So, in conjunction with the BlueHat team, I am pleased to announce that the SDL team will be organizing the sessions for the second day of the fall BlueHat conference. The BlueHat SDL sessions will be laser-focused on not just describing vulnerabilities but also solving them. Every attendee should leave every presentation with a clear idea of exactly what he or she needs to do to protect themselves from the threat that was discussed during the session.

The sessions will begin, appropriately, with the topic of secure design. Danny Dhillon of EMC and the SDL team’s own Adam Shostack will each present their organization’s approach to threat modeling. As a bonus, Adam will also be demonstrating the new SDL Threat Modeling tool that you might have heard about last week.

Next up is Matt Miller, a recent and very welcome addition to the Microsoft Security Science team. Matt has a fantastic presentation on the evolution of buffer overflow attacks and on the corresponding development of overflow mitigations. From there we will switch gears to look at some managed code implementation issues: iSEC Partners’ Scott Stender and Alex Vidergar will demonstrate coding techniques to mitigate elusive concurrency vulnerabilities in web applications.

At this point we will have covered the Design and Implementation phases of the SDL; where better to go from here than Verification? One of the most important activities in the Verification phase is fuzzing, and we have a trio of security experts from the Microsoft Security Science team to talk about it. Jason Shirk, Lars Opstad, and Dave Weinstein will answer three of the most common fuzzing questions: How should I fuzz? When have I fuzzed enough? And what do I do now that I’ve fuzzed?

Finally, we will wrap up the Verification phase talks with a return appearance to BlueHat by Stach & Liu’s Vinnie Liu. Vinnie will compare different approaches to security verification – static code analysis, blackbox analysis, and manual code review – and make recommendations as to when each approach is best used.

Even if you can’t make it in to BlueHat in person, you can still watch the sessions via streaming media on TechNet. Additionally, webcast interviews with the speakers – condensed “Cliff’s Notes” versions of their full presentations – will be posted on Channel 9. And we’ll be continuing the BlueHat tradition of inviting speakers and other industry notables to guest blog about their topics and the latest security trends. More information on all of these resources will be posted here when it becomes available.

Synopsis:  Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more...

Welcome to Blue Box: The VoIP Security Podcast #82, a 47-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 21MB) or subscribe to the RSS feed to download the show automatically. 

NOTE: This show was originally recorded on June 21, 2008.

You may also listen to this podcast right now:

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long!
• Programming notes:
  • Note about the production team – new special editions coming soon.
  • Note about URLs for the media files
• AST-2008-008 – Remote Crash Vulnerability in SIP channel driver when run in pedantic mode
• AST-2008-009 – Remote crash vulnerability in ooh323 channel driver
• Skype-SB-2008-003 – Skype File URI Security Bypass Code Execution Vulnerability
• New version of SIPvicious


• Sipflanker – tool to find SIP devices with web GUIs




• Discussion about VoIP Steganography (pointed to by Craig Bowser)


• Geeks Are Sexy: New Technology Hides Messages in Internet Phone Calls – and Switched: Spies to Use Skype to Send Secret Messages? – and The Register


• FierceVoIP: VoIP Security and the Circle of Trust pointing to Government Computer News: Careful with the call



• The Register: ‘Untraceable’ phone fraudsters eye your credit card



• SearchUnifiedCommunications: Disaster and recovery in the VoIP/IPT RFP



• Secure Computing: Voice tools under enemy fire



• VNUnet: A good VoIP application is worth paying for



• Ofcom confirms VoIP providers must provide access to 999 and 112



• Bogdan Materna’s blog is live
• Realtime Community: The Essentials Series:
  Messaging and Web Security
  Volume III


• Global Knowledge: On-Demand Webinar on VoIP Security (hat tip to Thomas Lee )


• SearchSecurity: The threats to telcos and how they can repel them


• TMCnet: Balancing Issues in World of Telepresence


• Network World: VoIP Security Buying Guide
• Nortel and SecureLogix Team to Deliver Voice Security and Management Solutions to Worldwide Enterprise Market (see also this analysis )


• Sipera Partner Network Arms Resellers With Comprehensive UC and VoIP Security


• VIVOphone Deploys Paradial RealTunnel?? to Solve NAT Traversal Challenges for VoIP Services


• Audiocodes joins the ranks of SBC vendors


• SearchSecurity: Securing the new network (interesting because it shows the layers of a defense in depth)


• The Hindu Business News: Serious about Security


• Shows:
  
  
  
  • IP Telephony University – June 23-24, Alexandria, VA
  
  
  • IPTComm 2008 – July 1-2, Heidelberg, Germany
  
  
  • The Last H.O.P.E. – July 18-20, New York
  
  
  • SpeechTek – August 18-20, New York
  
  
  
  
• Call for papers for Hack-in-the-box Malaysia ends June 30th



• SchmooCon 2008 videos available – several dealing with VoIP
• No comments this week.
  
• Review of the last week's traffic on the VOIPSEC public mailing list 


• Wrap-up of the show


• 47:09 - End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

]]> Wed, 27 Aug 2008 16:53:17 +0000 voip security voip security news voip voip security tools voip steganography voip services security skype security vulnerabilities voip security podcast Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more... http://securityratty.com/article/48c1a58b9d39348008877ad191ffcfea http://securityratty.com/article/48c1a58b9d39348008877ad191ffcfea

Synopsis:  Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more...

---

Welcome to Blue Box: The VoIP Security Podcast #82, a 47-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 21MB) or subscribe to the RSS feed to download the show automatically. 

NOTE: This show was originally recorded on June 21, 2008.

You may also listen to this podcast right now:

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long!
• Programming notes:
  • Note about the production team – new special editions coming soon.
  • Note about URLs for the media files
• AST-2008-008 – Remote Crash Vulnerability in SIP channel driver when run in pedantic mode
• AST-2008-009 – Remote crash vulnerability in ooh323 channel driver
• Skype-SB-2008-003 – Skype File URI Security Bypass Code Execution Vulnerability
• New version of SIPvicious


• Sipflanker – tool to find SIP devices with web GUIs




• Discussion about VoIP Steganography (pointed to by Craig Bowser)


• Geeks Are Sexy: New Technology Hides Messages in Internet Phone Calls – and Switched: Spies to Use Skype to Send Secret Messages? – and The Register


• FierceVoIP: VoIP Security and the Circle of Trust pointing to Government Computer News: Careful with the call



• The Register: ‘Untraceable’ phone fraudsters eye your credit card



• SearchUnifiedCommunications: Disaster and recovery in the VoIP/IPT RFP



• Secure Computing: Voice tools under enemy fire



• VNUnet: A good VoIP application is worth paying for



• Ofcom confirms VoIP providers must provide access to 999 and 112



• Bogdan Materna’s blog is live
• Realtime Community: The Essentials Series:
  Messaging and Web Security
  Volume III


• Global Knowledge: On-Demand Webinar on VoIP Security (hat tip to Thomas Lee )


• SearchSecurity: The threats to telcos and how they can repel them


• TMCnet: Balancing Issues in World of Telepresence


• Network World: VoIP Security Buying Guide
• Nortel and SecureLogix Team to Deliver Voice Security and Management Solutions to Worldwide Enterprise Market (see also this analysis )


• Sipera Partner Network Arms Resellers With Comprehensive UC and VoIP Security


• VIVOphone Deploys Paradial RealTunnel® to Solve NAT Traversal Challenges for VoIP Services


• Audiocodes joins the ranks of SBC vendors


• SearchSecurity: Securing the new network (interesting because it shows the layers of a defense in depth)


• The Hindu Business News: Serious about Security


• Shows:
  
  
  
  • IP Telephony University – June 23-24, Alexandria, VA
  
  
  • IPTComm 2008 – July 1-2, Heidelberg, Germany
  
  
  • The Last H.O.P.E. – July 18-20, New York
  
  
  • SpeechTek – August 18-20, New York
  
  
  
  
• Call for papers for Hack-in-the-box Malaysia ends June 30th



• SchmooCon 2008 videos available – several dealing with VoIP
• No comments this week.
  
• Review of the last week's traffic on the VOIPSEC public mailing list 


• Wrap-up of the show


• 47:09 - End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.




]]> Wed, 27 Aug 2008 15:53:18 +0000 voip security voip security news voip voip security tools voip steganography voip services security skype security vulnerabilities voip security podcast Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more... http://securityratty.com/article/49c86c75eefe5a4e5a516c983562397c http://securityratty.com/article/49c86c75eefe5a4e5a516c983562397c ASCII Art Spam. It's been around for some time now, and every now and again there's a little surge (currently most of it seems to be coming out of Korea & China) before dying down again.

Of course, it has an element of visual appeal to it in some cases:



A bowl of spammy noodles, originally uploaded by pragmatic_pete.

They're pretty cool noodles, however you look at it. The biggest problem (for the spammers, anyway) continues to be the fact that, for the most part, the spam is largely unintelligble.



ASCII Art Spam, originally uploaded by schoschie.

.....wha? Sexy....grrmfs? Girls? Gorillas? Who knows. The problem with mangled text also extends (somewhat more crucially) to the URLs they happen to be pimping:



Spam, originally uploaded by cablejimmy.

They're not doing too badly there until they reach the web address, at which point it might as well say

www. absolutelynoideawhatthatsays .com

Of course, the last thing I'm suggesting is that I long for the day when the spammers get it right, but at least they can provide us with some cheap laughs regarding how hopeless their spam is in the meantime.


]]> Wed, 27 Aug 2008 04:35:14 +0000 ascii art spam spam pretty cool noodles spammy noodles web address visual appeal pragmatic pete cheap laughs spammers ASCII Art Spam http://securityratty.com/article/403816e80242e85ea676f8d2be0684b6 http://securityratty.com/article/403816e80242e85ea676f8d2be0684b6 Malware authors seeking financial gains from releasing their trojans often promote them as Remote Access Tools, which if we exclude the built-in anti-sandboxing and antivirus software killing capabilities, could pass for a RAT. In a similar deceptive fashion, email hacking services are pitched as email password recovery services.

Hacking as a Service sites seems to be popping out like mushrooms these days, thanks primarily due to the fact that yesterday's script kiddies are today's entrepreneurs trying to even monetize the process of bruteforcing. Here's their pitch :

"Well.. There is nothing different in our services. Like other group, we simply crack email addresses , and provide you the current password used by the victim to you for a suitable price. Nothing unique that we can brag about....  We don't hack NASA or CIA , we cannot hack a bank and steal a million dollars.. We just crack email password .. AND WE DO A HECK OF A JOB IN IT !! We cannot be as presentable as the other groups, trying to look as formal and corporate, as if they are running a Major Corporate Office. However they present it...password retrieval, online investigation.. access recovery...blah blah blah..  the most simplest way to put it is.. : Email Password Cracking: !! And since everyone else is busy faking it, or trying to be more presentable, we utilize our skills to get you what you want.. i.e. THE EMAIL PASSWORD. No buttering up, no marketing skills..  plain hardcore hacking !! So, since you now know what we do , and want us to do the job for you, please proceed to the order page for your relevant TARGET EMAIL and submit your request. All said and done, we will get the elusive password & send you a couple of proofs. You decide upon the authenticity of the proofs, and let us know if you are comfortable going ahead with the payment. PAY US, AND YOU GET THE PASSWORD !And as they say......."

How much are they charging for the bruteforcing? $150 for starters, which is prone to increase due to their bla bla bla about how sophisticated it was to obtain the password - given they actually manage to deliver the goods : 



"Many groups charge a fixed price for an email cracking. We undertake more kinds of projects than anyone else. Frankly, each email is a different project in itself. We cannot charge you $100, for something which we can do for $50. Subsequently, we cannot charge you $100, for something which should be priced at $200. But we charge a minimum of $150 USD so that we end up taking orders from ONLY those who really need it. It is a small amount for the level of satisfaction, facts/truth and relief that you would ultimately achieve from this.It depends upon the nature of the job, the accessibility factor. and many other reasons likes:-

1- The email service provider
2- The target itself. How net-savvy he/she is.
3- Complexity of the password
4- Urgency of job and many other things collectively.

We will let you know our charges once we have the desired results only. Be assured, we wont charge you the moon. We charge only what we deserve, and is acceptable by you. Trust us !!"

Some of their answers to the frequently asked questions :

" - Who are you? Where are you from?
We are Hire2Hack Group. Member of our group are students in information technology, at some university in England, France, Italy, Japan, Australia, Canada, Brasilia and at United States of America.

- What services do you provide?
We can hack ANY EMAIL password for you very fast, reliable, secure and worldwide for a suitable price.

- Can you really hack password or just a making a shit scam?
Well, lot of people, lot of groups, companies do this service, but not guaranteed. This is only you can choose which group you want to Order. Be careful with these people. You can believe only on them who claims to provide proof before you really pay them.

- Is there any tool available to crack password?
Yes there is. And we are not giving it to you.

- How long does it takes to crack a password?
Each account is different and hacking time vary. On average, it might take about 1 to 3 days, but it may take anywhere from 24 hours to 30 days or more depending on how difficult is the hacking of each account.

- How can I believe you, that you got password?
We will provide you some good proofs before requesting you to pay us. The proof can be anything, you can decide what kind proof you need.

- Is there person will know that his/her email id has been cracked?
No, we provide you only the original password. That mean the current active password. Your victim/target will not realized that she/he has been hacked. NEVER, we said !

- How I will pay you, I do not have credit card or I do not want to give my credit card number on net?
Well, you can use international money transfer service such as Western Union (www.westernunion.com) or Money Gram (www.moneygram.com). These services immediate transfer money on same day or same hour. You can locate their agents in yours area from their website.

- Do I have to give you my password?
No. Any service which requires your password is simply trying to scam you out of access to your account.

- How will I know you really have the password?
We will show you the proofs.. which are mostly convincing.

- Since you have the password anyway, will you give it to me?
NO. Do not waste your time or ours. We will not release the password until full payment is made - no exceptions. We have had people request our service and once we recover the password, they reset the subject account then ask us for the original password so they can reset it back - the answer will be no. We have also had people ask if they could have the password since we've already recovered it and they cannot pay - the answer will be no. No password will be released until payment has been made in full - no exceptions.

- Will you recover more than one password? Can I request more than one email account?
Yes, but a separate request must be filled out for each one as you will only be billed for each successful recovery. If we have previously recovered a password for you and you have not paid, we will not begin any new request for you until your previous request is paid in full with exceptions for our established clientele. We charge at minimum US $100 for each account hacked.

- Do you reset or change the current password?
No. We do not try to guess the current password or the secret question's answer, we do not change their password. We give you only the Original password, which the victim is currently using.

- Is this confidential? Do you share my information with anyone else?
No, Not at all, Not in any case, its a trust between you and us. Your information will be respected as long as you abide by our Terms and Conditions and Privacy policy. We keep your personal records and requests confidential in our database but we respect your right to privacy and will not rent, share, sell, or trade any personal information unless required by law. But, if you engage in any spamming or fraudulent actives, Your information will be given to the appropriate authorities."

So you've got script kiddies cracking email addresses and probably engaging in the rest of the usual cybercrime activities, who are spam sensitive, and would expose their customers if they start spamming from the cracked emails? Now that's socially responsible, isn't it.

Targeted attacks are sexy, but bruteforcing email accounts no matter the number of proxies and wordlists that they have access to is so irrelevant, that social engineering a potential victim into infecting herself with malware through a live exploit URL seems to be the method of choice, next to a plain simple phishing email of course. In this case, what they're asking for in respect to the victim's details is the victim's country and victim's language, so that a localized social engineering or phishing attack can take place. However, this particular group seems to be using a standard bruteforcing tool.

One thing's for sure - cybercrime is getting easier to outsource, and with potential customers starting to have access to services they didn't a couple of years ago, fake scammers are also emerging in between the real ones.

]]> Fri, 08 Aug 2008 10:31:54 +0000 crack password crack crack email password email password password original password current password password retrieval email Email Hacking Going Commercial - Part Two http://securityratty.com/article/e452d659bce6955164d7e64080c735b6 http://securityratty.com/article/e452d659bce6955164d7e64080c735b6 Catching up on the blogs, I couldn’t help but comment on, Is CEP Mature? Or a Curious Case of Information Asymmetry by Mark Tsimelzon, President & CTO, Coral8.  Mark says,

“I know for a fact that every major CEP vendor has several dozen paying customers.”

Somehow Mark, I don’t find a dozen paying customers by the top CEP vendors very impressive.

Then, as to somehow justify the lack of public reference clients, Mark takes the position of a Coral8 customer and says,

“We believe that the use of Coral8 gives us a strategic advantage over our competitors. Why would we want to clue them in?”

Naturally, the same thing could have been said about the first desktop computer, or the first back-office banking system, or the first calculator, or the first telephone, frankly speaking.

Of course, when the technology is mature, then it is “Hey we have lots of computers!” “Hey, look at my fully functional sexy iPhone!” “We have the best back office banking systems on the planet by <insert your favorite big vendor here>!”

Well, all this CEP Solution Secrecy (CEPSS) might just be similar to why the government keeps many IT projects a secret;  the main reason is so we don’t know how much taxpayer money they are spending!

So, folks, the debate counterpoint that there is some “Secret Life of CEP” and that the CEP solutions today are somehow changing the way C-Level executives, and corporate America, thinks is just wishful thinking.

Companies don’t need to keep their strong technical solutions a secret. Like, Wow! I am using Coral8 and it is so impressive that I have to keep it TOP SECRET.  (Sorry Mark, nothing personal, you simply gave me a big red target and painted “fire when ready” on it)

Note:  I happen to like Coral8, and Coral8 Studio, as an event stream processing platform.

Back on point, I consider my laptop and cellphone more indispensable than most of the first generation rule-based stream processing engines out there today, and I am sure most CEOs agree.

The Secret Life of CEP….   you just have to just love it

]]> Tue, 05 Aug 2008 14:32:44 +0000 cep secret cep solutions major cep vendor secret life cep solution secrecy cep mature top secret coral8 The Secret Life of CEP http://securityratty.com/article/843a7efa13e68bd1519bfd31c33d9492 http://securityratty.com/article/843a7efa13e68bd1519bfd31c33d9492 Thu, 31 Jul 2008 12:17:57 +0000 distress damsels Sexy Hacking http://securityratty.com/article/5dacf1e5b6c84c1bed4515dca8fc1199 http://securityratty.com/article/5dacf1e5b6c84c1bed4515dca8fc1199 Ah, that RBN with its centralization mentality for the sake of ease of management and 99.999% uptime. In this very latest example of using malicious doorways redirecting to fake porn sites, consisting of over twenty different domains serving the usual Zlob malware variants, we have a decent abuse of a template for a porn site.

The easy of management of such domain farms and the availability of templates for high trafficked topic segments such as celebrities and pornography, continue contributing to the increasing number of Zlob variants served through fake codecs. Moreover, once set up, the malicious infrastructure starts attracting now just generic search traffic, but also traffic coming from affiliates with whom revenue is shared on the basis of the number of people that downloaded the codec.

In this campaign, the malicious doorway that expands the entire ecosystem is located at search-top.com/in.cgi?5&parameter=drs (66.96.85.113). A redirector that appears to have been operating since 2006, according to this forum posting.

What follows on-the-fly, are all the fake porn sites whose legitimately looking videos attempt to download a Zlob malware variant from a single location - vipcodec.net. Here are all the fake porn sites, and the associated campaigns in this redirection :

watchnenjoy .com/index.php?id=1287&style=white
craziestclips .com/index.php?id=1287&q=
immensevids .com
planetfreepornmovies .com/?t=1&id=1219
poweradult .net/edmund/16551689/1/&id=1219
scan-porn .net/rosalyn/1742941675/1/&id=1219
about-adult .net/emiline/108846601/1/&id=1219
service-porn .com/inde/964842117/1/&id=1219
pleasure-porn .com/elnora/648311952/1/&id=1219
porn-the .net/verge/1734135233/1/&id=1219
porn-pleasure .net/dal/1663381205/1/&id=1219
scan-porn .net/gretchen/515268975/1/&id=1219
abc-adult .com/lillah/1467790484/1/&id=1219
about-adult .net/jenne/434165228/1/&id=1219
look-adult .net/ette/681831796/1/&id=1219
about-adult .net/mime/65729013/1/&id=1219
name-adult .net/alfe/550398461/1/&id=1219
group-adult .net/demerias/867452637/1/&id=1219
useporn .net/rhode/167691118/1/&id=1219
porn-look .net/hephsibah/1254235416/1/&id=1219
scan-porn .net/hence/1684651134/1/&id=1219
abc-adult .com/kendra/371598555/1/&id=1219
name-adult .net/link/1334727639/1/&id=1219
porn-the .net/flo/84660854/1/&id=1219
porn-popular .com/assene/875893411/1/&id=1219
about-adult .net/charlotta/972714195/1/&id=1219
porn-comp .com/orlando/761508522/1/&id=1219
useporn .net/jemima/1405735776/1/&id=1219
about-adult .net/obadiah/263904242/1/&id=1219
group-adult .net/douglas/1110779475/1/&id=1219
porn-look .net/lydde/1844064103/1/&id=1219
pleasure-porn .com/marcia/1627490290/1/&id=1219
service-porn .com/cono/295680123/1/&id=1219
group-adult .net/wes/1733468207/1/&id=1219
abc-adult .com/wib/648341815/1/&id=1219
scan-porn .net/greg/2064937302/1/&id=1219
contact-adult .net/maris/33184936/1/&id=1219
look-adult .net/regina/1273816838/1/&id=1219
abc-adult .com/gwendolyn/869744046/1/&id=1219
service-porn .com/carthaette/1021629112/1/&id=1219
scan-porn .net/ninell/1522355420/1/&id=1219
porn-pleasure .net/waldo/755290223/1/&id=1219
porn-the .net/green/669090607/1/&id=1219
try-adult .com/lula/447057398/1/&id=1219
visit-adult .net/jay/1021153563/1/&id=1219
contact-adult .net/rosa/849017739/1/&id=1219
name-adult .net/hannah/2111126283/1/&id=1219
about-adult .net/robin/2114086747/1/&id=1219
scan-porn .net/geraldine/921262381/1/&id=1219
contact-adult .net/christine/1821111087/1/&id=1219
porn-popular .com/frederica/364993202/1/&id=1219
about-adult .net/kerste/735582753/1/&id=1219
porn-the .net/vine/715820953/1/&id=1219
porn-the .net/newt/1835463160/1/&id=1219
try-adult .com/max/602914725/1/&id=1219
porn-pleasure .net/cille/1420660046/1/&id=1219
poweradult .net/phililpa/178057959/1/&id=1219
name-adult .net/lise/1379126759/1/&id=1219
pleasure-porn .com/marianne/1083617952/1/&id=1219
poweradult .net/emile/1173468576/1/&id=1219
useporn .net/patse/155685496/1/&id=1219
helpporn .net/verna/625840253/1/&id=1219
name-adult .net/aubrey/190928373/1/&id=1219
about-adult .net/alphinias/1345158043/1/&id=1219
useporn .net/rosa/223743611/1/&id=1219
pleasure-porn .com/nerva/1509620489/1/&id=1219
helpporn .net/leet/1619667733/1/&id=1219
about-adult .net/roberta/887345003/1/&id=1219
porn-pleasure .net/tore/1032556395/1/&id=1219
useporn .net/bo/1963737386/1/&id=1219
porn-look .net/karon/136085893/1/&id=1219
poweradult .net/tense/1523522750/1/&id=1219
poweradult .net/hopp/1955964399/1/&id=1219
scan-porn .net/vanne/350822489/1/&id=1219
porn-comp .com/deb/1451360694/1/&id=1219
about-adult .net/moll/1511640690/1/&id=1219
porn-popular .com/obediah/562846948/1/&id=1219
helpporn .net/tamarra/776122096/1/&id=1219
pleasure-porn .com/aristotle/1046422029/1/&id=1219
porn-comp .com/titia/158157566/1/&id=1219
group-adult .net/gay/1297835054/1/&id=1219
porn-look .net/katherine/2136357734/1/&id=1219
helpporn .net/azubah/1197502147/1/&id=1219
porn-comp .com/claes/770105101/1/&id=1219

Associated fake porn sites :

pornbrake .com
sexnitro .net
brakesex .net
pornnitro .net
adultbookings .com
qazsex .com
lightporn .net
delfiporn .net
pornqaz .com
megazporn .com
uinsex .com
xerosex .com
serviceporn .com
aboutadultsex .com
superliveporn .com
bestpriceporn .com
contactporn .net
relatedporn .com
landporno .com
adultsper .com
plus-porn .com
adultstarworld .com
cutadult .com
moviexxxhotel .com
porno-go .com
pornxxxfilm .com
porn-sea .com
review-sex .com
sureadult .com
browseadult .com
network-adult .com
timeadult .com
virtual-sexy .net
funxxxporn .com
loweradult .com
adultfilmsite .com
xxxallvideo .com
custom-sex .com
gallerypictures .net
usaadultvideo .com
adultmovieplus .com
porn-cruise .com
clubxxxvideo .com
mitadult .com
galleryalbum .net
xxxteenfilm .com
hardcorevideosite .com
helpadult .com
portaladult .net
service-sex .com
driveadult .com
access-porno .com
time-sex .com
plus-adult .com
worldadultvideo .com
key-adult .com
estatesex .com
superadultfriend .com
superporncity .com
zero-porno .com
scanadult .com
adultsexpro .com
adultzoneworld .com
porntimeguide .com
usbestporn .com
adulttow .com
look-porn .com
galleryclick .net
micro-sex .com
estatesex .com
try-sex .com
0bucksforpornmovie .com
gays-video-xxx .com
hackthegrid .com
savetop .info
vidsplanet .net
freexxxhere .com
gestkoeporno .com
tv-adult .info
gays-adult-video .com
matures-video .com
analcekc .com
tabletskard .in
molodiedevki .com
dom-porno .com
pornoaziatki .com
latinosvideo .com
geiporno .com
sweetfreeporn .com

If exposing a huge domains portfolio of currently active redirectors has the potential to ruin someone's vacation, then consider someone's vacation ruined already.

Related posts:
Underground Multitasking in Action
Fake Celebrity Video Sites Serving Malware
Blackhat SEO Redirects to Malware and Rogue Software
Malicious Doorways Redirecting to Malware
A Portfolio of Fake Video Codecs

]]> Wed, 25 Jun 2008 08:16:20 +0000 net fake porn sites malware about-adult scan-porn zlob malware variant name-adult useporn porn-the Fake Porn Sites Serving Malware http://securityratty.com/article/55f6fc8e7adf0a9b91953af0b69289cf http://securityratty.com/article/55f6fc8e7adf0a9b91953af0b69289cf Can we have DLP - data leak prevention?

Well, can we have IDS? How about IPS? Can we really "prevent intrusions?" Can we really "control access to our networks?"

The answer to "can we have DLP?" is actually pretty simple: if you think "DLP = box that prevents all data leaks" (and you also think that deploying IPS will "prevent intrusions"), then we can't. Forget it.

But blame the idiots who called it "leak prevention" - if you think that "DLP will prevent all leaks" - sorry, but you are one of them! :-) If you treat "L" not as "leak" but as "loss" and hope that "DLP will prevent all data loss, whether intentional or not," you are an even BIGGER one.

So rambling about "Can DLP Really Stop All Leaks" is pretty silly. No, it can't. Pondering "Is DLP Possible"  is just as silly. No, complete prevention of all leaks is impossible, with OR without DLP technology. Go read Mike R instead :-)

Why seemingly smart people behave in such childish manner? I dunno. Scratch all that. Instead ask:

Is today's cutting-edge DLP technologies USEFUL?

And the answer is "Hell yeah!"

If you see how much "fun" sensitive content goes over email (corp and personal web-based), gets uploaded to forums, channeled over IM file transfers, FTP'ed somewhere, you'd scream for one of these boxes. Accidental leaks, email address typos, non-malicious leaks, blatant disregard of security policy for the sake of "productivity", even phishing, "wholesale data theft" and amateur "employee hackers" probably account for 10x (100x?)  more damage (in direct losses, brand damage, embarrassment and - yes! - non-compliance fines AND loss frequency) than "uber-hackers" (who might indeed go thru your DLP box like hot knife thru butter.) And if an advanced DLP box does one day stop some determined insider theft, that's just icing on the cake.

That is why smart people don't call it "DLP" - they call it "content monitoring and filtering." This sounds much less sexy, but much more useful. The boxes that will show up on your doorstep will still have "DLP" labels, but what they will do for you is really content monitoring and filtering.  And even though it will not stop all data theft, DLP box will likely prove useful more than once...

Finally, all rants about any preventative AND monitoring technologies should really end the same: go refresh your incident response plans.

Possibly related posts:

• "In Passing on DLP"

 

Technorati tags: DLP, security, data loss, data theft, data protection
About me: http://www.chuvakin.org

]]> Fri, 20 Jun 2008 12:59:00 +0000 dlp cutting-edge dlp technologies dlp technology dlp box leak prevention leak non-malicious leaks leaks loss So, CAN We Have DLP? http://securityratty.com/article/dfcdb44220b29ca01f732e838a22dbfe http://securityratty.com/article/dfcdb44220b29ca01f732e838a22dbfe WARNING! "Ph." in "Ph.D." at work (play?) here :-) This is one of them darn philosophical posts...

Now, some people hate logging, because  logs are too hard to deal with (enable, collect, store and especially understand and interpret). However, there is a whole other group of fairly intelligent people who "hate logs:"   the organizers of some well-known technical security conferences. The experience of many of my colleagues (and competitors!) and myself proves that a log-related talk will NOT be accepted to ANY technical security conference nowadays. Now, some were generous enough to explain why. Others were not (screw them and no link :-)).

But let me rant about this one a bit. First, it is always a possibility that they dislike me not logs:-) -  this is easily disproved, however, since some of my colleagues had the same exact experience. Do they dislike vendors talking about logs? Nah, this isn't it either - most of my conference presentations had nothing to do with LogLogic, even though they are about logs. Some of my friends (and this blog readers) tried to suggest that an audience of such events "knows everything there is to know about logs." This is not true since - gasp!- nobody knows everything there is to know about logs: they hide way too many mysteries (with useful answers!) to discount them like that.  Another one I've heard is that "real hackers don't get logged -> logs are useless", which is also silly: this is true only if you take a very narrow view of logs (e.g. NIDS alerts),; clearly, everybody is logged by the firewalls, servers, apps, etc. The challenge is not a lack of data, but too much data and not enough time and tools.

But we are about to "hit paydirt" with this question...

Tool? Did I just mention tools? This opens the last and final, deeply evil reason for such "log-hate":  one of the conference organizers mentioned that, in his opinion, there is nothing new in the field of log analysis since regex-match-based alerting (and regex-based parsing into database tables).

And you know what?

Drum roll....

He was actually somewhat right.

Indexing did come in the world of logging, but, personally, I don't find it to be a huge feat of human ingenuity (even though it is definitely useful). I also think we are not doing enough with index data (and I definitely intend to change that...)

In addition, there was A LOT of academic research on the subject, from the SRI EMERALD in the 80s (and even earlier) to today, but many of the papers I've seen sit on the "hilarious side of useless"...

So, I need a campaign "Making Logs Sexy Again!" (and some impressive research results to boot) - will it work? Let's try and find out!

About me: http://www.chuvakin.org

]]> Thu, 08 May 2008 07:20:00 +0000 logs logs sexy people fairly intelligent people data index data darn philosophical posts experience exact experience Why [Some] Smart People Hate Logs?