|------------------------------------------|
|- Astalavista Group Security Newsletter  -|
|- Issue 10  31 October 2004              -|
|- http://www.astalavista.com             -|
|- security@astalavista.net               -|
|------------------------------------------|

- Table of contents -

[01] Introduction
[02] Security News
     - Google acts to cover up phishing hole
     - California reports massive data breach
     - U.S. Air Traffic Control Found Vulnerable
     - New Google Search Tool Sparks Privacy Concerns
     - US gov targets spyware outfit
[03] Astalavista Recommends
     - Pascal Tutorial for Newbie Programmers
     - RKDetect - Behaviour Based Rootkit Detection Utility
     - ExPat - email extensions blocking tester
     - Introduction to Shellcode - How to exploit buffer overflows
     - ByteShelter
[04] Site of the month - ProcessLibrary.com
[05] Tool of the month - Spybot - Search&Destroy
[06] Paper of the month - The Sleekest Link Algorithm
[07] Free Security Consultation
     - I'm sure you get this question all the time but..
     - Is it true that..
     - I manage the IT infrastructure of a small business..
[08] Enterprise Security Issues
     - Passwords - Common Attacks and Possible Solutions
[09] Home Users Security Issues
     - Passwords - Common Attacks and Possible Solutions
[10] Meet the Security Scene
     - Interview with Anthony Aykut, Frame4.com
[11] Security Sites Review
     - Fred's Security Vortex - Blog
     - Anti Phishing Working Group
     - CGI Resources
     - Planet Source Code
     - Spyware Warrior
[12] Astalavista needs YOU!
[13] Astalavista.net Advanced Member Portal
[14] Astalavista Feedback Contest - 2004
[15] Final Words


01. Introduction
----------------

Dear Subscribers,

Issue 10 of Astalavista's Security Newsletter is out! In this issue you're going to read an informative and practical article on passwords - how to create and memorize them in a secure way, as well as an interview with Anthony Aykut from Frame4 Security Systems.

Enjoy your time!
Astalavista's Security Newsletter is mirrored at:
http://packetstormsecurity.org/groups/astalavista/

If you want to know more about Astalavista.com, visit the following URL:
http://astalavista.com/index.php?page=55

Previous Issues of Astalavista's Security Newsletter can be found at:
http://astalavista.com/index.php?section=newsletter

Editor - Dancho Danchev
dancho@astalavista.net

Proofreader - Yordanka Ilieva
danny@astalavista.net


02. Security News
-----------------

The Security World is a complex one. Every day a new vulnerability is found, new tools are released, new measures are made up and implemented etc. In such a sophisticated Scene we have decided to provide you with the most striking and up-to-date Security News during the month, a centralized section that contains our personal comments on the issues discussed. Your comments and suggestions about this section are welcome at security@astalavista.net

-------------

[ GOOGLE ACTS TO COVER UP PHISHING HOLE ]

A flaw that might have put users of Google's Web site and desktop search tool at risk, particularly those who use them in conjunction with Internet Explorer, has been closed. On Thursday, the search giant Google fixed a security flaw in its Web search service that could have allowed malicious hackers to modify its pages.

More information can be found at:
http://news.zdnet.co.uk/internet/security/0,39020375,39170858,00.htm
http://jibbering.com/2004/10/google.html

Astalavista's comments:

Phishing is perhaps the last thing that came to my mind when I first came across the story. The implications of abusing the world's most popular search engine by hijacking pages are endless. Something interesting to note is the fact that this was reported over two years ago, and has been active until now.
[ CALIFORNIA REPORTS MASSIVE DATA BREACH ]

The FBI is investigating the penetration of a university research system that housed sensitive personal data on a staggering 1.4 million Californians who participated in a state social program, officials said on Tuesday.

More information can be found at:
http://www.securityfocus.com/news/9758

Astalavista's comments:

It is somewhat unbelievable how the researchers even managed to get access to such a database in the first place, when they were not in compliance with the security rules the state set out for research access to sensitive data; this is obvious from their inability to know exactly whether the database was actually accessed, modified or downloaded.

[ U.S. AIR TRAFFIC CONTROL FOUND VULNERABLE ]

Auditors found that the FAA hadn't adequately secured computers running at the 20 "en route centers" that direct high-altitude traffic nationwide. "While having limited exposure to the general public, en route center computer systems need to be better protected," reads the report, dated October 1st.

More information can be found at:
http://www.securityfocus.com/news/9729

Astalavista's comment:

It's obvious that air traffic control centers don't have a systematic approach to securing both servers and end users' desktops, given the fact that in 2002 hackers penetrated an administrative FAA system and obtained sensitive data. Something else to consider is that certain air traffic control centers might be using a very outdated version of Windows.

[ NEW GOOGLE SEARCH TOOL SPARKS PRIVACY CONCERNS ]

Richard Smith, a privacy-and-security consultant in Cambridge, Massachusetts, told the E-Commerce Times that Google's new Desktop Search software has a good side and a darker alter ego. "Google Desktop is a great organizer for finding information on your hard drive," he said. "But it's really a spying program. If it's installed on your computer and somebody else starts poking around, they can learn a lot about you."
More information can be found at:
http://ecommercetimes.com/story/37442.html

Astalavista's comment:

Google's search technology, combined with the majority of end users' use of plain text communication and storage of sensitive data in unencrypted form, makes the situation even worse. The emphasis on how useful, yet secure, the tool is rests on the claim that you're searching your computer and not sharing your results with anyone, which is untrue; even Google's content can be modified, as we've seen with the recent Desktop exploit. In the end it might all come down to the physical security of your computer.

[ US GOV TARGETS SPYWARE OUTFIT ]

A company which makes software that infiltrates users' computers and demands to be removed has been targeted by US authorities. The US Federal Trade Commission (FTC) has asked the Federal court to shut down the operations of Seismic Entertainment Productions and SmartBot.Net. The FTC action was initiated after it received a complaint from a Washington consumer group, the Center for Democracy and Technology. This is the first time that the FTC has taken action against a company that produces so-called "spyware".

More information can be found at:
http://www.theregister.co.uk/2004/10/11/ftc_targets_spyware/

Astalavista's comment:

I wonder what would happen if all complaints were actually prosecuted. The end of spyware? I doubt it, since in this game of cat and mouse the spyware vendors are far from getting caught. Anyway, this action might scare some spyware start-ups.


03. Astalavista Recommends
--------------------------

This section is unique with its idea and the information included within. Its purpose is to provide you with direct links to various white papers covering many aspects of Information Security. These white papers are defined as a "must read" for everyone interested in deepening his/her knowledge in the Security field. The section will keep on growing with every new issue.
Your comments and suggestions about the section are welcome at security@astalavista.net

" PASCAL TUTORIAL FOR NEWBIE PROGRAMMERS "

The full guide to Pascal programming, everything you will ever need to know.
http://www.astalavista.com/?section=dir&cmd=file&id=3046

" RKDetect - BEHAVIOUR BASED ROOTKIT DETECTION UTILITY "

RKDetect is a little anomaly detection tool which can find services hidden by generic Windows rootkits like Hacker Defender. It enumerates services on remote computers through WMI (user level) and the Services Control Manager (kernel level), compares the results and displays the difference.
http://www.astalavista.com/?section=dir&cmd=file&id=2752

" ExPat - EMAIL EXTENSIONS BLOCKING TESTER "

A Perl script that sends an email with many attachments. This can be used to test an infrastructure where the mail server blocks attachments based on extensions (such as .exe, .vbs, etc.).
http://www.astalavista.com/?section=dir&cmd=file&id=3021

" INTRODUCTION TO SHELLCODE - HOW TO EXPLOIT BUFFER OVERFLOWS "

A very thorough and well written paper on how it all works. A good read for anyone curious, and even for those who already think they know it all. It includes step by step examples from vulnerability discovery to a finished exploit. The paper focuses on x86 Intel syntax assembly under Linux.
http://www.astalavista.com/?section=dir&cmd=file&id=3001

" BYTESHELTER "

This steganography tool lets you conceal data in Outlook e-mail messages and .doc files.
http://www.astalavista.com/?section=dir&cmd=file&id=3006


04. Site of the month
---------------------

http://www.ProcessLibrary.com/

ProcessLibrary is a web based process lookup directory. A very handy, free service.


05. Tool of the month
---------------------

Spybot - Search&Destroy

Spybot - Search&Destroy is a freeware anti-spyware/anti-adware application that has a large database of malicious programs, hijackers, etc. You're strongly recommended to use it, as it will definitely give you excellent results.
http://www.astalavista.com/?section=dir&act=dnd&id=2548


06. Paper of the month
----------------------

The Sleekest Link Algorithm

How does Google decide which web sites are important? It uses an ingenious algorithm that exploits the structure of the web and is resistant to hacking. Here, we describe the PageRank algorithm.
http://www.astalavista.com/?section=dir&act=dnd&id=2941


07. Free Security Consultation
------------------------------

Have you ever had a Security related question but you weren't sure where to direct it? This is what the "Free Security Consultation" section was created for. Due to the high number of Security-related e-mails we keep getting on a daily basis, we have decided to initiate a service, free of charge. Whenever you have a Security related question, you are advised to direct it to us, and within 48 hours you will receive a qualified response from one of our Security experts. The questions we consider most interesting and useful will be published in the section. Neither your e-mail, nor your name will be present anywhere.

Direct all of your Security questions to security@astalavista.net

Thanks a lot for your interest in this free security service, we are doing our best to respond as soon as possible and provide you with an accurate answer to your questions.

---------

Question: Hi, folks at Asta! I'm sure you get this question over and over again but, anyway, here I'm asking you again. I'm an active Internet user since 2002, and I have noticed an increasing level of spam in all my mailboxes during the past two years. And what's worse, the filters I have in place cannot stop it. What should I do - purchase software? But how can I be sure it's going to work?

---------

Answer: Simply, you can't, as there's no perfect solution to fight spam nowadays.
We've been getting a lot of questions related to spam, which is what our featured article in Issue 11 is going to be about; namely, how to protect yourself from spam and how to reduce the risk of exposing your e-mail address in the first place, rather than just filtering tips. Anyway, take a look at the following site, it will provide you with a lot of info on the topic:
http://spam.abuse.net/userhelp/

---------

Question: I've read recently that it's now possible to infect JPEG files, but how is this possible? I did my best to avoid executable files; should I worry about every JPEG now?

---------

Answer: Only if you haven't applied the required patches for this vulnerability, which indeed surprised quite a lot of experts. Here are some useful links where you can download the patch and a free utility that will try to locate "infected" files on your PC.
http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx
http://www.astalavista.com/?section=dir&cmd=file&id=3085

---------

Question: I have been visiting your site since 2000 and decided to ask for your opinion on a problem I have to solve in the next couple of weeks. I'm responsible for the IT infrastructure of a small business based in the U.S. Our current security measures in place are server-based anti-virus protection and firewalls, both server and desktop. The desktop ones are freeware versions due to the limited budget we have, and we try to keep up to date with the latest patches when available. However, we've recently experienced a security incident, which in my opinion was just a matter of time, so the management decided to spend more on IT security. I was considering a managed security services provider since we now seem to have the financial capability to hire one; would this be a wise decision?

---------

Answer: In Issue 8 of our newsletter we featured an article concerning the topic.
Issue 8 can be found at:
http://www.astalavista.com/media/newsletter/issue_8_2004.txt

Anyway, I doubt you have any reliable security experts in place, and if you do, their resources are very limited compared with what they need to properly secure your company. MSSPs are very strong in terms of expertise and reliability, and consulting with one about what's best for your security is a wise decision.

Another comprehensive guide on Managed Security Services Providers can be found at:
http://www.cert.org/security-improvement/modules/omss/omss.pdf


08. Enterprise Security Issues
------------------------------

In today's world of high speed communications, of companies completely relying on the Internet for conducting business and increasing profitability, we have decided that there should be a special section for corporate security, where advanced and highly interesting topics will be discussed in order to provide that audience with what they are looking for - knowledge!

- Passwords - Common Attacks and Possible Solutions -
by Dancho Danchev
dancho.danchev[at]astalavista.net

Overview

Making sure authorized users have access to either sensitive company information or their personal e-mail can be a daunting task, given the fact that an average user has to remember at least 4 or 5 passwords, a couple of which have to be changed on a monthly basis. The majority of users are frustrated when choosing or remembering a password, and are highly unaware of the consequences of their actions while handling accounting data. This article will provide you with an overview of how important, yet fragile, password security really is; you will be acquainted with different techniques for creating and maintaining passwords, and with possible alternative methods for authentication, namely Passphrases, Biometrics and Public Key Infrastructure (PKI).
Dangers posed by passwords

While the majority of organizations and almost 99% of home users still rely heavily on passwords as the basic form of authentication to sensitive and personal resources, their insecure maintenance, creation and network transfer could open the front door of any organization or personal asset to a malicious attacker. Management staff with an outdated mode of thinking still believe that passwords are the most essential, user-friendly way to identify a user on their network or database, while the fact is that users are frustrated by the fact that they need to change their password, that they need to create a "secure" password, or follow instructions on how to keep it as secret as possible. The results are a large number of crackable passwords, the same passwords on multiple systems, and "post it" notes with passwords, even including login names.

On any given system, certain users have privileges that the others don't and shouldn't have. By identifying yourself on your computer or any given web site, you are granted access to your work environment and personal data, data which you define as sensitive and data you wouldn't want to make public, the way a company doesn't want to give a competitor access to its intranet, for instance.

Abusive scenarios posed by exposing accounting data are:

- identity theft

Identity theft might occur once your accounting data is somehow known to another person, who uses it to impersonate you in order to get hold of your digital identity. This might result in both financial damages, as well as personal ones.

- sensitive data exposure

The content of your e-mail correspondence, personal projects, documents and photos could be exposed to a malicious hacker or someone targeting you especially as an individual.
- company data exposure

Unethical intelligence gathering, obtaining sensitive confidential internal information through badly maintained and kept accounting data, would have an enormous impact on the company you're working for. I doubt you would like to be the one who exposed the next 6 months' marketing and advertising plans to a competitor.

- involvement in criminal activities

Your account could be used in various criminal activities if its credentials are not well maintained and kept secret. Remember, the trace leads back to your account.

The Most Common Password Exposure Scenarios

- physical security breach

A physical breach of your computer will completely bypass even the most sophisticated authentication methods, even the most secure encryption ones. A keylogger, either software or hardware, might be installed, and your secret PGP key might as well be exposed; thus all your accounting and encrypted data will be compromised. It doesn't matter how long or secure your password is, as physical security breaches are among the most critical ones.

- unintentionally shared

A user might share his/her accounting data without even realizing that by exposing it the risk of a potential break-in increases. A password is usually shared with friends, bosses or family under different circumstances. A "benefit" considered by some users is the convenience of two or more persons knowing certain accounting data in order to gain access to a certain resource. Passwords might also be shared in an informal talk with coworkers discussing the latest company password policy, or the way they choose their passwords, how they maintain them and, in some cases, how the management will never find out about their thought-to-be-secret ways of storing the accounting data. One of the most critical and easiest ways of obtaining sensitive data is simply to ask for it, either directly or indirectly, which is what social engineering is all about.
- cracked

Sometimes, in case of a partial break-in, the encrypted password file of a company might be exposed to a malicious attacker. If that happens, the attacker will start cracking the file, trying all the possible combinations in order to find the weakest passwords and gain privileges later on. In case the company is aware that its password file has been compromised, it should immediately notify all employees to change their passwords, so that even if weak passwords are exposed, they wouldn't be valid anymore. However, if the company is not aware of its password file exposure, it should constantly try to crack its own password file just like an attacker would do and filter out the weakest passwords.

- sniffed

Are you aware of how many employees are accessing sensitive data through an already breached computer, their own or a friend's? Having a strong password doesn't protect it when it's not securely transmitted over the Internet. Don't give your employees the ability to choose between plain text or SSL authentication; instead, enforce all network communications in encrypted mode. Another highly recommended option would be to provide everyone with a "last login from.." feature, so that in case they notice an unauthorized login, they would report it right away.

- guessed

A large number of users are tricking the established password policies by creating a password they believe to be strong but which is actually weak or easy to guess. Although nowadays this method is rarely used compared to the ones we've already discussed above, it should be kept in mind that certain users are still choosing passwords based on objects or brands around their desk.
The Most Common Password Maintenance Mistakes

- auto fill feature

The majority of applications will offer to remember your passwords and accounting data, but unless you're sure that the computer is reasonably protected from possible physical security breaches, you're strongly advised not to have your passwords remembered in this way. Make sure this option is not used at public access places like Internet cafes etc.

- "post it" notes

Passwords are often written down and, even worse, posted next to the monitor or around the desk. This could easily be observed by malicious attackers or insiders, so avoid it.

- "the secret place"

A lot of people believe they have found the secret place under the keyboard or anywhere around the desk, which is unacceptable considering that, if observed long enough, they would reveal their believed-to-be-secret place, get distracted and have their accounting data leaked out. Even so, a large number of people keep certain accounting data on paper, PDAs etc., so a possible strategy until they remember their accounting data and get rid of the note they keep with them all the time would be the following: have at least 6 or 7 different fake passwords around the real one; you might even cross a couple of them out, even the actual one. This would be very beneficial keeping in mind that hopefully two or three false logins will lock the account, so in case your note gets exposed, it would still be a matter of luck for the attacker to use the right one. Although this method provides no guarantees, and is not recommended at all, it is a very short-term solution to remember your password and get rid of your note right away!

How to Choose a Secure Password

Choosing secure passwords consists of knowing what their insecurities are, how passwords are cracked and what's behind the "at least 8 characters long, consisting of lower and capital letters, special characters and a number" requirement.
Basically, the shorter the password, the more opportunities for observing, guessing and cracking it. A password cracker would try all the possible combinations of letters, numbers and characters until he/she finds the right one. Given the number of letters in the alphabet compared with the ten digits (0-9), a numbers-only password gives the attacker far fewer combinations to try and is therefore easier to crack. Another commonly used technique is the use of a dictionary file against the encrypted passwords database, so that the weakest and most obvious passwords, in terms of words listed in a dictionary, will get exposed; this is why a longer password consisting of letters, numbers and characters would make it at least a bit more time consuming for an attacker attempting to crack the stolen passwords file.

Whenever you create a password, consider the following:

- make it at least 7 characters long, a combination of small and capital letters, at least one number and a special character like !@#$%^*()_+
- do not simply use a dictionary word or a logical sequence of characters like aaa555ccc, 1234567890 etc.
- try not to use a password you have already used on another system; avoid having the same password on all assets you have access to at any cost

A combination of the following strong, yet easy to remember, password techniques you may use are:

- choose a dictionary word like success, then reverse it: sseccus
- add numbers in front or at the end of it: 146sseccus or sseccus953
- consider adding at least one special character like !@#$%^&*()_+ anywhere
- the use of at least one capital letter would increase the number of possibilities a cracker has to try even more
- replace certain characters with numbers that you associate with them; security would be s3cur1ty, where 3 stands for e and 1 stands for i
- separate each letter with a number; security would be s1c3u2r4i6t5y

How to Remember Passwords

Remembering several passwords for different assets is a huge problem for the majority of users. That's why they either give up on remembering them and write them down, or create weak, but easy to remember, passwords. Whereas remembering passwords might not be such a difficult task if the majority of users stop thinking of them as a combination of bulk characters, and instead as a way to identify themselves, the way they do when taking money from a cash machine. In this case, it's all their company's and personal data they should try to protect.

- associate them

Association plays an important role in the memorizing process. Given a certain period of time, someone can teach you Japanese if he/she finds out the way you memorize and, most importantly, associate things. Visualization of the password is another important aspect of memorizing it, and within a short period of time you would be entering it even without thinking about what you're entering - a temporary habit, given the fact that the majority of organizations require constant password change.
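The following Python checker is an added example, not code from the newsletter or its author. It applies the rules from "How to Choose a Secure Password" and the brute-force search-space reasoning from the cracking paragraph to a constructed five-word dictionary, and goes beyond the text by undoing the listed creation tricks (reversal, added digits, e->3 / i->1 substitutions, interleaved digits) before the dictionary lookup, which is exactly what a cracker's rule set does to its word list.

```python
"""Password policy checker built from the rules in this article.

Rules from the text: at least 7 characters, both small and capital letters,
at least one number and one special character, no plain dictionary word and
no logical sequence such as aaa555ccc or 1234567890.  keyspace_bits() gives
the brute-force search space the cracking paragraph describes, so a
numbers-only password can be compared with a mixed one.

Extension beyond the text: the dictionary check also undoes the creation
tricks listed above (reversing, digits added in front or at the end,
e->3 / i->1 substitutions, digits interleaved between letters), because a
cracker's rule set applies exactly those transformations to its word list.
"""
import math
import re
import string

# Constructed mini word list for the demo; a real audit would load a full one.
DICTIONARY = {"success", "security", "password", "welcome", "letmein"}

# Number-for-letter associations suggested in the article (e -> 3, i -> 1)
# plus the other common ones a cracker's rules try.
UNLEET = str.maketrans({"3": "e", "1": "i", "0": "o", "4": "a",
                        "5": "s", "7": "t", "@": "a", "$": "s"})


def dictionary_base(pw):
    """Return the dictionary word pw is derived from, or None if none is found."""
    lower = pw.lower()
    forms = {
        lower,
        lower.strip(string.digits + string.punctuation),  # 146sseccus, sseccus953
        lower.translate(UNLEET),                           # s3cur1ty
        re.sub(r"[^a-z]", "", lower),                      # s1e3c2u4r6i5t7y
        re.sub(r"[^a-z]", "", lower.translate(UNLEET)),
    }
    for form in list(forms):
        forms.add(form[::-1])                              # sseccus
    for form in forms:
        if form in DICTIONARY:
            return form
    return None


def is_logical_sequence(pw):
    """True for patterns like aaa555ccc or 1234567890: at least two thirds of
    the adjacent character pairs either repeat or step by one code point."""
    if len(pw) < 2:
        return True
    steps = [abs(ord(b) - ord(a)) for a, b in zip(pw, pw[1:])]
    return 3 * sum(s <= 1 for s in steps) >= 2 * len(steps)


def keyspace_bits(pw):
    """log2 of the brute-force search space for pw's length and the character
    classes it uses: 10 digits, 26 small, 26 capital, 32 special characters."""
    classes = ((string.digits, 10), (string.ascii_lowercase, 26),
               (string.ascii_uppercase, 26), (string.punctuation, 32))
    alphabet = sum(size for chars, size in classes if any(c in chars for c in pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def check_password(pw):
    """Return the list of article rules pw violates; an empty list means it passes."""
    problems = []
    if len(pw) < 7:
        problems.append("shorter than 7 characters")
    if not (set(pw) & set(string.ascii_lowercase) and set(pw) & set(string.ascii_uppercase)):
        problems.append("needs both small and capital letters")
    if not set(pw) & set(string.digits):
        problems.append("needs at least one number")
    if not set(pw) & set(string.punctuation):
        problems.append("needs a special character like !@#$%^&*()_+")
    if is_logical_sequence(pw):
        problems.append("logical sequence of characters")
    base = dictionary_base(pw)
    if base:
        problems.append("derived from the dictionary word '%s'" % base)
    return problems


if __name__ == "__main__":
    # Constructed samples, including the ones the article itself uses.
    for sample in ("1234567", "s3cur1ty", "sseccus953", "aaa555ccc", "Y13#tiruceC"):
        verdict = check_password(sample) or ["ok"]
        print("%-14s %5.1f bits  %s" % (sample, keyspace_bits(sample), "; ".join(verdict)))
```

Run as a script it prints one line per sample; the article's own Y13#tiruceC passes every rule, while its reversed and substituted examples are reported as dictionary-derived.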
- explain them to yourself

For instance, the password Y13#tiruceC basically represents the word security backwards, where the first and the last letters are capital, and the first capital letter is followed by your best friend's birth date, plus a special character. Instead of representing a bulk of characters like it used to, now your password is your own encrypted language.

Possible Solutions

When enforcing authentication methods on both network and security policy levels, the majority of users proved to be unreliable in storing and creating strong passwords. The service desk is often too busy to handle "forgotten password" requests, and unless the company undertakes a password awareness initiative, the problem will continue to grow.

Passphrases

Passphrases were conceived to be easier to remember, yet virtually impossible to crack. The majority of encryption software packages require you to use a passphrase for your private key instead of a password. Passphrases are usually something that you always remember, either a quote or a favorite sentence, combined with numbers and special characters. Although virtually impossible to crack due to their length, both passwords and passphrases can be logged through the use of a keylogger, or sniffed if transmitted over a plain text communication channel.

Biometrics

Biometrics is the next generation of authentication methods. Although it's still in its early implementation period due to the associated costs, and sometimes the number of false results, biometrics will change the way we authenticate ourselves, hopefully with 99% accuracy. Simply put, biometrics cannot be stolen, cannot be forgotten, neither can they be given to another person. Biometric systems may include fingerprint systems, voice recognition systems, eye/retina scanner systems, hand geometry systems and handwriting systems.
Public Key Infrastructure (PKI)

Public Key Infrastructure (PKI) gives entities, namely employees or servers, the ability to communicate, authenticate, sign and verify identities by issuing digital certificates, each of which is tied to a pair of private and public keys. The public key is available to anyone wanting to exchange data with the entity, and the private key is the only way for the entity to decrypt, or to identify itself properly. PKI is very useful when communicating over insecure networks like the Internet, and on internal servers as well.

Although passwords will continue to represent the most common authentication method for a long time to come, companies and users that have already realized their weaknesses are slowly switching to other possible alternatives. Encryption will be the next big thing for the majority of small and medium-sized companies, as well as the adoption of various biometric methods.


09. Home Users' Security Issues
-------------------------------

Due to the high number of e-mails we keep getting from novice users, we have decided that it would be a very good idea to provide them with their very special section, discussing various aspects of Information Security in an easily understandable way, while, on the other hand, improving their current level of knowledge.

- Passwords - Common Attacks and Possible Solutions -


10. Meet the Security Scene
---------------------------

In this section you are going to meet famous people, security experts and all personalities who in some way contribute to the growth of the community. We hope that you will enjoy these interviews and that you will learn a great deal of useful information through this section. In this issue we have interviewed Anthony Aykut from Frame4 Security Systems.
Your comments are welcome at security@astalavista.net

------------------------------------------------

Interview with Anthony Aykut, Frame4 Security Systems, http://www.frame4.com/

Astalavista: Anthony, would you please tell us something more about your experience in the InfoSec industry, and what is Frame4 Security Systems all about?

Anthony: Sure. I guess I am what you would primarily call a "security enthusiast", with what I came to see as "a keen sense of security business enthusiasm". Actively following the Trojan/Virus community since my teens in the late 1980's, I have been working in the IT industry since the early 90's, though up until 2002 I had never felt the need to follow the IT security path. Let's just say that a certain chain of events made me "fall" into it :-)) ... and that is when I decided to start Frame4 Security Systems.

Frame4 Security Systems is a small IT-Security company based in the Netherlands. We offer the usual "out-of-the-box" professional security services (security audits, pen-testing, etc.), but we especially pride ourselves on our outstanding security awareness programs (seminars and courses), exceptional service, and our upcoming "ProjectX Security Knowledgebase". I really feel that we are on a unique playing-field with Frame4; whereas big (and often expensive) consultancies are primarily focused on big companies/contracts, bottom line figures and deadlines - the Security Awareness on a personal (employee) level often gets overlooked. This creates a well-known security gap that gets exploited more and more often, rendering the million-dollar security solution back in the server-room absolutely useless. I have personally seen good examples of this within big companies -- and that is why we let the big boys do what they are good at by providing solid, proven solutions, whereas we have the unique opportunity of "fighting the disease from the inside out".
Astalavista: "Internet privacy", do these words still exist in your opinion?

Anthony: To a large extent (and unfortunately), no. But I guess this was to be expected with millions of people pumping their personal data into online databases and keeping information on their PCs. It is an open field, with little or no control or control structure. Let's face it, (personal) information and data is big business, and people will do absolutely anything from hacking databases to infecting people with spyware/trojans to extract that information. And in some cases, custodians of personal information have just made it way too easy for other (unauthorised) people to gain access to private data. I guess that's when the finger-pointing started :-)

But on a more serious note, I have friends who are so paranoid that they only surf the net behind a wall of proxies and anonymizers, under false/assumed names and identities. Me, I am just careful; I think when people have a basic online awareness level, and know what to look out for, it is no more a threat to your information than, say, putting your garbage outside and someone going through it (a.k.a. dumpster diving).

Astalavista: We have recently seen a large number of DDoS extortion schemes, whereas certain companies comply behind the curtains. Should we consider every E-business site that goes down a victim of extortion schemes? What do you think a company should do in a situation like this?

Anthony: I personally think that the "head-in-the-sand" ostrich attitude is completely wrong; pay once to one extortionist, and a dozen others will line up to grab that easy cash. I don't think you should comply and give in to any of these demands (I prefer to call them threats) but come out with it in the open and track down the perpetrators if possible. Openness, like some companies have chosen, may possibly dent your corporate identity on a temporary basis, but also takes away the power of the extortionist.
We have seen that this approach is the lesser of two evils in general, and this is especially true if your business does not depend on an internet presence per se.

Astalavista: In today's world of "yet another worm in the wild", what do you think are the main consequences of this cycle, and what do you think should be done in order to prevent it?

Anthony: Well, I am pretty clear on that. As long as publicly/privately available source code floats around the web, not much can be done - unless the AV vendors come up with better technologies. It really is up to them to come up with better and improved techniques to protect our systems; more and more, the current AV technology is showing that it is getting outdated by being circumvented in many ways. I am more than aware that it is difficult to "protect against the unknown", but I just know there should be more. Maybe AV vendors should float a bit more within the "community" to gain awareness :-)

To be honest, with the advent of other malware, such as Trojans, Sniffers, Keyloggers and Spyware to name a few, and many interesting technologies such as Firewall-Bypassing, etc., it is getting more and more obvious that we need an "All Comprehensive Malware Solution" rather than just a pattern-based AV system. It just ain't cutting it anymore. Until then, keep up your defences and update those virus patterns on a daily basis!

Astalavista: The threat of, and actual infections with, spyware opened up an entire market for anti-spyware related services and products, while millions of people out there are still infected, and some are even unaware of it. What is your opinion on the recent government regulations targeting spyware vendors, but allowing "spy agencies" to use spyware? What do you think is going to happen on the spyware scene in the next couple of years?

Anthony: Well, as I pointed out in your previous question, I tend to see Spyware in almost the same category as Trojans, Viruses and other malware.
Subsequently, I think things are going to get (much) worse before they (I hope, eventually) get better, and it is going to take some considerable changes in AV technology for one (along with our ways of thinking) to ensure people will not take advantage of these technologies to the disadvantage of others. Currently things are not looking too good: governments have proven that we cannot trust their ineffective and inevitably slow schemes, and until better/additional technologies are invented to bolster our AV defences, we are pretty much sitting-duck targets. This has been proven yet again with the recent "hijacking" of 1000's of zombie/drone PCs to perform DDoS attacks, etc. So it is really up to the individuals to get at least some basic security measures up and running, and there are plenty of reputable web sites out there to provide all the information one needs to secure oneself well.

Astalavista: Thanks for your time.

Anthony: No problem!

11. Security Sites Review
---------------------

The idea of this section is to provide you with reviews of various highly interesting and useful security related web sites. Before we recommend a site, we make sure that it provides its visitors with quality and unique content.

http://radio.weblogs.com/0140770/
Fred's Security Vortex - Blog
Quite a lot of interesting comments and articles on various security related topics.

http://www.antiphishing.org/
Anti Phishing Working Group
Monthly updates on various phishing trends.

http://cgi.resourceindex.com/
CGI Resources
Very comprehensive site with programs and scripts, articles and books.

http://www.planetsourcecode.com/
Planet Source Code
Looking for source code in your favourite programming language? Find it all here.

http://www.netrn.net/spywareblog/
Spyware Warrior
Spyware related blog, informative reading.

12. Astalavista needs YOU!
---------------------

We are looking for authors who would be interested in writing security related articles for our newsletter, for people's ideas that we will turn into reality with their help, and for anyone who thinks he/she could contribute to Astalavista in any way. Below we have summarized various issues that might concern you.

- Write for Astalavista -

What topics can I write about?

You are encouraged to write on anything related to Security:

General Security
Security Basics
Windows Security
Linux Security
IDS (Intrusion Detection Systems)
Malicious Code
Enterprise Security
Penetration Testing
Wireless Security
Secure programming

What do I get?

Astalavista.com gets more than 200 000 unique visits every day and our Newsletter has more than 22,000 subscribers, so you can imagine what the exposure for you and your article will be. Impressive, isn't it? We will make your work and you popular among the community!

What are the rules?

Your article has to be UNIQUE and written especially for Astalavista; we are not interested in republishing articles that have already been distributed somewhere else.

Where can I see a sample of a contributed article?

http://www.astalavista.com/media/files/malware.txt

Where and how should I send my article?

Direct your articles to dancho@astalavista.net and include a link to your article. Once we take a look at it and decide whether it is qualified enough to be published, we will contact you within several days; please be patient.

Thanks a lot to all of you, our future contributors!

13. Astalavista.net Advanced Member Portal Promotion
-------------------------------------------------

Astalavista.net is a world-known and highly respected Security Portal offering an enormous database of very well-sorted and categorized Information Security resources, files, tools, white papers, e-books and many more.
At your disposal are also thousands of working proxies, wargames servers where all the members try their skills and, most importantly, the daily updates of the portal.

- Over 3.5 GByte of Security Related data, daily updates and always working links.
- Access to thousands of anonymous proxies from all over the world, daily updates.
- Security Forums Community where thousands of individuals are ready to share their knowledge and answer your questions; replies are always received no matter what question is asked.
- Several WarGames servers waiting to be hacked; information between those interested in this activity is shared through the forums or via personal messages, and a growing archive of white papers containing info on previous hacks of these servers is available as well.

http://www.astalavista.net/ The Advanced Security Member Portal

14. Astalavista Feedback Contest - 2004
-----------------------------------

Don't have an Astalavista.net membership? Are you a fan of Astalavista.com?

topic - "Astalavista.com - The beginning, the future and me in between"

description - write your own story: how you first knew about Astalavista.com, how long you have been visiting the site, how it helped you improve your security or your organization's security, what makes you visit the site over and over again, how we evolved and what has changed. Share a funny or a serious situation related somehow to Astalavista.com - remember what it was when you first visited it and what it turned into. What do we have to improve, how do you see the page 5 years from now, what are our strong and weak points, but most of all, share a story that's worth telling!
minimum - 4 pages

maximum - up to you; the more comprehensive and original the feedback, the higher the chance to win the contest

deadline - 22nd November, 2004

prize - the most original and inspiring stories will be rewarded with a lifetime Astalavista.net - Advanced Security Member Portal membership

More information is available at:

http://www.astalavista.com/index.php?page=106

15. Final Words
-----------

Dear Subscribers,

Thanks for your feedback and thanks to all the participants in our Feedback Contest! We hope you have enjoyed Issue 10.

Editor - Dancho Danchev
dancho@astalavista.net

Proofreader - Yordanka Ilieva
danny@astalavista.net