[SecurityRatty] tag: responsibility

Compromised Web Servers Serving Fake Flash Players

Tue, 05 Aug 2008 10:50:04 +0000

The tactic of abusing web servers whose vulnerable web applications allow a malicious attacker to locally host a malicious campaign is nothing new. In fact, malicious attackers have been building so much confidence in this risk-forwarding process of hosting their campaigns, that they would start actively spamming the links residing within low-profile legitimate sites across the web.

This campaign serving fake flash players is getting so prevalent these days due to the multiple spamming approaches used, that it's hard not to notice it - and expose it. From a strategic perspective, having a legitimate low-profile site -- of course with the obvious exceptions being on purposely registered for malicious purposes within the participating sites -- hosting your malicious campaign is pretty creative in terms of forwarding the responsibility, and the eventual blocking of a legitimate site to the its owner. As far as the owner's are concerned, it appears that some of them are already seeing the malware page popping-up on the top of their daily traffic stats, and have taken measures to remove it.

Moreover, Adobe's Product Security Incident Response Team (PSIRT) issued a warning notice about the attack yesterday, which could come handy if the attackers weren't taking advantage of client-side vulnerabilities, putting the unware end user is a situation where he wouldn't even receive a download dialog :

"We have seen coverage from the security community of a worm on popular social networking sites that is using social engineering lures to get users to install a piece of malware. According to the reports, the worm posts comments on these sites that include links to a fake site. If the link is followed, users are told they need to update their Flash Player. The installer, posted on a malicious site, of course installs malware instead of Flash Player.We’d like to take this opportunity to reiterate the importance of validating installers and updates before installing them. First off, do not download Flash Player from a site other than adobe.com – you can find the link for downloading Flash Player here. This goes for any piece of software (Reader, Windows Media Player, Quicktime, etc.) – if you get a notice to update, it’s not a bad idea to go directly to the site of the software vendor and download the update directly from the source. If the download is from an unfamiliar URL or an IP address, you should be suspicious."

The structure of the malware campaign is pretty static, with several exceptions where they also take advange of client-side vulnerabilities (Real player exploit) attempting to automatically deliver the fake flash update or player depending on the campaign. On each and every site, there are dnd.js and master.js scripts shich serve the rogue download window, and another .html file, where an IFRAME attempts to access the traffic management command and control, in a random URL it was 207.10.234.217/cgi-bin/index.cgi?user200. A sample list of participating URLs, most of which are still active and running :

joseantoniobaltanas .com

automoviliaria .es/hotnews.html
risasnc .it/fresh.html
carpe-diem .com.mx/fresh.html
kotilogullari .com.tr/hotnews.html
ferrariclubpesaro .it/hotnews.html
imobiliariacom .com.br/default.html
misoares .com
osniehus .de/fresh.html
mydirecttube .com/1/5098/
madosma .com/default.html
tutotic .com/checkit.html
veit-team .si/default.html
antigewaltkurse .de/stream.html
kwhgs .ca/topnews.html
vorgo .com/stream.html
ankaraspor .com.tr/default.html
xxxdnn0314 .locaweb.com.br/watchit.html
ossuzio .com/watchit.html
cit-inc .net/default.html
negocioindependiente .biz/default.html
ambermarketing .com/topnews.html
web27 .login-7.loginserver.ch/stream.html
moretewebdesign .br-web.com/stream.html
omdconsulting .es/topnews.html
parapendiolestreghe .it/hotnews.html
campodifiori .it/topnews.html
212.50.55.81 /stream.html
logisigns .net/fresh.html
intimaescorts .com/default.html
ghioautotre .it/live.html
geckert .de/stream.html
yuricardinali .com/watchit.html
retder .com/fresh.html
valdaran .es/default.html
getadultaccess .com/movie/?aff=5274
bauelemente-giering .de/stream.html
newyork-hebergement .com/watchit.html
allevatoritrotto .it/live.html
exoss2 .com/hotnews.html
soundandlightkaraoke .com/stream.html
land-kan .com/stream.html
grimaldi.nexenservices .com/watchit.html
inconstancia .com.br/watchit.html
gretelstudio .com/stream.html
sumacyl .com/watchit.html
mysna .net/fresh.html
gimnasioyx .com.ar/watchit.html
lagalbana .com/watchit.html
bielizna.tgory .pl/topnews.html
bcs92.imingo .net/stream.html
lapiramidecoslada .es/topnews.html
raulortega .com/stream.html
go-art-morelli .de/hotnews.html
wowhard.baewha .ac.kr/watchit.html
dianagraf .es/default.html
komma10-thueringen .de/hotnews.html
miavassilev .com/stream.html
swampgiants .com/watchit.html
compagniedephalsbourg .com/fresh.html
arla-rc .net/hotnews.html
salacopernico .es/watchit.html
drfinster .de/checkit.html
healthylifehypnotherapy .com/stream.html
ecotrike-bg .com/fresh.html
paoepalavra .org/watchit.html
jureplaninc-sp .com/topnews.html
fichte-lintfort .de/default.html
hergert-band .de/checkit.html
izliyorum .org/topnews.html
lideka .com/stream.html
athena-digitaldesign .com.tw/hotnews.html
e-paso .pl/stream.html
colombeblanche .org/stream.html
teatromalasa .es/watchit.html
mesporte.digiweb.com .br/stream.html
bistrodavila.com .br/watchit.html
hausfeld-solar .de/topnews.html
nakedinbed.co .uk/topnews.html
csr.imb .br/stream.html
herion-architekten .de/default.html
jbhumet .com/default.html
gruppouni .com/hotnews.html
francex .net/fresh.html
galvatoledo .com/topnews.html
cmeedilizia .eu/topnews.html
kroenert .name/default.html
textilhogarnovadecor .com/topnews.html
keithcrook .com/stream.html
elpatiodejesusmaria .com/checkit.html
neticon .pl/hotnews.html
malerbetrieb-pelzer .de/hotnews.html
easterstreet .de/fresh.html
piogiovannini .com.ar/watchit.html
ser-all .com/topnews.html
petzold-dieter .de/checkit.html
beatmung-brandenburg .de/checkit.html
ossuzio .com/watchit.html
teatromalasa .es/watchit.html
vuelosultimahora .com/topnews.html
zelenaratolest .cz/pornotube/index1.htm
ambulatoriovirtuale .it/topnews.html
10a3 .ru/index1.php
izliyorum .org/topnews.html
collectedthoughts .co.uk/index12.html
afg .es/topnews.html
albertruiz .net/topnews.html
bielizna.tgory .pl/topnews.html
blueseven.com .br/topnews.html
bollettinogiuridicosanitario .it/topnews.html
caprilchamonix.com .br/topnews.html
carlolongarini .it/topnews.html
champimousse .com/topnews.html
cheviot.org .nz/topnews.html
contrapie .com/topnews.html
gruppouni .com/topnews.html
hausfeld-solar .de/topnews.html
herbatele .com/topnews.html
houseincostaricaforsale .com/topnews.html
alim.co .il/topnews.html
allevatoritrotto .it/topnews.html
amafe .org/topnews.html
ambulatoriovirtuale .it/topnews.html
atelier-de-loulou .fr/topnews.html
automoviliaria .es/topnews.html
autoreserve .fr/topnews.html
izliyorum .org/topnews.html
jureplaninc-sp .com/topnews.html
kwhgs .ca/topnews.html
lapiramidecoslada .es/topnews.html
last-minute-reisen-4u .de/topnews.html
marcadina .fr/topnews.html
maremax .it/topnews.html
corradiproject .info/topnews.html
dantealighieriasturias .es/topnews.html
deliriuslaspalmas .com/topnews.html
ecchoppers .co.za/topnews.html
elianacaminada .net/topnews.html
fonavistas .com/topnews.html
fraemma .com/topnews.html
fundmyira .com/topnews.html
galvatoledo .com/topnews.html
grafisch-ontwerpburo .nl/topnews.html
markmaverick .com/topnews.html
micela .info/topnews.html
motoclubnosvamos .com/topnews.html
nebottorrella .com/topnews.html
negozistore .it/topnews.html
neticon .pl/topnews.html
norbert-leifheit.gmxhome .de/topnews.html
segelclub-honau .de/topnews.html
snmobilya .com/topnews.html
splashcor .com.br/topnews.html
stephanmager .gmxhome.de/topnews.html
svcanvas .com/topnews.html
tautau.web .simplesnet.pt/topnews.html
textilhogarnovadecor .com/topnews.html
theflorist4u .com/topnews.html
thewindsorhotel .it/topnews.html
vuelosultimahora .com/topnews.html
aliarzani .de/topnews.html
ambermarketing .com/topnews.html
arnold82.gmxhome .de/topnews.html
ocoartefatos.com .br/topnews.html
omdconsulting .es/topnews.html
parapendiolestreghe .it/topnews.html
positive-begegnungen .de/topnews.html
projetsoft .net/topnews.html
rbc.gmxhome .de/topnews.html
beatmung-sachsen .eu/topnews.html
campodifiori .it/topnews.html
clickjava .net/topnews.html
cmeedilizia .eu/topnews.html
dammer .info/topnews.html
embedded-silicon .de/topnews.html
ferrariclubpesaro .it/topnews.html
fgwiese .de/topnews.html
fswash.site .br.com/topnews.html
fytema .es/topnews.html
gildas-saliou. com/topnews.html
go-art-morelli .de/topnews.html
go-siegmund .de/topnews.html
guerrero-tuning .com/topnews.html
gut-barbarastein .de/topnews.html
japansec .com/topnews.html
komma10-thueringen .de/topnews.html
koon-design .de/topnews.html
lanz-volldiesel .de/topnews.html
lauscher-staat .de/topnews.html
losnaranjos.com .es/topnews.html
medical-service-krause .de/topnews.html
nakedinbed.co .uk/topnews.html
nepi.si/topnews .html
radieschenhein. de/topnews.html
residenceflora .it/topnews.html
sabuha .de/topnews.html
ser-all .com/topnews.html
siemieniewicz .de/topnews.html
viajesk .es/topnews.html
allevatoritrotto .it/live.html
bollettinogiuridicosanitario .it/live.html
carlolongarini .it/topnews.html
maremax .it/topnews.html
negozistore .it/topnews.html
parapendiolestreghe .it/live.html
www.donlisander .it/stream.html
aerogenesis .net/watchit.html
allevatoritrotto .it/live.html
atelier-de-loulou .fr/topnews.html
bistrodavila.com .br/watchit.html
bollettinogiuridicosanitario .it/live.html
caprilchamonix.com .br/topnews.html
cheviot.org .nz/live.html
condorautocenter .com.br/watchit.html
dantealighieriasturias .es/live.html
ecchoppers .co.za/topnews.html
elianacaminada .net/live.html
fonavistas .com/topnews.html
fundmyira .com/topnews.html
g6esporte .com.br/stream.html
grafisch-ontwerpburo .nl/topnews.html
gretelstudio .com/stream.html
gutierrezymoralo .com/watchit.html
healthylifehypnotherapy .com/stream.html
herbatele .com/live.html
jureplaninc-sp .com/topnews.html
lacomercialsrl .com.ar/stream.html
lagalbana .com/watchit.html
lapuertaestrecha .com.es/watchit.html
marcadina .fr/topnews.html
maremax .it/topnews.html
myadultcube .com/flash//aff=5176
myadultcube .com/flash//aff=5810
myadultcube .com/movie//aff=5155
newyork-hebergement .com/watchit.html
norbert-leifheit.gmxhome .de/topnews.html
omdconsulting .es/topnews.html
oyakatakent46537 .com/stream.html
parapendiolestreghe .it/live.html
regesh. co.il/watchit.html
rikkeroenneberg .dk/watchit.html
s215847279 .onlinehome.fr/stream.html
salacopernico .es/watchit.html
seekzones .com/watchit.html
seicomsl .es/watchit.html
sigma-lux .ro/watchit.html
soundandlightkaraoke .com/stream.html
stephanmager.gmxhome .de/topnews.html
tartuinstituut .ca/watchit.html
teatromalasa .es/watchit.html
vuelosultimahora .com/topnews.html
wowhard.baewha .ac.kr/watchit.html
aliarzani .de/topnews.html
ambermarketing. com/live.html
bilbondo .com/watchit.html
bollettinogiuridicosanitario .it/live.html
colombeblanche .org/stream.html
donlisander .it/stream.html
fgwiese .de/topnews.html
geckert .de/stream.html
helene-taucher .de/watchit.html
lanz-volldiesel .de/topnews.html
mairie-margnylescompiegne .fr/watchit.html
medical-service-krause .de/topnews.html
nakedinbed.co .uk/topnews.html
ossuzio .com/watchit.html
piogiovannini .com.ar/watchit.html
sabuha .de/topnews.html
sumacyl .com/watchit.html
swampgiants .com/watchit.html
xn--glland-3ya .de/stream.html
yuricardinali .com/watchit.html
nepi .si/topnews.html
dammer .info/topnews.html
atelier-de-loulou .fr/topnews.html
galvatoledo .com/topnews.html
allevatoritrotto .it/topnews.html
hausfeld-solar .de/topnews.html
micela .info/topnews.html
bistrodavila .com.br/watchit.html
hausfeld-solar .de/topnews.html
csr.imb .br/stream.html
herion-architekten .de/default.html
gruppouni .com/hotnews.html
galvatoledo .com/topnews.html
kroenert .name/default.html
keithcrook .com/stream.html
elpatiodejesusmaria .com/checkit.html
malerbetrieb-pelzer .de/hotnews.html
dantealighieriasturias .es/topnews.html
oyakatakent46537 .com/stream.html
89.19.29 .13/stream.html
slobodandjakovic .com/fresh.html
cqcs.com .br/stream.html
seekzones .com/watchit.html
pascosa .it/stream.html
caprilchamonix .com.br/topnews.html
positive-begegnungen .de/topnews.html
ferien-urlaub-lastminute .de/default.html
mueggelpark .info/watchit.html
hillner-online .de/fresh.html
guiasaojose .net/default.html
deliriuslaspalmas .com/topnews.html
fraemma .com/topnews.html
morsbaby .net/default.html
vickywhite .com/fresh.html
micela .info/topnews.html
corradiproject .info/topnews.html
liguehavraise .com/live.html
capacitacaoemlideranca .com.br/fresh.html
materialesyacabados .com.mx/stream.html
208.112.7.68 /checkit.html
152.10.1.37 /1.html
carlolongarini .it/topnews.html
splashcor.com .br/topnews.html
lobpreisstrasse .org/1.html
motoclubnosvamos .com/hotnews.html
hk-rc.com /1.html
taaf.re /stream.html
dulceysalao .com/default.html
amafe .org/topnews.html

Sample detection rate : flashupdate.exe
Scanners Result: 35/36 (97.23%)
Trojan-Downloader.Win32.Exchanger.hk; Troj/Cbeplay-A
File size: 78848 bytes
MD5...: c81b29a3662b6083e3590939b6793bb8
SHA1..: d513275c276840cb528ce11dd228eae46a74b4b4

The downloader then "phones back home" at 72.9.98.234 port 443 which is responding to the rogue security software AntiSpy Spider (antispyspider.net) :

"AntiSpy Spider is a cutting-edge anti-spyware solution.This revolutionary anti-spyware program was created by the industry's top spyware experts in order to protect your computer and your privacy.html, while ensuring optimal system performance.With the ability to locate, eliminate and prevent the widest range of spyware threats, AntispyStorm is able to offer its users a safe, spyware-free computing experience; and with it's convenient automatic update feature, AntispyStorm ensures continuous up-to-date protection."

Sample detection rate : antispyspider.msi
Scanners Result: 11/35 (31.43%)
FraudTool.Win32.AntiSpySpider.b;
File size: 1851904 bytes
MD5...: 2f1389e445f65e8a9c1a648b42a23827
SHA1..: e32aa6aa791e98fe6fdef451bd3b8a45bad0acd8

The bottom line - over a thousand domains are participating, with many other apparently joining the party proportionally with the web site owner's actions to get rid of the malware campaign hosted on their servers.

Related posts:
Lazy Summer Days at UkrTeleGroup Ltd
Fake Porn Sites Serving Malware - Part Two
Fake Porn Sites Serving Malware
Underground Multitasking in Action
Fake Celebrity Video Sites Serving Malware
Blackhat SEO Redirects to Malware and Rogue Software
Malicious Doorways Redirecting to Malware
A Portfolio of Fake Video Codecs

Wee-Fi: Mumbai Blast Leads to Open Network; NullRiver's App Nullified; Copper Substitute

Mon, 04 Aug 2008 05:56:36 +0000

Mumbai man's open wireless network used to send bomb claim: An American expatriate, Kenneth Haywood, left his Wi-Fi network open in Mumbai, and police allege it was used to send email claiming responsibility for a bomb blast that killed 42 people. The Guardian reports that Haywood says his email account was also hacked. Police say that someone would need to be within two floors of the 15th-floor apartment Haywood and others occupy, but they may be disregarding high-gain antennas. Haywood's installer demanded he not change his network password.

iPhone tethering application up, down, up, down: The NetShare connection-sharing application from NullRiver has made a couple of appearances on Apple's App Store, the only authorized place from which owners of iPod touch and iPhone devices can purchase software for uncracked equipment. NetShare appears to violate the terms of service for AT&T, although this wouldn't be the case with all carriers worldwide, by bridging 2.5G and 3G network traffic via the Wi-Fi connection on the iPhone. A laptop or desktop needs special configuration to connect to the iPhone, but various reports show it works fine. AT&T offers tethering with other smartphones - but not the iPhone - for typically about $20 more per month, comparable to a national hotspot aggregated subscription.

Speaking of AT&T, they like WiMax as a wire alternative: AT&T is bullish on WiMax, but the fixed kind used to replace wires in places they have no cable.

Terrorists Using Open Wireless Networks

Fri, 01 Aug 2008 02:46:41 +0000

Remember when I said that I keep my home wireless network open? Here's a reason not to listen to me:

When Indian police investigating bomb blasts which killed 42 people traced an email claiming responsibility to a Mumbai apartment, they ordered an immediate raid.
But at the address, rather than seizing militants from the Islamist group which said it carried out the attack, they found a group of puzzled American expats.

In a cautionary tale for those still lax with their wireless internet security, police believe the email about the explosions on Saturday in the west Indian city of Ahmedabad was sent after someone hijacked the network belonging to one of the Americans, 48-year-old Kenneth Haywood.

Of course, the terrorists could have sent the e-mail from anywhere. But life is easier if the police don't raid your apartment.

EDITED TO ADD (8/1): My wireless network is still open. But, honestly, the terrorists are more likely to use the open network at the coffee shop up the street and around the corner.

Seven steps to managing IT Risk

Mon, 21 Jul 2008 17:34:00 +0000

Came across this overview read from a Gartner research note recently. It lays out seven recommended steps managing risk.

Implement a framework for risk assessment and mapping.
Establish the responsibilities of risk managers with their areas of responsibility.
Identify and define the risks to which the business is exposed and what constitutes a risk event or "near miss" so that incidents can be mapped to specific risks.
Determine the threat level, and focus on those risks with the highest impact on performance.
Establish levels of controls for processes commensurate with the perceived threat.
Record and retain risk incident and near-miss information.
Conduct periodic risk assessments to determine changes in the operations risk profile and assess control performance.

Great advice. These seven steps are precisely what IT-GRC solutions should help an Enterprise accomplish. They provide the construct (aka think configuration wizard) for establishing and maintaining a quality risk management program. If you have on your company priority list advancing the the risk mitigation/management capabilities or if you've recently been burned, take the time and check out some of our new product demonstration videos. We strive to be transparent around what we offer with our software. That's why our marketing isn't really "marketing" it's live product in action. Come check it out.

A Culture of Compliance

Fri, 18 Jul 2008 10:12:01 +0000

For those of you that aren’t familiar with it, Ethisphere is generally a great source for interesting news about corporate ethics violations, insider trading, bribery, fraud, and other embarrassing news stories. This recent article has a much more pleasant ending than most, with a former general manager of a waste collection company earning nearly $47 million for obeying the law. After repeatedly refusing to fire three of his employees over the age of 60 despite ongoing pressure from his superiors, he was wrongfully terminated, according to the jury. Partly responsible for the large settlement were actions taken by his employers after he was terminated, including tampering with memos related to his performance review. The good-guy-comes-out-on-top stories are always nice to see. But while it may work for the IRS (which reminds me, I have this colleague...) and the occasional waste collection company, most organizations can’t rely on the promise of riches to entice staff to behave appropriately and report wrongdoing. This quarter I will be writing a report on how compliance professionals work to create a culture of compliance and responsibility in their organizations. I have seen very interesting videos, training programs, and other awareness campaigns to drive the message home, and there are certainly examples of reward and punishment, but I’d like to hear from you as well... any good examples of how your company distributes or enforces policies, or maybe stories of a colleague who was singled out and embarrassed for not following the rules?

Williamson County Schools learns of breach reported nine months ago

Sat, 12 Jul 2008 20:12:01 +0000

Technorati Tag: Security Breach

Date Reported:
7/11/08

Organization:
Williamson County Schools

Contractor/Consultant/Branch:
None

Victims:
Students*

*"3,052 ACT students and 2,117 students who took the second grade test were affected", Source: Student Information News Conference Text 7/11/08

Number Affected:
5,169

Types of Data:
Names, testing scores, and Social Security numbers

Breach Description:
"FRANKLIN, Tenn.- It now appears a security breach at Williamson County schools was much worse than expected. School officials now say more than 5,000 students may have been affected when a school employee accidently posted their personal information online."

Reference URL:
Williamson County Student Information News Conference
News Channel 5
WREG Channel 3 News
WSMV Channel 4 News

Report Credit:
Liberty Coalition

Response:
From the online sources cited above:

FRANKLIN, Tenn.- It now appears a security breach at Williamson County schools was much worse than expected. School officials now say more than 5,000 students may have been affected when a school employee accidently posted their personal information online.

Now the county could lose some federal funding because of the mistake.
[Evan] Do you really think that this will happen? If we looked deeper into the way the public school systems handle confidential information, half of the school districts would lose funding. Williamson County is in good company across the country.

The school district had to notify the Department of Education because this was a federal violation.

Director of Schools, Rebecca Sharber is taking on the responsibility of fixing the problem.

"I'm the head of the school system. I'm accountable," said Sharber.
[Evan] What a fantastic statement. Corporate CEOs, non-profit executive directors, etc. ARE ultimately responsible for the protection of information. Ms. Sharber just earned my respect.

"It certainly is distressing to me that information was ever out there," said Sharber.

According to school officials, former assessment specialist, Chris Nugent is responsible for the computer mix-up.

He resigned Friday.

"Mr. Nugent has resigned his position as Assessment Specialist, effective immediately."

It was August last year when Nugent mistakenly loaded the info on a personal web page, but he never alerted the district.

They only found out a couple of weeks ago.

"A principal who had been contacted by a parent brought this to our attention on June 26th."

"The information given to us indicated that our assessment specialist, Chris Nugent, was involved. This was the first we had heard of this situation."

"We began our investigation immediately asking Mr. Nugent to gather all data that could possibly be associated with this situation."

"We thought at that time he would be able to supply the names of students possibly involved in the most timely manner."

"When Mr. Nugent was unable to get that information for us, our attorney Jason Golden contacted the Liberty Coalition, the organization that had posted the Internet report presented to us by the principal."
[Evan] The Liberty Coalition posted the information surrounding the breach in October, 2007, many months before the victims were ever made aware.

"Yesterday afternoon, the Liberty Coalition was able to provide the names of the students affected."

"Our investigation indicates that the student information was posted on a private website created by Mr. Nugent sometime during the month of August, 2007."

"On August 28, 2007, the Liberty Coalition notified Mr. Nugent that private student information was on his web site."

"On August 29, 2007, the web site was shut down."

"Mr. Nugent did not notify school authorities."

"Our investigation has established that Mr. Nugent had confidential student files on the same thumb-drive with his personal files."

"We believe that when Mr. Nugent uploaded his personal files to a web site he created, he inadvertently uploaded our student files."

Sharber said the first step will be to look at revising policies on student information.

They will also pay for fraud alerts for the students.

It could cost the district hundreds of thousands of dollars to pay for those fraud alerts.

"I would say to other school districts they need to really, really check their policies and procedures on how student data is being used," said Sharber.
[Evan] Again, did I mention that I respect Ms. Sharber? This statement is very good advice.

More than 5,000 students had their security information posted.

Most of those are high school students who took the ACT in the 2006-2007 school year, and second graders who took the TCAP the same year.

"We have learned that most students who took the second grade TCAP achievement test and most students who took the ACT test during the 2006-07 school year had social security numbers on a private website during August of 2007."
[Evan] Is there some kind of legal requirement that states that a Social Security number must be tied to test scores, or was this just poor judgment? Are/were Social Security numbers used as student IDs at the district?

"Our review of the records shows that 3,052 ACT students and 2,117 students who took the second grade test were affected."

The information was on the internet for about a month.

"I want to thank the parents of Williamson County Schools for their patience and understanding and the positive suggestions they have shared as we have conducted our investigation and gone public with this information.", said Sharber
[Evan] The Liberty Coalition went public with this breach in October, 2007. I appreciate the motives of the Liberty Coalition, but I am not pleased with the way they report breaches. I'll elaborate below in the commentary section.

"I understand the anxiety that our parents are experiencing.", said Sharber

"On Monday, we will be calling all parents of students whose social security numbers were exposed to let them know their child was affected, and we will follow up that phone call with a letter."

"We are working to locate a security company, and at our expense, we will cover the cost of fraud protection for the students affected."
[Evan] I hope that the school locates a good "security company". Of course FRSecure would be glad to help. I promise to keep the plugs to a minimum .

Commentary:
OK. We all know that a breach affecting kids is especially bad. We all know that we are all human and all humans make mistakes. I presume that there are a number of risky information security behaviors at Williamson County Schools. This risky behavior just so happened to expose personal information online. What other risky behaviors will be addressed at the school district?

Now about the Liberty Coalition's role. I appreciate the motives of Aaron Titus and the Liberty Coalition. He maintains the SSNBreach.org web site where he publicizes information security breaches that his organization finds (or is informed about). My attention was first drawn to Aaron Titus in August 2007, when he reported the Louisiana Board of Regents breach affecting ~200,000 people. What drew my attention to his report was not the breach itself, but the way in which it he proceeded to report it. Lyger at Attrition.org covers it well here.

In this case, the Liberty Coalition publicly posted this breach in October, 2007 which is more than 9 months before the victims were ever made aware! According to the Liberty Coalition press release; "We updated this press release after becoming aware of Mr. Nugent's relationship with the school district. The Liberty Coalition also worked directly with district officials to help them notify the affected individuals." It would have been nice if the victims were notified prior to a public press release. I wonder why Mr. Nugent's relationship with the school district wasn't known earlier. I don't have the details that the Liberty Coalition does surrounding this breach, so I can only speculate.

The fact that some breaches are reported on SSNBreach.org prior to notification (in this case nine months), I chose to generally not report them here at The Breach Blog.

Past Breaches:
Unknown

Work-place violence kills many U.S. workers every year.

Sat, 12 Jul 2008 14:28:00 +0000

Our company is hired regularly to make sure that fired employees do not come back to work and kill a supervisor or fellow colleagues.

When people hear that Corporations hire bodyguards to work in their Corporations pending and following company terminations they are surprised. This surprises me. Every year, workplace violence makes the "top ten" list of serious concerns facing U.S. businesses.

Yesterday, on WTOP radio station I heard the phrase; "Desk Rage" for the first time. Unfortunately it is very appropriate. Some people have very bad tempers and an argument or decision at work can lead to them getting a weapon and committing homicide. This was evidenced a couple of weeks ago in Kentucky when five factory workers were killed by an employee who had been slightly reprimanded.

Employers do have a responsibility to ensure a safe work place environment. That is the reason companies hire us. If we are called in and are onsite when a violent worker returns intent on hurting people, we will be the ones to stop him or her from committing the act.

Fellow workers should report incidents involving any type of inappropriate behavior, especially instances where people are likely to get hurt, or worse. Very rarely does an employee just go ballistic or "postal" for no reason. The most common cause of work place homicides are domestic situations. An employee with a dangerous spouse/significant other who has just been arrested on domestic violence charges or has been served with a protective should be brought to a supervisor's attention immediately.

With so much rage in schools, on the road and in the home, the Police have their hands full just reacting to situations where many times the SWAT team will be called in. Private security companies are a great resource to the business community as Police do not have the resources to sit for days and wait to see if something will happen.

Be part of the solution. Report all potentially dangerous situations in the workplace to a supervisor.

Wee-Fi: Germans Can Leave Networks Open; Belkin Announces Wireless High-Def

Fri, 11 Jul 2008 10:01:39 +0000

A German appeals court says an open Wi-Fi network isn't equivalent to the owner's responsibility for actions over that network: This decisions overturns a lower court's ruling in a peer-to-peer file sharing copyright infringement case that the owner of a Wi-Fi network was de facto culpable for any activity that could be tracked back to the network's IP address. The appeals court said without specific evidence that the person charged had committed the infringement there's no case--and no requirement to lock down the network to avoid such lawsuits. If the decision had been upheld, it would have likely led to more broadside charges worldwide, as well as a vast reduction in open networks.

Belkin gives us plenty of time to get ready for streaming high def: FlyWire uses an adapted form of Wi-Fi in the 5 GHz band to stream HD without having the HD set in close proximity. They're not shipping until October, which could give you some time to get used to the price tag. A $1,000 model is designed to cover a home, and has various infrared and wireless options to control current A/V gear, some of which might be hidden in cabinets away from view. A cheaper $700 option covers just one room, Belkin says, and excludes the IR help. The transmitter has 3 HDMI jacks, including DVI support with audio inputs, along with two component and one composite video and audio input panels. The receiver has a single HDMI output. All HD resolutions are supported. These devices are aimed at people who buy large HDTVs and want to wall mount them.

ISP Clickstream Betrayal Part 2 - The Double-Reverse Masquerade

Thu, 10 Jul 2008 13:36:24 +0000

*** Techno-Geek Warning *** The following lengthy article discusses technical details that may cause your head to explode. I take no responsibility for cleaning the walls after you read this. ************************ As promised, Steve Gibson has published his explanation of what Phorm Inc. is doing to enable “Behavioral Targeting” for its advertising network that leverages equipment it installs [...]

Fake Porn Sites Serving Malware - Part Two

Mon, 07 Jul 2008 23:24:00 +0000

What we've go here is the same malware gang using the very same malicious ISP among the ones you rarely see in any report, continuing to crunch out domain redirectors using the same templates for fake porn sites. And since some of the fake sites are actual redirectors, periodically revisting them leads to more fake codecs and even more actionable intelligence into the nature of their practices, and which are the ISPs proving them with hosting services for several consecutive years.

The main redirector in this campaign popular-adult.com is also responding to :

basic-adult .com
business-adult .com
center-adult .com
comp-adult .com
compadult .com
controladult .com
cruiseporn .com
drive-adult .com
ebony-adult-video .com

ebony-pornmovie .com

ebony-video-xxx .com
engine-adult .com
fat-adult-video .com
fat-pornmovie .com
fat-video-xxx .com
global-adult .com
inc-adult .com
name-adult .com
nameadult .com
other-adult .com
partadult .com
pleasureadult .com
porn-abc .com
porn-contact .com
porn-global .net
porn-go .net
porn-group .net
porn-party .net
porn-play .net
porn-plus .net
porn-power .net
porn-room .net
pornabout .com
porndrive .net
pornhelp .net
pornname .net
pornstar-adult-video .com
pornstar-pornmovie .com
pornstar-video-xxx .com
room-adult .com
scan-adult .com
seek-adult .com
u-adult .com

The secondary redirectors going out of popular-adult.com :

pornname .net/ted/382634557/1/
porn-abc .com/ike/1666520193/1/
pornhelp .net/dense/876421348/1/
porn-play .net/cristina/1970565499/1/
porn-global .net/percival/330780624/1/
porn-contact .com/cisse/854714304/1/
porn-play .net/honora/888715608/1/
pornname .net/deidre/1964468519/1/
pornhelp .net/pip/1977382266/1/
porndrive .net/shelton/767217618/1/
pornhelp .net/mat/354381578/1/
pornabout .com/tobe/1436617289/1/
porn-go .net/samson/7633197/1/
porn-contact .com/teresa/409084583/1/
porn-party .net/basil/1305549820/1/
porn-contact .com/ed/1067772053/1/
porn-contact .com/frish/1287341391/1/
pornname .net/mariah/53967973/1/
pornname .net/jacobus/291129748/1/
porn-plus .net/beverly/2122167311/1/
porn-party .net/lulu/917088357/1/
pornabout .com/boetius/1991451664/1/
cruiseporn .com/padde/1296397392/1/
porn-power .net/arch/334137732/1/
cruiseporn .com/meta/377489795/1/
porn-room .net/lynette/1518855371/1/
porn-play .net/link/1975737157/1/
hporn-global .net/vin/1241430020/1/
porndrive .net/dunk/1245242641/1/
porn-go .net/louisa/1685718172/1/
pornhelp .net/dunk/1859215260/1/
porn-contact .com/celia/1805798677/1/
porn-play .net/anabelle/987641695/1/
porn-room .net/rille/815076192/1/
pornabout.com/hodge/1040019816/1/
porn-abc .com/claes/1130748100/1/
pornabout .com/frederick/1987458246/1/
porn-go .net/fredde/1153431432/1/
porn-party .net/felicity/705720374/1/
porndrive .net/ginne/1183690031/1/
porn-group .net/kimberle/706468800/1/
porn-room .net/helen/565953612/1/
porn-party .net/arche/1387111363/1/
porn-contact .com/kingston/232354071/1/
pornhelp .net/mima/1024064014/1/
porn-power .net/gretchen/152347961/1/
porn-contact .com/ophelia/840853119/1/
porn-play .net/eleanor/88926029/1/
porn-power .net/bella/1712681771/1/
porn-global .net/melchizedek/1823498218/1/
pornabout .com/gabbe/1478560492/1/
porn-party .net/obedience/1540587230/1/
porndrive .net/rod/1177331120/1/
porn-play .net/gee/1314369182/1/
pornname .net/phineas/975226015/1/
porn-global .net/reynold/131075998/1/
porndrive .net/bat/1542809624/1/
porn-global .net/hans/400396810/1/
porn-contact .com/mock/1738069316/1/
porn-plus .net/tryphosia/354085313/1/
porn-room .net/bazaleel/1417267786/1/
porn-contact .com/joyce/353938308/1/
porn-power .net/laine/780004499/1/
pornhelp .net/mille/988856007/1/
cruiseporn .com/dare/258399427/1/
porn-global .net/nat/2039108680/1/
pornname .net/eudora/2132399934/1/
porn-go .net/ana/277211595/1/
pornhelp .net/auge/1990287956/1/
porn-contact .com/danial/1195423348/1/
porn-abc .com/teresa/1787982397/1/
porn-go .net/lawrence/1575543567/1/
porn-go .net/sherre/1066718744/1/
porn-contact .com/jack/657185819/1/
porn-abc .com/manda/216390544/1/
porn-party .net/chuck/1533427157/1/
porndrive .net/lucille/215841052/1/
cruiseporn .com/rodney/1024994863/1/
pornname .net/sheldon/669324635/1/
porn-global .net/janet/1677642355/1/
porn-global .net/basil/635902337/1/
porn-party .net/adela/980553444/1/
cruiseporn .com/charles/2038221862/1/
pornabout .com/sid/644600064/1/
porn-abc .com/eloise/1882289515/1/
porndrive .net/bryant/724023427/1/
porn-party .net/bonne/305120344/1/
porn-play .net/susan/826151266/1/
porn-room .net/sheila/439221958/1/
porn-go .net/valere/1498454342/1/
porn-contact .com/asenath/1036530205/1/
porn-plus .net/marcus/51947065/1/
porn-party .net/bridgit/518065759/1/
porn-plus.net/shawn/1427002427/1/
cruiseporn.com/alicia/1252994155/1/
porn-abc.com/arminda/975985679/1/
porn-party.net/lionel/929052416/1/
porn-contact .com/ande/1755833202/1/
porn-power .net/cyrus/732691977/1/
aboutadultsex .com/heloise/1008109638/1/
adultzoneworld .com/barne/506956701/1/
superporncity .com/roberta/1239682918/1/
pornhelp .net/eurydice/1944564451/1/
theadultpost .com/volodia/543769984/1/
porn-play .net/bird/760635633/1/
coolbestporn .com/bradford/578099145/1/
porn-plus .net/delilah/465854735/1/
porn-power .net/pheney/698426424/1/
porn-party .net/cristina/940229631/1/
porn-party .net/justin/1913395886/1/
porn-contact .com/lotte/1794233444/1/
porn-party .net/nowell/850070721/1/
worldbestadult .com/parthenia/1858633626/1/
funpornsite .com/patience/188018581/1/
adultsexpro .com/isse/1981168802/1/
adultsexpro .com/isabelle/683364151/1/
porndrive .net/erne/906935790/1/
porn-power .net/delpha/178727494/1/
porn-plus .net/chesley/1261676752/1/
porn-plus .net/selina/11889629/1/
porntimeguide .com/arnold/1555784224/1/
aboutadultsex .com/doug/1975246767/1/
porn-global .net/clum/1615653087/1/
funxxxporn .com/kym/739810260/1/
porn-plus .net/roxane/2022633909/1/
worldbestadult .com/vicke/955775101/1/
porn-play .net/jane/1396714471/1/
pornname .net/nicole/1695768032/1/
adultvideodot .com/bela/96070992/1/
porn-room .net/carre/1310194786/1/
adultsexpro .com/azubah/141802741/1/
theadulteye .com/pheney/1077328499/1/
porn-party .net/chick/1522449297/1/
aboutadultsex .com/elbert/1300176621/1/
findadultsex .com/lorre/2057361400/1/
teenporntop .com/aristotle/901956477/1/
coolbestporn .com/bartel/94175118/1/
porn-plus .net/deanne/70540201/1/
coolbestporn .com/appe/1679745028/1/
findadultsex .com/asaph/1439353641/1/
pornxxxfilm .com/tone/904077420/1/
funxxxporn .com/india/476477713/1/
adultvideodot .com/ed/879863981/1/
bestpriceporn .com/babbe/1457040435/1/
superliveporn .com/russell/56570486/1/

More fake porn video sites using similar site templates, and using the same redirection infrastructure :

porntubev20 .com
clearpornurlssite .com
mypornmovies .net
getyourfreemovie .com
tubescollection .com
free-best-porn .com/videos/
pornmovieshare .com
clipslab .com
mybestvideosite .com
avwav .com

The fake codecs download locations in this campaign :

aviutility .com
18x-adult2008 .com
2008x-adult-2008 .com
best-codec .com
hq-codec .net
mpegsystem .com
bestsoft-ware08 .com

The registrant and hosting provider :

Cernel Inc, Legal Department (support@cernel.net)
23404 W. Lyons Ave #223, Santa Clarita, Ca,91321
US, Tel. +1.6613470577

Historically, the same gang has been using the same hosting provider for many other fake codecs, which remain parked on the same netblock in a standby mode :

Fire-ticket .com - 64.28.184.162
Fire-codec .com - 64.28.184.163
Light-ticket .com - 64.28.184.163
Braketicket .com - 64.28.184.164
Mooncodec .net - 64.28.184.164
Light-codec .com - 64.28.184.165
Turbo-ticket .com - 64.28.184.165
Space-codec .com - 64.28.184.166
Ultra-ticket .com - 64.28.184.166
Brakecodec .com - 64.28.184.167
Demo-ticket .com - 64.28.184.167
Demoticket .net - 64.28.184.168
Hq-ticket .com - 64.28.184.168
Turbo-codec .com - 64.28.184.168
Hqticket .com - 64.28.184.169
End-ticket .com - 64.28.184.169
Nitro-codec .com - 64.28.184.169
Hqticket .net - 64.28.184.170
Clean-ticket .com - 64.28.184.170
Red-codec .com - 64.28.184.170
Black-codec .com - 64.28.184.171
Viva-ticket .com - 64.28.184.171
Niceticket .net - 64.28.184.171
Endticket .com - 64.28.184.172
Ultra-codec .com - 64.28.184.172
Wot-ticket .com - 64.28.184.172
Mega-codec .net - 64.28.184.173
Storm-ticket .com - 64.28.184.173
Megaz-ticket .com - 64.28.184.174
Vipcodec .net - 64.28.184.174
Democodec .net - 64.28.184.175
Giga-ticket .com - 64.28.184.175
Demo-codec .net - 64.28.184.176
Uin-ticket .com - 64.28.184.176
Hopeticket .com - 64.28.184.177
Hq-codec .net - 64.28.184.177
Best-codec .com - 64.28.184.178
Hope-ticket .com - 64.28.184.178
Endcodec .net - 64.28.184.179
Zero-ticket .com - 64.28.184.179
End-codec .net - 64.28.184.180
Pop-ticket .com - 64.28.184.180
Cleancodec .net - 64.28.184.181
Yupticket .com - 64.28.184.181

The deeper you go the more interesting it gets, malware command and controls located on the same network, fake banks, money mule recruitment sites, pharmaceutical scams and spam hosting - they or their customers if they are to forward the responsibility are definitely multitasking.

Related posts:
Fake Porn Sites Serving Malware
Underground Multitasking in Action
Fake Celebrity Video Sites Serving Malware
Blackhat SEO Redirects to Malware and Rogue Software
Malicious Doorways Redirecting to Malware
A Portfolio of Fake Video Codecs