[SecurityRatty] tag: thankful

This Fourth of July I will be a patriot because to be anything else is unthinkable.

Fri, 04 Jul 2008 12:56:11 +0000

Well said!
There is much wrong in this country, however, we have much to be thankful for because of those who wanted to make this country great and were willing to give their lives to make it so.
Thanks to all of you who make this country worth loving.

clipped from www.cnn.com

What’s patriotism? Definitions differ

Patriotism is loving your country. Patriotism is standing when the national anthem plays. Patriotism is putting your hand on your heart to recite the Pledge of Allegiance.

Some say it is unpatriotic to oppose the war, but hear me out: Say if your kid brings home a bad report card. Are you proud of him? Probably not. But do you still love him? Yes.

Its Mothers Day, be thankful you have a mom to call - so do it.

Sun, 11 May 2008 10:47:04 +0000

Mothers Day is always a tough one for me. My mom passed away 25 years ago and though time has passed to cover up a never healed wound, every Mothers Day the scab is torn off a bit and the regret and pain ooze through. Having our kids celebrate Mothers Day with my wife has made it better, but nothing takes the place of your own Mom. Fred Wilson reminded me of that today with this post about a Tom Friedman piece in the NY Times today.

Tom just lost his mom last year after a long bout with dementia it seems. She was 89. Tom reflects on her remarkable life and how she influenced him to be what he is. Can any of us say any differently? Weren't all of our Moms special to each of us. Isn't so much of the people we are today directly related to that woman who raised and nourished us? Of course. So on this day honoring Mothers everywhere, if you are lucky enough to have your Mom available to thank, do so and don't miss the chance because you never know when you might not be able to.

Happy Mothers Day Bonnie and to all of you mothers everywhere!

Phishing Emails Generating Botnet Scaling

Fri, 18 Apr 2008 10:57:30 +0000

A bigger and much more detailed picture is starting to emerge, with yet another spammed malware campaign courtesy of the botnet that is so far responsible for a massive flood of fake Windows updates, phishing emails targeting the usual diverse set of brands, fake yahoo greeting cards, and most recently delivering "executable news items", through Backdoor.Agent.AJU malware infected hosts.

Within the first five minutes, thirty three (33) phishing emails attempted to be delivered out of a sample infected host, all of them targeting NatWest or The National Westminster Bank Plc. Here are some samples, that of course never made it out to their recipient :

- Sender Address: "NatWest Internet Banking '2008"

to Recipient: <@fs1.ge.man.ac.uk>Subject: Natwest Bank Bankline: Confirm Your Login Email Content: //ver2.natwest-commercial3.com/customerupdate?tag=3D19ecygtKZDzrozrznhOzn These directives are to be sent and followed by all members of the NatWest Private and Corporate Natwest does apologize for any problems caused, and is very thankful for your cooperation. If you are not client of Natwest OnLine Banking please ignore this notice! *** This is robot generated message please do not reply *** (C) 2008 Natwest Bankline. All Rights Reserved. Attached File: "ods096.gif" (image/gif)

- Sender Address: "NatWest Bank On-line Banking'2008"

to Recipient: <@bbc.co.uk> Subject: Natwest OnLine Banking Important Notice From Technical Department Id: 9044 Email Content: //ver2.natwest-commercial3.com/customerupdate?tag=3D15urOBFDffkOkhOvp These directives are to be sent and followed by all members of the NatWest Private and Corporate Natwest does apologize for any problems caused, and is very thankful for your cooperation. If you are not client of Natwest OnLine Banking please ignore this notice! *** This is robot generated message please do not reply *** (C) 2008 Natwest Bankline. All Rights Reserved. Attached File: "ods096.gif" (image/gif)

- Sender Address: "Natwest Bank Internet Banking Support"

to Recipient: <@yahoo.co.uk> Subject: NatWest Private and Corporate: Confirm Your Login Password Email Content: //ver2.natwest-commercial3.com/customerupdate?tag=3D24ecyuczfscwzbDtcwhhOkhOvp These directives are to be sent and followed by all members of the NatWest Private and Corporate Natwest does apologize for any problems caused, and is very thankful for your cooperation. If you are not client of Natwest OnLine Banking please ignore this notice! *** This is robot generated message please do not reply *** (C) 2008 Natwest Bankline. All Rights Reserved.

- Sender Address: "Natwest Private and Corporate Support"

to Recipient: <@yahoo.co.uk> Subject: Natwest Bankline Internet Banking Important: Submit Your Records id: 1191 Email Content: //pool32-nwolb20.com/customerupdate?cid=3D27kwszewcenzdFECKDtcwhhOkhOvp These directives are to be sent and followed by all customers of the Natwest On-line Banking NatWest Bank does apologize for the troubles caused to you, and is very thankful for your collaboration. If you are not user of NatWest Bank Digital Banking please delete this letter! *** This is automatically generated message please do not reply *** (C) 2008 Natwest Bank On-line Banking. All Rights Reserved. Attached File: "rwu909.gif" (image/gif)

- Sender Address: "Natwest Private and Corporate Support" to Recipient: <@56bridgwater.fsnet.co.uk> Subject: Natwest Internet Banking: Please Update Your Internet Banking Details Email Content: //pool32-nwolb20.com/customerupdate?cid=3D37kwszewcnnhrrDRCfszlaucndsOoerdnOkhOvp These directives are to be sent and followed by all customers of the Natwest On-line Banking NatWest Bank does apologize for the troubles caused to you, and is very thankful for your collaboration. If you are not user of NatWest Bank Digital Banking please delete this letter! *** This is automatically generated message please do not reply *** (C) 2008 Natwest Bank On-line Banking. All Rights Reserved. Attached File: "rwu909.gif" (image/gif)

What is making an impression besides the malicious economies of scale achieved on behalf of the malware infected hosts used for sending, and as we've already seen, hosting and phishing pages and the malware itslef? It's the campaing's targeted nature in respect to the segmented emails database used for achieving a better response rate. The National Westminster Bank Plcis a U.K bank, and 10 out of 15 email recepient are of U.K citizens, the rest are targeting Italian users. Malware variants signal their presence to 66.199.241.98/forum.php and try to obtain campaigns to participate in, this is a sample detection rate for the latest fake news items one, and more details on the domains and nameservers used in the latest campaign :

news_report-pdf_content.exe

Scanners result : 14/31 (45.17%)

Backdoor.Win32.Agent.gvk; Backdoor:Win32/Agent.ACG

File size: 45056 bytes

MD5...: c4849207a94d1db4a0211f88e84b0b59

SHA1..: 32ef2a074d563370f46738565ecf9bb53c75909c

SHA256: 12a124cc2352f3ef68ddf06e0ed111c617d95cffd807dc502ae474960a60411c

An internal nameservers ecosystem within the botnet, active and resolving :

ns1.ns4.ns2.ns3.id759.com

ns3.ns1.id759.com

ns1.ns2.ns1.ns4.ns2.ns3.id759.com

ns1.ns2.ns3.id759.com

ns1.ns2.ns4.id759.com

ns1.ns4.ns4.ns2.ns3.id759.com

ns2.id759.com

ns2.ns1.ns2.ns3.id759.com

ns2.ns1.ns2.ns4.id759.com

ns3.ns2.ns1.ns2.ns3.id759.com

ns4.ns1.ns1.ns2.ns3.id759.com

Yet another internal nameservers ecosystem within the botnet :

ns1.serial43.in

ns2.serial43.in

ns3.serial43.in

ns4.serial43.in

ns1.ns1.ns1.serial43.in

ns1.ns2.ns1.ns1.serial43.in

ns1.ns2.ns2.serial43.in

ns1.ns4.ns1.ns1.serial43.in

ns2.ns1.ns2.serial43.in

ns2.ns1.ns4.ns1.ns1.serial43.in

ns2.ns2.ns1.ns1.serial43.in

To sum up - these are all of the domains currently active and used for the malware/spam/phishing campaigns on behalf of this botnet :

server52.org

set45.net

site83.net

sid95.com

shell54.com

siteid64.com

setup36.com

share73.com

service28.biz

There are several scenarious related to this particular botnet. Despite that it's the same piece of malware that's successfully adding new zombies to the infected population, the diversity of the campaigns, as well as the fact that for instance share73.com is registered by casta4000 @ mail.ru and is into the "reklama uslug" business which translates to advertising services, in this case spam and phishing emails sending on demand, access to the botnet could be either offered on demand, or the service itself performed in a typical managed spamming appliance outsourced business model. Are they also vertically integrating in respect to the fast-fluxing? Yes they are, since they're achieving it without the need to hire a managed fast-flux provider, which isn't excluding the possibility that they aren't in fact one themselves, as it's evident they've got the capability to become one.

Great Service from Network World

Fri, 28 Mar 2008 00:36:23 +0000

I was so impressed by the personal attention and quick response from Network World’s customer service department, I feel compelled to acknowledge it publicly and send a ‘thank you’ to their team.

Monday morning, just one business day after my pining post last Thursday night (remember Friday was a holiday), I received a call from an extremely helpful and courteous lady in the customer service department. Evidently someone does actually read my blog and had forwarded the post to NWW.

Not only did she help me get fixed up with my regular delivery, she placed the current week’s edition in the mail for me- special delivery!

And I’m greatly thankful, since this week’s cover is sporting the 10Gig Shootout, which highlights the HP ProCurve 3500 stackables. Although, I have to note, on the print cover, the photos aren’t next to the vendor descriptions. Just in case you were wondering, the ProCurve switch came in a very strong second, .03 of a point off I believe, and about half the price (and lifetime warranty). Sorry had to slip that in there too. Check out the scorecard at NWW.

So, thanks to whomever forwarded the post to NWW, and a special thanks for the quick help from their customer support!

# # #

Would armed security officers in Omaha have saved lives?

Mon, 10 Dec 2007 21:17:00 +0000

Last week seemed to be a bad week for Malls and Churches. In Nebraska and Colorado, gunmen killed innocent people who were merely going about their daily lives. The situation could have been much worse in Colorado Springs but for the quick repsonse and bravery of a female security officer. The Pastor, Brady Boyd, rightfully cited the security officer for her brave actions and said; "she probably saved 100 lives".

That is why it is difficult to understand the comments made to CNN from certain security sources. Don Greene, a retired FBI agent said that it would be difficult for anyone to have predicted the actions of the killer at the Westroads Mall in Omaha. Fair enough. However, the Omaha Chief of Police reported that mall security officers actually noticed the young gunman when he entered the mall.

Being unarmed, that is all they could do - observe. That is what they would have had to do in Colorado Springs if none of the security officers had been armed. According to the Pastor there, more than 100 people may have been murdered by the high-powered rifle wielding killer. However, one officer was armed and the news is now hailing this officer as a heroine.

Back to Mr. Greene. Mr. Greene was asked, in his expert opinion (one presumes as a retired FBI agent), if he believed that mall security officers should be armed. "Absolutely not", shot back Greene. He further added that had security been armed it could have resulted in a "gunfight at the OK Corral" scenario. For some inexplicable reason, he added; "then we might have had 23 dead instead of 8".

I wish I knew how to contact Mr.Greene today. I would love to ask him if he wished to stand behind his original comment. When I was at it, I can assure you that I would ask him to explain how he arrived at his calculations.

Lou Palumbo is another security source that I would like to interview. Mr. Palumbo told CNN that Malls should have Law Enforcement personnel watching people as they enter the Mall. I would tell him; "Mr. Palumbo, please do some research. The Council of International Shopping Centers tells us that there are 1,200 enclosed shopping malls and 50,000 shopping centers in this country. If you assign a Police Officer to watch every entrance, you would need more than 250,000 Police Officers to report for duty on the first day".

That does not even take into account the number that would be needed to relieve officers on sick leave, admin leave, vacation, promotion, etc. Does anybody really think that we will have a 400,000 strong Federal Mall Police Department any day soon? Be thankful for private security.

It makes one wonder where CNN finds their security sources.