Recently in Hacking Category

In the article linked below, Microsoft reviews the Waledac botnet takedown and mentions a number of other botnet shutdowns that have recently taken place. The article also mentions sudosecure.net, a Waledac tracking site.

The article goes on to talk about Operation 49, a botnet takedown taskforce, described as an "innovative application of a tried and true legal strategy".

"On February 22, in response to a complaint filed by Microsoft ("Microsoft Corporation v. John Does 1-27, et. al.", Civil action number 1:10CV156) in the U.S. District Court of Eastern Virginia, a federal judge granted a temporary restraining order cutting off 277 Internet domains believed to be run by criminals as the Waledac bot."

"This legal and industry operation against Waledac is the first of its kind, but it won't be the last"


Microsoft Technet on Waledec-takedown


Money for Data


As Gordon Smith from Canaudit Inc. pointed out this week, "What do hackers want? They want your data." They go to great lengths not only to obtain your data but to correlate that data to make it even more valuable to their clients.

Last year we posted an article published by the German online news service wiwo.de on a sting operation involving the correlated information of millions of consumers offered for sale, data that may have come partly from well-known back doors into corporate customer data.

Today it was reported that Deutsche Telekom found itself in the middle of a scandal, accused of giving the mobile phone retailer The Phone House access to data on 16 million T-Mobile Germany customers, according to the wiwo.de report "Deutsche Telekom: violation of the law by secret agreements?"

As we have seen through the recent attacks on Google and Intel, no matter how well your infrastructure is secured you can become the target of an attack that may have been in planning for some time, or of someone waiting for the zero-day vulnerability that gives them access to your trust relationships.


Who has access to your personnel information, and what information is available from their browsers and shares? As Gordon points out in his article, it may be as simple as someone bringing in a laptop that has Internet access, or wireless scans from your lobby or elevators.


Jason Ross's presentation at the Black Hat DC conference addressed the issue of checkbox compliance: companies are using checkbox compliance as a means to indicate whether they are secure, when in fact it should be deemed the lowest acceptable level, a baseline. He points out, as others have, that some of the largest compromises of personal information happened at companies that had passed their external PCI audits. Compliance is absolutely wonderful in that it enforces at least a baseline of requirements, but it should not be treated as a seal that protects you from exploits and non-publicized holes in the grid.
Blackhat SEO

Jason points out the difficulty of detecting malware in enterprise environments: by the time the antivirus sends off an alert about malware or a virus being seen, it is usually too late and you have already been owned. As Dan Geer pointed out a few years ago at the Gartner Risk Conference, it is hard to get exact metrics on what is happening, because by the time that alert fires, six other events have already happened that were not detected.

IT and security administrators who have been through some of these malware wars with downloaders and polymorphic attacks know that just because the antivirus says it is cleaning up, there are way too many other things happening. I once saw something interesting: a polymorphic virus was loaded on a system that had Microsoft's development studio on it, and we could watch as the polymorphic virus recompiled other malware from its code that would attempt many ways to infect the machine and other machines quickly, and one time there was a downloader. Even Microsoft writes about recovering the operating system and files from a known state from before this activity started; unfortunately, without a historical view of activity on this node and user, that information and the correlation of events will be difficult.

Jason Ross points out that the goal of malware now is to support business models. The objective is not to be noisy but to very quietly perform the tasks of infecting other hosts and using a network of hosts to make money, with malware like URL Zone and Monkif.

In the presentation he talks about Spider Monkey, by Didier Stevens, a tool for helping to analyze malcode, and about the use of SAN NETS to isolate malcode in action so that it can be analyzed to determine what it wants to connect with or which services or files it wants to abuse. With polymorphic viruses that constantly change, it is usually interesting to observe them in action in a closed environment.

Years ago, in a movie whose name I can't remember, the analysts in the movie were collecting them and keeping the code and binaries for sale and redistribution, or modifying them in some way so as not to be detected.

Another point from the presentation is that malcode writers are now writing code so that it cannot be easily detected by signatures, splitting it into multiple components so that each binary performs only a small part of the function.

via this Black Hat briefing


At the Black Hat conference in Washington D.C., David Litchfield presented a privilege escalation session and scripts that could be used by anyone with basic session access to gain administrative privileges on an Oracle 11g database and administrative access to operating system files.

One of the interesting topics at the beginning of the presentation was the number of security vulnerabilities reported by Oracle or other researchers compared to the number reported against Microsoft SQL Server 2005 and 2008, although I would have expected the complete reverse in the number of vulnerabilities reported against each product. David used Java calls in Oracle Aurora to gain access.

Oracle and Java Stored Procedures


SOURCE: FORBES.COM

Google recently accused the Chinese government of hacking into the Gmail accounts of certain Chinese citizens unpopular with the communist leadership. Google has retaliated by threatening to cease filtering search results in China at the behest of the Chinese government. Certainly by now this is news to no one.

What's noteworthy about the details of the yet-unpatched IE 6 vulnerability that allowed this exploit is that it isn't really that noteworthy. IE 6 is already two versions out of date. This vulnerability, while serious, doesn't strike me as anything unusual for MS products of that vintage. The response has been typical: the exploit is posted publicly, and the vendor is working on a patch.

So the lessons here are exactly what security pros (and plenty of other folks) already know: keep your OS and key applications up to date and configure software to automate this process. If you're still using IE 6 for some reason, do you really need to be told "to be highly vigilant until a patch can be developed[?]"

France and Germany have gone a bit further than necessary, warning folks off of IE completely rather than just old versions. While I personally use Firefox and Chrome for features and speed, I wouldn't necessarily tell folks to abandon IE (though I'd recommend version 8 if you are going to use it). I don't believe other browsers are inherently more secure. It's just that non-IE users represent a slightly more tech-savvy attack vector. Perhaps that's reason enough to avoid IE for some.

iPhone Worms


Here's an interesting story about the second worm detected for Apple's iPhone platform. While the worm itself seems rather limited in its target audience (Dutch banking customers with a "jailbroken" iPhone running SSH with the default password), there are two interesting points here:

The first is that this worm enables the infected devices to act as a botnet. PC-based botnets have long been a problem on the Internet, but I am not aware of any other major platform to support a botnet until now.

The other point is that the popularity of the iPhone is making it a more desirable target for malware. I am not going to use this opportunity to take sides in the quasi-religious debate about the inherent security of Windows v. Mac v. Linux, but it does give some credence to the argument that Windows is not less secure than other operating systems but is simply targeted more due to its ubiquitous deployment.

To what degree does malware follow a platform's popularity? Time will tell.


This document covers the People's Liberation Army's conceptual framework for delivering "integrated network electronic warfare", which includes space and satellite warfare and EMP attacks. The document also points out that the U.S. military's NIPRNET is a high-priority target. The article mentions that organizations are still not doing enough to use analysis tools such as SIEM products. While the article notes that SIEM products may rely on signature-based solutions, nFX One products correlate events beyond IDS/IPS signature events from a number of disparate operating systems, NetFlow sources, and other host and network security devices to alert on abnormal behavior, and provide built-in incident response management workflow and integration with ITIL uCMDB processes.

The document provides a graphic, "Timeline of Significant Chinese Related Cyber Events 1999-Present", including pointers to the very public GhostNet cyber espionage events as well as information on the National University of Defense Technology (NUDT).


Reference:
US-China Economic and Security Review Commission Report on the Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation
National University of Defense Technology


A Different Way to Secure Data


Here's a quick link to a story about anti-WiFi paint. It seems there are some legitimate criticisms, and it may not be all that new in some circles, but it certainly gets one thinking about interesting possibilities.


Neil deGrasse Tyson once said, "To a discoverer all data is valuable, even bad data." When looking at data individually, you may believe that the data is not valuable and does not tell you anything. But when it is combined with other types of information within a relevant time frame, the information becomes very valuable, and the more layers of information presented, the more useful it is.

Some of the most valuable data you get does not even come from the realm of logical data gathering. It is the information from outside the logical analysis of data, which brings to mind Sam Walton's expression "I know what I know but tell me what you know." According to Kevin Mitnick, the most effective approach is to exploit the weakest link, not operating systems, firewalls or encryption algorithms, but people. In information security, knowing what is of value, where it is located, who has access to it, and which trust zones and controls allow access to it is core to aligning information security with business goals.

Monitoring perimeter scans for known intruders and bogons is information we all need, but knowing how a trust zone can be compromised to gain access to valuable or confidential data is critical. It is the continual discovery process and the breaking through of silos of knowledge and control that will help provide the additional layers needed in developing an effective information security program.

Why is my executive office printer sending HTTPS and FTP traffic outbound to a home ISP DHCP range, or using GoToMyPC?
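The question above is the kind of correlation a SIEM rule can ask automatically: join flow records against the asset inventory and alert when a device whose role never justifies Internet egress (a printer) originates HTTPS or FTP to addresses outside the corporate ranges. This is an added illustration, not code from the original post or from any nFX One product; the inventory, the corporate ranges and the NetFlow-style records are constructed sample data, and the role table is assumed to come from a CMDB.

```python
# Added example: flag egress from hosts whose inventory role should never
# originate outbound HTTPS/FTP. All data below is constructed for illustration.
import ipaddress
from typing import Dict, List, Tuple

# Constructed asset inventory: IP -> role (assumed to be fed from the CMDB)
INVENTORY: Dict[str, str] = {
    "10.1.20.7": "printer",
    "10.1.20.8": "printer",
    "10.1.30.15": "workstation",
    "10.1.40.2": "proxy",
}

# Constructed corporate address space; traffic that stays inside is not egress
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Roles that have no business originating these services to the Internet
EGRESS_ROLE_DENY = {"printer"}
WATCHED_PORTS = {443: "https", 21: "ftp"}

# Constructed NetFlow-style records: (src_ip, dst_ip, dst_port, bytes)
SAMPLE_FLOWS: List[Tuple[str, str, int, int]] = [
    ("10.1.20.7", "10.1.40.2", 9100, 4096),      # print job, expected
    ("10.1.20.7", "203.0.113.45", 443, 180233),  # printer -> Internet HTTPS
    ("10.1.20.8", "198.51.100.9", 21, 9201),     # printer -> Internet FTP
    ("10.1.30.15", "203.0.113.45", 443, 5120),   # workstation, expected
    ("10.1.20.7", "10.1.40.2", 443, 512),        # printer -> internal proxy, ok
]


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_suspicious_egress(flows, inventory=INVENTORY):
    """Return one alert dict per flow from a deny-role host to a non-corporate
    destination on a watched port; everything else is treated as normal."""
    alerts = []
    for src, dst, dport, nbytes in flows:
        role = inventory.get(src, "unknown")
        if role in EGRESS_ROLE_DENY and dport in WATCHED_PORTS and not is_internal(dst):
            alerts.append({"src": src, "role": role, "dst": dst,
                           "service": WATCHED_PORTS[dport], "bytes": nbytes})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_egress(SAMPLE_FLOWS):
        print(f"ALERT {a['role']} {a['src']} -> {a['dst']} ({a['service']}, {a['bytes']} bytes)")
```

Destinations inside the corporate ranges are deliberately ignored so that a printer talking to an internal proxy or print server does not fire the rule.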


A Vietnam-based security organization, Bkis Internet Security, a member of APCERT (Asia Pacific Computer Emergency Response Team), was asked by the Korean CERT team KrCERT to investigate the recent July 2009 DDoS botnet attacks. Bkis Internet Security analyzed what it received from KrCERT, located 8 command and control centers, and obtained access to two of them. After analyzing the traffic, Bkis reported that the original estimate of 20,000 to 50,000 infected systems in the botnet was more in the line of 166,909 zombies from 74 countries.

The U.S. CERT teams and the Korean CERT teams continue to investigate these incidents in the hope of identifying the source of the attacks.

Links:
H-Online DDoS attacks on South Korea and U.S.
Bkis Internet Security - Korea and U.S. DDoS attacks

© 2010 netForensics, Inc Privacy Policy | Site Map