[SecurityRatty] tag: pre-screend

PCI V1.2, a good start but still not enough

Wed, 03 Sep 2008 12:56:31 +0000

Blogger: Randall Gamby

Two weeks ago the PCI Security Standards Council released the preliminary details of the PCI Data Security Standard (DSS) V1.2 that’s due out in October. While many Analysts and Reporters have already written on the topic (I’ll be releasing an extensive update on Burton Group’s PCI coverage around the October release date), they really haven’t commented on what’s still not been addressed by the standard for enterprises still working on attaining compliance.

While I applaud the PCI Security Standards Council in further clarifying and adjusting the standard, a lot of work still needs to be done. I receive about one or two PCI questions a week from our clients and they seem to revolve around a couple of topics I’ve yet to see addressed:

Guidelines for selecting a Qualified Security Assessor (QSA) – while there are a large number of QSA organizations listed on the PCI Security Standards Council web site; they can’t really recommend a particular QSA for an individual organization. This leads a lot of organizations to struggle with determining what criteria they should use in selecting a QSA for their certification.
The role of the QSA – organizations are also still trying to understand the role of a QSA. Should they get a QSA involved in the gap and remediation process in advance of certification? If so, should it be the same QSA that will do their certification (knowing there’s a risk that the QSA will be pre-disposed to only care about certain vulnerabilities)?
Industry-specific best practices – while each organization may have different infrastructures, in general, most industries try to be consistent with the major functions they perform. So are credit card transactions handled differently between say, a major retailer with 10,000 POS systems and an insurance company that has hundreds of independent agents receiving remittances? Probably, so what are best practices around these industry-specific configurations?
Virtualized environments – while the PCI Security Standards Council recognizes that some organizations have moved to virtual services for consolidation and management, the DSS really doesn’t provide guidelines for QSAs to evaluate and certify these environments.
Monitoring and audit – while the PCI DSS recommends minimum timeframes for scanning, doing pen tests, etc. what are the real levels of monitoring and audit needed for ensuring security? With the Hannaford and Okemo breaches that occurred (both where PCI compliant), neither discovered the problem until months after the breaches had happened. So identifying what should be scanned and tested and if some of this should be on a continuous basis still requires refinement.
PCI as part of an overall security model – what are the best practices around merging PCI security requirements into an enterprise’s overall security model? Should it be maintained separately? Should some components be integrated with similar security mechanisms? Should PCI be at the top of the security model and other configurations be based upon its requirements? There are really no answers coming forth on this topic and the other question is where will they come from? Surely enterprises won’t expect the PCI Security Standards Council to tell them how to run their security services.

I will be providing Burton Group’s perspective on most of these questions in my upcoming report, but rather than relying on third parties to resolve these, I’d hope that the PCI Security Standards Council will be able to continue to provide answers to the questions they can in future updates, and releases, of the PCI DSS.

HP Hires 140,000 to Get Rid of Your Job

Wed, 27 Aug 2008 09:47:57 +0000

HP completed its $13.25 billion acquisition of EDS today.

Can HP-EDS put its money where its mouth is? EDS profit margin, pre-acquisition, was under 6%. The former EDS CEO, now heading the combined outsourcing unit, expects to leverage HP automation tools to cut costs and improve that margin.

But Rod Bourgeois, an analyst at Sanford Bernstein says, “It’s not like HP has automation tools that weren’t at EDS’s disposal before.”

But this brings up a good point. EDS and 140,000 new bodies notwithstanding, HP seems to be positioning itself to do a big automation push in the marketplace.

Of course this makes sense – we’ve talked before about what a critical role automation is going to have in managing the rapidly evolving “dynamic” data center. Technologies like virtualization and cloud computing needs are pushing out the limits of real-time resources management in the data center; management tools must perform faster, integrate with more solutions across the spectrum of IT infrastructure and be smart enough to do much of this on their own.

Went on Vacation - Missed PCI DSS 1.2 :-)

Thu, 21 Aug 2008 04:52:00 +0000

OMG, I go on vacation for 3 days (pretty much offline) - and I miss pre-release of PCI DSS 1.2.
How unfair is that? :-)

In any case, I am baaaaaack!

EPTS: Proposed Event Processing Definitions, September 20, 2006

Thu, 21 Aug 2008 01:47:11 +0000

For interested readers, here are the event processing definitions we provided to the (future) EPTS working group on September 20, 2006, coordinated (edited) by David Luckham and Roy Schulte;

adaptive process management (n.) an element of resource and business process management, adaptive search and event processing. Sometimes referred to as “Level 4” event processing or process refinement.

application concept (n.) a definition of a set of properties that represent the data fields of an application entity. An application concept can describe relationships among themselves. For example, an order concept might have a parent/child relationship with an item concept. A department concept might be related to a purchase requisition concept based on the shared property, department_id. Application concepts can include an application state model.

application state modeler (n.) a UML-compliant application that allows you to model the life cycle of a concept instance — that is, for each instance of a given concept, you can define which states it will pass through and how it will transition from state to state. States have entry actions, exit actions, and conditions, providing precision control over the behavior of an event processing agent. Transitions between states also may have rules. Multiple types of states and transitions maximize the versatility and power of the application state modeler.

derived event (n.) an event that is created as a result of processing one or more other events.

complex event (n.) an event that is a situation-entity abstraction of two or more simple, derived or other complex events.

complex event processing (n.) CEP is a technology for extracting information from message-based systems. CEP is primarily an event processing concept that deals with the task of processing multiple events from an event cloud with the goal of identifying the meaningful events within the event cloud. CEP employs techniques such as detection of complex patterns of many events, event correlation and abstraction, event hierarchies, and relationships between events such as causality, membership, and timing, and event-driven processes.

event (n.) a instance of an event definition. It is an immutable object that represents a business activity that happened at a single point in time. Just as one cannot change the fact that a given activity occurred, one cannot change an event — events are immutable.

event aggregation (n.) the aggregation of simple, derived or complex events into higher levels of event abstractions.

event definition (n.) a set of properties related to a given activity that represents an important or interesting change of state in a human, system or computational activity. An event definition includes event properties such as event priority, event time to live (TTL), and a description of the payload, which is comprehensive information related to the activity that occurred. Events expire when the TTL has elapsed, unless the event processing agent has instructions to consume them prior to that time.

event channel (n.) a communications channel in which events are transmitted from event source to event receivers, typically received as electronic messages. Each channel can have multiple destination and. events can be configured to transmit to a default destination. JMS is an example of an event channel.

event cloud (n.) a partially ordered set of events (poset), either bounded or unbounded, where the partial orderings are imposed by the causal, timing and other relationships between the events. Typically an event cloud is created by the events produced by one or more distributed systems. An event cloud may contain many event types, event streams and event channels. The difference between a cloud and a stream is that there is no event relationship that totally orders the events in a cloud.

event-driven (n.) the behavior of a human, system or computational entity whose execution or actuation is in response to events, typically received as electronic messages.

event-driven architecture (n.) an architectural style for distributed computing applications in which some of the components are event-driven and communicate by means of events.

event processing (n.) computing that performs operations on events, including modifying, creating and destroying events.

event-object (n.) an software object that represents an event, generally for the purpose of computer processing, that exhibits both encapsulation, inheritance and polymorphism.

event prediction (n.) computational activity where the impact of events, complex events, and situations caused by events identified, including both opportunity or threat. Sometimes referred to as “Level 2” event processing, impact assessment or predictive analytics.

event pre-processing (n.) computational activity where events are cleansed or normalized to produce semantically understandable data. Sometimes referred to as “Level 0” event processing.

event processing (n.) computational activities on events dealing with the association, correlation, and combination of event data and information from single and multiple event sources to achieve refined identity and situation estimates for observed event objects, and to achieve complete and timely assessments of opportunities, threats, and their significance. Event processing is characterized by continuous refinements of event estimates and assessments and by evaluation of the need for additional sources, or modification of the process itself, to achieve improved results.

event processing agent (n.) an EPA is a computational entity that performs event processing.

event processing network (n.) a set of event processing agents and a set of event channels connecting them.

event properties (n.) data representation of an event, typically by name-value pairs of type string, integer, real, boolean or a complex data type.

event refinement (n.) filter, identify and track events & make initial processing decisions based on association, correlation and state estimation. Sometimes referred to as “Level 1” event, or event-object, track and trace.

event stream (n.) a time-ordered sequence of events. An event stream may be bounded by a certain time interval or other contextual dimension (content, space, source, certainty), or be open ended and unbounded.

event stream processing (n.) a time-ordered sequence of events. An event stream may be bounded by a certain time interval or other contextual dimension (content, space, source, certainty), or be open ended and unbounded.

rule (n.) defines what triggers unusual, suspicious, problematic, or advantageous activity within an event processing agent and what the EPA does when it discovers these types of activities. Rules execute actions based on certain conditions on events, instances, or a combination of both. A rule includes a group of condition-rule statements and action-rule statements. The condition statements instruct the EPA what to look for in events, and action statements instruct the EPA how to respond when conditions are met. If all the conditions in a rule are satisfied by events or instances or both, the EPA fires the actions. The action might be to execute tasks, create an event instance, modify property values in an event instance, create and send an event, or something else.

rules engine (n.) a type of event processing agent that uses a declarative programming model to process events. Formally described as “an abstract structure that describes a formal language precisely, i.e., a set of rules that mathematically delineates a (usually infinite) set of finite-length strings over a (usually finite) alphabet“. Informally, it can be any system that uses rules, in any form, that can be applied to data to produce outcomes.

rule language (n.) is an artificial language that is used to control the behavior of an event processing agent. Rules languages, like human languages, have syntactic and semantic rules to define meaning.

situation refinement (n.) identify situations, or complex events, based on event clustering, event-event relationships and relationship analysis and context. Sometimes referred to as “Level 2” event processing.

simple event (n.) an event that is not an abstraction or composition of other events.

virtual event (n.) an event that is imagined, modeled or simulated.

Note: The Emerging Technologies Engineering Team at TIBCO Software significantly contributed to these event processing terms and definitions.

The Secret Sauce is the Situation Models

Sat, 09 Aug 2008 06:23:08 +0000

Alan Lundberg wrote, Intelligent Business Process Platform? in response to Bringing Order to Chaos where someone from PWC linked event processing to business intelligence and business process management. In turn, James Taylor penned Using decision management to deliver intelligent business performance where James rightly said that it does not require “heroic efforts” to integrate event processing, BI, BPM and other decision support tools.

As a reference, you may have seen this briefing, one of many where I show these functional relationships, Mythbusters: Event Stream Processing Versus Complex Event Processing, from DEBS2007. For example slide 23 shows the functional relationship between events, pre-processing, event tracking, situational detection, historical patterns (the output of BI tools, for example), visualization and business process management.

In Faithful Representation, Richard Veryard reminds his readers that the most challenging part is in the situation models (not the system integration). Unfortunately, by accident, Richard incorrectly attributes Opher Etzion’s “first order situation model approximation” to both Opher and I in this quote from Richard’s post, “a simple situation model of complex events, in which events (including derived, composite and complex events) represent the “situation”.

Actually, that simple situation model above is Opher’s, not mine. I have offered a more general and comprehensive (first draft) situation model, in A Simple Situation Model for Complex Events based on a cognitive situation model used by researchers at the University of Notre Dame. I do not believe that complex events and situations can be modelled accurately using Opher’s simple model of derived, composite and complex events. This model is overly simple, in my opinion. to represent the vast majority of CEP classes of problems, perhaps explaining why Opher and I do not agree on the state-of-the-art of CEP. Opher tends to view CEP as mostly an extension of active database technology where I see CEP as a technology that is much more closely aligned with the cognitive models represented in the art-and-science of multi-sensor data fusion (MSDF).

Complex events represent situations, and situations must be accurately modelled if we are going to accurately detect them in real-time. If your business cannot model a complex event (situation) then it does not matter what software you buy, how much money you spend, or what event processing and integration platform you use. The models are hard. The system integration is relatively easy.

The secret sauce is the situation and complex event models.

As mentioned here a few times, it does not matter how fast you process events in real-time, if your model is wrong, you just detect the wrong thing very fast. This is very bad and quite dangerous. You will make bad decisions fast. You will waste time, money and resources.

This is why CEP benchmarks should be based on accuracy in situation detection, not in latency and other low-level performance metrics. First, get the models right; then refine to detect faster, if speed is required. What has happened in CEP to date, is that the models are so simple, they do not really detect complex events, they just process and act on simple events that are easy to model.

Pedal to the metal NAC

Fri, 08 Aug 2008 12:01:03 +0000

OK, I am not really a big car racing fan. I don’t know, Long Island was not a NASCAR hot bed. Of course the Indy 500 was always big news. In any event I have become much more of a race fan since Chip Ganassi racing became a StillSecure customer. They are using a complete NAC solution that performs both pre and post connect testing. Racing today is not about some gearheads putting in spark plugs and changing tires. It is high, hi-tech and their information security needs to protect their IP are high priority.

Rather than the usual case study, our VP of marketing Jayson Ayers actually tried something new. A video case study is what we have done. I think it is pretty cool and in the spirit of the YouTube generation, am embedding it here. You can read more about this on our site here.

Apptis and USNS Mercy Monitoring on the High Seas

Thu, 07 Aug 2008 11:59:40 +0000

Meet Mike Lawson, Pre-Sales Engineer at Apptis, a leading system integrator and ScienceLogic partner that has deployed EM7 to meet the network, systems and application management needs of several customers. We thought Mike would have an interesting perspective to share on EM7, having recently come from the “customer side” and already with a few deployments under his belt.

ScienceLogic: Mike, what’s your background working with network and management system tools?

Mike Lawson: Before joining Apptis, I worked for the Air Force, mainly in satellite communications for almost nine years. I’m probably most familiar with HP OpenView and BMC Remedy. I managed a team that used them but wasn’t involved in tool selection; like many other federal IT workers, we didn’t have a choice of tools because there were existing enterprise licenses and maintenance contracts.

I also saw a large systems integrator do a full Remedy/Crystal Systems/OpenView installation. It took 6 weeks to stand up and customize to meet just the basic monitoring requirements, and it cost something like half a million dollars. At the time, I thought that wasn’t bad and was a pretty typical experience.

ScienceLogic: Coming from where you did, what’s your take on EM7?

Mike Lawson: Honestly, I didn’t believe that EM7 could really do all that it claimed. In many ways, it was the complete opposite of what I had seen first-hand with other monitoring solutions. Could it really cover that much functionality? At relatively much lower cost to the customer and without the licensing nightmare?

That quickly changed when I needed to understand the system enough to run it at a customer’s site. I went back over the training docs I received during my initial training class and jumped in; now, 6 months later, I’m the EM7 expert and can tell you that it delivers on all those promises. (But I still need to show people to get them to believe it too)

I preach the “EM7 gospel” and when anyone wants to talk monitoring, I ask about the universal pain points: cost, maintenance contracts and licensing, and then I explain EM7. The cost difference is real; the solution is based on capacity, so there’s no licensing and it’s easy to use. They are shocked to learn that they can buy multiple EM7 appliances and years of maintenance for what they paid for most other tools.

ScienceLogic: Apptis won the contract for monitoring aboard the USNS Mercy. We love that you’re using EM7 for one of the Navy’s hospital ships. Can you tell us more?

Mike Lawson: The USNS Mercy is a Military Sealift Command hospital ship. Some stats:

849 feet long (nearly the size of a football field)
12 fully-equipped operating rooms, a 1,000 bed hospital facility, digital radiological services, a diagnostic and clinical laboratory, a pharmacy, an optometry lab, a CAT scan and two oxygen producing plants
Crew: 61 civilian mariners, 956 Naval medical staff, and 259 Naval support staff

The USNS recently departed on a five-month humanitarian mission in the Western Pacific and Southeast Asia in support of Pacific Partnership 2008. The partnership provides international medical, dental and engineering teams this summer to provide humanitarian support and conduct joint, combined, and cooperative Civil-Military Operations in order to improve regional stability and build partner capacity to respond to natural disasters and pandemic.

For the most part, the ship’s network is self-contained, but can also use a landline when docked. The network covers 400 devices, including Windows/Exchange servers and VMware for server virtualization. Prior to using EM7, none of the monitoring was integrated; each system was independently monitored through individual vendor-specific consoles.

Out of the box, EM7 provided integrated systems, application and network management for all network gear, applications and virtual machines in one solution. We didn’t have to do a lot of customization – EM7 includes best-practice based thresholds, event and monitoring templates and this covered what USNS Mercy needed to monitor.

ScienceLogic: You’re a systems integrator with a very useful “customer point of view” when it comes to looking at tools. From that perspective, can you share what you think are the biggest benefits that EM7 provides?

Mike Lawson: First of all, EM7 stands up right away. We’re talking days, not weeks. In contrast to the lengthy installation of OpenView and Remedy I witnessed during my military career, I was able to configure, customize, and implement the EM7 solution for the USNS Mercy in three days.

Second, it’s easy to train people on and the support is outstanding. This judgment is from first-hand experience. Right before the USNS Mercy departed on its latest voyage, the system administrator I had trained on EM7 left, so I had all of a day to train some new EM7 admins. I prepared a seven-page “cheat sheet” and over a 3-hour conference call, we walked through the entire EM7 solution; I haven’t gotten a support call since.

And when a problem did crop up with a device being discovered incorrectly, ScienceLogic was very responsive. We contacted ScienceLogic support on a Saturday and they created and emailed us a video to help troubleshoot the same day. Within 30 seconds of watching the video, the problem was resolved.

Finally, EM7 helps us be good stewards of the government’s money. This is very important to me personally and to Apptis as a company. Because EM7 is cheaper and deploys so quickly and easily, you might think that it’s just the opposite of what a system integrator would want to use. But that’s short-term thinking. We believe in deliver the most value for customers every time. It’s what creates trust and long-term relationships with our customers. Instead of that half million spent on standing up the solution and basic setup, I’d much rather (and I know the customer would rather) spend that on fine-tuning or extending the solution to do much, much more.

As a former government employee, I know what it’s like to use a tool that doesn’t fit my needs. EM7 proves that the best solution can totally break the old model of costly, lengthy installations. EM7 has the right model: the right solution and the right price delivered as an appliance that is easy to deploy, train on and use.

ShareThis

As They Say: When in Rome, Do as the Romans.

Thu, 07 Aug 2008 06:19:13 +0000

Recently I had a nice conversation with the head of Asia-Pacific of an international company about how to succeed in Thailand. I explained how businesses in Thailand do not respond well to companies that come to Thailand with no experience, track record or support infrastructure here in the Kingdom. I also explained how Thailand has a strong cultural tradition around “the teacher culture,” where teachers are considered much higher than mere consultants and integrators.

The conversation went well, I thought, until I received a call from another person in the company who proceeded to tell me how to do business in Thailand and how to determine the target market, and how to set up sales. Now mind you, I had already explained that there would be no immediate sales opportunities for a few years, realistically, and that this was a long term initiative, designed around a solid education and training program - build infrastructure first. From a strong education and training program, the market would become clear.

This is such a simple win-win-win situation, but companies do not seem to understand it. They just want to exploit every contact, event situation, for a quarterly sell. Why not take the long view as well, since it does not cost you any money?

The guy on the other end of the phone would have nothing to do with our way of thinking in Thailand. He seemed to be pushing to insure pre-sales contact immediately. Instead of supporting us, he wanted to manage us from overseas!! We asked for support to build their brand, what they seemed to offer was management by proxy!

Folks, this will not work in Thailand (or most Asia countries).

If you want to tap into the fast growing Asia market, leave behind your aggressive New York or Silicon Valley sales guns and forceful presale tactics, where you are content to find an opening, exploit it, make a sale, and report the sale on your quarterly report. You can get aggressive when you have built a sustainable infrastructure. The same is true in Japan, not only Thailand.

In Asia, do as the Asians. In Rome, do as the Romans. In Thailand, do as the Thais. In Japan, do as the Japanese.

It is easy to make money in Thailand (and other Asia countries) if you follow their way of business. Educate, teach, build a workforce, build a sustainable infrastructure on the ground, and then sell, sell, sell.

Granted, many companies do not have resources to do this overseas. In that case, enable your partners to do it and let them build the business; don’t manage them, support them.

Summarizing July's Threatscape

Fri, 01 Aug 2008 12:08:24 +0000

July's threatscape -- consider going through June's summary as well -- once again demonstrated that nothing is impossible, the impossible just takes a little longer where the incentive would be the ultimate monetization of the process.

Russian hacktivists attacking Lithuania and Georgia, several Storm Worm campaigns, a couple of new malware tools, Neosploit team abandoning support for their web malware exploitation kit, CAPTCHA for several of the most popular free email providers getting efficiently attacked in order to resell the bogus accounts registered in the process, several copycat SQL injects next to the evasion techniques applied by the copycats, botnets continuing to commit click fraud and generate revenue for those who own or have rented them, an infamous money mule recruitment service taking advantage of the fast-fluxed network provided by the ASProx botnet - pretty interesting month indeed.

01. Decrypting and Restoring GPcode Encrypted Files -
The GPcode authors read the news too, and are catching up with the major weaknesses pointed out in their previous release in order to come with a virtually unbreakable algorithm. And since more evidence of who's behind the GPcode ransomware was gathered, vendors and independent researchers realized that the latest release is also susceptible to a plain simple flaw, namely the encrypted files were basically getting deleting and not securely erased making them fairly easy to recover.

02. Chinese Bloggers Bypassing Censorship by Blogging Backward -
When you know how it works, you can either improve, abuse or destroy it in that very particular order. Chinese bloggers are always very adaptive in respect to spreading their message by obfuscating their messages in a way that common keywords filtering software wouldn't be able to pick them.

03. Gmail, Yahoo and Hotmail’s CAPTCHA Broken -
This has been an urban legend for a while, but with more services starting to offer hundreds of thousands of pre-registered accounts at these providers, it's surprising that spam and phishing emails coming from legitimate email providers is increasing. The "vendors" behind these propositions are naturally starting to "vertically integrate" by offering value-added services for extra payments, namely, scripts to automatically abuse the pre-registered accounts for automatic registration of splogs and anything else malicious or blackhat SEO related.

04. The Antivirus Industry in 2008 -
If it were anyone else but a security vendor to come up with such a realistic cartoon aiming to stimulate innovation by emphasizing on how prolific and sophisticated malware groups have become, it would have been a biased cartoon. However, this one is courtesy of a security vendor, and it's pretty objective.

05. Lithuania Attacked by Russian Hacktivists, 300 Sites Defaced -
This attack is a good example of a decent PSYOPS operation. Of course they have already build the capabilities to deface and even execute DDoS attacks against Lithuania, so why not put them in a "stay tuned" mode, by speculating on the upcoming attack and then executing it making it look like they delived what they've promised? This a lone gunman mass defacement given that the sites were all hosted on a single ISP, with no indication of any kind of coordination whatsoever. The same for the Georgia President’s web site which was under DDoS attack from Russian hackers later this month. Despite that the hacktivists behind it dedicated a separate C&C for the attack, one that hasn't been used in any type of previous attacks so far, they did a minor mistake by using a secondary command and control location that's known to have been connected with a particular "botnet on demand" service in the past. The second attack once again proves that you don't need to build capacity when you can basically outsource the process to someone else.

06. The ICANN Responds to the DNS Hijacking, Its Blog Under Attack -
The ICANN finally issued a statement concerning the DNS hijacking of some of their domains, which is in fact what Comcast.net and Photobucket.com should have done as well, next to stating it was a "glitch". The ICANN also took advantage of the moment and also pointed out that their blog has also been under attack during the month. There's no better example of how the combination of tactics can result in the hijacking of the domains of the organizations implementing procedures aiming to protect against these very same attacks. And while Photobucket.com remained silent during the entire incident, the hosting provider that was used by the Netdevilz team in the two attacks, since they were also responsible for the ICANN and IANA DNS hijackings, technological and social engineeringissued a statement.

07. The Risks of Outdated Situational Awareness -
Security vendors are often in a "catch-up mode" and if I were an average Internet user not knowing that real-time situational awareness speaks for the degree to which my vendor knows what going on online, I'd be pretty excited. However, I'm not. Prevx were catching up with a service which I covered approximately two months ago, I even had the chance to constructively confront with one of the affected sites on how despite their security measures in place, this attack was still possible. Recently Prevx have once again demonstrated an outdated situational awareness by coming across a banking malware in July 2008, whereas the malware has been around since July 2007, and earlier depending on which version you're referring to.

08. Fake Porn Sites Serving Malware - Part Two -
Yet another domain portfolio of fake porn sites serving rogue codecs and live exploit URLs, just the tip of the iceberg as usual, however their centralization is greatly assisting in tracking them down.

09. Storm Worm's U.S Invasion of Iran Campaign -
Stormy Wormy is once again making the headlines with their ability to actually make up the headlines on their own.

10. Mobile Malware Scam iSexPlayer Wants Your Money -
The best scams are the ones to which you've personally agreed to be scammed with without even knowing it. Like this one, which was tracked down and analyzed a couple of hours once a uset tipped on it.

11. The Template-ization of Malware Serving Sites -
The increase of fake porn and celebrity sites is due to the overall template-ization of these, with the people behind them basically implementing several malicious doorways to ensure that the domains get rotated on the fly. Despite that they all look the same, they all sever different type of malware, and zero porn of celebrity content at all except the thumbnails.

12. Violating OPSEC for Increasing the Probability of Malware Infection -
No better way to expose your affiliations and several unknown bad netblocks so far, by adding the netblocks and the malicious domains as trusted sites upon infecting a PC with the malware. Of course, the usual suspects lead the "trusted netblocks".

13. Monetizing Compromised Web Sites -
Several years ago, a script kiddie would install Apache on a mail server, they claim that they defaced it. Today, these amusing situations are replaced by monetization of the compromised sites, by reselling the access to them to blackhat SEO-ers, malware authors, phishers, or personally starting to manage a scammy infrastructure on them, by earning money on an affiliate based model, like this particular attack.

14. Malware and Office Documents Joining Forces -
A recent DIY malware kit, sold as a proprietary tool basically crunching out malware infected office documents, whose built-in obfuscation makes them harder to detect. It will sooner or later leak out, turning into a commodity tool, a process that's been pretty evident for web malware exploitation kits as well.

15. Are Stolen Credit Card Details Getting Cheaper? -
Depends on who you're buying them from, and whether or not they offer discounts on a volume basis, namely the more you buy the cheaper the price of a card is supposed to get. With the current oversupply of stolen credit card details, what used to be an exclusive good once where they could enjoy a higher profit-margin, is today's commodity good.

16. The Neosploit Malware Kit Updated with Snapshot ActiveX Exploit -
Since alll the web malware exploitation kits are open source, and leaked in the wild at large, their modularity allows everyone to easily embed any type of exploit that they want to, resulting in Neosploit's single most beneficial feature, the fact that certain versions include all the publicly available exploits targeting Internet Explorer, Firefox and Opera. Moreover, the open source nature of the kit is resulting in a countless number of modified versions yet to be detected and analyzed, therefore keeping track of the exploits included in a malware kit can only be realistic if you take into considered the exploits that come with the default installation.

17. Obfuscating Fast-fluxed SQL Injected Domains -
Now that's a very good example of different tactics combined to attack, ensure survivability, and apply a certain degree of evasion in between.

18. The Unbreakable CAPTCHA -
There's never been a shortage of ideas, there's always been an issue of usability.

19. The Ayyildiz Turkish Hacking Group VS Everyone -
That's a pretty inspiring mission if you are to ensure your future in the next couple of years, by targeting everyone, everywhere that has ever publicly stated their disagreement with the Turkish foreign policy.

20. Money Mule Recruiters use ASProx's Fast Fluxing Services -
A true multitasking in action with a botnet that's been crunching out phishing emails, SQL injecting and now hosting a well known money mule recruitment service.

21. SQL Injecting Malicious Doorways to Serve Malware -
Constantly switching tactics and combining different ones to achive an objective that used to be accomplished by plain simple techniques, is only starting to take place. In this case, instead of a hard coded SQL injected domain, we have the typical malicious doorways the result of the converging traffic management tools with web malware exploitation kits.

22. Impersonating StopBadware.org to Serve Fake Security Warnings -
Typosquatting popular security vendors and services is nothing new, by having HostFresh providing the hosting for the parked domains promoting the rogue security software, is a privilege and flattery for the success of the Stopbadware initiative.

23. Coding Spyware and Malware for Hire -
Customerization -- not customization -- has been taking place for a while, that's the process of tailoring your upcoming products to the needs of your future customers, compared to the product concept myopia where the malware coder would code something that he believes would be valuable to the potential customers. End user agreements, issuing licenses for the malware tool, as well as forbidding the reverse engineering of the malware so that no remotely exploitable flaws could be, are among the requirements the coder assists on.

24. Lazy Summer Days at UkrTeleGroup Ltd -
Taking a random snapshot of the current malicious activity at a well known provider of hosting services for rogue security applications, live exploit URLs and botnet command&control locations, always provides an insight into what are their customers up to. In this case, centralization of their scammy ecosystem, and parking a countless number of rogue domains on the same server.

25. Email Hacking Going Commercial -
Cybercrime is in fact getting easier to outsource, and while the number of scammers trying to offer non-existent services, or at least services where they cannot deliver the goods, the business model of this service that is that you only pay once they show you a proof that they've managed to hack the email address you game them. How are they doing it? Social engineering and enticing the user to click on live exploit URL from where they'll infect the PC and obtain the email password, of course, next to definitely abusing it for many other purposes in the process.

26. Vulnerabilities in Antivirus Software - Conflict of Interest -
You can easily twist the number of vulnerabilities found in your antivirus solution, but not recognizing them as vulnerabilities at the first place. It's all a matter of what you define as a vulnerability, or perhaps what you admit as a serious vulnerability - remote code execution through a security software, or a flaw that's allowing malware to bypass the security solution itself.

27. Counting the Bullets on the (Malware) Front -
Emphasizing on the number of malware/threats/viruses/worms/slugs your solution detects may be marketable in the short-term, but is damaging the end user's understanding of the threatscape in the long-term. So, by the time he catches up with what exactly is going on, he'll recall the moment in time where he was using the number of threats his solution was detecting as the main benchmark for its usefulness. In reality through, the number is irrelevant from a pro-active point of view, with zero day malware like the one coded for hire undermining the signatures based scanning model.

28. Smells Like a Copycat SQL Injection In the Wild -
It was pretty obvious that copycats seeing the success of SQL injections the the huge number of sites susceptible to exploitation, would also starting taking advantage of the practice. Some are, however, targeting local communities and trying to avoid detection by using targeted SQL injections.

29. Click Fraud, Botnets and Parked Domains - All Inclusive -
The scheme is nothing new, what's new is that the botnet masters are trying to limit the revenues that used to go out to affiliate networks they were participating in, and are trying to own or rent the entire infrastructure on their own.

30. Over 80 percent of Storm Worm Spam Sent by Pharmaceutical Spam Kings -
With access to Storm Worm sold and resold, and new malware introduced on Storm Worm infected hosts used as foundation for the propagation of the new malware in this case, it's questionable whether or not the Storm Worm-ers themselves are sending out the junk emails, or are they people who've rented access to the botnet doing it.

31. Neosploit Team Leaving the IT Underground -
Pretty surprising at the first place, but in reality it clearly demonstrates that when you cannot enforce the end user agreement on your crimeware kit, but continue seeing it used in a very profitable malware operations, you basically shut down the support for the public version. The team is not going to stop innovating for their own purposes, and in the long-term they may in fact re-appear with an updated malware kit that's converging different services next to the product itself.

32. Dissecting a Managed Spamming Service -
Managed spamming services using botnets as the foundation for the campaigns are starting to introduce improved metrics for the delivery, as well as experienced customer support ensuring the spam messages make it through spam filters, or at least increase the probability of making the happen. This is an example of a random service emphasizing on the improved metrics they're capable of delivering.

33. Storm Worm's Lazy Summer Campaigns -
Looks like a "cybercrime intern" launched this campaign, lacking any of the usual Storm Worm evasive practices, no exploitation of client side vulnerabilities, as well as no survivability offered by their usual fast-flux nodes.

Simulating Email in .NET

Fri, 01 Aug 2008 09:59:01 +0000

I use email as a notification mechanism a lot, and often in class I'll demo sending email via a technique that I use frequently when developing code. It allows you to simulate sending an email message.

The trick to doing this is not to hardcode things like host, port, etc. for your SMTP server when you use System.Net.Mail to send mail. Instead, use the default ctor for SmtpClient as I've done in the code below.

static void Main(string[] args)
{
    // note the use of the MailAddress class
    // this allows me to specify display names as well as email addresses
    MailAddress from = new MailAddress("admin@fabrikam.com", "Fabrikam Website");
    MailAddress to = new MailAddress("mari@fabrikam.com", "Mari Joyce");

    MailMessage msg = new MailMessage(from, to);
    msg.Subject  = "Testing 123";
    msg.Body = "This is only a test!";

    // note use of default ctor
    // this looks in config to figure out how to send mail
    new SmtpClient().Send(msg);
}

.csharpcode, .csharpcode pre { font-size: small; color: black; font-family: consolas, "Courier New", courier, monospace; background-color: #ffffff; /*white-space: pre;*/ } .csharpcode pre { margin: 0em; } .csharpcode .rem { color: #008000; } .csharpcode .kwrd { color: #0000ff; } .csharpcode .str { color: #006080; } .csharpcode .op { color: #0000c0; } .csharpcode .preproc { color: #cc6633; } .csharpcode .asp { background-color: #ffff00; } .csharpcode .html { color: #800000; } .csharpcode .attr { color: #ff0000; } .csharpcode .alt { background-color: #f4f4f4; width: 100%; margin: 0em; } .csharpcode .lnum { color: #606060; }

What you're telling .NET by using the default ctor for SmtpClient is, "please use my config file to figure out how to send mail". Now you can use the system.net/mailSettings/smtp section in config to specify the details of your mail server, and all of the code in your app that is written to use the default SmtpClient ctor will inherit these settings. Here's an example of what the config on a production server might look like (if you put passwords in your config files, be sure to encrypt those sections):

<configuration>
  <system.net>
    <mailSettings>
      <smtp deliveryMethod="Network">
        <network host="mail.fabrikam.com"
                 port="25"
                 userName="WebsiteMailAccount"
                 password="whatever"/>
      smtp>
    mailSettings>
  system.net>
configuration>

During development, I use different settings because I don't usually want to deal with the hassle of installing an SMTP server on my development box. Instead, I want email messages delivered as individual files in a directory on my hard drive (I always have a c:\mail directory on my development box for just this purpose):

<configuration>
  <system.net>
    <mailSettings>
      <smtp deliveryMethod="SpecifiedPickupDirectory">
        <specifiedPickupDirectory pickupDirectoryLocation="c:\mail"/>
      smtp>
    mailSettings>
  system.net>
configuration>

Now when I run the program above, I get a .EML file in my c:\mail directory:

Outlook Express is normally registered as the viewer for .EML files, so double-click the file to view it:

If you've never seen this method of simulating email before, I hope you find it as useful as I have. Happy coding!