[SecurityRatty] tag: urban

Is Spam Porn for the Security Industry?

Thu, 16 Oct 2008 10:39:00 +0000

We have all heard stories (urban myths?) about how the porn industry has driven technology from early DVD’s to streaming distribution on the grid. Could “spam” be a new driver helping artificial intelligence get smarter to solve complex low level security problems? Technology (an MIT Review site) has just published a story about how spam [...]

Wee-Fi: Routing Out an Address; Badger-Fi

Fri, 12 Sep 2008 07:34:26 +0000

Slashdot breathlessly posts an item by coderrr that Skyhook Wireless is exposing people's addresses: Yeah, whatever. Skyhook has accidentally offered an API that lets you query their Wi-Fi positioning system for latitude and longitude using a MAC address. Skyhook constantly drives major cities around the world and integrates scans created by users of their systems as well. The poster defines a non-existent problem: first, a scammer needs to get someone's MAC address; then you need to pair a rough lat/long with their street address; then, coderrr says, you'd get a phishing email with your home address. Whatever. If my machine is compromised enough that you can obtain my MAC address and then launch a phishing attack, I have worse problems already than my street address being in the email--which is unlikely given that most Wi-Fi scans will be in urban areas. It's likely Skyhook will modify their systems to prevent submission of such queries, or perhaps open their API further.

Madison Wi-Fi network sold to Atlanta firm: Xiocom purchases Mad City Broadband, a firm that has suffered significant criticism over the performance of its Wi-Fi network in Madison, Wisc. The press release from Xiocom (some quoted in the Badger Herald article) are a bit over the top about a network that reportedly has few users, inconsistent performance, and covers only a fraction of the city.

The Fallacy of Self-Fulfilling CEP Use Case Studies

Wed, 06 Aug 2008 11:30:13 +0000

I am back at the glaring computer screen after a day in Lamphun, Northern Thailand, hanging out will my friends who are preparing for a Bonsai tree competition. I spent the day eating Thai and Chinese food and relaxing in a lounge chair under imported blue palm trees with the sound of exotic birds making background music to keep me entertained.

Back to CEP and EPTS, there are folks who appear to believe they may define “CEP” by the current use cases from self-described CEP vendors. Frankly speaking, I am puzzled by the bottom-up approach.

The bottom-up approach is a bit like saying “We have a lot of prototype rockets being built, so let’s define the future of space travel based on the prototypes!”

It really makes little sense, at least to me, to attempt to define CEP based on what the current generation products (self-described CEP products) are capable of doing.

From my persective, it would be more beneficial to customers to define the types of complex events (and situations) businesses need to detect in real-time and match the technologies and solution architectures to detect those events, in real-time, with high confidence.

A lot of this “top down thinking” has been already done.

IT businesses need to detect operational threats and problems, and be able to pinpoint, with very high accuracy, where the problem is in a complex network, for example. This problem remains mostly unsolved with a very low signal-to-noise ratio.

Also, most businesses would like to detect fraud and other criminal activity on their network before the activities adversely impacts their business. This problem remains unsolved for most companies.

Scientific researchers seek models of weather, epidemiology, and so much more; and they need event processing solutions to obtain situational knowledge into current events and predict future ones. We know how difficult predicting the weather can be!

Folks on the ground need to model urban traffic as events and design better event-driven traffic models and solutions.

The list of important event processing challenges we face go on and on.

While I see some merit in the bottom-up approach, it is better for users to define what are practical “complex event” related problems and then look for the solutions, vs. define the solution and then look for the problem.

From a strategic perspective, self-fulfilling CEP use case studies are interesting, but they hould not limit the vision, definition, and future of processing complex events; and be careful of use case fallacies.

Summarizing July's Threatscape

Fri, 01 Aug 2008 12:08:24 +0000

July's threatscape -- consider going through June's summary as well -- once again demonstrated that nothing is impossible, the impossible just takes a little longer where the incentive would be the ultimate monetization of the process.

Russian hacktivists attacking Lithuania and Georgia, several Storm Worm campaigns, a couple of new malware tools, Neosploit team abandoning support for their web malware exploitation kit, CAPTCHA for several of the most popular free email providers getting efficiently attacked in order to resell the bogus accounts registered in the process, several copycat SQL injects next to the evasion techniques applied by the copycats, botnets continuing to commit click fraud and generate revenue for those who own or have rented them, an infamous money mule recruitment service taking advantage of the fast-fluxed network provided by the ASProx botnet - pretty interesting month indeed.

01. Decrypting and Restoring GPcode Encrypted Files -
The GPcode authors read the news too, and are catching up with the major weaknesses pointed out in their previous release in order to come with a virtually unbreakable algorithm. And since more evidence of who's behind the GPcode ransomware was gathered, vendors and independent researchers realized that the latest release is also susceptible to a plain simple flaw, namely the encrypted files were basically getting deleting and not securely erased making them fairly easy to recover.

02. Chinese Bloggers Bypassing Censorship by Blogging Backward -
When you know how it works, you can either improve, abuse or destroy it in that very particular order. Chinese bloggers are always very adaptive in respect to spreading their message by obfuscating their messages in a way that common keywords filtering software wouldn't be able to pick them.

03. Gmail, Yahoo and Hotmail’s CAPTCHA Broken -
This has been an urban legend for a while, but with more services starting to offer hundreds of thousands of pre-registered accounts at these providers, it's surprising that spam and phishing emails coming from legitimate email providers is increasing. The "vendors" behind these propositions are naturally starting to "vertically integrate" by offering value-added services for extra payments, namely, scripts to automatically abuse the pre-registered accounts for automatic registration of splogs and anything else malicious or blackhat SEO related.

04. The Antivirus Industry in 2008 -
If it were anyone else but a security vendor to come up with such a realistic cartoon aiming to stimulate innovation by emphasizing on how prolific and sophisticated malware groups have become, it would have been a biased cartoon. However, this one is courtesy of a security vendor, and it's pretty objective.

05. Lithuania Attacked by Russian Hacktivists, 300 Sites Defaced -
This attack is a good example of a decent PSYOPS operation. Of course they have already build the capabilities to deface and even execute DDoS attacks against Lithuania, so why not put them in a "stay tuned" mode, by speculating on the upcoming attack and then executing it making it look like they delived what they've promised? This a lone gunman mass defacement given that the sites were all hosted on a single ISP, with no indication of any kind of coordination whatsoever. The same for the Georgia President’s web site which was under DDoS attack from Russian hackers later this month. Despite that the hacktivists behind it dedicated a separate C&C for the attack, one that hasn't been used in any type of previous attacks so far, they did a minor mistake by using a secondary command and control location that's known to have been connected with a particular "botnet on demand" service in the past. The second attack once again proves that you don't need to build capacity when you can basically outsource the process to someone else.

06. The ICANN Responds to the DNS Hijacking, Its Blog Under Attack -
The ICANN finally issued a statement concerning the DNS hijacking of some of their domains, which is in fact what Comcast.net and Photobucket.com should have done as well, next to stating it was a "glitch". The ICANN also took advantage of the moment and also pointed out that their blog has also been under attack during the month. There's no better example of how the combination of tactics can result in the hijacking of the domains of the organizations implementing procedures aiming to protect against these very same attacks. And while Photobucket.com remained silent during the entire incident, the hosting provider that was used by the Netdevilz team in the two attacks, since they were also responsible for the ICANN and IANA DNS hijackings, technological and social engineeringissued a statement.

07. The Risks of Outdated Situational Awareness -
Security vendors are often in a "catch-up mode" and if I were an average Internet user not knowing that real-time situational awareness speaks for the degree to which my vendor knows what going on online, I'd be pretty excited. However, I'm not. Prevx were catching up with a service which I covered approximately two months ago, I even had the chance to constructively confront with one of the affected sites on how despite their security measures in place, this attack was still possible. Recently Prevx have once again demonstrated an outdated situational awareness by coming across a banking malware in July 2008, whereas the malware has been around since July 2007, and earlier depending on which version you're referring to.

08. Fake Porn Sites Serving Malware - Part Two -
Yet another domain portfolio of fake porn sites serving rogue codecs and live exploit URLs, just the tip of the iceberg as usual, however their centralization is greatly assisting in tracking them down.

09. Storm Worm's U.S Invasion of Iran Campaign -
Stormy Wormy is once again making the headlines with their ability to actually make up the headlines on their own.

10. Mobile Malware Scam iSexPlayer Wants Your Money -
The best scams are the ones to which you've personally agreed to be scammed with without even knowing it. Like this one, which was tracked down and analyzed a couple of hours once a uset tipped on it.

11. The Template-ization of Malware Serving Sites -
The increase of fake porn and celebrity sites is due to the overall template-ization of these, with the people behind them basically implementing several malicious doorways to ensure that the domains get rotated on the fly. Despite that they all look the same, they all sever different type of malware, and zero porn of celebrity content at all except the thumbnails.

12. Violating OPSEC for Increasing the Probability of Malware Infection -
No better way to expose your affiliations and several unknown bad netblocks so far, by adding the netblocks and the malicious domains as trusted sites upon infecting a PC with the malware. Of course, the usual suspects lead the "trusted netblocks".

13. Monetizing Compromised Web Sites -
Several years ago, a script kiddie would install Apache on a mail server, they claim that they defaced it. Today, these amusing situations are replaced by monetization of the compromised sites, by reselling the access to them to blackhat SEO-ers, malware authors, phishers, or personally starting to manage a scammy infrastructure on them, by earning money on an affiliate based model, like this particular attack.

14. Malware and Office Documents Joining Forces -
A recent DIY malware kit, sold as a proprietary tool basically crunching out malware infected office documents, whose built-in obfuscation makes them harder to detect. It will sooner or later leak out, turning into a commodity tool, a process that's been pretty evident for web malware exploitation kits as well.

15. Are Stolen Credit Card Details Getting Cheaper? -
Depends on who you're buying them from, and whether or not they offer discounts on a volume basis, namely the more you buy the cheaper the price of a card is supposed to get. With the current oversupply of stolen credit card details, what used to be an exclusive good once where they could enjoy a higher profit-margin, is today's commodity good.

16. The Neosploit Malware Kit Updated with Snapshot ActiveX Exploit -
Since alll the web malware exploitation kits are open source, and leaked in the wild at large, their modularity allows everyone to easily embed any type of exploit that they want to, resulting in Neosploit's single most beneficial feature, the fact that certain versions include all the publicly available exploits targeting Internet Explorer, Firefox and Opera. Moreover, the open source nature of the kit is resulting in a countless number of modified versions yet to be detected and analyzed, therefore keeping track of the exploits included in a malware kit can only be realistic if you take into considered the exploits that come with the default installation.

17. Obfuscating Fast-fluxed SQL Injected Domains -
Now that's a very good example of different tactics combined to attack, ensure survivability, and apply a certain degree of evasion in between.

18. The Unbreakable CAPTCHA -
There's never been a shortage of ideas, there's always been an issue of usability.

19. The Ayyildiz Turkish Hacking Group VS Everyone -
That's a pretty inspiring mission if you are to ensure your future in the next couple of years, by targeting everyone, everywhere that has ever publicly stated their disagreement with the Turkish foreign policy.

20. Money Mule Recruiters use ASProx's Fast Fluxing Services -
A true multitasking in action with a botnet that's been crunching out phishing emails, SQL injecting and now hosting a well known money mule recruitment service.

21. SQL Injecting Malicious Doorways to Serve Malware -
Constantly switching tactics and combining different ones to achive an objective that used to be accomplished by plain simple techniques, is only starting to take place. In this case, instead of a hard coded SQL injected domain, we have the typical malicious doorways the result of the converging traffic management tools with web malware exploitation kits.

22. Impersonating StopBadware.org to Serve Fake Security Warnings -
Typosquatting popular security vendors and services is nothing new, by having HostFresh providing the hosting for the parked domains promoting the rogue security software, is a privilege and flattery for the success of the Stopbadware initiative.

23. Coding Spyware and Malware for Hire -
Customerization -- not customization -- has been taking place for a while, that's the process of tailoring your upcoming products to the needs of your future customers, compared to the product concept myopia where the malware coder would code something that he believes would be valuable to the potential customers. End user agreements, issuing licenses for the malware tool, as well as forbidding the reverse engineering of the malware so that no remotely exploitable flaws could be, are among the requirements the coder assists on.

24. Lazy Summer Days at UkrTeleGroup Ltd -
Taking a random snapshot of the current malicious activity at a well known provider of hosting services for rogue security applications, live exploit URLs and botnet command&control locations, always provides an insight into what are their customers up to. In this case, centralization of their scammy ecosystem, and parking a countless number of rogue domains on the same server.

25. Email Hacking Going Commercial -
Cybercrime is in fact getting easier to outsource, and while the number of scammers trying to offer non-existent services, or at least services where they cannot deliver the goods, the business model of this service that is that you only pay once they show you a proof that they've managed to hack the email address you game them. How are they doing it? Social engineering and enticing the user to click on live exploit URL from where they'll infect the PC and obtain the email password, of course, next to definitely abusing it for many other purposes in the process.

26. Vulnerabilities in Antivirus Software - Conflict of Interest -
You can easily twist the number of vulnerabilities found in your antivirus solution, but not recognizing them as vulnerabilities at the first place. It's all a matter of what you define as a vulnerability, or perhaps what you admit as a serious vulnerability - remote code execution through a security software, or a flaw that's allowing malware to bypass the security solution itself.

27. Counting the Bullets on the (Malware) Front -
Emphasizing on the number of malware/threats/viruses/worms/slugs your solution detects may be marketable in the short-term, but is damaging the end user's understanding of the threatscape in the long-term. So, by the time he catches up with what exactly is going on, he'll recall the moment in time where he was using the number of threats his solution was detecting as the main benchmark for its usefulness. In reality through, the number is irrelevant from a pro-active point of view, with zero day malware like the one coded for hire undermining the signatures based scanning model.

28. Smells Like a Copycat SQL Injection In the Wild -
It was pretty obvious that copycats seeing the success of SQL injections the the huge number of sites susceptible to exploitation, would also starting taking advantage of the practice. Some are, however, targeting local communities and trying to avoid detection by using targeted SQL injections.

29. Click Fraud, Botnets and Parked Domains - All Inclusive -
The scheme is nothing new, what's new is that the botnet masters are trying to limit the revenues that used to go out to affiliate networks they were participating in, and are trying to own or rent the entire infrastructure on their own.

30. Over 80 percent of Storm Worm Spam Sent by Pharmaceutical Spam Kings -
With access to Storm Worm sold and resold, and new malware introduced on Storm Worm infected hosts used as foundation for the propagation of the new malware in this case, it's questionable whether or not the Storm Worm-ers themselves are sending out the junk emails, or are they people who've rented access to the botnet doing it.

31. Neosploit Team Leaving the IT Underground -
Pretty surprising at the first place, but in reality it clearly demonstrates that when you cannot enforce the end user agreement on your crimeware kit, but continue seeing it used in a very profitable malware operations, you basically shut down the support for the public version. The team is not going to stop innovating for their own purposes, and in the long-term they may in fact re-appear with an updated malware kit that's converging different services next to the product itself.

32. Dissecting a Managed Spamming Service -
Managed spamming services using botnets as the foundation for the campaigns are starting to introduce improved metrics for the delivery, as well as experienced customer support ensuring the spam messages make it through spam filters, or at least increase the probability of making the happen. This is an example of a random service emphasizing on the improved metrics they're capable of delivering.

33. Storm Worm's Lazy Summer Campaigns -
Looks like a "cybercrime intern" launched this campaign, lacking any of the usual Storm Worm evasive practices, no exploitation of client side vulnerabilities, as well as no survivability offered by their usual fast-flux nodes.

Gmail, Yahoo and Hotmails CAPTCHA Broken

Thu, 03 Jul 2008 04:36:21 +0000

It's one thing to start efficiently registering thousands of email accounts at reputable email providers by automatically breaking their CAPTCHA authentication, and entirely another to build a business model on the top of it next to the opportunity to abuse if for your own malicious purposes. Which is exactly what we have here, an underground service that's selling registered accounts at Gmail, Yahoo, Hotmail and the most popular Russian email providers in the thousands. Once the inventory of registered accounts drops due to someone's purchase, it continues registering one to two email accounts per second.

Gmail, Yahoo and Hotmail’s CAPTCHA broken by spammers :

"Breaking Gmail, Yahoo and Hotmail’s CAPTCHAs, has been an urban legend for over two years now, with do-it-yourself CAPTCHA breaking services, and proprietary underground tools assisting spammers, phishers and malware authors into registering hundreds of thousands of bogus accounts for spamming and fraudulent purposes. This post intends to make this official, by covering an underground service offering thousands of already registered Gmail, Yahoo and Hotmail accounts for sale, with new ones registered every second clearly indicating the success rate of their CAPTCHA breaking capabilities at these services."

Text based CAPTCHA is so broken, that if major web sites whose services are getting abused don't at least try to slow down the efficient approach of breaking it, we are going to see an entire spamming infrastructure build on the foundation of legitimate email service providers.

Related posts:
Vladuz's Ebay CAPTCHA Populator
Spammers and Phishers Breaking CAPTCHAs
DIY CAPTCHA Breaking Service
Which CAPTCHA Do You Want to Decode Today?

FISMA Report Card News, Formulas, and 3 Myths

Tue, 27 May 2008 12:36:28 +0000

Ever watch a marathon on TV? There’s the usual formula for how we lay out the day:

History of the marathon and Pheidippides
Discussion of the race length and how it was changes so that the Queen could watch the finish
World records and what our chances are for making one today
Graphics of the race course showing the key hills and the “sprint to the finish”
Talk about the womens’ marathon including Joan Benoit and Kathrine Switzer
Description of energy depletion and “The Wall”
Stats as the leaders hit the finsh line
Shots of “back-of-the-pack” runners and the race against yourself

Well, I now present to you the formula for FISMA Report Cards:

Paragraph about how agencies are failing to secure their data, the report card says so
History and trending of the report card
Discussion on changing FISMA
Quote from Karen Evans
Quote from Alan Paller about how FISMA is a failure and checklist-driven security
Wondering when the government will get their act together

Have a read of Dancho’s response to the FISMA Report Card. Pretty typical writing formula that you’ll see from journalists. I won’t even comment on the “FISMA compliance” title. Oh wait, I just did. =)

Some myths about FISMA in particular that I need to dispell right now:

FISMA is a report card: It’s a law, the grades are just an awareness campaign. In fact, the whole series of NIST Special Publications are just implementation techniques–they are guidance after all. Usually the media and bloggers talk about what FISMA measures and um, well, it doesn’t measure anything, it just requires that agencies have security programs based on a short list of criteria such as security planning, contingency planning, and security testing. It just goes back to the adage that nobody really knows what FISMA is.
FISMA needs to be changed: As a law, FISMA is exactly where it needs to be. Yes, Congress does have talks about modifying FISMA, but not much has come of it because what they eventually discover after much debate and sword-waving is that FISMA is the way to write the law about security, the problem is with the execution at all levels–OMB, GAO, and the agencies–and typically across organizational boundaries and competing master agendas.
There is a viable alternative framework: Dancho points out this framework in his post which is really an auditors’ plugin to the existing NIST Framework for FISMA. Thing is, nobody has a viable alternative framework because it’s still going to be the same people with the same training executing in the same environment.

Urban Cell-Phone Fire Myth photo by richardmasoner. This myth is dispelled at snopes.com.

Way back last year I wrote a blog post about indicator species and how we’re expecting the metrics to go up based on our continual measuring of them. Every couple of months I go back and review it to see if it’s still relevant. And the answer this week is “yes”.

Now I’ve been thinking and talking probably too much about FISMA and the grades over the past couple of years, so occassionally I come to conclusions . According to Mr Vlad the Impaler, the report card is a bad idea, but I’m slowly beginning to see the wisdom of it: it’s an opportunity to have a debate and to raise some awareness of Government security outside of those of us who do it. The only other time that we have a public debate about security is after a serious data breach, and that’s not a happy time.

I just wish the media would stop with the story line that FISMA is failing because the grades provide recursive evidence of it.

Bookmark to:

E-Discovery's Great 'Urban Myth' - And Why You Shouldn't Believe It

Thu, 01 May 2008 13:59:45 +0000

I'm in the process of reviewing the first 150 court cases using the revised Federal Rules of Civil Procedure (FRCP) for electronic discovery (e-discovery), which went into effect on 1 December 2006. Now, I know what you're thinking - but it's not nearly as glamorous as it sounds. The decisions average 40 single-spaced pages in length, they're painfully detailed, and the writing is as dense as only a lawyer can make it. It takes several cups of strong black coffee just to get through one case, and believe me, it's not something you want to try doing late in the afternoon.

Some of these cases are making serious progress toward closing the gap between the requirements of public policy mandates and the market-driven power of technology. But far too many of them are tangled up in two fundamentally opposed, but equally dangerous, fallacies: 1) the "urban myth" that it's impossible to erase an e-mail or other piece of digital information; and 2) the idea that the only smart practice is to keep nothing.

Where e-discovery and especially e-mail are concerned, most enterprises find themselves at a critical juncture at which public policy is failing to keep pace with the evolution of technology. I call this situation "Star Wars technology with Gutenberg laws." Just how bad is the business/technology/policy disconnect? Well, when I graduated from college in 1975, I got a job with United Press International (UPI), which had just implemented a rudimentary form of computer-based "e-mail" to replace the telex (TWIX) messaging system. The messages we sent were available on the computer for 24 hours, not a second more. If we needed a copy of one, we had no choice but to print it out. That's the way e-mail was originally conceived - as the technological equivalent of a Kleenex tissue - to be used once and thrown away. But that's not the way most enterprises are using e-mail now.

The fact is, for many enterprises, e-mail is now the primary workflow tool, the primary collaboration tool, the personal archive and, in some cases, the institutional archive. If there's any e-mail product that was designed with those uses in mind - and with the robust features and functionality to support them - I'm not aware of it. And that's where the business/technology/policy gap comes from. We have tools deployed that were originally designed for ephemeral communications, which are now expected to be eternal repositories of the truth. And, of course, to compound that problem, the world is full of litigators who are happy to win cases on mechanics, rather than merits - all because somebody didn't get e-discovery exactly right.

The bottom line: Don't accept the urban myth that you'll never be able to erase an e-mail, and don't believe that the only smart practice is to keep nothing at all. The trick is to understand what you need to keep, to know where it is, and to make sure that you can get at it when you need it. It's not simple, and it's not easy, but it is absolutely critical.

NYC Is Getting a New High-Tech Defense Perimeter. Let's Hope It Works

Wed, 23 Apr 2008 20:00:00 +0000

Wired.com's Noah Shachtman explains New York's security plans for lower Manhattan: A plan so sophisticated, it trumps the armor of any major urban area in the world.

BART Wi-Fi Access Moves Closer in Bay Area

Wed, 09 Apr 2008 02:39:32 +0000

WiFi Rail may sign contract with Bay Area Rapid Transit soon: That's typical marketing fare from many companies, to pre-announce deals, but a BART official confirmed the state of negotiations in this Sacramento Bee article. I had a long talk with the WiFi Rail folks a few months ago, and they sent me some fascinating video of a live four-way video chat with three participants communicating from moving trains.

Their technical description of what they're doing makes a lot of sense, and if they can pull off their trial work in a production environment, they will have a set of patents and products that will likely be the model for deploying subway and train Wi-Fi in urban areas around the world. Yes, that's a big claim; but they have a unique and interesting solution.

The company told the Bee that they would start on heavily traveled underground routes first, with service available within 4 months of a contract. WiFi Rail relies on leaky coax, which is wiring that runs in the tunnel already, and they've overlaid Wi-Fi signals on in a way that simulates a very long antenna.

The Bee reports that they've raised $1.5m in financing so far with another round of $15m to $20m to close later this year. With a BART contract in hand, I can't imagine they'll have any difficulty getting funds. Captive audiences are worth the big bucks.

Mobile Post: Speeds Thrills in Minnesota

Thu, 03 Apr 2008 10:53:14 +0000

In Minnesota, St. Paul and Minneapolis may stand as poster children for two trends in broadband: On your left, Comcast offers 50 Mbps/5 Mbps in the home; on your right, a working urban Wi-Fi network.