[SecurityRatty] tag: wi-fi

Wireless as Fashion

Mon, 14 Jul 2008 12:53:19 +0000

As a security guy, I’ve spent a lot of time thinking about the security ramifications of wireless connectivity. Wireless has evolved from a single protocol, 802.11b, to a veritable alphabet soup loosely defined as "Mobility." We now have 11a/b/g and maybe n, Bluetooth, RFID, CDMA, Wi-Max, and a bunch of other stuff that all provides wireless access, often without even a thought of security. As people scramble to have the latest, coolest, most connected devices in the company, they are tossing security right out the window.

I once was working on a project to install a robust wireless network for a company. I asked the guy I was working with why they were doing it. This company had a general attitude of paranoia where security was concerned, so the drive to fast-track an expensive wireless network seemed out of place. It turns out, this company’s president had been playing golf with the president of another company. The president of the other company started bragging about his company’s new wireless network and how he could take his laptop anywhere in the building and get on the network. Embarrassed, the president came back to work and immediately told his IT staff to install a WLAN so that he would never again suffer such indignation. Halfway through the project, cooler heads pointed out to the president that since his company focused on critical infrastructure, the security risks of wireless were too great for them to bear.

This new push for mobility has created a hierarchy within companies. The important people get the coolest phones and PDAs. I once discovered a disturbing trend during a policy review related to mobile devices: when a new phone or PDA came out, a rash of dropped, damaged, and broken phones were turned into the person in charge of handing out mobile devices. Many "accidentally" fell into the toilet. Real money was being lost here, as employees jockeyed for status brought by the flashiest new phones. Yes, this does really happen. I guess I shouldn’t have been shocked by this. The mobile phone folks figured it out long ago…

ICANN Gets Tough With Shady Registrar

Tue, 20 May 2008 02:53:16 +0000

ICANN has put a registrar on notice that they are in violation of the Registrar Accreditation Agreement and subject to termination in 15 days.

The registrar is Red Register, a registrar with a troubled legal history. They are currently being sued by Microsoft for registering 125 names that typosquat Microsoft's trademarks.

According to the letter sent by ICANN to Red Register, the company was informed back in February of a finding in the arbitration case of Cambridge Pavers, Inc. v Versata Software, Inc. c/o Versata Hostmaster heard by the National Arbitration Forum, pursuant to the ICANN UDRP (Uniform Dispute Resolution Policy). The domain at issue was cambridgepavingstone.com. The registrant, Versata software, lost the case, unsurprisingly since they didn't bother to file a response to the UDRP charges. The cambridgepavingstone.com home page is, of course, parked with the usual boring set of ads.

[Full disclosure: My front walk is built with Cambridge Pavers, and it's really nice. We're very happy with our decision.]

Red Register, as the registrar of record on the domain, was ordered to transfer the domain to Cambridge Pavers, and has ignored the orders. To get a sense of what kind of registrar Red Register is, try running whois on their own domain redregister.com: yes, it's a private registration. In fact, just who these people are is a little fuzzy here; the Contact Us page at Red Register lists addresses in Columbus, OH. But the ICANN notice is sent to a Daniel Sundin in Madison, WI. Two college football towns; perhaps Red Register hasn't responded because Mr. Sundin went off to grad school.

This will be fun to follow; it's hard to imagine they won't relinquish the domain in time. Not only have their permission to operate a registrar business been threatened, but it's getting press. But who knows, maybe the company is on autopilot and the snail mail piles up behind the front door.

The United Nations Serving Malware

Wed, 23 Apr 2008 06:13:00 +0000

Yet another massive SQL injection attack is making its rounds online, and this time without the SEO poisoning as an attack tactic, has managed to successfully infect the United Nations events page, which is now also marked as malware infected page, and with a reason since both the malicious URl and the injection are still active. According to WebSense :

"This mass injection is remarkably similar to the attack we saw earlier this month. When a user browses to a compromised site, the injected JavaScript loads a file named 1.js which is hosted on http://www.nihao[removed].com The JavaScript code then redirects the user to 1.htm (also hosted on the same server). Once loaded, the file attempts 8 different exploits (the attack last April utilised 12). The exploits target Microsoft applications, specifically browsers not patched against the VML exploit MS07-004 as well as other applications. Ominously files named McAfee.htm and Yahoo.php are also called by 1.htm but are no longer active at the time of writing. There are further similarities too between the two mass attacks. Resident on the latest malicious domain is a tool used in the execution of the attack. An analysis of that tool can be found in the ISC diary entry here. Mentioned in that diary entry is http://www.2117[removed].net. Our blog on that attack can be found here. It appears that same tool was used to orchestrate this attack too. "

Let's assess the malicious injection. nihaorr1.com/ 1.js (219.153.46.28) is attempting to load nihaorr1.com/ 1.htm, where several other internal exploit serving URLs and javascript obfuscations load through IFRAMES, such as :

nihaorr1.com/ Real.gif
nihaorr1.com/ Yahoo.php
nihaorr1.com/ cuteqq.htm
nihaorr1.com/ Ms07055.htm
nihaorr1.com/ Ms07033.htm
nihaorr1.com/ Ms07018.htm
nihaorr1.com/ Ms07004.htm
nihaorr1.com/ Ajax.htm
nihaorr1.com/ Ms06014.htm
nihaorr1.com/ Bfyy.htm
nihaorr1.com/ Lz.htm
nihaorr1.com/ Pps.htm
nihaorr1.com/ XunLei.htm

and finally serve the malware, by also taking us out of the point and loading another malicious IFRAME farm at gg.haoliuliang.net/one/ hao8.htm?036 (222.73.44.162) :

Scanners Result: 18/32 (56.25%) :
W32/PWStealer1!Generic; PWS:Win32/Lineage.WI.dr
File size: 24667 bytes
MD5...: 4b913be127d648373e511974351ff04e
SHA1..: 0ab703c93e3ad7c03d1aae5ea394d7db3b89bfd2

Another internal IFRAME serving exploits is also loading at haoliuliang.net, gg.haoliuliang.net/wmwm/ new.htm where a new piece of malware is served :

Scanners Result: 26/32 (81.25%)
Trojan-PSW.Win32.OnLineGames.ppu; Trojan.PSW.Win32.OnlineGames.GEN
File size: 7205 bytes
MD5...: af05c777700b338f428463e56f316a05
SHA1..: bd68f621ec6c9796afa8b766c6cf4167afbd4703

As it appears, everyone's a victim of web application vulnerabilities discovered automatically, and either filtered based on high-page rank, or trying to take advantage of the long-tail of SQL injected sites to compensate for the lack of vulnerable high profile sites.

Related posts:
UNICEF Too IFRAME Injected and SEO Poisoned
Embedded Malware at Bloggies Awards Site
Embedding Malicious IFRAMEs Through Stolen FTP Accounts
Yet Another Massive Embedded Malware Attack
MDAC ActiveX Code Execution Exploit Still in the Wild
Malware Serving Exploits Embedded Sites as Usual
Massive RealPlayer Exploit Embedded Attack
Syrian Embassy in London Serving Malware
Bank of India Serving Malware
U.S Consulate St. Petersburg Serving Malware
The Dutch Embassy in Moscow Serving Malware
U.K's FETA Serving Malware
Anti-Malware Vendor's Site Serving Malware
The New Media Malware Gang - Part Three
The New Media Malware Gang - Part Two
The New Media Malware Gang
A Portfolio of Malware Embedded Magazines
Another Massive Embedded Malware Attack
I See Alive IFRAMEs Everywhere
I See Alive IFRAMEs Everywhere - Part Two

New Info Sec magazine in blog format

Mon, 10 Mar 2008 04:02:00 +0000

Ken Belva, a blogger in the SBN is starting a new InfoSec magazine in blog format. Below is Ken's post on the new venture. I wish him and the team well and will be reading!

http://www.bloginfosec.com/2008/03/10/announcing-bloginfoseccom-an-information-security-magazine-in-a-blog-format/

Announcing bloginfosec.com, an information security magazine in a blog format. bloginfosec.com is written by professionals for professionals.
Our magazine delivers content for executives and practitioners written by working information security executives and practitioners.

Our columnists are respected information security veterans who hold influential positions at major corporations. bloginfosec.com prides itself on being free from vendor and commercial influence. Our columnists have an amazing flexibility to write their columns as they see fit with minimal editorial constraints.

Spotlight on Our Columnists
This week and next we will be spotlighting our columnists. We have some great column posts scheduled for publication.

      * Monday: C. Warren Axelrod - ROSI: Security Returns?
      * Tuesday: Frank Cassano - The core truth of risk
      * Wednesday: Allan Pomerantz - Our End Users: The Weakest Link
      * Thursday: Micki Krause - Core Program Practices: Assess, Implement and Monitor
      * Friday: Sam Dekay - Information Security: Orphan of the Org Chart?
      * Monday: Russell Handorf - Wi-Fu! Attacking the 802.11 Client
      * Tuesday: Derek Schatz - Are We Less Secure Now Than Before?

iPod Newsletter Raffle
Any corporate (.com, .net, .com.xx, etc.) or educational (.edu) activated email address registered between Monday, March 10th, 2008 and Friday, March 15th, 2008 on bloginfosec.com will have the chance to win a free 8G iPod Touch with video. We will mail the iPod anywhere in the world. Generic email addresses (such as yahoo.com, google.com, aol.com,
etc.) are not eligible to win. All entries are subject to our discretion. We will pick the winner and contact you via email for your physical mailing address.

Blogging from MISTI InfoSec World 2008
Stay tuned for posts, pictures and possibly video of InfoSec World 2008.
Point your feed reader here for all of the RSS action!

Qualified Writer?
Please review the columnist agreement. If qualified, please email us at authors()bloginfosec.com or contact the editors through the contact form.

New Info Sec magazine in blog format

Mon, 10 Mar 2008 03:02:01 +0000

Ken Belva, a blogger in the SBN is starting a new InfoSec magazine in blog format. Below is Ken's post on the new venture. I wish him and the team well and will be reading!

http://www.bloginfosec.com/2008/03/10/announcing-bloginfoseccom-an-information-security-magazine-in-a-blog-format/

Spotlight on Our Columnists
This week and next we will be spotlighting our columnists. We have some great column posts scheduled for publication.

Blogging from MISTI InfoSec World 2008
Stay tuned for posts, pictures and possibly video of InfoSec World 2008.
Point your feed reader here for all of the RSS action!

Qualified Writer?
Please review the columnist agreement. If qualified, please email us at authors()bloginfosec.com or contact the editors through the contact form.

The Continuing .Gov Blackhat SEO Campaign - Part Two

Mon, 25 Feb 2008 05:42:20 +0000

As it's becoming increasing clear that blackhat SEOers are actively experimenting with embedding their content on high pagerank sites, such as .govs, the numerous campaigns, one of which was by the way serving malware, indicate that injection the content through remote file inclussion or remotely exploitable web application vulnerabilities is an emerging trend that deserves to be closely examined. Here are several more currently active blackhat SEO campaigns located at :

- Utah Attorney General’s Office Identity Theft Reporting Information System -
idtheft.utah.gov/pn/modules/pagesetter/pntemplates/plugins - 20, 200 SEO pages

- Mid-Region Council of Governments - mrcog-nm.gov/includes/phpmailer/language - 3, 630 pages

- Readyforwinners e-magazine - readyforwinners.hertscc.gov.uk/templates/2 - 890 SEO pages

- National Homecare Council - homecare.gov.uk/nhcc.nsf/discmainview - 220 SEO pages

- Washington Wing Website - wawg.cap.gov/calendar/editor/themes/simple - 93 SEO pages

- Fauquier County - fauquiercounty.gov/government/departments/procurement - 69 SEO pages

- Wisconsin Department of Military Affairs - dma.wi.gov/mediapublicaffairs - over 1,000 pages embedded with "invisible SEO content" meaning the content is also visible to search engines just like the one in a previous assessment

The number of pages currently hosted at these high pagerank domains is indeed disturbing, but here comes the juicy part in the form of yet another "invisible blackhat SEO" campaign, where outgoing links and SEO content is embedded at the host, but is only visible to web crawlers. Take the Wisconsin Department of Military Affairs's site for instance, where a news item that was posted in 2003, yes five years ago, is still embedded with "invisible blackhat SEO content" in between a fancy javascript obfuscation that once deobfuscated tries to connect to a third-party host feeding it with referring keywords, sort of keywords blackhole for optimizing future SEO campaigns based on increasing or decreasing popularity of specific ones.

Sampling the outgoing links also speaks for itself, take canadianmedsworld.com (217.170.77.162) for instance, and the fact that a great deal of outgoing links also respond to nearby IPs within the scammy ecosystem (217.170.77.*) such as :

canadianpharmacyltd.org
ns1.viagrabestprice.info
ns2.viagrabestprice.info
officialmedicines.us
pharm-shop.net
thecanadianpharmacymeds.com
viagrabestprice.info
viagraforlove.com
xdrugpill.com

This is perhaps the perfect moment to clarify that the appropriate people responsible for auditing and securing these hosts, are already doing their forensics job and are coming up with more data, on how it happened, when it happened, and who could be behind it - an example of threat intell sharing a concept that should be getting more attention than it is for the time being. So far, there haven't been repeated incidents like the malware serving ones I assessed in previous posts, but as it's obvious they're automatically capable of embedding and locally hosting any content, it's only a matter of intentions in this case.

BlackEnergy DDoS Bot Web Based C&Cs

Tue, 12 Feb 2008 15:46:35 +0000

Remember the Google Hacking for MPacks, Zunkers and WebAttackers experiment, proving that malicious parties don't even take the basic precautions to camouflage their ongoing migration to the web for the purpose of botnet and malware kits C&Cs? Let's experiment wi the BlackEnergy DDoS bot, and prove it's the same situation. What's the BlackEnergy DDoS bot anyway :

"BlackEnergy is an HTTP-based botnet used primarily for DDoS attacks. Unlike mostcommon bots, this bot does not communicate with the botnet master using IRC. Also, wedo not see any exploit activities from this bot, unlike a traditional IRC bot. This is a small(under 50KB) binary for the Windows platform that uses a simple grammar tocommunicate. Most of the botnets we have been tracking (over 30 at present) are locatedin Malaysian and Russian IP address space and have targeted Russian sites with theirDDoS attacks."

The following are currently live botnet C&Cs administration panels, and with BlackEnergy's only functionality in the form of DDOS attacks, it's a good example of how DDoS on demand or DDoS extortion get orchestrated through such interfaces :

httpdoc.info/black/auth.php (66.29.71.16)
wmstore.info/hello/auth.php (216.241.21.62)
lunaroverlord.awardspace.com/auth.php (82.197.131.52)
333prn.com/xxx/auth.php (64.247.18.208)

It's getting even more interesting to see different campaigns within, that in between serving Trojan.Win32.Buzus.yn; Trojan.Win32.Buzus.ym; Trojan-Proxy.Small.DU, there's also an instance of Email-Worm.Zhelatin. A clear indication of a botnet in its startup phrase is also the fact that all the malware binaries that you see in the attached screenshot use one of these hosts as both the C&C and the main binary update/download location.