[SecurityRatty] tag: unaware

Localizing Cybercrime - Cultural Diversity on Demand Part Two

Tue, 25 Nov 2008 05:55:21 +0000

It's where you advertise your services, and how you position yourself that speak for your intentions, of course, "between the lines". There's a common misunderstanding that in order for a malware campaigner or scammer to launch a localized attack speaking the native language of their potential victims, they need to speak the local language. This misconception is largely based on the fact that a huge number of people remain unaware on how core strategic business practices have been in operation across the cybercrime underground for the last couple of years.

Outsourcing the localization process (translation services for spam/phishing/malware campaigns) has been happening for a while, courtsy of DIY servics ensuring complete anonymity of their customers. Interestingly, the translators may in fact be unaware that the advertising channels the service is using is directly attracting everyone from the bottom to the top of the cybercriminal food chain as a customer. Sometimes, it's services like this that open a new market segment covering an untapped opportunity, with this particular service already pointing out that it's charging cheaper than their competitors.

"We offer our services in translation. We are only competent translators profile higher education. Service is working with all types of texts. Languages available at this time of Russian, English, German. Average translation of the text takes up to 10 hours (usually much faster) through the full automation of the order and payment. Just want to note that we do not keep any logs on IP and does not require registration. In addition you can remove your order from the database after his execution. In addition to running more than 1000 translations already, we can use all the lessons learned to be more effective in our services. Prices vary depending on the complexity of the topic covered.

Prices and deadlines:
* Standard - the deadline is not more than 24 hours. Prices depend on the direction and guidance from the 'Order'.
* Term - work on your translation begins precedence. The price of the 50% more than the standard translation. Prices also depend on the direction and guidance from the 'Order'.

The cost of the transfer depends on the amount of work. The workload is measured in symbols. In calculating the characters are shown letters and numbers. Punctuation do not count. Minimum order 100 characters."

I'm particularly curious how is a contractor(translator) going to react to a situation when a large scale malware campaign speaking several different languages tell a fake story that the contractor might have recently translated for them. With the employer positioning itself as a fully legitimate company, whereas its customers requesting localized version of texts for the spam/phishing/malware campaigns are the "usual suspects", the contractors would continue allowing cybercriminals the opportunity to build more authenticity within their campaigns.

Related posts:
E-crime and Socioeconomic Factors
MPack and IcePack Localized to Chinese
The Icepack Exploitation Kit Localized to French
The FirePack Exploitation Kit Localized to Chinese
Localizing Open Source Malware
Localized Fake Security Software
A Localized Bankers Malware Campaign
Lonely Polina's Secret (Localized malware campaign)

SDL Announcements at TechEd EMEA

Mon, 10 Nov 2008 19:25:00 +0000

Hello all, Dave here…

I am in Barcelona, Spain with Michael Howard and Adam Shostack at the TechEd EMEA: Developers Conference.

In addition to teaching and attending security sessions, we are in Barcelona to formally announce the launch of the SDL Optimization Model, SDL Pro Network and the Microsoft SDL Threat Modeling Tool Beta! For those of you who are unaware of these initiatives here’s a description of each…

SDL Optimization Model: The SDL Optimization Model was created to facilitate gradual, consistent and cost-effective implementation of the SDL in development organizations outside of Microsoft. It allows development managers and IT policy-makers to assess the state of the security in development and create a vision and road map for reducing customer risk.

Specific objectives of the model include the following:

· Enable organizations outside of Microsoft to create more secure and privacy-enhanced software by successfully implementing the SDL

· Allow organizations to self-assess current software development security practices and create a strategy for gradual improvement

· Provide SDL Pro Network service providers with a consistent and effective framework for providing SDL services

SDL Pro Network: The SDL Pro Network is a group of security service providers that specialize in application security and have substantial experience and expertise with the methodology and technologies of the Microsoft SDL. SDL Pro Network service providers will guide and support organizations in implementing the SDL into their environments.

The primary focus area for all members, both now and in the future, will be to deliver on the program’s commitment to make the SDL available outside Microsoft, specifically focusing on these issues:

· Protecting the customer - Helping customers adopt the SDL or general secure coding practices.

· Improving the SDL - Leveraging member knowledge to understand how the SDL is used by customers, what needs to be modified and what customer needs must be met in the future.

SDL Threat Modeling Tool Beta: The Microsoft SDL Threat Modeling Tool Beta allows for structured analysis, proactive mitigation and tracking of potential security and privacy issues in new and existing applications. Microsoft developed the tool and we use it internally on many of our products. This tool offers a threat modeling methodology that any software architect can lead effectively — in contrast with other processes, which are more expert-dependent. A few quick notes about the features:

· Automated guidance and feedback in drawing threat diagrams

· Guided analysis of threats and mitigations based on the STRIDE taxonomy

· Integration with bug-and issue-tracking systems like Visual Studio Team Foundation Server

To learn more about these, visit the SDL portal, http://www.microsoft.com/sdl.

By the way, if you are in Barcelona and want to stop by and chat, the session list is below:

SDL Theater Sessions:

· Getting started with the new SDL Threat Modeling Tool

Adam Shostack, Theater 1, Tuesday, Nov. 11, 15:20 – 15:40

· You could do that but it would be wrong – a discussion of pros/cons of threat mitigations

Michael Howard & Adam Shostack, Theater 1, Thursday, Nov. 13, 10:20 – 10:40

General Sessions:

· DVP308 How I Learned to Stop Worrying and Love Threat Modeling Nov. 12, 10:45 – 12:00

· DVP309 How to Review Your Code and Test for Security Bugs Nov. 13, 3:15 – 4:30

· DVP312 Top Ten Strategies to Security Your Code Nov. 14, 10:45 – 12:00

6 Months And Counting For Microsoft On CVE-2008-1436

Thu, 16 Oct 2008 11:24:58 +0000

In April of this year Microsoft issued what seemed to be a rather serious security advisory: Vulnerability in Windows Could Allow Elevation of Privilege (951306). Microsoft never provides gory details to vulnerabilities even after they've been patched, but by following the CVE entry from it you can get links to sites like IBM's ISS which are willing to say more, or even to get proof-of-concept exploit code from SecurityFocus. The vulnerability allows authenticated attackers potentially to elevate privileges to LocalSystem. Here we are, 6 months later, and Microsoft still has not patched this vulnerability. What's up with that? "Dustin" from the Microsoft Security Response Center recently addressed the question in a blog on Technet, following an update to the advisory to note the availability of the proof-of-concept code. It's worth noting that this vulnerability isn't really near the top of the scare list. Most of those 3rd parties you see linked on the CVE page rank it down a few notches. Even the usually hyperbolic Secunia calls it "Less Critical" (2 out of 5, 1 step up from "Not Critical"). Furthermore, back in April Microsoft provided workarounds which it says are effective against the proof-of-concept, at the cost of some administrative burden. They also say that they are unaware of any real-world attacks on this vector. You can find more details from Microsoft on the bug in Nazim's IIS Security Blog and the Security Vulnerability Research & Defense blog. Still, 6 months! What Dustin said was "...we began our investigation and immediately realized it would not be trivial to address this issue without introducing new risks." They're still testing and developing a fix. 6 months later. It would seem that the obvious fixes all cause some serious problem, perhaps breaking 3rd party code. Is this inherently unreasonable? It's getting there. The list of affected software includes most of the important versions of Windows. It may be that some of the time this has taken has gone to working with my speculative 3rd parties to update their own software, so that the fix won't have the same impact. But let's not forget that this is not an easily exploitable bug. It's not wormable in any way and by the time it's invoked other serious breaches of security have to have happened. So I guess it's worth it for Microsoft to take their time doing it right.

Non-cooperation in the fight against phishing

Thu, 16 Oct 2008 09:32:24 +0000

Tyler Moore and I are presenting another one of our academic phishing papers today at the Anti-Phishing Working Group’s Third eCrime Researchers Summit here in Atlanta, Georgia. The paper “The consequence of non-cooperation in the fight against phishing” (pre-proceedings version here) goes some way to explaining anomalies we found in our previous analysis of phishing website lifetimes. The “take-down” companies reckon to get phishing websites removed within a few hours, whereas our measurements show that the average lifetimes are a few days.

These “take-down” companies are generally specialist offshoots of more general “brand protection” companies, and are hired by banks to handle removal of fake phishing websites.

When we examined our data more carefully we found that we were receiving “feeds” of phishing website URLs from several different sources — and the “take-down” companies that were passing the data to us were not passing the data to each other.

So it often occurs that take-down company A knows about a phishing website targeting a particular bank, but take-down company B is ignorant of its existence. If it is company B that has the contract for removing sites for that bank then, since they don’t know the website exists, they take no action and the site stays up.

Since we were receiving data feeds from both company A and company B, we knew the site existed and we measured its lifetime — which is much extended. In fact, it’s somewhat of a mystery why it is removed at all! Our best guess is that reports made directly to ISPs trigger removal.

The paper contains all the details, and gives all the figures to show that website lifetimes are extended by about 5 days when the take-down company is completely unaware of the site. On other occasions the company learns about the site some time after it is first detected by someone else; and this extends the lifetimes by an average of 2 days.

Since extended lifetimes equate to more unsuspecting visitors handing over their credentials and having their bank accounts cleaned out, these delays can also be expressed in monetary terms. Using the rough and ready model we developed last year, we estimate that an extra $326 million per annum is currently being put at risk by the lack of data sharing. This figure is from our analysis of just two companies’ feeds, and there are several more such companies in this business.

Not surprisingly, our paper suggests that the take-down companies should be sharing their data, so that when they learn about websites attacking banks they don’t have contracts with, they pass the details on to another company who can start to get the site removed.

We analyse the incentives to make this change (and the incentives the companies have not to do so) and contrast the current arrangements with the anti-virus/malware industry — where sample suspect code has been shared since the early 1990s.

In particular, we note that it is the banks who would benefit most from data sharing — and since they are paying the bills, we think that they may well be in a position to force through changes in policy. To best protect the public, we must hope that this happens soon.

Skype says it was unaware of China message-logging

Wed, 01 Oct 2008 20:00:00 +0000

Skype was unaware of a major privacy problem affecting Skype users in China, the company's president said Thursday.

Zango And The Batman Online Videogame

Wed, 03 Sep 2008 07:00:00 +0000

This is Newsarama, a site (mostly) geared around comics and other related media:

Click to Enlarge

You'll notice Batman, over on the right there. Let's take a closer look:

"Free Online Batman Game"? Well, that's curious because I follow comics pretty closely and I'd be the first to know if an "Online Batman Game" had been in the works (this advert has been doing the rounds on numerous comic-related websites. Visit the URL in the ad - Batmangame.info - and you'll see this...

Click to Enlarge

There it is again - "Online Batman Game". Furthermore, the text goes on to say:

"Batman Online lets you do anything and every little thing you'd like in a Batman game. From leveling up your character to destroying villans, it has it all. Download and play this amazing game now, all for free! I'm sure you'll be playing for hours on end, it's that much fun.

    Level Up Your Character

   Explore a Huge Vast World

   Play Online With Your Friends

   Hundreds of Quests To Finish

   Perfect Battle System

So start your Batman adventure today! Download the full game below and fight them all!"

Note that they specifically call it "Batman Online". It specifically sounds like a text blurb you'd expect to see with a MMORPG. However, something isn't quite right here.

1) The only DC licensed MMORPG anybody knows of is this, and it isn't due out until 2009. It's not Batman-centric, either.

2) The screenshots are lifted from the Batman Begins videogame, which came out in 2005. If you were offering a "Batman Online Game", wouldn't you use screenshots from that instead of an unrelated title?

3) Absolutely no licensing, copyright or legal mumbo-jumbo on the page anywhere. DC and Warner Bros don't roll like that.

4) The website - Batmangame(dot)info - is registered anonymously. Not exactly something you see everyday for websites related to licensed DC franchises such as Batman videogames.

5) "To download and play the Batman Online Game you must download and install Zango as well. It is free, very easy to install and will give you access to the full game."

Shall we continue?

Click to Enlarge

A Zango installer prompt, complete with picture of Batman at the top. If you say "No" to the install, you end up on Google.com. What happens if you click "Start"? Well, you'll get the usual collection of Zango installer screens including one that rather humorously has a guy in a superhero costume.

Once everything is installed, you're taken to another page and from here things just get plain confusing. Remember, up to this point you've been promised an "Online Batman Game", the description of which is clearly intended to evoke images of a MMORPG. However....

Click to Enlarge

All of a sudden, you're being told you're downloading "Batman: Vengeance" on a cheap-looking splash page and shown what looks like an unofficially ripped Batman: Vengeance trailer on Youtube.

In case you're unaware, Batman: Vengeance is a videogame first launched way back in 2001 for consoles (followed shortly after by a PC version). What does this have to do with an "Online Batman Game"? Well, nothing, actually. Aside from the fact you were presented with one thing and are now handed another, things get even stranger when you see the download location:

Click to Enlarge

Have you ever heard of an officially licensed game being offered via Rapidshare downloads? It's possible, I guess, but it seems a little odd. However, the real oddness is reserved for the "Online Batman game" itself.

Remember, we've been promised "Hundreds of quests", "A huge vast world", the ability to "level up your character" and (of course) the "play online with your friends" promise of greatness.

Click to Enlarge

Imagine your dismay, then, when you've installed Zango, downloaded the game from Rapidshare using up around 140MB of bandwidth, installed it and....

Oh dear.

Not only are you given a totally different game than what was advertised, you're given a DEMO VERSION of that game with four short sample levels present, no online functionality and quite a few less quests than the "hundreds" advertised.

Hilariously, you can download a 100% legit copy of this demo here at Fileplanet, sans Adware. Setting aside the issue of whether this file is actually sitting on Rapidshare with either Ubisoft or DC / Warner Bros permission (and if it IS okay to be there, I'm pretty sure it's NOT okay to falsely advertise it as some kind of MMORPG) there are some questions that need to be raised here.

When this guy approached them with his website, did nobody stop to think that this game did not actually match up with the "Online Batman" game it was touted as? Didn't someone at Zango Quality Control actually download the game and see the big "This is a demo" wording as soon as it starts up? Or question why the screenshots on the website don't look like the graphics for Batman: Vengeance in the slightest?

However you look at it, this is a scam, pure and simple. Whoever came up with the idea of an "Online Batman Game" is lying through their teeth. Of course, because their website is registered anonymously we have no idea who the culprit is, unless of course Zango want to deposit them on the steps of Gotham City and let me dispense some Batman-style justice to their posterior.

However, based on the way these things tend to go - God forbid anyone ever offer up the identity of someone happily scamming the public at large, even when that person is dragging the name of the company associated with them through the mud by their antics - I think I might be waiting some time for the Bat Signal...

Are you using the latest web browser?

Wed, 16 Jul 2008 09:24:00 +0000

Written by Thomas Duebendorfer

In view of mass defacements of hundreds of thousand of web pages - with the intent to misuse them to launch drive-by download attacks - security researchers from ETH Zurich, Google, and IBM Internet Security Systems were interested in looking at the other side of the attack: the web browser. By analyzing the web browser versions seen in visits to Google websites, they have shown that more than 600 million Internet users don't use the latest version of their browser.

Slow migration to latest browser version
The researchers' paper, entitled "Understanding the Web Browser Threat", shows that as of June 2008, only 59.1% percent of Internet users worldwide use the latest major version of their preferred web browser. Firefox users are the most attentive: 92.2% of them surfed with Firefox 2, the latest major version before the recently released 3.0. Only 52.5% of Microsoft Internet Explorer users have updated to version 7, which is the most secure according to multiple publicly-cited Microsoft experts (among them Sandi Hardmeier). The study revealed that 637 million Internet users worldwide who use web browsers are either not running the latest version of their preferred browser or have not installed the latest patches. These users are vulnerable to exploitation due to their web browser's "built-in" vulnerabilities and the lack of more recent security mechanisms such as improved phishing protection.

Neglected security patches
Over the past 18 months, the study also shows, a maximum of 83.3% of Firefox users were using the latest major version of the web browser and also had all current patches installed (i.e. latest minor version). Only 56.1% and 47.6% of Opera and Internet Explorer users, respectively, were similarly utilizing fully-patched web browsers. Apple users are no better: since the public release of Safari 3, only 65.3% of users operate the latest Safari version.

Maximum measured share of users surfing the web with the most secure versions of Firefox, Safari, Opera and Internet Explorer in June 2008 as seen on Google websites.

Obsolete browser warning
The study's most important finding is that technical measures now in place do not sufficiently guarantee browser security, and that users' security awareness must be further developed. The problem is that most users are unaware that they are not using their browser's latest version. It must be made clear to web browser users that outdated software is associated with significantly higher risk. The researchers therefore suggest that, as a critical component of web software, a visible warning be instituted that warns the user of missing security patches in a way analogous to the 'best before' date in the perishable food industry. Software updates must also be made easier to find. The resulting transparency would go far in contributing to end user awareness of software weaknesses, and allow users to better evaluate risks.

Example "best before" implementation on a Web browser

As a side effect, having users migrate faster to the latest browser version would not only increase security but also make the lives of webmasters easier, as they would need to test and optimize websites for fewer older versions of web browsers.

Are you using the latest web browser?

Wed, 16 Jul 2008 09:24:00 +0000

Maximum measured share of users surfing the web with the most secure versions of Firefox, Safari, Opera and Internet Explorer in June 2008 as seen on Google websites.

Example "best before" implementation on a Web browser

Sybase aims to be your mobile phone security vendor

Wed, 25 Jun 2008 18:50:46 +0000

In a blast from the past, Sybase is aiming to be your mobile phone security provider. According to this article in Information Week, Sybase iAnywhere division's, Afaria security line already provides device authentication and encryption and now will add anti-virus and firewall capabilities.

I was glad to see the Sybase name in the article. I have fond memories of Sybase on Sun servers from my early web hosting days. It is also good to see a new competitor in the mobile phone business. Lets see if Sybase gives the McAfee's, Symatecs, etc a run for their money. Or who knows maybe another not yet heard from name will come out to dominate the mobile phone market.

What I also was unaware of was that there were over 500 viruses that target mobile phones. With Sybase covering Windows Mobile, Symbian (they just went open source), Blackberry and more, even the Apple iPhone appears to be covered. Though overall I still think this is an immature market, it will be interesting to see who steps up.

Sybase aims to be your mobile phone security vendor

Wed, 25 Jun 2008 17:50:46 +0000