Saturday, July 12, 2008

Spliced feed for Security Bloggers Network

Infectee or Infector? [Didier Stevens] [Belgian Security Blognetwork]

Posted: 12 Jul 2008 05:32 AM CDT


My first and second little polls led up to this post.

I’ve been quite surprised that the most downloaded file from my site is SafeBoot.zip. Since I published it more than a year ago, there have been 20,000+ downloads. And I’m also under the impression that the number of downloads per day is steadily increasing. One would be tempted to conclude from this that the number of malware infections that disable Safe Mode is on the rise, but this is indirect evidence.

First of all, I believe the increase is due to search engines. As more and more sites link to the Safeboot blogpost, the page will rise in the ranking of search results. One can argue that visiting the Safeboot blogpost and downloading the SafeBoot.zip file are two different things: you can land on the page just out of curiosity, but if you download the registry fix file, then you’re surely infected with a Safe Mode disabling virus.

Well, not necessarily. From my interactions with people using my registry fix, I’ve observed that some of them apply this fix even if their Safe Mode keys are intact. They just have another PC problem (for example the CD drive doesn’t work anymore), and they hope that my fix will fix this too.

So I’m not sure that Safe Mode disabling malware is on the rise, but I do know that it’s becoming more sophisticated. Whereas the first virus I analyzed would only delete the Safe Mode keys once, now there are viruses that delete the Safe Mode keys and monitor them, deleting them again if they are restored.

Ironically, another large group of people that visit my site are not in search of a solution to a malware infection, but are looking for malware! Here are some of the most popular search terms that lead to my blog:

  • download virus
  • virus download
  • download a virus
  • how to get a virus
  • get a virus
  • give me a virus

The reason that search engines direct users to my site when they search for a virus is an unfortunate side-effect of my Google Adwords post. This is my most popular blogpost by far, and has been linked to by countless sites. Although I offer no malware to download, this Adwords blogpost contains the words of the search terms and is highly referred to, so it ranks high in search engine results.

So if you’re landing on my blog via a search engine, it’s very likely you’re an infectee or an infector. ;-)

The Absurdity of Physical Security Screening [The Falcon's View]

Posted: 11 Jul 2008 09:30 PM CDT

As already mentioned, I had the opportunity to attend an Obama rally this week. Perhaps the single most intriguing thing to jump out at me from a security perspective was the security screening process. In addition to requiring everybody to...

Google AdWords [securosis.com]

Posted: 11 Jul 2008 05:36 PM CDT

This is not a ’security’ post.

Has anyone had a problem with Google AdWords continuing to bill their credit cards after their account is terminated? Within the last two months, four people have complained to me that their credit cards continued to be charged even though they cancelled their accounts. In fact, the charges were slightly higher than normal. In a couple of cases they had to cancel their credit cards in order to get the charges to stop, resulting in letters from 'The Google AdWords Team' threatening to pursue with the issuing bank … and, no, I am not talking about the current spam floating around out there but a legitimate email. All this despite having the email acknowledgement that the AdWords account had been cancelled.


I did a quick web search (without Google) and I only found a few old complaints on line about this, but in my small circle of friends, this is a pretty high number of complaints considering how few use Google for their small businesses.


I was wondering if anyone else out there has experienced this issue?


Okay- maybe it is a security post after all…

-Adrian

NIST releases three new security guidelines [Security Karma]

Posted: 11 Jul 2008 04:52 PM CDT

Government Computer News (GCN) reported that the National Institute of Standards and Technology (NIST) recently released three draft guides for public comment before their official publication. From the article:
SP 800-107, titled "Recommendation for Applications Using Approved Hash Algorithms," is in its second draft release. It provides guidelines for achieving the appropriate level of security when using approved hash functions.
Draft SP 800-121, titled "Guide to Bluetooth Security," describes the security capabilities of Bluetooth technologies and gives recommendations on securing them effectively.
Draft SP 800-41 Revision 1, titled "Guidelines on Firewalls and Firewall Policy," updates the original publication released in 2002. It provides recommendations on developing firewall policies and selecting, configuring, testing, deploying and managing firewalls. The publication covers a number of firewall technologies, including packet filtering, stateful inspection, application-proxy gateways, host-based and personal firewalls.
I have begun reading and intend on commenting on the Firewall draft. From my first peek inside it seems very thorough and covers not only firewall policies and requirements but also architecture, rule selection, and life-cycle management.

Hiding behind the Blue Screen of Death, and Homer Simpson gets his own Botnet [Vitalsecurity.org - A Revolution is the Solution]

Posted: 11 Jul 2008 02:26 PM CDT

Blah blah, slight lack of posts here, etc etc.

However, I come bearing gifts of weirdness. So that's cool, right?

First up, scumbags install a legit screensaver and use it to hide a malware install. Sneaky.

Second - as the title says, Homer gets his very own Turkish Botnet. Anyone with Chunkylover53 on their AIM buddylist will have noticed a steady stream of infection links being pushed via "Away" status messages the last couple of days. The links claim to be for "new, web only episodes of the Simpsons". In reality, you'll get a Rootkit, some malware related to Chinese hijacks and be plonked into a Botnet.

What significance does "Chunkylover53" hold for Simpsons fans, you ask? Well, "Chunkylover53@aol.com" was revealed to be Homer's email address in an old episode. A lot of people ran off and added "Chunkylover53" to their AIM buddy list, and now here's Homer, poppin dem' hijack links. What's interesting is that the Username doesn't necessarily have any relation to the email address (in fact, add the email address and you don't see ANY infection links - you only see them if you add the Username minus the "@aol.com" part).

However, people added the Username, and infection links are now the order of the day.

Doh.

Some interesting documents security, privacy, food crisis, terrorism [belsec] [Belgian Security Blognetwork]

Posted: 11 Jul 2008 09:10 AM CDT

economic crisis 

 "The nation is in the throes of a housing downturn that is shaping up to be the worst in a generation, finds The State of the Nation’s Housing 2008 Report issued today by the Joint Center for Housing Studies of Harvard University. While the falloff in housing starts, new home sales, and existing home sales already rivals the worst downturns in the post World War II era, home price declines and mortgage defaults are the worst on records that date back to the 1960s and 1970s."

Policing

U.S. Department of Justice, Office of Community Oriented Policing Services (COPS): Police Enforcement Strategies to Prevent Crime in Hot Spot Areas (NCJ 223196) is the second report in the Crime Prevention Research Review series. Using advances in mapping technology, it investigates whether focused police efforts in targeted areas help to control crime or merely relocate it. This report summarizes the findings from all rigorous academic studies evaluating police enforcement strategies in hot spot areas. It finds that focusing efforts on places with high crime and calls for service can effectively be used to prevent crime in those locations.

terrorism

Al Qaida and the security of the oil infrastructure; read also this about the militarisation of energy policy. A whole series of other studies about these and other military-strategic subjects can be found here.

Iran's Political, Demographic, and Economic Vulnerabilities, by Keith Crane, Rollie Lal, Jeffrey Martini, July 2008. 158p

Consumerism

* The US do-not-call registry report for 2007

* The Senate Committee on the Judiciary has scheduled a hearing on “Passport Files: Privacy Protection Needed For All Americans

Security guides

Draft Guide to Bluetooth Security, July 9, 2008, SP 800-121.

Draft SP 800-124, Guidelines on Cell Phone and PDA Security, July 2008.

report about electronic records and the problems (US)

Obama on His FISA Vote [The Falcon's View]

Posted: 11 Jul 2008 08:57 AM CDT

I had the opportunity to attend an Obama Town Hall rally this week. Given the town hall style of meeting, he took questions from the crowd. One of the inevitable questions, poorly phrased by an attorney for whistleblowers, was about...

Friday News and Notes [Digital Bond]

Posted: 11 Jul 2008 08:45 AM CDT

  • The Wired Science blog listed “five nodes in the energy distribution network” that would have a huge impact if disrupted. For example, the Enridge pipeline provides 20% of the oil for the US. Also listed are Abqaiq processing facility, Ras Tanura offshore oil terminal and the Straits of Hormuz and Malacca.
  • The Microsoft Patch Tuesday bulletins showed no difference between Server 2008 and Server Core. We continue to track the potential reduced patching benefits of Server Core on a SCADApedia page.
  • Marketing run amok. From the Industrial Defender Newsletter [requires registration] “With the acquisition of Teltone Corporation and its Gauntlet secure substation communications solution, we've made it possible to . . . as well as fully comply with mandatory NERC CIP critical infrastructure cyber security requirements.” Or even worse “The Server offers powerful reporting features, including 'one-click' AutoAudit™ reports which contain all NERC CIP required documentation“. I’m sure the products will help meet some CIP requirements, but the electric sector has matured a lot in the last two years and will scoff at such claims. Tell us what specific CIP requirements will be met and what audit evidence is provided. The Industrial Defender consulting team [a competitor] is first rate; we have clients very satisfied with their products; - - but they need to get a grip on the marketing team.

stopping child porn, the showbusiness of ITsecurity [belsec] [Belgian Security Blognetwork]

Posted: 11 Jul 2008 08:18 AM CDT

There is no showbusiness like ITsecurity business

We have the big declarations about everything that will be done to protect the children (even EID-protected chatrooms :)) and we pump and dump money into all kinds of initiatives and websites to educate and protect children and teens on the web (and are alarmed if newspapers republish over and over again the story about some incident somewhere with porn and kids and internet or technology). It gives us a feel-good factor: while everything else is failing, we are at least investing money in saving the kids (we think and hope). As ITsecurity activists who are a bit tired of fighting without advancing over the years look for some quick wins, they jump on the TGV train in the hope of arriving at a safe internet after all, even if they abuse the children's cause for that.

I am not saying that children shouldn't be protected and educated, I am just saying that if the internet in general would become safer, it would also be better for the kids.

We had big declarations in the past and some loose initiatives here and there based upon international blacklists or separate initiatives. The method of blacklisting is then replicated to hate sites and other kinds of sites all over again, while nobody asks whether that is workable in the end or just a whole lot of money, time and effort lost that could have been used for more strategic and long-lasting initiatives.

We have today the declarations coming out of the US, where the public prosecutor of New York has forced the biggest ISP to block a certain number of gateways that are used by some kiddieporn distributors. Big title. When you read the fine print it is about blocking usenet groups that have the name alt.binaries in them, or just blocking usenet altogether (also the Google proxy and the other commercial services?). But who uses usenet? Take P2P. Are you going to block all the P2P traffic? Take online file hosting. Are you going to block all online file hosting? Take online porn galleries with free posting. Are you going to block all those also? What is next?

Well, not much in reality, as in Holland the police services said that it is no use trying to force an ISP to take down a site, because you need so much proof before they act, because they are so afraid of being prosecuted whenever the owner of the site goes to court and wins damages.

And if you read the reports about the arrests of kiddieporn rings, then it is always the same story: pics on isolated, protected, relatively unknown servers that are exchanged with others. Nothing to do with the public internet. The hardest cases you have to hunt down on the undernet, not the usenet.

DNS servers should also support dns-txt [belsec] [Belgian Security Blognetwork]

Posted: 11 Jul 2008 04:06 AM CDT

Supporting dns-txt makes it easy to add email authentication (SPF, Sender ID, ...) to email servers, so it would be simpler for email and antispam providers to refuse phishing, spam and botnet mail because it is not coming from authenticated servers. Even if for the moment we do not really have a local phishing scene in Belgium, nothing says that we can't have one in the future (surely, as two-factor authentication is showing cracks, our now extraordinary security :) will just be levelled down to any other). It is better to secure and prepare than to say afterwards 'maybe we should do this or have done that'. In Belgium there are few banks and institutions that use SPF or Sender-ID, let alone fgov, vlaanderen.be and others.

More information

DNS TXT Support - Compliance with email authentication standards requires the ability to create and publish DNS TXT records. Many businesses get their DNS hosting services from a domain registrar or other third party provider. If your DNS provider does not support TXT records, you will not be able to comply with email authentication standards. We recommend contacting your DNS service provider or your domain registrar to ask if they offer support for email authentication standards, specifically including publishing DNS TXT records.
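What a mail receiver actually does with such a TXT record, as an added illustration (not code from belsec or from the quoted provider page): a minimal SPF evaluator over a constructed, in-memory table of TXT records that stands in for live DNS, so it runs offline. The domain names and addresses are made up for the example. It only handles the `ip4`, `ip6`, `include` and `all` mechanisms; `a`, `mx`, `ptr` and `exists` need real DNS and are skipped. The case the post is about shows up as the `none` result: a domain whose provider cannot publish TXT records has no policy, so receivers cannot reject mail forged in its name.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# A real checker would query the domain's TXT records instead.
TXT_RECORDS = {
    "bank.example":           ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all"],
    "_spf.mailhost.example":  ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
    "two-records.example":    ["v=spf1 -all", "v=spf1 +all"],  # ambiguous: treated as no policy
    "no-txt-support.example": [],                              # provider cannot publish TXT
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, records=TXT_RECORDS):
    """Return the domain's single SPF record, or None when there is none or more than one."""
    spf = [r for r in records.get(domain.lower(), [])
           if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    return spf[0] if len(spf) == 1 else None


def check_host(ip, domain, records=TXT_RECORDS, depth=0):
    """Evaluate a sending IP against the domain's SPF policy.
    Returns pass / fail / softfail / neutral / none / permerror.
    Mechanisms that need live DNS (a, mx, ptr, exists) are skipped here."""
    if depth > 10:                      # guard against include: loops
        return "permerror"
    record = lookup_spf(domain, records)
    if record is None:
        return "none"                   # nothing published: receiver cannot decide
    sender = ipaddress.ip_address(ip)
    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"      # malformed record
            matched = sender.version == net.version and sender in net
        elif name == "include":
            # include: matches only when the referenced policy says "pass"
            matched = check_host(ip, arg, records, depth + 1) == "pass"
        else:
            continue                    # a/mx/ptr/exists: out of scope offline
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # no mechanism matched


if __name__ == "__main__":
    for sender_ip in ("192.0.2.55", "198.51.100.10", "2001:db8::1", "203.0.113.7"):
        print(sender_ip, "->", check_host(sender_ip, "bank.example"))
```

A receiver typically rejects on `fail`, greylists or scores on `softfail`, and can do nothing useful with `none`, which is exactly the state of a domain whose DNS host cannot publish TXT records.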

Not much success for European spotspam project [belsec] [Belgian Security Blognetwork]

Posted: 11 Jul 2008 01:48 AM CDT

The aim of SPOTSPAM is to facilitate legal action against spammers at the international level. While most spam cases have an international dimension, legal action against spammers is impaired by a lack of border-crossing exchange of knowledge or the fact that lawsuits for damages are regarded pointless by individuals.

Therefore spam complaints can be submitted to the SPOTSPAM database via national Spamboxes. The information stored in the database shall enable appropriate authorities to take action against spammers. Additionally, law suits can be more successful when they can be based on multiple end-user complaints in various countries.

With the support of the European Commission's Safer Internet Programme, appropriate agreements shall be drafted to enable gathering and sharing of information stored in the database in a legal manner and to develop the technical requirements for the database.

SPOTSPAM shall help to make successful:

  • Cease and desist orders
  • Limitation of Damages
  • Administrative fines
  • Criminal prosecution

Further, more information is needed in order to be able to develop appropriate responses to new threats. SpotSpam is a valuable tool to gather relevant information at the international level.

So the idea is fine, but there are only 2 partners (a German and a Polish ISP), the European money was only there for 2 years and the website hasn't been updated since the end of 2006. So is this another example of the European Commission blindly throwing money at projects and research about Esecurity without having a clear view of what it is willing to achieve with all those building blocks?

It is naturally easy to go before the press and to assure us, the public and the enterprises, that we are doing all that we can because we are throwing millions and millions of euros at itsecurity (an enormously wide field) and producing tons of paperwork echoing and restudying the things we all already know, while underinvesting in those projects that really could make a difference in the day-to-day operations of the network defenders and security people.

But there is no showbusiness like it-business......

http://www.spotspam.net/eu_project.html

Encryption Conundrum: Which Key? Which Lock? [IceLock Blog]

Posted: 11 Jul 2008 01:18 AM CDT

I was recently asked how IceLock could delete keys and recover them without putting user's data at risk.  Great question and the answer requires an understanding of IceLock's dual layer, multi factor key system.

In software encryption systems there are typically two approaches to keys.  The first one is very direct. You enter a password, that word is hashed into a longer string mathematically and that string is used as the key.  This is direct, relatively easy to implement and requires long complex passwords to avoid dictionary attacks.

The second approach is to generate a set of keys from random numbers. This obviously requires more work to generate and requires very careful attention to one important detail.  The key, this number, must be cached locally on the computer so it is available to decrypt the data.  Few of us will remember a key like E49DAG43C5, which is what one of these keys might look like.  So the key must be protected!  How to protect it?  A password of course!

To provide sufficient protection for the key you have to have a password like $0n3yd03sN'Tgr0w0NTr33$, just like you would have for a direct password key.

IceLock takes a different approach.  We use a randomly generated number as the basis for our crypto keys.  The trick is how we protect that key on the computer.

To protect the crypto key we use a temporary or ephemeral key. This key, created automatically during every login, unlocks access to the crypto key which then allows access to the protected data.  Think of the crypto key as the combination to a data safe.  To protect the combination we hide it in a lockbox that can only be unlocked if every piece of the ephemeral key (there are 8 discrete elements to the ephemeral key) is present.  And the IceLock password is kept in yet another lockbox with another security around it!  So we have a safe with its combination in a lockbox.  Access to that lockbox depends on a variety of elements being correct, one of which is the decoding of a password stored in a third lockbox!

All protection by the IceLock system involves destroying pieces of the ephemeral key.  If IceLock's protection is mistakenly invoked by a user, the IT Administrator can login to our website and re-enable access.  The user restarts IceLock on their computer and they are automatically enabled again.

Since the ephemeral key is completely abstracted from the crypto key, IceLock is never close to a user's data.
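The two approaches the post contrasts, as an added illustration (not IceLock's code, whose internals the post does not publish): a random data-encryption key (DEK) that encrypts the data, locked in a "lockbox" by a key-encryption key (KEK) derived from the password. Because the password only protects the lockbox, changing it re-wraps the DEK without touching the encrypted data, and a wrong password fails closed. The standard library has no AES-GCM, so `seal`/`unseal` stand in for an AEAD with an HMAC-SHA256 keystream plus encrypt-then-MAC; the sample data and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

# Two-layer key hierarchy (added illustration, not IceLock's implementation):
#   layer 1: random DEK, the key that actually encrypts the data
#   layer 2: password-derived KEK, used only to wrap (seal) the DEK
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32


def derive_kek(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Password -> 32-byte KEK via PBKDF2-HMAC-SHA256. Slow on purpose: the
    iteration count is what makes the dictionary attacks the post mentions costly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a real AEAD cipher)."""
    blocks, counter = [], 0
    while sum(map(len, blocks)) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time, then decrypt. ValueError on wrong key or tampering."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified data")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def new_dek() -> bytes:
    """Second approach from the post: the real key is random, not a hashed password."""
    return secrets.token_bytes(32)


def wrap_dek(password: str, dek: bytes) -> bytes:
    """Put the DEK in a password-protected lockbox: salt || sealed DEK."""
    salt = os.urandom(SALT_LEN)
    return salt + seal(derive_kek(password, salt), dek)


def unwrap_dek(password: str, wrapped: bytes):
    """Return the DEK, or None if the password does not open the lockbox."""
    salt, blob = wrapped[:SALT_LEN], wrapped[SALT_LEN:]
    try:
        return unseal(derive_kek(password, salt), blob)
    except ValueError:
        return None


def change_password(old: str, new: str, wrapped: bytes) -> bytes:
    """Only the lockbox is rebuilt; data encrypted under the DEK is untouched."""
    dek = unwrap_dek(old, wrapped)
    if dek is None:
        raise ValueError("old password is wrong")
    return wrap_dek(new, dek)


def demo() -> dict:
    """Walk through the lifecycle and return the observations for checking."""
    dek = new_dek()
    data = b"constructed sample: quarterly figures"   # constructed sample data
    encrypted_data = seal(dek, data)                   # encrypted once, never re-encrypted
    wrapped = wrap_dek("first password", dek)
    rewrapped = change_password("first password", "second password", wrapped)
    return {
        "old_password_after_change": unwrap_dek("first password", rewrapped),  # None
        "wrong_password": unwrap_dek("guess", wrapped),                        # None
        "data_after_change": unseal(unwrap_dek("second password", rewrapped), encrypted_data),
    }


if __name__ == "__main__":
    print(demo())
```

The structure is what lets a system revoke access by destroying the wrapping material rather than the data: the ciphertext stays on disk, the DEK stays unreadable, and restoring access means re-issuing a wrapped copy of the DEK, not touching the data.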

Blog Moved! [/dev/random] [Belgian Security Blognetwork]

Posted: 11 Jul 2008 12:56 AM CDT

Maintenance

After several issues (here or here), this blog finally moved to a new server and new location. The site should have a high availability and better response time now. Enjoy!

hacked/inserted new-employment.eu jobsite [belsec] [Belgian Security Blognetwork]

Posted: 10 Jul 2008 05:46 PM CDT


but the hackers could insert this (now maybe next time it is a fake job)


NIST publications: Bluetooth Security & Application Hash Algorithms & Firewalls (Policy) [Security4all] [Belgian Security Blognetwork]

Posted: 10 Jul 2008 05:41 PM CDT

These are only drafts for the moment, but interesting to read. You can help and contribute to these documents. Look below for more information; Draft SP 800-121, Guide to Bluetooth Security, describes...

problems with dns resolution after the patch and future security problems [belsec] [Belgian Security Blognetwork]

Posted: 10 Jul 2008 05:36 PM CDT

Some friends are having problems with surfing the web now and then. First I thought, oh, it is their DNS that is having problems because it wants to be the DNS of the whole world instead of being content with just being it for its own domain. But no.

The problem is that in many networks the security rule is that all DNS traffic can only use port 53, and sometimes that will be between or to very specific DNS (relay) servers. As the patch introduces many more ports a DNS server can use, so that its crypto key takes longer to be broken, some traffic will not pass or come through because the DNS server is using another port (than 53) and the traffic is dropped.

So what do you have to do? Well, let DNS traffic go through on any port, even if it is between 2 very specific servers? No problem for people who have read nothing about DNS tunneling and misuse of DNS traffic to enter networks. It is very difficult to repair a situation in which the DNS server or service is used as an attack tool, because it is so crucial and intensively used that you can't impose any change without having some consequences.
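The conflict the post describes, as an added illustration (not code from belsec): a patched resolver sends each query from a random ephemeral source port, and a firewall rule that only permits UDP 53 to UDP 53 silently drops those queries. The simulation below models both firewall policies and both resolver behaviours over constructed addresses, and computes what the randomization buys: the number of (transaction ID, source port) combinations a reply has to match before the resolver accepts it. The `iptables` lines in the comments are the equivalent rules for a Linux firewall and are an assumption about the site's setup, not something the post shows.

```python
import random

# Constructed addresses for the illustration.
RESOLVER = "192.0.2.53"       # the site's caching resolver
UPSTREAM = "198.51.100.53"    # the upstream server it forwards queries to
DNS_PORT = 53


def legacy_policy(src_port: int, dst_port: int) -> bool:
    """'DNS is port 53': the pre-patch rule the post describes. Roughly
         iptables -A OUTPUT -p udp -d 198.51.100.53 --sport 53 --dport 53 -j ACCEPT
    with every other packet towards port 53 dropped."""
    return src_port == DNS_PORT and dst_port == DNS_PORT


def corrected_policy(src_port: int, dst_port: int) -> bool:
    """Queries may leave from any source port; only the destination is pinned:
         iptables -A OUTPUT -p udp -d 198.51.100.53 --dport 53 -j ACCEPT
    (replies come back to whatever port was used, via the stateful ESTABLISHED rule)."""
    return 1 <= src_port <= 65535 and dst_port == DNS_PORT


def patched_resolver_ports(n_queries: int, seed: int = 1) -> list:
    """Source ports a patched resolver picks: a random ephemeral port per query.
    Seeded only so the illustration is reproducible; a real resolver must not be."""
    rng = random.Random(seed)
    return [rng.randint(1024, 65535) for _ in range(n_queries)]


def unpatched_resolver_ports(n_queries: int) -> list:
    """Pre-patch behaviour: every query leaves from the same fixed port."""
    return [DNS_PORT] * n_queries


def dropped_fraction(policy, source_ports) -> float:
    """Share of outbound queries the firewall drops under the given policy."""
    dropped = sum(1 for p in source_ports if not policy(p, DNS_PORT))
    return dropped / len(source_ports)


def reply_match_space(txid_bits: int = 16, distinct_source_ports: int = 1) -> int:
    """Combinations of (transaction ID, source port) a reply must match to be
    accepted. Port randomization multiplies the 16-bit TXID space by the number
    of ports in use; forcing everything back to port 53 sets that factor to 1."""
    return (1 << txid_bits) * distinct_source_ports


def summary() -> dict:
    patched = patched_resolver_ports(1000)
    unpatched = unpatched_resolver_ports(1000)
    return {
        "patched_under_legacy": dropped_fraction(legacy_policy, patched),
        "patched_under_corrected": dropped_fraction(corrected_policy, patched),
        "unpatched_under_legacy": dropped_fraction(legacy_policy, unpatched),
        "unpatched_under_corrected": dropped_fraction(corrected_policy, unpatched),
        "space_fixed_port": reply_match_space(16, 1),
        "space_random_port": reply_match_space(16, 65535 - 1024 + 1),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:28} {value}")
```

The numbers make the trade-off concrete: under the legacy rule the patched resolver loses every query (the "now and then" web problems), while the corrected rule passes both resolvers and keeps the multiplied match space. Pinning the destination address and port still gives the firewall something to enforce, which is a narrower change than "let DNS through on any port" in both directions.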

Oh, I like this one. Give her a raise! [Vitalsecurity.org - A Revolution is the Solution]

Posted: 10 Jul 2008 12:14 PM CDT

"While I have sympathy for the rights of intellectual property holders,
businesses should not rely on the surveillance of consumers to protect their
copyright interests. It is not acceptable to allow copyright enforcement to
come at the expense of users' privacy."


Foto del Giorno. [varie // eventuali // sicurezza informatica]

Posted: 10 Jul 2008 12:01 PM CDT

After the pool version and the winter version, the camping version could not be missing (thanks Alessio). If you have reports or first-hand accounts, I will be happy to continue the series.

On physical security, instead, here is a fire-suppression system done by the book (thanks Davide):

Truecrypt 6.0 [varie // eventuali // sicurezza informatica]

Posted: 10 Jul 2008 11:45 AM CDT

Truecrypt 6.0 has been released. The list of new features is here.

Are Security Devices Making Us Lazy? : Part 1 : Introduction [Security Karma]

Posted: 10 Jul 2008 10:30 AM CDT

Let me clarify before I begin... by "us" I mean IT as a community, not information security specifically. Now that I have that out of the way, let's discuss how our reliance on network firewalls, application firewalls, VPNs, encryption, etc. has made system administrators, architects, programmers, and yes, even us security-type-folk lazy. Let me explain a bit.

Let's pretend for a moment that we didn't have AV, network firewalls, SSL, IDS, or any other security-specific solutions available to us. How would we design our information systems? How would we protect resources? How could we possibly defend our networks against attack? These are the questions I like to ask myself when I have to design a new security architecture, review a proposed design, or audit an existing system.

I am not saying we should design all of our systems with these questions in mind. I understand the fact that we have these wonderful network and system security tools at our disposal. Thus, we can adapt our architectures, designs, and programs to include these solutions. The problem I see is an over-reliance on these tools. As an industry we have moved away from pushing most of the security work to the system administrators and programmers. We have told them (implicitly) "Don't worry about it... we've got it covered."

So how do we fix it? How do IT professionals stop relying on "things" and start building security from the ground up? How do we do this while increasing functionality, ease of use, and speed? In future installments of this series I will attempt to look at where IT professionals can focus their energies to begin "spreading the gospel" to the developers and administrators and have them buy into the idea of secure systems from the start.

VMWare vulnerability [Security Balance]

Posted: 10 Jul 2008 09:48 AM CDT

Today I read about this VMWare vulnerability on Beaker’s blog. It is related to the possibility of a non-admin user on the host OS being able to execute code on the guest OS. I read the details of the vulnerability and I understand why VMWare is saying that the described behavior is by design, and can also see why this could be a security issue. However, issues like this just confirm my point of view that it’s not feasible to try to protect the Guest OS from the Host. It’s a matter of layers: the guest OS is just a simple application on the host OS. We will see that the challenges of doing that are quite similar to those from the AV industry.

IMHO, there is just one way to (partially) address those concerns: a single-purpose Host OS that will run only Guest OSes and no other software. Then a Guest OS under that can run the VM environment management tools, communicating with the other Guest OSes through regular (although virtualized) networking. A regular client-server application with all the proper AAA and encryption controls can be used over that network (why not IPSEC communication?). Even exclusive virtual network adapters can be used on the Guest OSes to host the traffic of the management application. The client would be installed like a regular application on the Guest OSes (like VMWare Tools) and be subject to all the OS controls.

That won’t help against malicious code running on the Host OS, but will reduce the possibility of that code being executed there, just by reducing the roles of the Host.

A Second Little Poll [Didier Stevens] [Belgian Security Blognetwork]

Posted: 10 Jul 2008 01:51 AM CDT


The answer to the question I asked yesterday is: SafeBoot.zip. Excellent deduction work Matthew.

And now a second question: what are the most popular search term variations (two or more words) that land people on my blog https://blog.DidierStevens.com (according to WordPress.com)?

Post a comment with your answer.

More on the DNS vulnerability [Security4all] [Belgian Security Blognetwork]

Posted: 10 Jul 2008 01:51 AM CDT

Well, a day after the notification of the DNS issue, there is some controversy about the importance of the flaw. Especially since the details won't be disclosed till Blackhat next month. There is a...

Seriously, the DNS Flaw is Big (they say) [The Falcon's View]

Posted: 09 Jul 2008 09:37 PM CDT

In case you, like me, were a bit skeptical of the big DNS protocol flaw announcement, and thought "well, they're just over-hyping as usual" - I guess maybe not? I run djbdns, so I'm generally fine, but the big vocal...
