Archive for the 'Malware' Category

Jul 29 2014

You’ve been reported … by an ad

Published under Government, Malware, Risk

This looks like an interesting experiment; the City of London police have started placing ads on sites for pirated music warning that the visit to the site has been recorded and reported.  Called “Operation Creative”, this is an effort by the Police Intellectual Property Crime Unit (PIPCU) to educate people visiting sites that offer pirated music and videos that it’s illegal and could result in prosecution.  As if anyone who visits a pirate site didn’t already know exactly what they were doing and what the potential consequences are.  The City of London police call it education, though intimidation might be a better word for what they’re actually doing.

The folks over at TorrentFreak are concerned with the fact that they couldn’t get the actual banners to show up.  They created a story out of what they could get to, ads for music sites that have reached agreements with the RIAA and music labels.  While this is interesting, I’m more concerned with what the results of this type of ‘education’ will be.

Let’s be honest in saying that anyone who’s using a pirate site has a pretty good idea of what they’re doing.  So the police banners aren’t going to be educational; they’re attempts to make users believe that their IP addresses have been logged for future prosecution.  While they don’t come out directly with the threat, it is implied using the word “reported”.  And who’s to say that the ad network they’re using to supply the ads isn’t using a cookie to gather IP addresses as well as various other information.  This definitely sounds more like a threat than most forms of education I’m familiar with.

The problem I have with this PIPCU exercise isn’t the intimidation, but rather the unintended consequences of it.  Scary warnings that the user is doing something illegal aren’t new and in fact have been used by malware authors for a long, long time.  Scareware saying the FBI is going to come knocking at your door for visiting illegal websites is a common tactic; it’s just whether they’re telling you you’ve been to porn sites with underage models or pirate sites to download music that changes.  I’m certain the same groups who send these notifications already have fake ads telling users to “pay a fine of $500 or we’re coming to your house”.  If they aren’t in the ad networks, they definitely send out spam to users with the same messages, often using the same exact graphics and messages as official police web sites.

Rather than discouraging the average pirate site user from visiting the site, this police effort is likely to create the illusion that such scareware ads might be legitimate in the eyes of the user.  In other words, while there might be some impact on the number of people using pirate sites, it’s more likely this will increase the amount of fraud perpetrated against those same users, since it’ll be hard to tell if the warning is really the police or not.  The music companies are probably perfectly happy with this as an outcome, but I doubt the police will enjoy being used as a method for increasing fraud against anyone.

My second concern is less about the fraud and more about the futility of the exercise.  Brian Krebs recently wrote about services that allow an organization to click on banner ads in order to drain the money spent on those ads.  In other words, you pay a service to click on your competitor’s ads without giving them anything of value, using up the money they paid for those ads as quickly as possible, with little or no return.  I see no reason some of the more technically savvy users of pirate sites wouldn’t create scripts to do exactly the same to the police.  How hard would it be to use VPNs or Tor in order to disguise IP addresses and hit the same ads again and again?  In theory there are likely to be defenses in place to stop this type of targeted ad attack, but it’s possible to overcome any defense if you have a motivated attacker.

I’m purposefully not addressing the ethics of pirating music, nor am I addressing the efficacy of an outdated business model such as the music industry.  I’ll leave it to someone else to argue both sides of that argument.  What I’m concerned with is how effective the efforts are going to be and what the consequences of those efforts will be.  Does the PIPCU expect their ad campaign to have a direct effect on piracy or do they realize this is a futile effort?  Have they thought of the negative consequences their efforts will have with regard to fraud?  Or is this simply an effort to be seen as doing *something* by the recording companies and the public, no matter how negligible the positive outcomes might be?

I’m not sure what would constitute an effective measure to stop piracy.  For the most part I think the ads we’ve seen in the past, both in movie theaters and online, have been heavy handed and annoyed most of the people they were targeted at rather than dissuading anyone.  This effort doesn’t seem much different, but it has the added disadvantage of making it easier for the authors of scareware to intimidate the public into giving up money for no good reason.  And that’s something that should be avoided whenever possible.


Feb 19 2013

This week’s ‘must read’: Mandiant APT report

Published under Government, Hacking, Malware, Risk

If you haven’t already read it, your homework for this week is the Mandiant APT1 Report.  Don’t read someone else’s interpretation until you’ve read the report yourself.  Don’t read the analysis of reporters and consider it good.  Read the entire report yourself and draw your own conclusions, then read what other people have to say.  But in any case, read it.


Jan 10 2013

Morning Reading 011013

Published under Hacking, Linux, Malware, Risk

It’s been an interesting week and start to the year.  Between the Ruby on Rails vulnerability and the Java zero day released today, we have some serious patching issues on our plates.  And if history is any indicator of future performance, the security technorati are already in the process of patching, which only leaves the other 98% of the population to get patched.  I’ve also had some interesting talks with folks about the idea of honey tokens, honey nets and other detective measures for the network.  On to the stories …

  • I’ve been saying for a couple years now that we need to change the way we think about security from the foundations up.  Apparently Art Coviello agrees and says we need to move to an intelligence-driven security model.  A lot of other professionals believe we need to rethink security architecture as well, according to Tim Wilson over at Dark Reading.  Always challenge the assumptions the leaders of the last generation made, especially in a profession as young as security.
  • The topic of honey tokens and all other things ‘honey’ started in part due to a lot of discussion around ‘offensive security models’.  The Washington Post has an article on salting databases with fake data, which if done right is exactly what a honey token is.  CSO Online says that deception is better than a counterattack; I don’t know if it’s ‘better’ but it’s something that you should be doing whether you’re considering offensive tactics or not.  And a fun new little tool to do some of this has been released, called HoneyDrive.  It’s a collection of tools on a VM, which is always a good toy to play with.
  • Continuing on the theme of Monday’s post, Computerworld has an article on how to talk about security to everyone else.  I’m sure we’ll be talking about this again, since it’s one of the basics we seem to have a hard time with.
  • And finally, Cyber attack timelines from the second half of December.  There are a few errors in the dates here, but I only know that because of my day job.  Let’s just say that there have only been two waves of QCF attacks so far, and that they started a little earlier than is being represented.  But overall, this is good data to keep aware of, especially with the recent rise in attacks.

And finally, for something completely different, a Linux-powered sniper rifle.  I’m sorry, ‘hunting rifle’. 


Nov 20 2012

Network Security Podcast, Episode 297

It’s Rich that’s out this holiday week, so Martin and Zach talk turkey (no pun intended) about Skype SNAFUs, LTE going all a-splode-y, and a Linux rootkit that will make you go “That’s…neat…?”

Happy Thanksgiving!

Network Security Podcast, Episode 297, November 20, 2012

Time:  31:00

Show notes:


Oct 02 2012

Network Security Podcast, Episode 291

This week’s show went a little long, as all three of us had a lot to say on the stories we covered.  We also spent more than a few minutes at the beginning of the show talking about some of the resources people can use to get mentorship when entering the security field.  We also ramble a little bit and Rich gives us an assessment of one of his co-worker’s technical skills.

(All three of us made the show this week, and to be honest it was a little wittier than usual, if we do say so ourselves).

Network Security Podcast, Episode 291, October 2, 2012

Time:  38:30

Show notes:


Jan 25 2012

Kill pcAnywhere right now!

If you haven’t already heard, the code base for Symantec’s pcAnywhere was stolen in 2006, and bad guys are now using that code against the installed base of users in the wild.  This sort of compromise really isn’t anything that new or different.  But what is different is that Symantec is now telling users to flat out disable pcAnywhere until a fix is released.  Which is a good, smart move, but a better move would be to remove pcAnywhere and never, ever start it up again!

I remember the first time I used pcAnywhere; I was working my first helpdesk job and they let me finish part of my shift from home when I was doing mail server work, I could start up the scripts on the server, drive home and finish my work from there.  Being pcAnywhere, every couple of times I’d also have to drive back to work because the program would crash, but hey, an 80% success rate wasn’t too bad at the time.

Fast forward a decade (and more) to when I’m a QSA and pcAnywhere is still out there, and in all too many cases, it’s actually the same version I was using, or nearly the same vintage.  But it’s not me using it to manage an OS/2 Warp mail server (yes, OS/2 Warp), it’s being used to manage Point of Sale (POS) systems all across the US.  You see, mom and pop stores with POS systems don’t have a clue on how to set up a computer, so they find a nice, local service provider who will set up the POS for them, troubleshoot it when they have problems and just generally manage the system for a price.

Herein lies the problem.  If you’re a small, local service provider who makes their living servicing these folks, you have to be able to work quickly and cheaply with clients in a large area if you’re going to make a living.  You need to be able to get on their systems quickly to troubleshoot problems and get them back online.  So of course you use a remote desktop client like pcAnywhere and you’re going to leave it directly exposed to the Internet since that’s the easiest way to make sure it’s always available and you don’t have to do a lot of troubleshooting of network equipment.  And you probably use the same password on all your clients, since you don’t want to have to rely on having the right password written down somewhere when the client calls screaming that their system is down.  After all, no one would scan for open pcAnywhere servers, nor would they guess the user name is ‘admin’ and the passphrase is “Let me in!” (at least it has complexity).  And you don’t worry about changing passwords when an employee leaves or updating to the latest patch levels.  In other words, a security nightmare.

In 2009, when I worked for Trustwave, one of the things the annual security report dug into was some of the repercussions of this type of remote management of POS systems.  And no surprise, one of the things they discovered was that remote desktop applications like pcAnywhere were one of the leading causes of small business compromises, especially compromises that involved either small chains or a group of geographically close stores.  An attacker would scan for the remote desktop client, then brute force the password and spread out to the other clients of the service provider.  Soon you’d have a whole segment of the local merchant community who’d been compromised and didn’t know how or why it’d happened.  And things have not gotten better since then.
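The scan, brute force, then spread sequence described above is exactly the pattern a defender can pick out of remote-access authentication logs: a burst of failures from one source, a success right after it, and the same source then logging straight into other systems managed by the same provider.  The Python below is an added example written for this page, not code from the post, from Trustwave or from Symantec; the log line format, hostnames, addresses and thresholds are all constructed for the demonstration and are not pcAnywhere’s actual log format.

```python
"""Flag brute-force logins against an Internet-exposed remote-desktop
service and the reuse of the guessed password against other managed hosts.

Added example; the log format and every sample line are constructed for
this demonstration (not a real pcAnywhere log).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO time> <host> src=<ip> user=<name> result=<ok|fail>".
# 203.0.113.7 guesses its way into shop-a-pos and then reuses the same
# service-provider credential against two more shops; 198.51.100.20 is a
# legitimate operator who mistyped the password once.
SAMPLE_LOG = """\
2012-01-25T02:00:01 shop-a-pos src=203.0.113.7 user=admin result=fail
2012-01-25T02:00:03 shop-a-pos src=203.0.113.7 user=admin result=fail
2012-01-25T02:00:05 shop-a-pos src=203.0.113.7 user=admin result=fail
2012-01-25T02:00:07 shop-a-pos src=203.0.113.7 user=admin result=fail
2012-01-25T02:00:09 shop-a-pos src=203.0.113.7 user=admin result=fail
2012-01-25T02:00:11 shop-a-pos src=203.0.113.7 user=admin result=ok
2012-01-25T02:05:40 shop-b-pos src=203.0.113.7 user=admin result=ok
2012-01-25T02:06:02 shop-c-pos src=203.0.113.7 user=admin result=ok
2012-01-25T09:15:00 shop-a-pos src=198.51.100.20 user=admin result=fail
2012-01-25T09:15:20 shop-a-pos src=198.51.100.20 user=admin result=ok
"""

FAIL_THRESHOLD = 5              # failures from one source inside WINDOW (constructed)
WINDOW = timedelta(minutes=10)  # sliding window for counting failures (constructed)


def parse_line(line):
    """Parse one constructed log line into a dict of its fields."""
    ts, host, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {
        "time": datetime.fromisoformat(ts),
        "host": host,
        "src": fields["src"],
        "user": fields["user"],
        "ok": fields["result"] == "ok",
    }


def analyze(log_text):
    """Return (finding, source_ip, host) tuples in the order they are detected."""
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["time"],
    )
    recent_fails = defaultdict(list)  # src -> failure times still inside WINDOW
    broken_into = defaultdict(set)    # src -> hosts it reached after a brute force
    findings = []
    for e in events:
        src, host, now = e["src"], e["host"], e["time"]
        fails = [t for t in recent_fails[src] if now - t <= WINDOW]
        if not e["ok"]:
            fails.append(now)
            recent_fails[src] = fails
            if len(fails) == FAIL_THRESHOLD:  # fire when the threshold is crossed
                findings.append(("brute_force_attempt", src, host))
            continue
        if len(fails) >= FAIL_THRESHOLD:
            # A success right after a burst of failures is a guessed password.
            findings.append(("brute_force_success", src, host))
            broken_into[src].add(host)
            recent_fails[src] = []            # that burst has been accounted for
        elif src in broken_into and host not in broken_into[src]:
            # The same source now logs straight into another managed host:
            # the shared provider password is being reused against other clients.
            findings.append(("spread_after_brute_force", src, host))
            broken_into[src].add(host)
        else:
            recent_fails[src] = fails
    return findings


if __name__ == "__main__":
    for kind, src, host in analyze(SAMPLE_LOG):
        print(f"{kind:26} {src:15} {host}")
```

The operator’s single mistyped password stays below the threshold and produces nothing, while the provider-wide shared password shows up as the same source walking straight into a second and third shop after forcing its way into the first.  The same logic runs over whatever your remote-access product actually logs; the fix the post implies, no direct Internet exposure and a distinct password per client, removes the spread finding at its source.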

I doubt things will change; I doubt most of the people who actually use pcAnywhere as a tool are going to even notice or read Symantec’s posting.  It’s the only way that the current business model works, not just in the merchant community, but in many other small business communities as well.  The service provider model requires remote tools, otherwise the travel time to and from locations kills any chance of making a profit.  Which means the folks who want to compromise systems and steal credit cards are going to continue to have access to the remote desktop solutions.


Jan 09 2012

Open tabs 01/09/12

Still feels a little funny to be putting the ’12’ in the year column, doesn’t it?  I’m sure the feeling will go away by March or April.  And it’s getting started as an interesting year already, with Symantec’s source code and courts approving warrantless GPS monitoring.  I bet neither of those were captured in the “Top 11 Predictions for 2012” so many pundits and bloggers put out at the end of the year.

Personally, I’m starting the new year with a ton of writing to do.  Despite my best efforts, I didn’t blog as much as I would have liked to in the last few months, but I know that has to change.  I have to start writing for the Akamai blog, I’ve got information for the Security Bloggers Meetup to post and I get several offers a month to write for other publications.  Then there’s the internal projects that are in motion, at least one of which is requiring me to think in new and interesting ways in order to get concepts on a page properly.  Plus I’ve got lots of interesting toys at work to play with; what questions would you be looking for answers for if you had access to the logs for a significant portion of the Internet?  That’s actually a serious question I have to blog about some day soon.  I’d like to hear what people want to see in a report.

And speaking of the Security Bloggers Meetup, I was nominated for two Social Security Awards last week.  Rich Mogull, Zach Lanier and I were nominated for the work we do on the Network Security Blog and I was nominated for Best Post for my “Curing the Credit Card Cancer” post.  Rich and I both sit on the committee that puts together the Security Bloggers Meetup, though neither of us works on the Social Security Awards, so before this year, we’d ruled that everyone on the committee was not eligible to be nominated.  Alan Shimel changed the rule this year; he felt that since we had nothing to do with the SSAs, it was unfair to exclude us.  So, go vote for us.  I’d love a chance to beat PauldotCom and the other contenders for Best Security Podcast.  I’ve read the other blog posts; I don’t have much of a chance for the Single Best Post.

Open Tabs 01/09/12


Dec 26 2011

Open Tabs 12/26/11

Christmas is over!  I hope yours was good, but I personally find the whole build up and let down stressful and I’m glad when it’s done with.  Especially the part where my kids are home from school for a week and whine every time I tell them to get out of the house for a little while before I have to hurt them.  Not that I’d actually hurt my kids, but it’s sometimes the only threat that will get them moving. 

There have been some interesting stories leading up to Christmas and it’ll be interesting to see what’s been happening behind the scenes while the majority of us have been chomping on candy and ripping open our presents.  I have nothing to support the theory yet, but I strongly suspect most of the bad guys left their tools running while they took some time off, so there might be reports of compromises in the not too distant future.  After all, there were a couple of reports that came out before the weekend, perhaps hoping to get ignored and bypassed in Christmas craziness.

A quick thought on the boycott of GoDaddy over the SOPA legislation.  GoDaddy is such a minor player in this realm and probably signed on to the legislation like a little brother following his older brother, Big Media; they wanted to sound and act cool in the eyes of everyone else without having the faintest idea that what they were doing had real world consequences.  Boycotting GoDaddy is like bullying the little brother when what you really want to do is punch the elder brother in the eye!  It’s ineffective, both in the long run and in the short term, to boycott GoDaddy when what we should really be doing is making the larger players behind SOPA aware this is an evil and unacceptable way to try to regulate the internet.  A crowdsourced version of the list of supporters is available as a Google doc.  If you really want to do something important, boycott some of the big boys on the list and quit going to their movies and buying their products.

Open Tabs – 12/26/11

  • Chinese computer hackers hit U.S. Chamber of Commerce – I wonder what our hackers are doing to the Chinese behind the scenes.  Not the vocal ones on the con scene, the ones employed by the Three Letter Agencies.  Never mind, we don’t do that, do we.
  • LOIC (Low Orbit Ion Cannon) – DoS attacking tool – The tool is old news, but this is a pretty good writeup.  If you want to know more though, one of my co-workers could tell you a few things more about how it works.
  • The Thought Leader … One year later – Chris Eng’s further harpooning of the information security thought leaders.  I know about half of the video applies to me at least as much as it does anyone else. 
  • How hackers gave Subway a $30 million lesson in point-of-sale security – There’s another meaning for POS, especially when you don’t bother changing default passwords and trust owners to follow procedures.
  • The Dark side of B-Sides – I’m staying out of this fight, since I know all the players.  But I know there’s a lot of truth to both sides of the stories, and the sooner this can be opened up and aired out, the better for everyone involved.
  • Hackers steal data on millions of Chinese net users – No need for nefarious government hackers when criminals will hack into Chinese sites because the data they hold might be worth something.
  • Insurance against cyber attacks expected to boom – Let’s just insure our systems rather than taking the time to secure them!  Because the insurance companies won’t place caveats on what’s insured and what constitutes a breach of contract to include poor maintenance control, will they?  “What do you mean our insurance doesn’t cover this?” is a phrase I expect to hear once cyber insurance (I shudder at the name) becomes commonplace.
  • Congress calls on Twitter to block Taliban – Oh yeah, because it takes so much to set up another account and tell everyone to go there instead.  And because censorship should always be one of the first tools used by a free, democratic system.  These people spend too much time thinking in hyperbole and too little time thinking in reality.


Dec 18 2011

Open tabs 12/18/11

Published under Family, Government, Hacking, Malware

Long night last night.  We went to something called a pirate gift party; sort of like a white elephant gift (cheap, person A can take a gift from the table or steal from person B) except most of the gifts were wrapped in tinfoil cleverly disguised to hide their true nature.  Two minor variations from a normal white elephant gift are that there is no limit to the number of times gifts can be stolen per turn and no one gets to open the gifts until the last gift is chosen from the table.  This led to an interesting ‘defense’ strategy; since there was a gift that was wrapped to look like Thor’s Hammer that my Spawn wanted, they worked together to make sure they kept it at all cost.  Basically, when person A stole the hammer from whoever was holding it, that Spawn would steal his brother’s gift, and that Spawn would steal the hammer back.  This was a pretty good strategy, until Spawn1 lost concentration at one point and went after a different shiny object.  It all ended up good in the end, though another pair challenged the Spawn to a game of endurance to see who wanted the hammer the most.  It ended up being a 15 minute round robin of gifts being stolen and restolen that left everyone laughing.  Oh, and “Thor’s Hammer” ended up being a cleverly disguised box with chocolate and money in it, with a broom handle that was acting as the handle.

Oh, and very importantly, it’s that time of the year!  Security Bloggers Meetup invites have gone out.

Open Tabs 12/18/11:


Dec 06 2011

Network Security Podcast, Episode 261

When Rich isn’t around to take up most of the time, Zach can actually be pulled out of his shell to talk for a little while.  Or maybe it’s just when there are two hosts on the podcast there’s more time to talk.  In any case, Martin and Zach went a little long this week as well as deep into paranoia land.  And there’s so much in the news right now to push us there.  It’s kind of scary when you start to realize that as much communication as modern technologies allow, they also allow a lot of very deep surveillance.  Which we as a society seem to be okay with.

Network Security Podcast, Episode 261, December 6, 2011
Time: 42:13

Show Notes:
