|------------------------------------------|
|- Astalavista Group Security Newsletter -|
|- Issue 14 09 March 2005 -|
|- http://www.astalavista.com/ -|
|- security@astalavista.net -|
|------------------------------------------|

- Table of contents -

[01] Introduction
[02] Security News
 - Lawyers form group to aid open source code writers
 - MSN Belgium to use eID cards for online checking
 - T-Mobile hacker pleads guilty
 - SUSE Linux wins Common Criteria certification
 - Microsoft denies blackmail accusations
 - AOL man pleads guilty to selling 92m email addies
 - Symantec hit by large-scale flaw
 - Complaint dropped against DDoS mafia
 - Hackers see 3G as prize target
 - Gartner slams Microsoft's lack of a security strategy
[03] Astalavista Recommends
 - Computer Languages History
 - Fight Chaos IRC Game
 - Wiretapping the Internet
 - Penetration Testing IPsec VPNs
 - RegistryProt 2.0
 - The Art of Computer Virus Research And Defense
 - fl0w-s33ker.pl - Overflow tracker + debugger
 - The C Code Analyzer (CCA)
 - Hold Your Sessions: An Attack on Java Session-id Generation
 - SpoofStick IE
[04] Astalavista.net Advanced Member Portal - Last chance to get a lifetime membership!
[05] Site of the month - http://www.linuxlinks.com/
[06] Tool of the month - The "Google Hack" Honeypot
[07] Paper of the month - Why Open Source Software / Free Software ?
[08] Geeky photo of the month - "Richie Rich"
[09] Free Security Consultation
 - Correct me if I'm wrong but as far as FireFox is concerned..
 - During the last couple of years me as everyone else..
 - Did the FBI really..
[10] Astalavista Security Toolbox DVD v2.0 - what's inside?
[11] Enterprise Security Issues
 - Malware and our organization - what are we missing?
[12] Home Users Security Issues
 - 2005 - are we heading straight to 1984?
[13] Meet the Security Scene
 - Interview with Björn Andreasson, http://www.warindustries.com/
[14] Security Sites Review
 - Bleedingsnort.com
 - Benedelman.org
 - Majorgeeks.com
 - Networksecuritytech.com
 - Blackhat.be
[15] Final Words


01. Introduction
-------------

Hi folks,

Welcome to Astalavista Security Newsletter - Issue 14.

Astalavista.com has attracted quite a lot of attention recently: the Worm.Ahker family restricted access to our site. Nice to see it mentioned at the top, with fbi.gov and a couple of others left behind.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AHKER.B&VSect=T#

During the month, we extended our affiliates network with websites such as SecurityDocs.com - a security white-paper directory, MegaSecurity.org - one of the few trojan information databases left online, NovaStream.org - an online radio, and WarIndustries.com - a site that's been around since 1998. It is great that someone's still keeping it up.

We also added a new "Astalavista Top 20 Featured Papers" section, right next to our "Astalavista Top 20 Featured Tools". These will be updated on a monthly basis, with the idea of helping you find worthy tools and reading materials. Several more security related and weekly updated sections are to come at Astalavista.com, so stay tuned!

In Issue 14, you'll read an interview with Björn Andreasson, the person behind WarIndustries.com. You'll find out what happened around the industry during February, and you can go through "Malware and our organization - what are we missing?" - an article discussing various malicious software protection measures from an organization's point of view, and "2005 - are we heading straight to 1984?" - a privacy-awareness oriented article explaining various issues on the topic.

All issues of our newsletter will also be available in both TXT and HTML within the next two weeks. As always, the choice is yours!

Enjoy Issue 14, and thanks for staying with us!
Astalavista Security Newsletter is mirrored at:

http://www.packetstormsecurity.org/groups/astalavista/
http://www.securitydocs.com/astalavista_newsletter/

If you want to know more about Astalavista.com, visit the following URL:

http://www.astalavista.com/index.php?page=55

Previous issues of Astalavista Security Newsletter can be found at:

http://www.astalavista.com/index.php?section=newsletter

Yours truly,

Editor - Dancho Danchev
dancho@astalavista.net

Proofreader - Yordanka Ilieva
danny@astalavista.net


02. Security News
--------------

The Security World is a complex one. Every day a new vulnerability is found, new tools are released, new measures are made up and implemented, etc. In such a sophisticated Scene we have decided to provide you with the most striking and up-to-date Security News during the month, a centralized section that contains our personal comments on the issues discussed. Your comments and suggestions about this section are welcome at security@astalavista.net

-------------

[ LAWYERS FORM GROUP TO AID OPEN SOURCE CODE WRITERS ]

A non-profit group of lawyers has formed the Software Freedom Law Center to provide legal services to the open source community. The SFLC, formed with more than $4 million donated by Open Source Development Labs, will provide legal services to non-profit open source software projects and developers, giving advice and litigation support on issues such as licenses, patents, copyrights, and intellectual property law. Eben Moglen, an expert on international software copyright law and founder of the center, says he expects as much as $12 million in additional support within the next five years from sellers and large open source software customers, and anticipates the center growing to a staff of 15 attorneys.
More information can be found at :

http://technews.orb6.com/stories/sv/20050201/lawyersformgrouptoaidopensourcecodewriters.php

Astalavista's comments :

Nice one, given last month's trial in France, where the French company Tegam was suing Guillaume Tena for releasing proof of concept code to highlight security bypass and worm evasion flaws in Viguard - the company's antivirus product. But take into account the following - the researcher didn't have malicious intentions. He could have kept his anonymity prior to the release of the code and he could have caused much more serious damage to the company, which took it personally - an action condemned by the majority of respected sites and security researchers, with reason. Is it a good idea to find security holes anyway? Check out the following paper, as it has very good insights on the topic :

http://www.astalavista.com/media/files/rescorla.pdf

[ MSN BELGIUM TO USE EID CARDS FOR ONLINE CHECKING ]

Microsoft's Bill Gates and Belgian State Secretary for e-government Peter Vanvelthoven announced on February 1, 2005 that they are working together to ensure support for the Electronic Identity Card (e-ID) standard. The e-ID cards contain an electronic chip and will replace the existing ID card system in Belgium, with over 3 million to be distributed by the end of 2005. Microsoft plans to combine the eID Card with its MSN Messenger chatrooms to improve safety, as users would have a trustworthy way of identifying themselves online, allowing the Belgian Federal Computer Crime Unit (FCCU) to limit access for young children.

More information can be found at :

http://www.theregister.co.uk/2005/02/01/msn_belgium_id_cards/

Astalavista's comments :

"Working together" doesn't necessarily mean "soon to be implemented". Imagine yourself in a situation with an e-ID card for MSN when it comes to your privacy.
Certain governments who recently started evolving and placing an "E" in front of government are still unaware of many of the practical and social implications that their actions might cause. Don't fall victim to the idea of being part of socially oriented campaigns where the ultimate goal is to know who's who on MSN in the most convenient way ever. Meanwhile, young children will always find ways to bypass these protections, the way they bypass the "SafeSearch" feature by being the first-comer on a public or someone else's computer.

[ T-MOBILE HACKER PLEADS GUILTY ]

A sophisticated computer hacker who penetrated servers at wireless giant T-Mobile pleaded guilty Tuesday to a single felony charge of intentionally accessing a protected computer and recklessly causing damage. Nicolas Jacobsen, 22, entered the guilty plea as part of a sealed plea agreement with the government, says prosecutor Wesley Hsu, who declined to provide details. The prosecution, first reported by SecurityFocus last month, has been handled with unusual secrecy from the start, and a source close to the case said in January that the government was courting Jacobsen as a potential undercover informant. Before his arrest last October, Jacobsen used his access to a T-Mobile database to obtain customer passwords and Social Security numbers, and to monitor a U.S. Secret Service cyber crime agent's e-mail, according to government court filings in the case. Sources say the hacker was also able to download candid photos taken by Sidekick users, including Hollywood celebrities, which were shared within the hacking community.

More information can be found at :

http://www.securityfocus.com/news/10516
http://www.securityfocus.com/news/10271

Astalavista's comments :

The T-Mobile hacker rocks my world this month, bearing in mind that the candid photos "shared within the hacking community" are now publicly available over the Internet, and some are way too personal and... naked, of course.
What is to highlight in this case is his age, the fact that he had been under cover for one year by the time he started advertising the services available; and, as always, it would be just a couple of people (no, not the prosecutors) knowing how much sensitive information has actually been intercepted. T-Mobile definitely has a PR disaster on its way, not to mention the lack of confidence in their ability to provide reliable yet secure services.

[ SUSE LINUX WINS COMMON CRITERIA CERTIFICATION ]

Novell's SuSE Linux Enterprise Server 9 running on IBM's eServer has won CAPP/EAL4+ (Controlled Access Protection Profile, Evaluation Assurance Level 4+) certification under the Common Criteria. It is the first time a Linux distribution has won a Level 4 evaluation. Red Hat Linux is currently undergoing testing for Level 4, while Microsoft's Windows 2000 won Level 4 in 2002.

More information can be found at :

http://www.gcn.com/vol1_no1/daily-updates/35119-1.html

Astalavista's comments :

I especially enjoy the way Novell started catching up in recent years, especially with their new open-source philosophy, even with an emphasis on security. I'm more than impatient to see what is to come next. Listen to the following 30MB mp3, directly from Novell's point of view :

http://www.astalavista.com/?section=dir&act=dnd&id=3695

[ MICROSOFT DENIES BLACKMAIL ACCUSATIONS ]

Microsoft has denied reports published in a Danish financial newspaper that chairman Bill Gates told Prime Minister Anders Fogh Rasmussen that his company would move 800 jobs from Denmark to the United States if the country did not support the European Union's Computer Implemented Inventions Directive (CIID).
This is not the first allegation of technology companies attempting to influence EU policy; in January 2005, the Polish Gazeta Wyborcza reported that subsidiaries of Siemens, Nokia, Philips, Ericsson and Alcatel sent a letter to the Polish prime minister outlining concerns about the patent directive and implying that they would reconsider their investments in the country if Poland continued to oppose the directive.

More information can be found at :

http://news.zdnet.co.uk/business/legal/0,39020651,39187947,00.htm

Astalavista's comments :

Just a comment - you want them to confirm?! I wouldn't like to be an MS employee losing his/her job in an open-source world anyway, and although it's a very sensitive topic, at the bottom line it's all about votes. Imagine a country facing a coordinated push by major companies like the ones mentioned. They don't want to lose them as investors in the country, which would mean people getting fired or not employed at all. Take your time and read the following comprehensive paper if you want to know more on the topic :

http://www.astalavista.com/?section=dir&act=dnd&id=3577

[ AOL MAN PLEADS GUILTY TO SELLING 92M EMAIL ADDIES ]

An ex-AOL employee has pleaded guilty to stealing 92m customer names and email addresses from the ISP's database. The 24-year-old, Jason Smathers, sold the email addresses for $28,000. Smathers sold the names to Sean Dunaway, who used the names to promote his offshore gambling site before selling them on to other spammers.

More information is available at :

http://www.theregister.co.uk/2005/02/07/aol_email_theft/

Astalavista's comments :

You don't need spam crawlers anymore, just an average secretary with access to a Fortune 500 company's client list and contact details, in order to be productive. Sounds familiar? For me, insiders still represent one of the most serious and unsolved security issues ever. How can 24-year-old Johny be productive when you prevent him from doing his job?
Simple - who says Johny needs access to such a sensitive database, who says Johny, still 24, probably an intern or someone who's been with the company since 2003, is a trusted employee, and what is a trusted employee anyway? Quite an open topic! A couple of useful papers discussing the insider issue can be found at :

http://www.astalavista.com/?section=dir&act=dnd&id=192
http://www.astalavista.com/?section=dir&act=dnd&id=2704
http://www.astalavista.com/?section=dir&act=dnd&id=3547
http://www.astalavista.com/?section=dir&act=dnd&id=3369

[ SYMANTEC HIT BY LARGE-SCALE FLAW ]

According to security rival ISS, which unearthed the vulnerability, the problem lies with the DEC2EXE module in the Symantec Anti-Virus Library, a part of the virus detection engine that makes it possible to detect malware inside executable files compressed using the freeware UPX (Ultimate Packer for eXecutables) format.

More information can be found at :

http://www.computerworld.com/securitytopics/security/holes/story/0,10801,99629,00.html

Astalavista's comments :

No one is invincible, not even Symantec - the industry's leading computer and network security provider. Symantec has been on the scene for quite a long time, and when it comes to reliability my opinion is that they know what they're up to, proactively. Thankfully, it was security rival ISS that came up with this highly critical vulnerability and not l33th4x0r at hotmail dot com, while this opens up another topic - the one about ethics. Quite a good example that rivals are actively "working" on each other's products.

[ COMPLAINT DROPPED AGAINST DDOS MAFIA ]

Federal authorities in Los Angeles have dismissed a criminal complaint filed last August against four men accused of performing DDoS attacks for hire.

More information can be found at :

http://www.oreillynet.com/lpt/a/5609

Astalavista's comments :

Do the Federal authorities actually realize the impact of this dismissal as an incentive for other people to perform DDoS for hire?
I doubt it; it will take a while before certain laws and their actual enforcement mature enough to be actually enforced. As it usually takes quite a lot of resources to prevent, block and, most importantly, trace the people behind these attacks, I'm sure quite a lot of technical experts and law enforcement agents are a bit pissed off at the decision. What about the victim itself?

[ HACKERS SEE 3G AS PRIZE TARGET ]

Despite more paranoia and stiffer security than ever, IP-based telecommunications servers are fast becoming the new 'holy grail' for the black hat hacking community, with a highly embarrassing intrusion at US based carrier T-Mobile the latest ugly incident. According to evidence tendered before a grand jury in California, Nicholas Jacobsen is alleged to have compromised T-Mobile's internal computer systems in 2003 and gained access to sensitive details on 400 customers, including sensitive information from the US Secret Service.

More information can be found at :

http://www.computerworld.com.au/index.php/id;1170957987;relcomp;1

Astalavista's comments :

Although IP based telecommunications servers are indeed a gold mine, crackers see every single networked system out there as a target. But when it comes to major communications providers, even financial institutions, governments concerned about espionage should give a hand, or enforce higher levels of security for systems processing such sensitive information. Anyway, my mailserver processes sensitive information; I might be corresponding with a U.S. Secret Service agent in plain-text. We might even be exchanging personal photos (no steganography here), and the whole process goes through yet another mail server out there, again in plain-text. The bigger the traffic load on the server, the higher the chance you'll (sooner or later) spot either a celebrity or an about-to-be naked celebrity :) Huge embarrassment for T-Mobile and the people exposed.
Actually, have you ever thought that something like this could happen to you? Keep on reading :

http://www.wired.com/news/privacy/0,1848,66735,00.html

[ GARTNER SLAMS MICROSOFT'S LACK OF A SECURITY STRATEGY ]

Gartner researcher Neil MacDonald argues that Microsoft's Trustworthy Computing Initiative should focus on strengthening Windows so it no longer needs antivirus, rather than competing with established antivirus vendors. Mr. MacDonald also criticizes Microsoft's decision to create Internet Explorer only for Windows XP as an attempt to compel Windows 2000 users to upgrade.

More information can be found at :

http://www.zdnet.com.au/news/security/0,2000061744,39181686,00.htm

Astalavista's comments :

Microsoft is actively trying to establish itself as a challenger to the anti-virus industry and the anti-spyware one, not by working on reliable practices on how to improve the overall security of its software, but by directly competing with already established companies. Don't get me wrong, the more competition the better the outcome, but in this situation MS's advantage is the reputation they establish instead of admitting the uncountable number of holes in each of their products and that they don't have a reliable, proactive strategy on these. But the end users' disadvantages start from actually trusting a built-in (watch out and see), recently born anti-virus solution or even an anti-spyware one (detecting Firefox as spyware). That's not to be trusted at all; as always, it's a matter of convenience = insecurity.


03. Astalavista Recommends
-----------------------

This section is unique with its idea and the information included within. Its purpose is to provide you with direct links to various white papers and tools covering many aspects of Information Security. These white papers are defined as a "must read" for everyone interested in deepening his/her knowledge in the Security field. The section will keep on growing with every new issue.
Your comments and suggestions about the section are welcome at security@astalavista.net

" COMPUTER LANGUAGES HISTORY "

A tree representing the history of computer languages.

http://www.astalavista.com/?section=dir&act=dnd&id=3570

" FIGHT CHAOS IRC GAME "

Fight Chaos IRC Game is a virtual one-to-one fighting and character improving environment controlled by FCBot in an IRC channel. Nice work OkIDaN!

http://www.astalavista.com/?section=dir&act=dnd&id=3595

" WIRETAPPING THE INTERNET "

This paper describes the Advanced Packet Vault, a technology for creating a complete record of network traffic by collecting and securely storing all packets observed on a network, with a scalable architecture intended to support network speeds in excess of 100 Mbps.

http://www.astalavista.com/?section=dir&act=dnd&id=3601

" PENETRATION TESTING IPSEC VPNS "

This article discusses a methodology to assess the security posture of an organization's IPsec based VPN architecture.

http://www.astalavista.com/?section=dir&act=dnd&id=3620

" REGISTRYPROT 2.0 "

RegistryProt is a 100% free, standalone, compact, low-level realtime registry monitor and protector that adds another dimension to Windows security and intrusion detection.

http://www.astalavista.com/?section=dir&act=dnd&id=3630

" THE ART OF COMPUTER VIRUS RESEARCH AND DEFENSE "

This chapter discusses the generic (or at least "typical") structure of advanced computer worms and the common strategies that computer worms use to invade new target systems.

http://www.astalavista.com/?section=dir&act=dnd&id=3628

" FL0W-S33KER.PL - OVERFLOW TRACKER + DEBUGGER "

Simple tool for tracking overflows. It uses GDB calls to get register addresses at overflow time.

http://www.astalavista.com/?section=dir&act=dnd&id=3587

" THE C CODE ANALYZER (CCA) "

The C Code Analyzer (CCA) is a static analysis tool for detecting potential security problems in C source code.
http://www.astalavista.com/?section=dir&act=dnd&id=3558

" HOLD YOUR SESSIONS : AN ATTACK ON JAVA SESSION-ID GENERATION "

HTTP session-ids play an important role in almost any web site today. This paper presents a cryptanalysis of Java Servlet 128-bit session-ids and an efficient practical prediction algorithm.

http://www.astalavista.com/?section=dir&act=dnd&id=3643

" SPOOFSTICK IE "

What is SpoofStick? SpoofStick is a simple browser extension that helps users detect spoofed (fake) websites.

http://www.astalavista.com/?section=dir&act=dnd&id=3653


04. Astalavista.net Advanced Member Portal - Last chance to get a lifetime membership!
------------------------------------------------------------------------

Last chance to get a lifetime membership - from the end of March, lifetime memberships will no longer be available. Get yours and become part of the community, not only for the rest of your life, but also in a cost-effective way. Join us!

http://www.astalavista.net/new/join.php

What is Astalavista.net all about?

Astalavista.net is a global and highly respected Security Portal, offering an enormous database of very well-sorted and categorized Information Security resources - files, tools, white papers, e-books and many more. At your disposal are also thousands of working proxies, wargames servers where you can try your skills and discuss the alternatives with the rest of the members. Most importantly, the daily updates of the portal make it a valuable and up-to-date resource for all of your computer and network security needs. This is a lifetime investment.

Among the many other features of the portal are :

- Over 3.5 GByte of Security Related data, daily updates and always working links.
- Access to thousands of anonymous proxies from all over the world, daily updates.
- Security Forums Community where thousands of individuals are ready to share their knowledge and answer your questions; replies are always received, no matter what question is asked.
- Several WarGames servers waiting to be hacked; information between those interested in this activity is shared through the forums or via personal messages; a growing archive of white papers containing info on previous hacks of these servers is available as well.


05. Site of the month
------------------

http://www.linuxlinks.com/

Think Linux!


06. Tool of the month
------------------

The "Google Hack" Honeypot

GHH is the reaction to a new type of malicious web traffic: search engine hackers. GHH is a "Google Hack" honeypot. It is designed to provide reconnaissance against attackers that use search engines as a hacking tool against your resources. GHH implements honeypot theory to provide additional security to your web presence.

http://www.astalavista.com/?section=dir&act=dnd&id=3640


07. Paper of the month
-------------------

Why Open Source Software / Free Software ?

A must read!

http://www.astalavista.com/?section=dir&act=dnd&id=3577


08. Geeky photo of the month - "Richie Rich"
-----------------------------------------------------

Every month we receive great submissions to our Geeky Photos gallery. In this issue we've decided to start featuring the best ones in terms of uniqueness and IT spirit.

"Richie Rich" can be found at:

http://www.astalavista.com/images/content/richnerdpc.jpg


09. Free Security Consultation
---------------------------

Have you ever had a Security related question but you weren't sure where to direct it to? This is what the "Free Security Consultation" section was created for. Due to the high number of Security-related e-mails we keep getting on a daily basis, we have decided to initiate a service, free of charge. Whenever you have a Security related question, you are advised to direct it to us, and within 48 hours you will receive a qualified response from one of our Security experts. The questions we consider most interesting and useful will be published in the section. Neither your e-mail, nor your name will be disclosed.
Direct all of your Security questions to security@astalavista.net

Thanks a lot for your interest in this free security service, we are doing our best to respond as soon as possible and provide you with an accurate answer to your questions.

---------

Question: Hi, Astalavista folks. Superb newsletter! I wanted to ask you something concerning the recent IE dumping initiatives and the popularity that, at least according to what the analysts say, FireFox is getting. Correct me if I'm wrong but as far as FireFox is concerned, prior to all these campaigns, I've started seeing

---------

Answer: Thanks! At Astalavista we have also been actively involved in these campaigns, promoting that you'd better switch to a more secure browser alternative like FireFox than Internet Explorer, but in the short-term. In the long-term, as you've already started seeing, FireFox is also starting to become a target of both malicious attackers and security researchers. There's no simple answer on which one is more secure, but FireFox is far more reliable compared to IE, referred to as the Swiss Cheese of the software world; and because it's targeted a lot, some bugs are too weak to be true given the reputation MS is trying to establish. FireFox bugs also get fixed much quicker than IE ones - something that plays an important role. And you wouldn't actually be stuck waiting for mighty MS to release a patch. But in the long-term, I'm sure you'll start using a browser you've never thought you're about to use these days.

---------

Question: Hi guys! I've been visiting your site since its early days and it has always been a great resource to me. During the last couple of years me and, I guess, everyone taking a look at statistics, have seen an enormous increase in the levels of (reported) intrusions, as well as the recent years' flood of worms. Is it getting worse on the security front or is it just my impression?

---------

Answer: Basically, these are just a few of the effects of globalization.
Every year there are millions of people in different countries joining the Internet. Then everything begins from the very beginning - people get interested in hacking. Some start to enjoy it and decide to practise it for the rest of their lives, while others start emphasizing security. Take a look at the great number of vulnerabilities reported - we've seen various contributions from software vulnerability researchers from all over the world. More and more people start realizing that, indeed, their programming skills can also be used for software vulnerability discovery. Another aspect I can mention is the increased bandwidth a single end user has at his/her disposal these days. With such high speeds it takes less than a couple of hundred zombie PCs to shut down a small network, and although end users can't live without their high-speed connections, they should, at least, start securing them for the sake of not being part of another worldwide DDoS attack.

----------

Question: I hate feeling that I'm watched. I was recently reading a couple of news stories and I was wondering what you think - did the FBI really shut down their Carnivore system, and why, so they can start using Google?

----------

Answer: Some may call you a "privacy extremist", but I'll call you a concerned citizen asking the right questions, especially about Google. We get privacy related questions all the time, and we've started getting them prior to building awareness about the issue in terms of documents and tools on how to react to the problem at Astalavista's web site. I believe that the FBI indeed retired their Carnivore program simply because it wasn't suitable enough to handle the enormous loads of traffic I've mentioned in the answer above, plus the increased use of VoIP technologies, which is something the U.S. government (and others of course) are actively trying to get their hands on these days.
Total Information Awareness and other programs whose names we'll find out in the years to come are definitely on the lookout for potential terrorists, and whatever the people behind the program define as a potentially dangerous individual. Google is still keeping it pretty quiet, but isn't that what intelligence is all about?


10. Astalavista Security Toolbox DVD v2.0 - what's inside?
-------------------------------------------------------

Astalavista's Security Toolbox DVD v2.0 is considered the largest and most comprehensive Information Security archive available offline. As always, we are committed to providing you with a suitable resource for all your security and hacking interests in an interactive way! The content of the Security Toolbox DVD has been carefully selected, so that you will only browse through quality information and tools. No matter whether you are a computer enthusiast, a computer geek, a newbie looking for information on "how to hack", or an IT Security professional looking for quality and up to date information for offline use or just for convenience, we are sure that you will be satisfied, even delighted by the DVD!

More information about the DVD is available at:

http://www.astalavista.com/index.php?page=3


11. Enterprise Security Issues
---------------------------

In today's world of high speed communications, of companies completely relying on the Internet for conducting business and increasing profitability, we have decided that there should be a special section for corporate security, where advanced and highly interesting topics will be discussed in order to provide that audience with what they are looking for - knowledge!

- Malware and our organization - what are we missing? -
Malware that used to be script kiddies' or newbies' best friend a couple of years ago has now turned into fast-spreading, vulnerability exploiting or mass mailing worms, scanning each and every computer out there with the ultimate goal of getting it infected and keeping on disseminating themselves. The purpose of this article is to briefly summarize various issues related to an organization's response to the growing and changing trends on the malware scene. Hopefully, it will give more insight to the managerial teams behind it, where the ultimate goal would be meeting tight budgets while significantly limiting the malware entering the organization's network.

---

How do organizations fight malware these days? Naturally, server and desktop anti-virus solutions are concerned, while the more adaptive companies go beyond that and even implement IDSs or innovative managerial strategies to deal with the problem. Where are you as an organization or business entity in this process?

Anti-Virus scanners are indeed a must-have, both for a multibillion organization and for the average Internet user who wants to take advantage of Internet downloads and visiting web sites. However, there's a well-known fact that's obviously not actively advertised, namely that server or desktop anti-virus scanners need to be regularly updated, and that they cannot detect the malware I just came up with a couple of hours ago, targeting especially your organization's structure or its vulnerable part - your staff members, the several unpatched machines left around, or everyone somehow connecting to your network to do their job. Even major Fortune 100 companies suffer from virus attacks, data disruption and business process delays, which can be pretty costly sometimes.

There's something else to point out here - it's the productivity of your work force, the so called mobile users, your B2B partners, and everyone somehow having access to your external/internal network.
That productivity leads to many and various potential malware infections, dissemination techniques and often underestimated entry points into your organization. Businesses don't care about different anti-virus evasion techniques. They care about the continuity of the business process while taking advantage of the latest IT and E-business innovations. Namely, they want a clear ROI, something that cannot really be measured, although there's been quite a lot of ROSI (Return on Security Investment) research lately. On the other hand, security professionals are having a hard time trying to justify yet another complicated security budget, using desperate strategies such as cyberterrorism (terribly wrong) in order to persuade the management. That is why the majority of organizations go for companies that promise 100% security (you wish!), making it even worse, simply because you cannot achieve 100%, no matter what. Live with that and try to achieve the ultimate 99%! The 1% left is the uncertainty you work with while making each of your investments.

So what to do about it? Make sure your security professionals have, or at least gain, basic knowledge of today's business processes, so that they can be more adaptive before recommending the next commercial IDS solution costing a couple of thousand. When it comes to creativity and enterprise-wide malware protection, they're the ones you should be asking for advice, not a company's sales representative. Basically, they're your consultants, aren't they? A reliable security strategy consists of both technical and human-related security measures that are reviewed every month to ensure they meet today's changing malware and security trends. Although your organization is still caught between kids experimenting and launching worms in the wild, the majority of serious malware is now dominated by today's crime rings, both offline and online. Rethink your strategies, starting with the following:

Who's our weakest link?
Don't think that end-user education refers to everyone in the same way. Just as there are different types of malware, there are also different types of individuals, joining the company at different times and having varying levels of computer and security knowledge. Note that each of them will probably get a newly created mailbox - yet another entry point. You might have Denise, an active Internet user for the past 5/6 years. She's seen a lot: she has experienced several HDD crashes and virus infections; she has even had her Internet connection upgraded a couple of times. On the other hand, you have Johnny, who's nothing more than an active chatter and Googler. Namely, he's used to taking advantage of ADSL, streaming media and the rest of the goodies, while he still takes every email (spam, malware, phishing) he receives personally. He doesn't use SSL so he can log in as fast as possible, and still thinks "I have nothing of value to hackers".

The differences between these individuals require different approaches to their education. The newcomer is usually exposed to the entire multitude of today's worms, while the old user would definitely spot the most obvious ones. A newly created mailbox caught by malware or a spammer is going to be "treated" in a very different way compared to those they already have somewhere in their databases. Age-old malware techniques still find ways to target especially the fresh mailboxes.

Password-protected zip files represent a threat to any organization. Why? Because they cannot be scanned. I especially "enjoyed" a recent password-protected 0-day malware I got, and the fact that the author made sure the password was secure enough not to be brute-forced, even for a .zip archive. Know who's aware and who's not; measure, implement, and then evaluate and make changes to your educational approach.

A great deal of recent and past virus screenshots can be found at the following URL, courtesy of F-Secure.
These could be very handy when presenting different types of malware in your security awareness course and aiming to show some real-life images of a specific malware:
http://www.astalavista.com/?section=dir&act=dnd&id=3748

Early Warning Systems

EWSs don't have to mean purchasing worm-catching products or regularly updated vulnerability databases. These might actually be regularly updated by some of the product vendors for your current solutions. The best EWS happens to be, again, your security professionals. Waiting for a patch to be released and having even a couple of systems unpatched, combined with today's ultra-fast-spreading malware, will result in the worms finding them by the time you manage to scan your entire infrastructure. Don't let yourself be stuck waiting for your vendor to update its signatures or vulnerability database, and don't get fooled by companies offering you such services. It's all a matter of vigilance, and if well motivated and financially supported, your workforce could implement a very handy in-house EWS.

Do you want to know who's attacking you?

Although this might seem a bit of an obvious question, it should be noted that attackers definitely don't use their own hosts to directly attack yours. Namely, all you'll end up having is information on whose network out there is most insecure and has worm-infected PCs, and which country is most actively contributing to the dissemination of malware.

Consider Microsoft's recent confirmation that the patch released two months ago, addressing the vulnerability that allows Windows Media Player .wmp files to spread malware, is NOT working.
http://www.eweek.com/article2/0,1759,1771220,00.asp?kc=EWRSS03129TX1K0000614

There are often situations where a very practical, non-patch and non-commercial solution is just around the corner.
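The password-protected archive problem raised above, and the kind of practical in-house control the previous sentence hints at, as an added example (this is not code from the newsletter or from any product it mentions): a small attachment screen of the sort a mail gateway could run, which quarantines attachments carrying blocked or double extensions and flags zip entries whose encryption bit is set, since those cannot be scanned by the anti-virus engine. The blocked-extension list and the sample attachments are constructed for the illustration; because Python's zipfile module cannot write encrypted archives, the encrypted sample is built by setting the encryption flag in the zip headers by hand.

```python
import io
import zipfile

# Constructed policy for the example: extensions a gateway would quarantine.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".cmd", ".com", ".vbs", ".js"}


def extensions(filename):
    """All dotted suffixes of a filename, lower-cased, so that
    'invoice.pdf.exe' yields ['.pdf', '.exe'] and double extensions are caught."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]]


def is_encrypted(info):
    """Bit 0 of the general-purpose flag marks an encrypted zip entry."""
    return bool(info.flag_bits & 0x1)


def inspect_attachment(filename, data):
    """Classify one attachment; returns ('allow' | 'quarantine', [reasons])."""
    reasons = []
    exts = extensions(filename)
    if any(e in BLOCKED_EXTENSIONS for e in exts):
        reasons.append(f"blocked extension in {filename}")
    if exts and exts[-1] == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if is_encrypted(info):
                        reasons.append(f"encrypted entry {info.filename} cannot be scanned")
                    if any(e in BLOCKED_EXTENSIONS for e in extensions(info.filename)):
                        reasons.append(f"blocked extension inside archive: {info.filename}")
        except zipfile.BadZipFile:
            reasons.append(f"{filename} is not a valid zip archive")
    return ("quarantine" if reasons else "allow", reasons)


def make_zip(entries, encrypted=False):
    """Build an in-memory zip from {name: bytes} (constructed test data).
    Python's zipfile cannot write encrypted archives, so for the encrypted
    sample we set bit 0 of the general-purpose flag in every local and
    central-directory header by hand; the payload stays plain, which is
    enough to exercise the gateway's flag check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    raw = bytearray(buf.getvalue())
    if encrypted:
        # Flag field sits at offset 6 in a local header, offset 8 in a central one.
        for signature, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(signature)
            while pos != -1:
                raw[pos + offset] |= 0x01
                pos = raw.find(signature, pos + 4)
    return bytes(raw)


# Constructed sample message: four attachments of the kinds discussed above.
SAMPLE_ATTACHMENTS = [
    ("report.pdf", b"%PDF-1.4 constructed sample"),
    ("invoice.pdf.exe", b"MZ constructed sample"),
    ("photos.zip", make_zip({"holiday.jpg": b"constructed"})),
    ("details.zip", make_zip({"details.doc.scr": b"constructed"}, encrypted=True)),
]


def screen_message(attachments=SAMPLE_ATTACHMENTS):
    """Run the policy over every attachment; returns {filename: (verdict, reasons)}."""
    return {name: inspect_attachment(name, data) for name, data in attachments}


if __name__ == "__main__":
    for name, (verdict, reasons) in screen_message().items():
        print(f"{verdict:10} {name}  {'; '.join(reasons)}")
```

The screen deliberately does not try to open encrypted entries: the point of the check is that an entry the scanner cannot read should be quarantined and handed to a human, not passed through because no signature matched.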
Using freeware tools, Internet communities' distributed IDSs and spyware-monitoring web sites, plus a couple of file-type extension tweaks and in-house spam filtering techniques, will reduce, if not completely eliminate, 98% of all known malware. The rest should be dealt with by looking for patterns and responding to an ongoing threat on a network-wide basis. Namely, ensure that every PC connected to the network is secure by default.

Internal trends analysis

Knowing how your users use your network, which are the most visited web sites, and which are the most received and sent file types will definitely assist you when working out the network-based (firewalls, ACLs) and human-based security measures to be implemented. Based on the information known, static host- and IP-based lists of trusted web sites like cnn.com, finance.yahoo.com etc. could be built up, while blocking Active Content on the majority of unknown or untrusted web sites. Although this topic is out of the scope of this article, we always assume that cnn.com and finance.yahoo.com could never spread malicious content, but that Geocities and other non-resolvable web sites represent a threat to the company, as well as that our DNS infrastructure is working perfectly fine. The more you know about your work force's habits, the easier it will be for you to tailor the company's malware policy towards them.

This article briefly provided a company's management with various insights on how to improve their current malware strategies. Hopefully, it will be taken into account while making security investments, approving security budgets and providing security staff members with incentives, which do not necessarily have to be monetary. In future issues of Astalavista Security Newsletter, we'll be covering the threats posed by the mobile workforce.

12.
Home Users' Security Issues
----------------------------

Due to the high number of e-mails we keep getting from novice users, we have decided that it would be a very good idea to provide them with their very own section, discussing various aspects of Information Security in an easily understandable way, while, on the other hand, improving their current level of knowledge.

- 2005 - are we heading straight to 1984? -

It is somehow ironic how, back in 1949, George Orwell envisioned the total surveillance society of 1984, and while it partly happened in a number of communist-ruled countries, today's Internet, ADSL connections, mobile phones, video streaming, picture sharing etc. are the KGB's dream come true! After the 9/11 attacks the intelligence community (both big players and local governments) shifted - now they have the excuse and, most of all, the public support we all directly or indirectly provided them with, starting with the idea of feeling safe from future terrorist attacks - what were we thinking?

Why should you care?

Whenever using a cash machine, you do your best to ensure your privacy, as you do when you're in a dressing room, or when chatting or sending sensitive information like personal or company documents, pictures and other multimedia. This is where the main problem is - the Internet is thought to be an anonymous method of communication where you could hide behind a nickname or an email address, while the truth is that it isn't. The same goes for your mobile phone conversations and, even worse, your VoIP ones, too. These days there's too much personal data collected. Doesn't it bother you to know that Google keeps track of each of your searches (associated with your old or new cookie) up to 2038? Doesn't it bother you to know that even though emails are deleted from Gmail, they're actually retained for an unknown period of time (read Gmail's Privacy Policy)? Huge companies storing large amounts of personal data, like ChoicePoint, are often victims of attacks.
Can you trust them to handle it properly? Right now, over the Internet and over any telecommunications network, there are huge efforts for the interception of what is believed to be traffic of interest, or of the entire traffic flow based on certain criteria. Don't accept the feeling of security when it actually threatens your privacy, because privacy shouldn't be sacrificed for security, and just because you aren't doing anything illegal (which is a pretty contradictory statement in today's globalized world) doesn't mean you shouldn't care how your personal information is treated. We're all members of our society when our society takes care of us, or when we're in favour of its (thought to be) socially oriented activities. But we all disregard it, or start having concerns about it, when it doesn't meet our expectations; then we feel somehow abused and hopefully want to make a change, while not turning into privacy paranoids. Anyway, healthy scepticism is always your best friend.

What to do about it?

Encrypt, encrypt, encrypt; avoid plain-text communications; know how the local government is "taking care" of your security with respect to your privacy; spread the word! It's pretty simple - the more you know about technology, the more you care about privacy; the more you know about databases, advertising and intelligence, the more motivated you are to make other people aware. Read privacy policies, educate yourself; cookies that expire in 2038 are definitely not your friends when you live at Google. And never forget that there's no such thing as a "free lunch"! If there is, where's my lunch?
Further privacy-oriented papers and tools can be located at:

http://www.astalavista.com/?section=dir&cmd=file&id=3677
http://www.astalavista.com/index.php?section=dir&cmd=file&id=2323
http://www.astalavista.com/index.php?section=dir&cmd=file&id=1509
http://www.astalavista.com/index.php?section=dir&cmd=file&id=2891
http://www.astalavista.com/index.php?page=96
http://www.astalavista.com/index.php?section=dir&cmd=file&id=1376
http://www.astalavista.com/?section=dir&cmd=file&id=3723
http://www.astalavista.com/index.php?section=dir&cmd=file&id=3692
http://www.eff.org/
http://www.epic.org/

Educate yourself, don't be naive, know who you can really trust, speak for yourself and support free speech, or turn yourself into yet "Another Brick in The Wall", where Big Brother is at both sides of the wall.

13. Meet the Security Scene
------------------------

In this section you are going to meet famous people, security experts and all personalities who in some way contribute to the growth of the community. We hope that you will enjoy these interviews and that you will learn a great deal of useful information through this section.

In this issue we have interviewed Björn Andreasson from http://www.warindustries.com/

Your comments are welcome at security@astalavista.net

------------------------------------------------

Interview with Björn Andreasson, http://www.warindustries.com/

Astalavista : Hi Björn, would you please introduce yourself and share some more information about your background in the security world?

Björn : My name is Björn "phonic" Andreasson and I live in Sweden; I'm turning 22 this year. I've been a part of the so-called "underground" since the age of 14, which gives a total of 8 years. I got my first computer at the age of 13 and I quickly got involved in Warez as my uncle showed me some basic stuff about the internet.
After a while I realised Warez websites were "uncool" because of all the popups, porn ads, only trying to get as many clicks on your ads as possible to earn enough money to cover your phone bill. So, there I was viewing the Fringe of the web (www.webfringe.com) and I found all those wonderful h/p/v/c/a websites, which caught my eye. I knew I could do better than most of these guys as I had a lot of experience from the Warez scene - I knew how to attract visitors quickly. The first version of War Industries I believe was a total ripoff from Warforge.com as I didn't know better at the age of 15/16; I quickly understood this wasn't the way to do it, so I made my first version of the War Industries and I might add it looked VERY ugly as I recall it :) From there I have had several designers making new versions, trying to improve it, and I believe we've achieved that goal now. It should be mentioned that between 2000 and 2003 War Industries was put on ice as I couldn't cover the expenses, so it was only me and a friend keeping the name alive until 2003, when I relaunched the website and turned it into what it is today (Badass). I've also been a part of the Progenic.com crew as well. As for the Blackcode.com crew, it was practically my work that made BC famous because I sent a shitload of hits to it back in '99, when WarIndustries received 4,000 unique hits on a daily basis. I also owned www.icqwar.com, which held only ICQ war tools, some of my own creation, very basic but handy. The site had 3,000 unique hits on a daily basis after only one week online. After four weeks I got a letter from AOL to give up the domain name or be sued. What could I do? 16 years old, of course, I gave it away! Well, that's pretty much my story.

Astalavista : WarIndustries.com has been around since 1998; nice to see that it's still alive. What is the site's mission, is it hacking or security oriented? Shall we expect some quality stuff to be released in the future, too?
Björn : WarIndustries can't really be placed anywhere. It's either black, gray or white hat; I'd say we're a mix with a touch of them all. Our focus is to enlighten people in the means of programming, getting them to know Google as their best friend. We've released a couple of video tutorials which are very popular because they make things so easy. We're going to release a couple of new ones soon, as soon as we get around to it, as most of us have jobs and other stuff to attend to. Don't miss out on our brand new T-shirts coming up in a month! If you're something, you've got to have one of those!

Astalavista : What do you think has changed during all these years? Give a comparison between the scene back in 1998 as you knew it and today's global security industry, and is there a scene to talk about?

Björn : I'd say people are way more enlightened today. Back in '98 you could pretty much do anything you liked without getting caught. Today you can't even download Warez without getting into problems. I'd say there's a scene, but very different from the oldschool I know. I am trying not to get involved and I have my own way. Maybe that's why WarIndustries is so popular.

Astalavista : Is Google evil, or let's put it this way, how can Google be evil? Why would Google want to be evil and what can we do about it if it starts getting too evil?

Björn : Google is not evil, Google is your best friend!

Astalavista : Give your comments on Microsoft's security ambitions, given the fact that they've recently started competing in the anti-virus industry. They even introduced an anti-spyware application - all this coming from MS?

Björn : If it wasn't for Microsoft, there wouldn't be viruses, so I'm blaming them for writing crap software. Why do they always leave a project unfinished and start another one? I mean Windows XP is working fine, why Longhorn? Why can't they make XP totally secure, like OpenBSD, where there hasn't been a remote root exploit for many years, as far as I've heard?
That's security! If I didn't know better, I'd say MS is writing low-quality software so they can get into the anti-virus scene and make even more profits!

Astalavista : Recently, the EU has been actively debating software patents. Share your thoughts on this and the future of open-source software?

Björn : I can't make up my mind when it comes to Open/Closed source. There are benefits on both sides. Open source is fixed much quicker, but also discovered way more often than closed. This is my opinion.

Astalavista : In conclusion, I would really appreciate it if you shared your comments about the Astalavista.com site and, particularly, about our security newsletter?

Björn : Actually, I haven't checked out Astalavista that much. I have known of it for many years but I never got around to it. I promise I'll check it out!

Astalavista : Thanks for your time, Björn!

14. Security Sites Review
----------------------

The idea of this section is to provide you with reviews of various highly interesting and useful security or general IT-related web sites. Before we recommend a site, we make sure that it provides its visitors with quality and unique content.

- Bleedingsnort.com -
http://www.Bleedingsnort.com/
Bleeding Snort is a regularly updated web site providing various Snort-related rulesets, recommended!

- Benedelman.org -
http://www.Benedelman.org/
Benjamin Edelman's web site, outstanding research on spyware and Internet filtering efforts by governments worldwide, plus much more.

- Majorgeeks.com -
http://www.Majorgeeks.com/
"Major Geeks.com - Feel the Geek.. BE the Geek!"

- Networksecuritytech.com -
http://www.Networksecuritytech.com
Network Security Forums - What do you want to know today?

- Blackhat.be -
http://www.Blackhat.be/
Crewl underground madness (cum) is a Belgian group of computer enthusiasts specialized in network (in)security, hacking, coding and phreaking.

15.
Final Words
------------

Dear readers,

Thank you for the invaluable feedback, for all the great comments as well as for the remarks, and, of course, for spreading the word about our newsletter. We're actively working on a couple of new weekly updated sections at Astalavista.com. They will be online within the next several weeks, with the idea of providing you with qualified security content. Until then, keep on exploring, because knowledge means power!

Editor - Dancho Danchev
dancho@astalavista.net

Proofreader - Yordanka Ilieva
danny@astalavista.net