[SecurityRatty] tag: pretty

ASCII Art Spam

Wed, 27 Aug 2008 04:35:14 +0000

I recently had a chat with Stephen Shankland over at CNET regarding the weird and wacky world of ASCII Art Spam. It's been around for some time now, and every now and again there's a little surge (currently most of it seems to be coming out of Korea & China) before dying down again.

Of course, it has an element of visual appeal to it in some cases:

A bowl of spammy noodles, originally uploaded by pragmatic_pete.

They're pretty cool noodles, however you look at it. The biggest problem (for the spammers, anyway) continues to be the fact that, for the most part, the spam is largely unintelligble.

ASCII Art Spam, originally uploaded by schoschie.

.....wha? Sexy....grrmfs? Girls? Gorillas? Who knows. The problem with mangled text also extends (somewhat more crucially) to the URLs they happen to be pimping:

Spam, originally uploaded by cablejimmy.

They're not doing too badly there until they reach the web address, at which point it might as well say

www. absolutelynoideawhatthatsays .com

Of course, the last thing I'm suggesting is that I long for the day when the spammers get it right, but at least they can provide us with some cheap laughs regarding how hopeless their spam is in the meantime.

Myspace Cracker Steals Firefox Passwords

Tue, 26 Aug 2008 14:49:03 +0000

A "Myspace Cracking tool" has recently come to light, though if you're considering attempting to crack some Myspace accounts with this:

....then you might want to think again, on account of it not being quite what it seems. This "cracking tool" is only after one persons details: yours. Run it, and you'll see the following (somewhat bizarre) message, which should be your first clue that all is not quite right here:

At this point, your CD tray may well pop open - perhaps in tribute to the Trojans of old that did pretty much the same thing. At any rate, you're certainly not cracking any Myspace accounts, and after a faint grinding from your PC you're left to sit and stare at your desktop, wondering what went wrong. Here's a clue - have a poke around inside the EXE, and some lines of code will likely start to give the game away:

..."Firefox password grabber"? Oh dear.

The observant end-user will notice a .txt file appears on their C Drive, and itcontains all the stored passwords saved via Firefox on their computer:

Click to Enlarge

As you can see, the bad guys here seem to be exploiting a well known password recovery tool for nefarious purposes - in this case, Firepassword. You're probably wondering what happens with the stored login details at this point - well, do some more digging in the code and you'll see this:

Click to Enlarge

The stolen Firefox passwords are sent to an FTP drop set up by the hacker, and every login you had stored in Firefox at that point is immediately at risk. Of course, if you're foolish enough to play around with hacking tools then there's a good chance you're going to get burned sooner or later...

We detect this as FoxPass.

Software Security Market

Mon, 25 Aug 2008 09:18:59 +0000

Information Security budgets are pretty crufty, they are an accumulation of decisions but the analysis that led to these decisions is rarely revisited, it just snowballs. So the normal Information Security budget is just a legacy artifact of when the network was the greatest vulnerability. Gary McGraw took a pass at reviewing the numbers in software security, breaking down software security sectors like tools and services (note to Gary - I think Aspect does more than just training!). This is great work by Gary to get these numbers to see the real changes occuring in software security. Here were his findings on software security tools:

One of the most important developments in the software security market can be seen in the tools space which, combined, almost doubled to $150-180 million. Top of list are two major acquisitions that closed in 2007: Watchfire's purchase by IBM (somewhere in the range of $120-150 million on 2006 revenue of $26 million) and SPI Dynamics's purchase by HP (for around $100 million on 2006 revenue of $21.2 million).

...

The black box space was flat in 2007, with IBM/Watchfire checking in at $24.1 million and HP/SPI Dynamics earning $22.3 million. Smaller companies in the space, including Cenzic, Codenomicon, WhiteHat and the like had combined revenues around $12.5 million (a growth of 25%, though Cenzic grew 16% and WhiteHat 52%). Most of the growth "hiccup" in the black box market can be attributed to the serious challenges posed by any acquisition. So far 2008 looks to be back on track from a growth perspective in the black box testing space. The global reach that IBM and HP offer are already making a big difference.

On a more positive note, static analysis tools for code review grew at a healthy clip in 2007 into a $91.9 million dollar market. Fortify was up 83% to $29.2 million. Klocwork grew over 60% to $26 million. Coverity grew over 50% to $27.2 million. Ounce Labs tripled their revenue to $9.5 million.

These are very nice growth numbers, what company doesn't want 83% growth? However, the total picture is not so good. Gary's estimate shows the software security space coming in at $150 Million total, yet we see a company like Checkpoint that won the network security war in 1995 with earnings of around $900 Million! One single network security vendor is 6 times bigger than the entire software security space?!? Complete UTTER Madness!

This is the stupefying, stultifying effects of budget cruft, where the decisions made in The People's Republic of Information Security have no bearing on reality of threats or even a business case.

Let's look at networks. Obviously Cisco is the biggest, they earned $39.5 Billion last year. Pretty stellar. So spending $900 Million (Checkpoint) to defined $39.5 Billion seems like a pretty good deal.

Except, let's compare software security spending - last year Microsoft earned $60 Billion, SAP $16 billion, and Oracle $22 Billion. So that is about $98 Billion and you are going to "defend" that with allocating $150 Million worth of software security tools?

	Network	Software
Asset Value	$39.5 billion	$98 billion
Security Investment	$900 Million	$150 Million
Security Investment as a percentage of asset value	2.28%	0.15%

This table greatly disturbs me. From a prioritization standpoint The People's Republic of Information Security is misaligned by orders of magnitude. Next time you read about a data breach, or see an auditor's report with thousands of findings you won't have to wonder how it happened. It happened because Information Security doesn't have its eye on the ball.

Consider that software security tools could grow 50% a year for five years and still be half of where Checkpoint is today!

I see the outcomes of backwards looking, crufty decisions by Information Security every day - one or two software security sherpas heading out to work with thousands of developers, meanwhile the network security people sit around and read the newspaper and go home every day at 5.

The optimistic way of looking at all this data is that there is major room for growth for software security, if you take Checkpoint as a target, then the software security space should evolve to around 2% of the software space meaning that it should evolve into a $2 billion space around fifteen times larger than it is today. Unprotected assets will either be protected or will cease to be assets, VCs get your check books ready.

Went on Vacation - Missed PCI DSS 1.2 :-)

Thu, 21 Aug 2008 04:52:00 +0000

OMG, I go on vacation for 3 days (pretty much offline) - and I miss pre-release of PCI DSS 1.2.
How unfair is that? :-)

In any case, I am baaaaaack!

Adi Shamir's Cube Attacks

Tue, 19 Aug 2008 09:15:35 +0000

At this moment, Adi Shamir is giving an invited talk at the Crypto 2008 conference about a new type of cryptanalytic attack called "cube attacks." He claims very broad applicability to block ciphers, stream ciphers, hash functions, etc.

My personal joke -- at least I hope it's a joke -- is that he's going to break every NIST hash submission without ever seeing any of them.

More later. (I'm sorry, but I missed the name of his student/co-author for this work.)

EDITED TO ADD (8/19): Okay, he thinks that AES is immune to this attack -- the degree of the algebraic polynomial is too high -- and all the blog ciphers we use have a higher degree. But, in general, anything that can be described with a low-degree polynomial equation is vulnerable: that's pretty much every LFSR scheme.

Wee-Fi: Houston-Fi, ASCII WPA Passphrases, Green Wi-Fi

Tue, 19 Aug 2008 06:26:25 +0000

Houston flips switch on free downtown Wi-Fi: Dwight Silverman of the Houston Chronicle accidentally discovers the soft launch of the network funded by EarthLink's $5m default fee. (The fee was paid when they missed a milestone, and the firm later walked away.) The downtown area now has a limited pilot project that's free; the real effort in Houston is supposed to be at 10 housing projects and in parks where service would be used to bridge the digital divide and improve the quality of life. How, exactly, is part of what's being tested.

That's ASCII, not hex: An article on wardriving raises security hackles by repeating some slightly overheated statements about Wi-Fi security. The article opens with a 63-character ASCII WPA passphrase, which is later described as "hex." (ASCII passphrases in WPA can be up to 63 "printable" characters - ASCII 32 to 127 - while a hex version of a 256-bit TKIP or AES password is 64 hexadecimal digits long.) The article tries to conflate Wi-Fi attacks that led to the largest set of breaches in retail credit-card systems and wardriving, a hobbyist activity that's never been looked on very favorably by law enforcement. The sense of ennui of wardriving pioneers is pretty clear; when Wi-Fi is everywhere and generally secured, it's far less interesting. The wardriver in the article convinced the reporter that a maximum-length WPA passphrase stored on a USB drive for automatic use was the best way to go. But, really, 20 characters containing letters and punctuation and no words found in a dictionary along with changing your network's SSID (network name) provides all the security you'll ever need for a home or small business. (If you need more, deploy WPA/WPA2 Personal.)

Green Wi-Fi's Senegal efforts hit snags: The folks at Green Wi-Fi are well motivated, and they're running up against all forms of security theater and bureaucracy both here and in Senegal, where they have an active project. The San Francisco Chronicle notes the group's effort to build solar-powered, self-sustaining Internet access via mesh networked nodes. Getting devices out of the country, clearing customs in Senegal, and hooking up their solar system all hit problems they're working through. As with the One Laptop Per Child program, I see a "build it and they will come" mentality in Green Wi-Fi's mission statement: the notion that providing computing power and Internet access will result in good things, rather than an effort to figure out what good things need to be achieved, and whether computers and the Internet will assist.

CNN, MSNBC Spammers Downgrading Their EMails

Sun, 17 Aug 2008 12:00:10 +0000

This is pretty interesting. After a week or two of seeing CNN spam, then MSNBC spam (both of which allude to "breaking news stories" in order to get peoples attention), it seems the people behind those attacks are now sending out plain emails (with none of the allusions to being from major news networks) that simply say "BREAKING news" in the title field:

If you visit the link in the email, you'll see this:

Click to Enlarge

I don't believe I've seen the length, rating and viewcount under the video before so that's likely a new tactic they've employed. Looks like they need to hire a spellchecker though...

Lost.....and Found

Fri, 15 Aug 2008 10:20:17 +0000

The practice of affiliates signing up with Zango then hiding pirated movies behind their installer prompt ([1], [2]) takes another twist, as we go hunting for TV episodes instead of movies and find....

Click to Enlarge

......TV shows (apparently ripped and streamed from Chinese Youtube-style websites), hidden behind Zango installer prompts. Obviously, this is something of a mini industry we have here but I'm faintly alarmed that so many of these affiliates are happily churning out these kinds of sites. I'm also pretty sure Zango doesn't want people seeing what effectively says "Free ripped off movies online sponsored by Zango" on their installer prompts, either.

As a side note, it's not just Zango affiliates doing this - here's another example, this time for something called "Cpalead.com" that wants you to fill in a survey in return for seeing "free" episodes of Lost:

Click to Enlarge

In case you were wondering, my monitor isn't broken, they just grey out the page when the popup appears. The Lost episodes appear to be ripped by end-users and uploaded to Megavideo.com.

The sites above are

lost-stream(dot)com
ietv(dot)co.uk/category/watch-lost-online
watchprisonbreakonlinefree(dot)com
watch-lost-online(dot)info
www.heroesstreaming(dot)com

I guess I ended up with a trilogy after all.

UK Police Seize War on Terror Board Game

Fri, 15 Aug 2008 02:50:02 +0000

They said -- and it's almost to stupid to believe -- that:

the balaclava "could be used to conceal someone's identity or could be used in the course of a criminal act".

Don't they realize that balaclavas are for sale everywhere in the UK? Or that scarves, hoods, handkerchiefs, and dark glasses could also be used to conceal someone's identity?

The game sounds like it could be fun, though:

Each player starts as an empire filled with good intentions and a determination to liberate the world from terrorists and from each other.
Then the reality of world politics kicks and terrorist states emerge.

Andrew said: "The terrorists can win and quite often do and it's global anarchy. It sums up the randomness of geo-politics pretty well."

In their cardboard version of realpolitik George Bush's "Axis of Evil" is reduced to a spinner in the middle of the board, which determines which player is designated a terrorist state.

That person then has to wear a balaclava (included in the box set) with the word "Evil" stitched on to it.

Buy yours here; I first blogged about it in 2006.

No Trademark for Cloud Computing

Thu, 14 Aug 2008 16:01:06 +0000

Just a couple of weeks ago, it was reported that Dell was in the final stages of being granted a trademark on “Cloud Computing” – shocking and amusing pretty much everyone except for possibly Dell employees. But apparently the US Patent and Trademark Office paid attention to the flurry of negative responses and has since cancelled their “Notice of Allowance” for the trademark.

I’d like to give everyone the benefit of the doubt here; perhaps Dell was using it in a much narrower sense. Perhaps the term has really only been used more commonly since the time Dell first applied for the trademark back in March 2007 and now. BUT…

- Dell’s definition is quite broad and certainly not Dell-specific. “The design of computer hardware for use in datacenters and mega-scale computing environments for others; customization of computer hardware for use in data centers and mega-scale computing environments for others; design and development of networks for use in data centers and mega-scale computing environments for others.” Strike One.

- And according to the Wall Street Journal’s research, “cloud computing” has been in regular use since 2001. Strike Two.

So now the “case” has been returned to examination and hopefully the PTO will follow up on everyone else’s research on this and decide that yes, cloud computing is one of those broad, ubiquitous terms that should NOT be trademarked by a single company.