/s200-R/pharma_spam_fastflux.png" /></a>We're slowly entering a stage where <a href="http://ddanchev.blogspot.com/2008/09/estdomains-and-intercage-vs-cybercrime.html">RBN bullet proof hosting franchises</a> are vertically integrating and, at the request of their customers, are starting to offer what they refer to as "mirrored hosting", which in practice is a plain simple fast flux network consisting of RBN-like purchased netblocks and, naturally, botnet infected hosts.<br />
<br />
Managed fast-fluxing is only starting to go mainstream: for instance, in July I found evidence that <a href="http://ddanchev.blogspot.com/2008/07/money-mule-recruiters-use-asproxs-fast.html">money mule recruiters were using ASProx's infected hosts as hosting infrastructure</a>, and in November 2007 <a href="http://ddanchev.blogspot.com/2007/11/managed-fast-flux-provider.html">an infamous spamming software vendor</a> was also found to have been offering fast-flux services in the past.<br />
<br />
In this most recent fast-flux service, we have a known spammer and botnet master who, in between serving himself on his way to ensuring his portfolio of scammy domains remains online for a "little longer", is commercializing fast-fluxing and offering it as a DIY service:<br />
<br />
"<i>Finally after hardwork and great appreciation from our normal bullet proof  hosting/server clients we are able to launch Mirrored hosting. What is </i><i>Mirrored hosting</i><i> ?</i><br />
<i><br />
================<br />
</i><i>Mirrored hosting</i><i> is a powerful mirrored  web hosting management, uses multiple Virtual servers to host  website with 100% uptime. </i><i>Mirrored hosting </i><i>is a combination of two things, which  are:<br />
<br />
1. Specially Designed Virtual Servers</i><br />
<i> 2. Powerful  Automated Control Panel</i><br />
<br />
<i>How does it work ?<br />
===============&nbsp;</i><br />
<br />
<i>Mirrored hosting</i><i> uses specially configured Virtual Servers making them link with the </i><i>Mirrored hosting</i><i> Control Panel  which is then controlled by our own control panel allowing us to provide smooth  streamline hosting with no downtime. No one is able to trace original IP of the  server or the place where the files are hosted so the websites/domains hosted  have a 100% Uptime. This is achieved by unique customisation of our Virtual Servers.<br />
<br />
<b>Actually, it takes ips around the world and our  powerful control panel just rotates the ips every 15 minutes. though all these  ips you will see will be fake no one can trace the orignal ip where files are  hosted. Sometimes the ip is from China, Korea, USA, UK, Japan, Lithuania etc.</b></i>"<br />
<br />
The concept has always been there for cybercriminals to take advantage of, but once it matures into a managed service it will undoubtedly lower the entry barriers, allowing yesterday's average phishers to take advantage of what only the "pros" were used to.<br />
<br />
<b>Related posts:</b><br />
<a href="http://ddanchev.blogspot.com/2007/09/storm-worms-fast-flux-networks.html">Storm Worm's Fast Flux Networks</a><br />
<b> </b><a href="http://ddanchev.blogspot.com/2007/11/managed-fast-flux-provider.html">Managed Fast Flux Provider</a><br />
<a href="http://ddanchev.blogspot.com/2007/10/fast-flux-spam-and-scams-increasing.html">Fast Flux Spam and Scams Increasing</a><br />
<a href="http://ddanchev.blogspot.com/2007/10/fast-fluxing-yet-another-pharmacy-scam.html">Fast Fluxing Yet Another Pharmacy Spam</a><br />
<a href="http://ddanchev.blogspot.com/2008/07/obfuscating-fast-fluxed-sql-injected.html">Obfuscating Fast Fluxed SQL Injected Domains</a><br />
<a href="http://ddanchev.blogspot.com/2008/05/storm-worm-hosting-pharmaceutical-scams.html">Storm Worm Hosting Pharmaceutical Scams</a><br />
<a href="http://blogs.zdnet.com/security/?p=1122">Fast-Fluxing SQL injection attacks executed from the Asprox botnet</a><div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/DanchoDanchevOnSecurityAndNewMedia/~4/409475392" height="1" width="1"/>]]></content:encoded>
      <pubDate>Thu, 02 Oct 2008 08:39:01 +0000</pubDate>
      <category domain="http://securityratty.com/tag/fast">fast</category>
      <category domain="http://securityratty.com/tag/fast flux provider">fast flux provider</category>
      <category domain="http://securityratty.com/tag/fast flux networks">fast flux networks</category>
      <category domain="http://securityratty.com/tag/recent fast-flux service">recent fast-flux service</category>
      <category domain="http://securityratty.com/tag/powerful control panel">powerful control panel</category>
      <category domain="http://securityratty.com/tag/control panel">control panel</category>
      <category domain="http://securityratty.com/tag/virtual servers">virtual servers</category>
      <category domain="http://securityratty.com/tag/multiple virtual servers">multiple virtual servers</category>
      <category domain="http://securityratty.com/tag/fast flux spam">fast flux spam</category>
      <source url="http://feeds.feedburner.com/~r/DanchoDanchevOnSecurityAndNewMedia/~3/409475392/managed-fast-flux-provider-part-two.html">Managed Fast Flux Provider - Part Two</source>
    </item>
    <item>
      <title><![CDATA[A Diverse Portfolio of Fake Security Software - Part Seven]]></title>
      <link>http://securityratty.com/article/51d3037b3c70ac0a110b0606415c4194</link>
      <guid>http://securityratty.com/article/51d3037b3c70ac0a110b0606415c4194</guid>
      <description><![CDATA[In case you haven't heard - Microsoft and Washington state are suing a U.S.-based -- naturally -- &quot;scareware&quot; vendor, Branch Software

We won't tolerate the use of alarmist warnings or deceptive...]]></description>
      <content:encoded><![CDATA[<div style="text-align: left;"></div><div class="separator" style="clear: both; text-align: center;"></div><a href="http://3.bp.blogspot.com/_wICHhTiQmrA/SOKKvX_5seI/AAAAAAAACMw/V5DqP_zsvuk/s1600-h/lawsuit_got_one.gif" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="161" src="http://3.bp.blogspot.com/_wICHhTiQmrA/SOKKvX_5seI/AAAAAAAACMw/FVk3TrvBJIo/s200-R/lawsuit_got_one.gif" width="200" /></a>In case you haven't heard - <a href="http://voices.washingtonpost.com/securityfix/2008/09/microsoft_washington_state_tar.html">Microsoft and Washington state</a> are suing a U.S.-based -- naturally -- "scareware" vendor, Branch Software:<br />
<br />
"<i>We won't tolerate the use of alarmist warnings or deceptive 'free scans' to  trick consumers into buying software to fix a problem that doesn't even exist,"  Washington <b style="font-weight: normal;">Attorney General Rob McKenna</b> said. <b>"We've repeatedly  proven that Internet companies that prey on consumers' anxieties are within our  reach.</b></i><b>"</b><br />
<br />
Sadly, Branch Software is only the tip of the iceberg: like <a href="http://ddanchev.blogspot.com/2008/03/cybersquatting-security-vendors-for.html">IBSOFTWARE CYPRUS</a> and <a href="http://ddanchev.blogspot.com/2008/04/cybersquatting-symantecs-norton.html">Interactivebrands</a>, which I've been tracking for a while, it is one of the affiliates participating in different affiliate-based programs, the aggregators of scareware<b><span style="font-weight: normal;"> that popped up on the radar due to their extensive portfolios. These three companies, offering software bundles or plain simple fake software, sit somewhere in the middle of this ecosystem's food chain, with the real vendors paying out the commissions on a per-installation basis and slowly starting to issue invitation codes that they distribute only across invite-only forums or sections of particular forums.</span></b><br />
<br />
Behind these brands is everyone who is participating in the franchise and putting personal effort into monetizing the high payout rates that the fake security software vendor is paying per successful installation. These high payout rates -- with the financing naturally coming straight from other criminal activities online -- are in fact so high that I can easily say that in the last two quarters we've witnessed the largest increase of such domains ever, and they're only heating up, since the typosquatting possibilities are countless and they seem to know that as well.<br />
<br />
It's important to point out that their business model of acquiring traffic is outsourced to all the affiliates that do the blackhat SEO, SQL injections, and web session hijacking of malware infected hosts in order to monetize, so basically you have an affiliate network whose actions are directly driving the growth of all these areas. Throwing money into the underground marketplace as a "financial injection" is proving itself to be a growth factor and an incentive for innovation on behalf of all the participants.<br />
<br />
Here are some of the most recent fake security software domains, a "deja vu" moment with a known RBN domain from a "previous life" that is also parked at one of the servers, and evidence that typosquatting for fraudulent purposes is still pretty active, with a dozen Norton Antivirus related domains, some of which have already started issuing "fake security notices" by brandjacking the vendor for traffic acquisition purposes.<br />
<br />
<b>Antivirus-Alert .com </b>(203.117.111.47), where<b> pepato .org</b>, a domain that was used in the <a href="http://ddanchev.blogspot.com/2008/03/wiredcom-and-historycom-getting-rbn-ed.html">Wired.com and History.com IFRAME injections</a>, is also parked; back in March it was also hosted at Hostfresh (58.65.238.59).<br />
<br />
<b>softload2008name .com</b> (78.157.143.250)<br />
<b>softload2008nm .com<br />
softload2008n .com<br />
softload2008jq .com</b><br />
<br />
<b>microantivir-2009 .com</b> (91.208.0.223)<br />
<b>scanner.microantivir-2009 .com<br />
microantivir2009 .com<br />
microantivirus-2009 .com<br />
microantivirus2009 .com</b><br />
<br />
<b>ms-scan .com</b> (91.208.0.228)<br />
<b>msscanner .com</b><br />
<b>ms-scanner .com</b><br />
<br />
<b>Personalantispy .com</b> (93.190.139.197)<br />
<b>freepcsecure .com<br />
quickinstallpack .com<br />
quickdownloadpro .com<br />
advancedcleaner .com<br />
performanceoptimizer .com<br />
internetanonymizer .com</b><br />
<br />
<b>ieprogramming .com</b> (92.62.101.83)<br />
<b>uptodatepage .com<br />
fileliveupdate .com<br />
qwertypages .com<br />
sharedupdates .com<br />
ierenewals .com</b><br />
<br />
<div style="text-align: left;"></div><div class="separator" style="clear: both; text-align: center;"></div><a href="http://4.bp.blogspot.com/_wICHhTiQmrA/SOKZEpXlfhI/AAAAAAAACM4/eJI5I5BgGoQ/s1600-h/norton_alert.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/_wICHhTiQmrA/SOKZEpXlfhI/AAAAAAAACM4/Rpjz8LY4LEQ/s200-R/norton_alert.png" /></a><b>norton-antivirus-alert .com<br />
norton-anti-virus-2007 .com <br />
norton-antivirus-2007 .com <br />
norton-antivirus2007 .com <br />
nortonantivirus2007 .com <br />
norton-antivirus-2008 .com <br />
nortonantivirus2008 .com <br />
nortonantivirus2008freedownload .com <br />
norton-antivirus-2009 .com <br />
nortonantivirus2009 .com <br />
norton-antivirus-2010 .com <br />
nortonantivirus2010 .com <br />
nortonantivirus360 .com <br />
nortonantivirus8 .com <br />
nortonantivirusa .com <br />
nortonantivirusactivation .com <br />
norton-antivirus-alert .com <br />
nortonantivirusalerts .com <br />
norton--anti-virus .com <br />
norton-anti-virus .com <br />
norton-antivirus .com <br />
nortonanti-virus .com <br />
nortonantivirus.com <br />
nortonantiviruscom .com <br />
nortonantiviruscorporate .com <br />
nortonantiviruscorporateedition .com <br />
nortonantiviruscoupon .com <br />
nortonantivirusdefinition .com <br />
nortonantivirusdefinitions .com <br />
nortonantivirusdirect .com</b><br />
<br />
Fake Antivirus Inc. is not going away as long as the affiliate based model remains active. If the real vendors were greedy enough not to share the revenues with others, they would have been the ones popping up on the radar; instead it's the greed of the affiliate network's participants that's increasing their visibility online.<br />
<br />
<b>Related posts:</b><br />
<a href="http://ddanchev.blogspot.com/2008/09/diverse-portfolio-of-fake-security_24.html">A Diverse Portfolio of Fake Security Software - Part Six</a><br />
<a href="http://ddanchev.blogspot.com/2008/09/diverse-portfolio-of-fake-security.html">A  Diverse Portfolio of Fake Security Software - Part Five</a> <br />
<a href="http://ddanchev.blogspot.com/2008/08/diverse-portfolio-of-fake-security_25.html">A  Diverse Portfolio of Fake Security Software - Part Four</a><br />
<a href="http://ddanchev.blogspot.com/2008/08/diverse-portfolio-of-fake-security_20.html">A  Diverse Portfolio of Fake Security Software - Part Three</a><b> </b><br />
<a href="http://ddanchev.blogspot.com/2008/08/diverse-portfolio-of-fake-security.html">A  Diverse Portfolio of Fake Security Software - Part Two</a><br />
<a href="http://ddanchev.blogspot.com/2007/12/diverse-portfolio-of-fake-security.html">Diverse  Portfolio of Fake Security Software</a> <br />
<a href="http://ddanchev.blogspot.com/2008/04/cybersquatting-symantecs-norton.html">Cybersquatting Symantec's Norton AntiVirus</a><br />
<a href="http://ddanchev.blogspot.com/2008/03/cybersquatting-security-vendors-for.html">Cybersquatting Security Vendors for Fraudulent Purposes</a><br />
<a href="http://ddanchev.blogspot.com/2008/08/fake-porn-sites-serving-malware-part.html">Fake  Porn Sites Serving Malware - Part Three</a><br />
<a href="http://ddanchev.blogspot.com/2008/07/fake-porn-sites-serving-malware-part.html">Fake  Porn Sites Serving Malware - Part Two</a><br />
<a href="http://ddanchev.blogspot.com/2008/06/fake-porn-sites-serving-malware.html">Fake  Porn Sites Serving Malware</a><br />
<a href="http://ddanchev.blogspot.com/2008/09/estdomains-and-intercage-vs-cybercrime.html">EstDomains  and Intercage VS Cybercrime</a><br />
<a href="http://ddanchev.blogspot.com/2008/08/fake-security-software-domains-serving.html">Fake  Security Software Domains Serving Exploits</a><br />
<a href="http://ddanchev.blogspot.com/2008/04/localized-fake-security-software.html">Localized  Fake Security Software</a><br />
<a href="http://ddanchev.blogspot.com/2008/05/got-your-xpshield-up-and-running.html">Got  Your XPShield Up and Running?</a><br />
<a href="http://ddanchev.blogspot.com/2008/05/fake-pestpatrol-security-software.html">Fake  PestPatrol Security Software</a><br />
<a href="http://ddanchev.blogspot.com/2007/10/rbns-fake-security-software.html">RBN's  Fake Security Software</a><br />
<a href="http://ddanchev.blogspot.com/2008/07/lazy-summer-days-at-ukrtelegroup-ltds.html">Lazy  Summer Days at UkrTeleGroup Ltd</a><br />
<a href="http://ddanchev.blogspot.com/2008/02/geolocating-malicious-isps.html">Geolocating  Malicious ISPs</a><br />
<a href="http://ddanchev.blogspot.com/2008/06/malicious-isps-you-rarely-see-in-any.html">The  Malicious ISPs You Rarely See in Any Report</a><b> </b><div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/DanchoDanchevOnSecurityAndNewMedia/~4/407645950" height="1" width="1"/>]]></content:encoded>
      <pubDate>Tue, 30 Sep 2008 12:35:15 +0000</pubDate>
      <category domain="http://securityratty.com/tag/software">software</category>
      <category domain="http://securityratty.com/tag/fake security software">fake security software</category>
      <category domain="http://securityratty.com/tag/vendor branch software">vendor branch software</category>
      <category domain="http://securityratty.com/tag/vendor">vendor</category>
      <category domain="http://securityratty.com/tag/diverse portfolio">diverse portfolio</category>
      <category domain="http://securityratty.com/tag/fake porn sites">fake porn sites</category>
      <category domain="http://securityratty.com/tag/software bundles">software bundles</category>
      <category domain="http://securityratty.com/tag/branch software">branch software</category>
      <category domain="http://securityratty.com/tag/norton antivirus">norton antivirus</category>
      <source url="http://feeds.feedburner.com/~r/DanchoDanchevOnSecurityAndNewMedia/~3/407645950/diverse-portfolio-of-fake-security_30.html">A Diverse Portfolio of Fake Security Software - Part Seven</source>
    </item>
  </channel>
</rss>
