|------------------------------------------|
|- Astalavista Group Security Newsletter  -|
|- Issue 6                    12 May 2004 -|
|- http://www.astalavista.com/            -|
|- security@astalavista.net               -|
|------------------------------------------|

- Table of contents -

[01] Introduction
[02] Security News
     - TCP Flaw Threatens Net Data Transmissions
     - Multinational team cracks crypto puzzle
     - OS X Trojan Horse Is a Nag
     - DOD decentralizes Wi-Fi
     - Exploit for Windows SSL Flaw Circulating
[03] Astalavista Recommends
     - Penetration Testing - A Sample Report
     - Wireless Lan Security in Depth
     - An Overview of Common Programming Security Vulnerabilities and Possible Solutions
     - Sebek - a Kernel Based Data Capture Tool
     - Unix Password Security
     - Ethical Hacking - Penetration Testing
     - Network Security Basics
     - Stealing Passwords Via Browser Refresh
[04] Site of the Month - Global Intelligence News Portal - http://mprofaca.cro.net/
[05] Tool of the month - Warez P2P Tool
[06] Paper of the month - Internet Worms
[07] Free Security Consultation
     - I wonder if my ISP...
     - My kids are actively using the Internet and...
     - Whenever I give out my e-mail...
[08] Enterprise Security Issues - The Nature of the Game - Hackers' Attack Strategies and Tactics Part 1
[09] Home Users Security Issues - Protecting from Spyware
[10] Meet the Security Scene - Interview with Mr.Yowler, http://www.cyberarmy.com/
[11] Security Sites Review - Dsinet.org - CGISecurity.com - Cryptome.org - eBCVG.com - Dailyrotation.com
[12] Astalavista needs YOU!
[13] Astalavista.net Advanced Member Portal Promotion
[14] Final Words

01. Introduction
------------

Dear Subscribers,

Welcome to Issue 6 of Astalavista's Security Newsletter! In this issue of our newsletter you are going to read an interesting article about the nature of hacking and security, get updated on the latest security events worldwide, browse through unique files and security content, and read an interview with MrYowler from Cyberarmy.com.
Thank you for your interest and all the e-mails we keep receiving.

Astalavista's Security Newsletter is mirrored at:

http://www.cyberarmy.com/astalavista/
http://packetstormsecurity.org/groups/astalavista/

If you want to know more about Astalavista.com, visit the following URL:

http://astalavista.com/index.php?page=55

Previous Issues of Astalavista's Security Newsletter can be found at:

http://astalavista.com/index.php?section=newsletter

Editor - Dancho Danchev
dancho@astalavista.net

Proofreader - Yordanka Ilieva
danny@astalavista.net

--- Thawte Crypto Challenge V ---

Crypto Challenge V Now Live! Pit your wits against the code – be the first to crack it and win an Archos Cinema to Go. Click here to grab the code and get started:

http://ad.doubleclick.net/clk;8130672;9115979;t

--- Thawte Crypto Challenge V ---

02. Security News
-------------

The Security World is a complex one. Every day a new vulnerability is found, new tools are released, new measures are made up and implemented, etc. In such a sophisticated scene we have decided to provide you with the most striking and up-to-date security news of the month, in a centralized section that also contains our personal comments on each issue discussed.

Your comments and suggestions about this section are welcome at security@astalavista.net

-------------

[ TCP FLAW THREATENS NET DATA TRANSMISSIONS ]

A flaw in the most popular communications protocol for sending data on the Net could let attackers shut down connections between servers and routers, according to an advisory released Tuesday by Britain's National Infrastructure Security Co-ordination Centre (NISCC). The advisory is based on security research that Paul Watson plans to present at the CanSecWest 2004 conference this week, and apparently had been released a day early by the NISCC, according to the conference organizer. Watson, who runs a pro-hacking blog at Terrorist.net, could not be reached for comment.
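The arithmetic behind the advisory, as an added example that is not part of the newsletter or of Watson's research: the acceptance test is the one RFC 793 specifies (a segment is accepted if its sequence number falls anywhere in the receiver's window, modulo 2**32), the window sizes are assumed typical values, and the probe schedule (step through the sequence space one window at a time) is the obvious one. The function and variable names are mine.

```python
"""TCP reset attack feasibility (added example; not from the newsletter).

RFC 793 tells a receiver to accept a segment whose sequence number lies
anywhere in [RCV.NXT, RCV.NXT + RCV.WND) modulo 2**32.  A spoofed RST
therefore only has to fall inside the advertised window, not match the
exact next expected sequence number, so an attacker who knows the
connection's 4-tuple needs about 2**32 / window guesses instead of 2**32.
"""

SEQ_SPACE = 2 ** 32


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptance test for a data-less segment, with 32-bit wraparound."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def guesses_to_cover_space(rcv_wnd: int) -> int:
    """Spoofed RSTs needed to guarantee that one lands in a window of this size."""
    if rcv_wnd <= 0:
        raise ValueError("window must be positive")
    return -(-SEQ_SPACE // rcv_wnd)  # ceiling division


def reset_probe_sequence(rcv_wnd: int, start: int = 0):
    """Sequence numbers an attacker sends: walk the space one window at a time."""
    seq = start % SEQ_SPACE
    for _ in range(guesses_to_cover_space(rcv_wnd)):
        yield seq
        seq = (seq + rcv_wnd) % SEQ_SPACE


def first_hit(rcv_nxt: int, rcv_wnd: int, start: int = 0) -> int:
    """Index of the first probe the victim would accept as a valid reset."""
    for i, seq in enumerate(reset_probe_sequence(rcv_wnd, start)):
        if in_window(seq, rcv_nxt, rcv_wnd):
            return i
    return -1  # cannot happen: probes spaced one window apart tile the space


def seconds_to_cover(rcv_wnd: int, pps: int) -> float:
    """Seconds to sweep the whole space at a given packet rate (average case is half)."""
    return guesses_to_cover_space(rcv_wnd) / pps


if __name__ == "__main__":
    # Assumed window sizes for illustration: 65535 is the classic 16-bit maximum,
    # larger values come from window scaling.
    for wnd in (16384, 65535, 262144):
        n = guesses_to_cover_space(wnd)
        print(f"window {wnd:>7}: {n:>9} RSTs worst case, "
              f"{seconds_to_cover(wnd, 10_000):.1f}s at 10k pps")
    # Victim expecting sequence number 1,000,000 next; attacker starts probing at 0.
    print("first accepted probe index:", first_hit(1_000_000, 16384))
```

The point the numbers make is that the larger the advertised window, the fewer packets the attacker needs; a session that stays up for hours, such as a BGP peering, gives an attacker all the time required to walk the space, which is why the advisory singles out routers.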
More information can be found at:

http://news.com.com/2100-1002_3-5195909.html
http://www.securityfocus.com/advisories/6603

Astalavista's comments:

While this attack was discussed a long time ago, it has never been investigated the way it is now. The point is simple: a TCP receiver accepts a reset whose sequence number falls anywhere within its advertised window, not only one that matches the next expected sequence number exactly, so a spoofed RST needs far fewer guesses than the full 32-bit sequence space, and long-lived sessions such as BGP peerings between routers are the natural victims. Some ideas are so ingenious that they are downright obvious.

[ MULTINATIONAL TEAM CRACKS CRYPTO PUZZLE ]

RSA Security on Tuesday said that over three months of consistent effort helped a team of mathematicians from Europe and North America solve the company's latest encryption puzzle. The multinational team of eight experts used about 100 workstations to crack the code that won them a $10,000 prize. The contestants' task was to find the two prime factors of a 576-bit "challenge" number, one of the eight such numbers that make up RSA's factoring contest; the difficulty of recovering those factors is what the security of an RSA key rests on. RSA's contest is designed to test the practical strength of the key lengths used for electronic security. The competition is intended to encourage research into computational number theory and the practical difficulty of factoring large integers.

More information can be found at:

http://zdnet.com.com/2100-1105-5201037.html

Astalavista's comments:

To all the brainy readers: participating in a Crypto Challenge is fun, and all you can lose is the chance to show the world how smart you are :)

[ OS X TROJAN HORSE IS A NAG ]

Security experts on Friday (9th April) slammed security firm Intego for exaggerating the threat of what the company identified as the first Trojan for Mac OS X. On Thursday, Intego issued a press release saying it had found OS X's first Trojan Horse, a piece of malware called MP3Concept or MP3Virus.Gen that appears to be an MP3 file. If double-clicked and launched in the Finder, the Trojan accesses certain system files, the company claimed. Mac programmers and security experts accused the company of exaggerating the threat to sell its security software.
More information can be found at:

http://www.wired.com/news/mac/0,2125,63000,00.html?tw=wn_story_top5

Astalavista's comment:

Proactive measures are very important, but alarming the public over something like this can fairly be called an exaggeration. Making a profit out of proof-of-concept code that is not yet in the wild is not exactly what serious customers are looking for.

[ DOD DECENTRALIZES WI-FI ]

The Defense Department's new Wi-Fi policy seeks help from many of its agencies to ensure that their employees and contractors use caution when operating wireless computer devices at military installations. It mandates that military and industry officials do not use wireless devices to store, process or transmit classified information without approval from the various agencies and department officials. Deputy Defense Secretary Paul Wolfowitz issued the directive on April 14 under the title "Use of Commercial Wireless Devices, Services, and Technologies in the Department of Defense Global Information Grid."

More information can be found at:

http://www.fcw.com/fcw/articles/2004/0426/web-wifi-04-26-04.asp

Astalavista's comment:

Keeping sensitive data as secret as possible is the right direction. The question is how well the policy will be implemented, and whether anyone will be watching when someone fails to follow it.

[ EXPLOIT FOR WINDOWS SSL FLAW CIRCULATING ]

Exactly a week after Microsoft announced an SSL vulnerability affecting key Windows products, malicious hackers unveiled exploits that could lead to widespread denial-of-service attacks. The exploit code, described in the underground as the "SSL Bomb," could allow specially crafted SSL packets to force the Windows 2000 and Windows XP operating systems to block SSL connections. On Windows Server 2003 machines, the code could cause the system to reboot, security experts warned.
More information can be found at:

http://www.internetnews.com/dev-news/article.php/3343011

Astalavista's comment:

The next step is usually a worm in the wild. We hope it does not happen this time, but the pattern keeps repeating itself.

03. Astalavista Recommends
----------------------

This section is unique in its idea and in the information included within it. Its purpose is to provide you with direct links to various white papers covering many aspects of Information Security. These white papers are defined as a "must read" for everyone interested in deepening his/her knowledge in the security field. The section will keep on growing with every new issue.

Your comments and suggestions about the section are welcome at security@astalavista.net

" PENETRATION TESTING - A SAMPLE REPORT "

One of the most comprehensive penetration testing sample reports we've come across
http://www.astalavista.com/media/files/1197.pdf

" WIRELESS LAN SECURITY IN DEPTH - BY CISCO SYSTEMS "

A detailed approach to building secure Wireless LAN networks
http://www.astalavista.com/media/files/safwl_wp.pdf

" AN OVERVIEW OF COMMON PROGRAMMING SECURITY VULNERABILITIES AND POSSIBLE SOLUTIONS "

A thesis, quite thorough, with a lot of examples

" SEBEK - A KERNEL BASED DATA CAPTURE TOOL "

Watch the attacker without them noticing you; recommended reading
http://www.astalavista.com/media/files/sebek.pdf

" UNIX PASSWORD SECURITY "

Rather old, but it still gives you an insight if you're not aware of how Unix passwords work
http://www.astalavista.com/media/files/pwseceng.pdf

" ETHICAL HACKING - PENETRATION TESTING "

A comprehensive report giving you an insight into what Ethical Hacking and Penetration Testing are
http://www.astalavista.com/media/files/ethical_hacking___penetration_tests.pdf

" NETWORK SECURITY BASICS "

This document provides information on everything you ever wanted to know about Network Security
http://www.astalavista.com/media/files/network_security_basics.pdf

" STEALING PASSWORDS VIA BROWSER REFRESH "

Discusses techniques for stealing passwords via browser refresh; recommended reading
http://www.astalavista.com/media/files/stealing_passwords_via_browser_refresh.pdf

04. Site of the month
------------------

Global Intelligence News Portal - Intelligence, espionage, military, government news and resources
http://mprofaca.cro.net/

05. Tool of the month
------------------

Warez P2P v2.0

Warez is a spyware-free file-sharing program. Search for and download your favorite music and video files shared by other users on a free peer-to-peer network.
http://client.warez.com/dl

06. Paper of the month
-------------------

Internet Worms

A paper discussing various algorithms for simulating and optimising worm propagation
http://www.astalavista.com/media/files/wormpropagation.pdf

07. Free Security Consultation
--------------------------

Have you ever had a security-related question but weren't sure where to direct it? This is what the "Free Security Consultation" section was created for. Due to the high number of security-related e-mails we keep getting on a daily basis, we have decided to initiate a service free of charge and offer it to our subscribers. Whenever you have a security-related question, you are advised to direct it to us, and within 48 hours you will receive a qualified response from one of our security experts. The questions we consider most interesting and useful will be published in this section. Neither your e-mail nor your name will appear anywhere.

Direct all of your security questions to security@astalavista.net

Thanks a lot for your interest in this free security service; we are doing our best to respond as soon as possible and provide you with an accurate answer to your questions.

---------

Question: Hello Astalavista, with all the surveillance stories I keep coming across online, I was wondering to what extent I can be monitored by my ISP, even if I use encryption?
Also, how can I be sure that they're not monitoring what I do online?

---------

Answer: Using encryption protects the confidentiality of your data, and using an encrypted channel when surfing the net (SSL, for example) improves your privacy. Even with SSL, however, your ISP can still see which hosts you connect to, when, and how much traffic you exchange; encryption hides the content of a connection, not the fact that it took place. Your ISP probably has no intention of watching you unless they suspect you are abusing the service they offer, but to answer your question: the major ISPs keep logs for quite a long time. Some do it without a particular reason, others because they want to be able to assist in forensic activities in case your account has been used to commit illegal acts. You can never be 100% sure they are not monitoring you, because with the way the Internet works it is always possible to be monitored by someone; even the "stealthed" proxy you use might itself be under surveillance. But ask yourself: do you really want that level of anonymity and, most importantly, why?

---------

Question: Hi, thanks for your newsletter. I wanted to know how I can protect my kids while they use the Internet. Something else: sometimes I'm away and I would like to know what they're doing while they're online. I have several content filters on my Internet Explorer, but I want to be sure they're not doing anything wrong.

---------

Answer: You're welcome. Consider the following: would you follow your kids each time they go out, with the idea of protecting them, instead of teaching them how to behave, or, let's put it this way, what is good and what is bad? I doubt it, but I think you believe that the same thing can be done very conveniently on your computer, and you would be right.
But you can teach them how to behave while using the Internet without snooping on them all the time. Anyway, here is the software I recommend if you still intend to use your approach:

http://www.keyloggers.com/

--------

Question: I cannot manage to handle all the spam I get every day. I often subscribe to newsletters; do you think it's because of that? Even when I keep changing my e-mail, I keep getting an enormous amount of spam (compared to my friends). What can I do about it? Something else I was interested in: is it possible to get infected with a trojan/worm by viewing/opening a spam message?

--------

Answer: Spam has become such a natural part of the Internet that you will probably never be able to eliminate it completely. I think the root of your problem is that you give your e-mail address to every newsletter you see out there, which is a mistake. It does not take much time to tell a trusted site from an untrusted one. Moreover, never give your personal e-mail address there; instead, create another one especially for newsletters. As for infection: merely viewing a plain-text spam message is unlikely to infect you, but an attachment, or an HTML message that exploits a flaw in your mail client, certainly can, and the mass-mailing worms of the past year spread exactly that way. So watch the kind of mails and attachments you receive.

08. Enterprise Security Issues
--------------------------

In today's world of high-speed communications, of companies completely relying on the Internet for conducting business and increasing profitability, we have decided that there should be a special section for corporate security, where advanced and highly interesting topics will be discussed in order to provide that audience with what they are looking for - knowledge!

The Nature of the Game
Part 1

By MrYowler
mryowler [at] cyberarmy.com
http://www.cyberarmy.com/

This text strives to be a frank and straightforward discussion of hacker attack strategy and tactics and, if I have time, motivations and ethics. This will not be a 'how-to', nor will the focus be placed on implementation; this is a general overview, aimed at describing how and why a hacker targets the various elements of a network.

The Target:

A network is composed of a great number of parts; many tend to escape the notice and control of the individual or group responsible for maintaining its security. The basic components of a network include hosts, transmission media, services, communications protocols, data, and users. Each of these components represents a potential vulnerability, depending upon what the attacker wants and what the defender focuses on while protecting.

Hosts:

Networks are built upon trust relationships between hosts. By penetrating an individual host, an attacker can often gain access to otherwise unavailable services on some larger portion of a network. In the following network example, a fairly typical target configuration, it is possible to gain access to unencrypted shell services on all hosts merely by penetrating one of them. The firewall effectively blocks access to the telnet service from hosts outside the LAN; but since hosts inside the LAN are not blocked by the firewall, they can be used to access otherwise unavailable services. A common tactic used to exploit this situation might be to email a suitably configured Trojan Horse program to a user inside the network who is believed to be likely to run it. (An attacker using this attack would therefore also be targeting the destination user, and employing programming, network protocol, and social engineering tactics.)

Transmission Media:

Networks require transmission paths in order to enable communication between hosts and between users. Sometimes these take the form of network cable, telephone lines, or wireless media. The type of media has a significant impact upon the specific tactics which are employed against it, but general tactics are frequently media-independent.
In addition to standard MIJI tactics, transmission media are also subject to intelligence-gathering tactics.

MIJI:

MIJI tactics are typically used to perpetrate Denial-of-Service attacks, although the possible scope of tactics includes much more. MIJI is a communications security term referring to Meaconing, Intrusion, Jamming, and Interference; traditionally it relates to attacks upon communications systems, which might also be characterized as Denial-of-Service.

Intelligence-gathering:

By inserting himself into the transmission path of the data stream, the attacker can sometimes gather useful intelligence about the target network. Usernames, passwords, and data pass unencrypted or minimally encrypted across parts of a network.

Services:

Many services are designed with only cursory planning for security. Web, email, and Domain Name services are among the most popular and most commonly exploited services on the Internet today. A great number of services involve passwords, sensitive data, and trust relationships with little or no authentication. Few services in common usage employ sophisticated encryption techniques, where they employ any encryption at all. As a result, many services can be exploited to capture authentication and other sensitive data.

Communications Protocols:

Tied closely to services, communications protocols, from the application layer to the hardware layer, can be spoofed or manipulated to allow data to be intercepted, modified, or redirected. This is often where Denial-of-Service attacks, perpetrated using MIJI tactics, are most effectively applied.

Data:

Data can be acquired through communications protocol exploits, attacks upon services and server processes, examination of logs and databases, dumpster-diving, and social engineering of users, among other methods. Data is often precisely what network and system administrators are most interested in protecting, although sometimes there are operational processes to be protected as well.
(Financial and military operations are some reasonable operational system targets, for example.) Data is often well protected until it arrives at a trusted destination. These destinations are frequently the best targets for compromising data. Users, hosts, and databases are often the trusted targets. If the user or host can be compromised, then the data can be exposed. There are also electronic warfare tactics that can be used to expose data, as well as the old hacker standby, digging through garbage; it is truly amazing sometimes what people will throw away.

Users:

The most unstable and unreliable element of a system is generally the user. This makes the user the most vulnerable point of attack, and the most likely path to intrusion detection. Most elements of a network or system tend to follow well-documented, readily understood, and consistent rulesets. Users are the exception; while they can frequently be relied upon to follow logical reasoning paths, the factors which influence user behavior include numerous random, physiological, psychological, and unforeseeable elements. A skilled attacker can exploit the unreliability of the user through social engineering tactics, and by applying technical attacks that modify the user's perception of conditions, to change the user's behavior to suit the attacker's need.

The Attacker:

Attacker tactics vary not only according to the target, but also according to the attacker; in fact, some victims are actually selected entirely at random, or on the basis of opportunity. Hacker attack strategies come in a variety of forms: cryptographic, network protocol exploits, programming, brute-force, denial-of-service, and social engineering, to name a few. An attacker will often specialize in one or more of these areas, and this frequently has a noticeable effect upon the tactics that they will choose to employ in pursuing a target.

Cryptographic:

Defenders seek to protect data which they perceive to be valuable.
Since the defender is usually involved to some extent in the creation or use of the data, it stands to reason that they would have some knowledge of its importance. One of the most common ways to control access to valuable data is to encipher it, so that only the authorized users can decipher it. Cryptographic attacks rely upon the tendency of defenders to encipher data that they perceive to be valuable, and upon the tendency of the defender to be better equipped than the attacker to determine what is valuable. Common cryptographic attack tactics involve brute-force key searching; less common tactics may involve the exploitation of weak cryptographic algorithms, or may be combined with other tactics to find likely cipher keys. While it is reasonable to expect a cryptographic attacker to have a strong mathematical background, generally only the most skilled of such attackers do. Common attackers often rely upon simple or well-known cipher algorithms and systems, or they combine other tactics with cryptography to achieve results.

Network Protocol Exploits:

Network protocols are often inherently flawed in a variety of ways. Email and web data are traditionally transmitted with little or no encryption, and users, as well as the designers of systems based upon these protocols, typically do not give such issues much thought when implementing or using them. Sometimes users will trust a protocol simply because they are not aware of having experienced previous compromises, and they will often trust it with highly sensitive data. Email and the web are often used to carry significant financial information, as well as governmental and commercial data which, if closely examined, might well merit classification for reasons of national security.
Examples might include data regarding the schedules of people surrounding highly ranked governmental officials, or military unit members, whose planned activities might represent compromises of operational security when transmitted via email. The variety and types of exploits range as widely as the protocols themselves, and often, where one client or server is immune to a particular exploit, another might not be. Common examples of this include email clients which may or may not be HTML-enabled in various ways, web clients with client-side scripting languages, and chat clients which might be vulnerable to client 'booting' or 'punting', based upon errors in the way in which the client was programmed. Network protocol attackers will frequently be skilled system administrators or programmers, and will have spent some measure of time examining the specific target protocol and/or reading protocol documentation in order to expose the flaws which are their points of entry.

Programming:

This type of attack relies upon the insertion of malicious code into the processes of the target network. The most common form that this takes is the Trojan Horse program: a program which claims to do one thing but in fact does something completely different. While skilled programming attackers will often decry this implementation as beneath their dignity, the buffer-overflow tactics that mark a truly skilled attacker of this type amount to little more than causing a program that was designed to do one thing to do something else, just like a Trojan Horse. The difference is more a measure of degree than one of principle. An attacker who uses such devices as Trojans will typically need to combine this with some measure of social engineering in order to convince the target to accept the software that is used in the attack. A more skilled attacker will look for ways to enter through pre-existing software which is in fact installed for some other purpose.
Such attackers will often be skilled in one or more low-level languages, such as C or assembly language, and will generally target hosts, although on occasion programming attackers may combine with such tactics as protocol engineering to attack other elements of a network.

Brute-force:

Brute-force tactics generally come in two varieties: 'cracking' and 'known plaintext'. Data cracking usually involves the exhaustive search of an entire keyspace, although more skilled attackers will use various tactics to limit or prioritize the keyspace that they choose to search. Known plaintext attacks typically focus on key discovery by causing a set of known data to be enciphered, and then examining the enciphered data, as compared to the unenciphered data (or plaintext), to discern patterns. One relatively simple way to apply the 'known plaintext' tactic is to insert data into a target network by sending email to an SMTP mail server which uses cryptography to protect outgoing message data. By sending such mail to a non-existent recipient, the attacker can cause the mail to 'bounce', and presumably therefore receive the message returned to sender and enciphered by the mail server. The attacker now possesses both the original 'known plaintext' and an enciphered version of the same, in the form of the message returned to the sender.

Sometimes 'cracking' tactics are applied remotely in an attempt to gain entry to a remote system; this is usually referred to as 'password cracking', although when an encrypted password file is captured and cracked on the attacker's own system, 'data cracking' better describes the activity. To the defender, remote cracking often appears to be a denial-of-service attempt: to be successful, a great many attempts must usually be made, often straining the resources of the defending system and providing the same high profile of visibility that is typical of denial-of-service attacks.
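The two brute-force varieties described above, worked on a toy cipher. This is an added example, not code from the article or from CyberArmy; the repeating-key XOR cipher, the three-byte key, the attacker's knowledge of the key length, the plaintext model (lowercase letters and spaces), the wordlist and the sample message are all assumptions constructed for the demonstration. The known-plaintext function plays the role of the attacker who got his own message back from the 'bouncing' mail server; the ciphertext-only function plays the cracker who must search the keyspace, first with a prioritised list of likely keys and then without one.

```python
"""Brute-force and known-plaintext tactics on a toy cipher.

Added example; it is not from the article.  The cipher is a deliberately
weak repeating-key XOR, chosen here for illustration (an assumption, not
anything the article specifies), and the attacker is assumed to know the
key length.  The article's SMTP 'bounce' trick hands the attacker a
(plaintext, ciphertext) pair; recover_key_known_plaintext() shows what that
pair buys.  crack_ciphertext_only() shows the other variety: exhaustive
search of the keyspace, with a cheap prioritisation (likely keys first).
"""
import itertools
import string

# Plaintext model assumed by the oracle: lowercase letters and spaces only.
ALLOWED = frozenset(b"abcdefghijklmnopqrstuvwxyz ")
KEY_ALPHABET = string.ascii_lowercase.encode()


def xor_cipher(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key_known_plaintext(plaintext: bytes, ciphertext: bytes, key_len: int) -> bytes:
    """Known-plaintext attack: each key byte is plaintext XOR ciphertext at that position."""
    if min(len(plaintext), len(ciphertext)) < key_len:
        raise ValueError("need at least key_len bytes of matching plaintext")
    return bytes(p ^ c for p, c in zip(plaintext[:key_len], ciphertext[:key_len]))


def looks_like_text(candidate: bytes) -> bool:
    """Cheap plaintext oracle under the assumed plaintext model."""
    return bool(candidate) and all(b in ALLOWED for b in candidate)


def candidate_keys(key_len: int, wordlist):
    """Prioritised keyspace: dictionary words of the right length first, then every
    lowercase key of that length.  The wordlist is the attacker's guess at likely keys."""
    seen = set()
    for word in wordlist:
        key = word.encode()
        if len(key) == key_len and key not in seen:
            seen.add(key)
            yield key
    for combo in itertools.product(KEY_ALPHABET, repeat=key_len):
        key = bytes(combo)
        if key not in seen:
            yield key


def crack_ciphertext_only(ciphertext: bytes, key_len: int, wordlist=()):
    """Exhaustive search.  Returns (key, plaintext, attempts); key is None on failure.
    'attempts' is what the defender would see as traffic or log noise in an online attack."""
    attempts = 0
    for key in candidate_keys(key_len, wordlist):
        attempts += 1
        plaintext = xor_cipher(ciphertext, key)
        if looks_like_text(plaintext):
            return key, plaintext, attempts
    return None, None, attempts


# Constructed sample: a message the 'mail server' enciphered with a 3-byte key.
SAMPLE_KEY = b"key"
SAMPLE_MESSAGE = b"meet me at the old mill tonight and bring the documents"
SAMPLE_CIPHERTEXT = xor_cipher(SAMPLE_MESSAGE, SAMPLE_KEY)


def demo():
    """Run both tactics against the constructed sample and return the results."""
    # 1. Known plaintext: the attacker sent SAMPLE_MESSAGE and got the bounce back.
    key_kp = recover_key_known_plaintext(SAMPLE_MESSAGE, SAMPLE_CIPHERTEXT, len(SAMPLE_KEY))
    # 2. Cracking with a small prioritised wordlist (the real key happens to be in it).
    key_wl, _, tries_wl = crack_ciphertext_only(SAMPLE_CIPHERTEXT, 3, ["the", "and", "for", "key"])
    # 3. Cracking with no wordlist: the whole 26**3 keyspace, in lexicographic order.
    key_full, _, tries_full = crack_ciphertext_only(SAMPLE_CIPHERTEXT, 3)
    return key_kp, (key_wl, tries_wl), (key_full, tries_full)


if __name__ == "__main__":
    kp, (wl, t1), (full, t2) = demo()
    print(f"known plaintext recovered key {kp!r} from one (plaintext, ciphertext) pair")
    print(f"prioritised search found {wl!r} after {t1} attempts")
    print(f"unprioritised search found {full!r} after {t2} attempts")
```

The attempt counts are the point: one known-plaintext pair gives the key with no search at all, a good prioritisation finds it in a handful of tries, and the raw keyspace costs thousands, which is exactly the volume of traffic that makes an online cracking attempt look like a denial-of-service to the defender.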
Note that it is this type of tactic that inspires the heated and ongoing discussion about which word describes a network attacker best, 'hacker' or 'cracker'. Some argue that a 'hacker' can be more broadly defined as a programmer or even as a writer; others argue that network attacker tactics can extend well beyond 'cracking' tactics. This ongoing argument is covered later.

Denial-of-Service:

The underlying premise of a great number of defensive measures used in network security is that the attacker wishes to gain unauthorized access to some service. Invalidate this premise, and many of these defensive measures are invalidated with it. Denial-of-service attacks attempt to deny service to authorized users rather than attempting to gain access for unauthorized ones. Often, by denying access to a specific service, other services or network components become more accessible targets. An attacker who employs denial-of-service tactics usually does so either out of spite, or as a fall-back position from a frustrated desire to gain access. From that standpoint, a higher frequency of denial-of-service attacks might indicate a more successful security strategy; but then, the users are unlikely to congratulate the defender whose system falls to a denial-of-service attack rather than having its web site defaced. Fortunately, such attacks are generally very high-profile activities on the resources involved, and are generally rapidly identified and responded to. While there are some such attacks that can be particularly dangerous and effective, on the whole such tactics are easily defeated by an alert defensive staff.

Social Engineering:

This is perhaps the most insidious form of attack, since it tends to be the area which is most uncontrollable and generally poorly understood in the network security arena. Technically inclined people tend to choose their interest the way most people choose their interests: because they excel at it.
Computer-related skills often imply a sort of detail-oriented logical thinking that is atypical for modern social environments, and often fails to translate easily from the mind into most spoken languages. Computer security is typically perceived as a highly technical area of expertise, and as a result it is not surprising to find such people in this area. Consequently, it is not unusual to find 'characters' in this field: people whose personalities do not fit the societal norm. It is also not unusual, given the imprecise nature of most spoken languages and the highly logical and detail-oriented nature of the work, to find that verbal skills are often mutually exclusive with the technical background that is usually associated with network security. Hackers are often thought of as social outcasts and misfits, and there has traditionally been some reasonable basis for this assessment. The 'characters' involved in this sort of activity are often not socially accepted. Whether this is cause or effect is a matter of debate, but because of the social profile, both network security attackers and defenders are often poorly equipped to deal with tactics related to the social manipulation of users.

A skilled social engineer is very much akin to a good con artist. He is able to lie smoothly, and he is able to gain the confidence of his victims. Often, a mixture of truth is used to lend the attacker credibility. Sometimes an attacker will even use bald-faced, obvious fabrications to extract passionate responses from the target, and thereby borrow credibility from the target's reaction, from the perspective of otherwise impartial onlookers. These kinds of attackers are skilled at keeping their cool in the face of danger, crisis, or disaster, and have the ability to see a situation from the points of view of many of the people involved. They will often be capable of talking themselves out of a situation, even when caught red-handed by the defender(s).
A skilful social engineer is a rare and dangerous bird, and when such an individual successfully combines this with technical abilities, he is capable of operations on a global scale.

To be continued...

09. Home Users Security Issues
--------------------------

Due to the high number of e-mails we keep getting from novice users, we have decided that it would be a very good idea to provide them with their very own section, discussing various aspects of Information Security in an easily understandable way while improving their current level of knowledge. If you have questions or recommendations for the section, direct them to security@astalavista.net

Enjoy yourself!

Protecting from Spyware

What is Spyware?

Your anti-virus program won't detect it, your firewall may not completely stop it, and someone out there is secretly analyzing all of your online (and sometimes offline) activities and storing them for possible data-mining purposes; all of this because of spyware. Spyware can be described as software whose purpose is to collect demographic and usage information from your computer for advertising and marketing purposes. The process is hidden from your eyes; usually spyware is installed within the software you download, or it comes with the package you install. Once started, it will invade your privacy to a very high degree, compromising all of your online activities and manipulating your perception of the Internet by hijacking your search results and the web sites you try to visit.

How dangerous is it?

While still valuable for advertising and marketing purposes, the information gathered through web sites is limited compared to what can be gathered using spyware. Literally all of your online and offline activities can be reported and summarized to a centralized ad server.
Many spyware programs will download and install other programs on your computer, wasting your resources, slowing down your processes and sometimes acting like a trojan horse, or even like a keylogger. Certain spyware programs even have AutoUpdate functions through which they can download any software they want onto your computer, again without you knowing it. Quite a lot of people still ask: why should I worry about that? Although it can be argued whether it still exists or not, there is a word called Privacy, something you need to protect at any cost.

Why is Spyware used?

The biggest advantage of online marketing is its low cost and the instant access to results, which are sometimes more accurate than those of the traditional marketing methods. Imagine an MP3 player product; we've seen it before. Sometimes the majority of ads that appear on the sites you visit aren't related to any of your interests, but what if you start seeing ads that are specifically displayed to match your interests? It's not a coincidence; it's simply the fact that you have been identified in some way by the web site/network you have visited. Now imagine this network being part of another one, consisting of spyware agents; the result is web sites designed specifically for your interests.

But this is useful to me, how come?

Indeed, it would be, if the information wasn't stored in a database for data mining purposes, probably forever.

How can I check if there's spyware on my computer?

You can use these freeware products, which happen to be very useful and regularly updated:

Ad-aware - http://www.lavasoftusa.com/
SpyBot Search&Destroy - http://www.safer-networking.org/

Any sites discussing the topic?

You can find more information about spyware at:

http://www.cexx.org/adware.htm
http://www.spywareinfo.com/
http://www.spywareguide.com/

10. Meet the Security Scene
-----------------------

In this section you are going to meet famous people, security experts and all personalities who in some way contribute to the growth of the community. We hope that you will enjoy these interviews and that you will learn a great deal of useful information through this section. In this issue we have interviewed MrYowler from Cyberarmy.com

Your comments are appreciated at security@astalavista.net

------------------------------------------------

Interview with Mr.Yowler, http://www.cyberarmy.com/

Astalavista: Mr.Yowler, Cyberarmy.com has been online since 1998, and is a well known community around the net. But there are still people unaware of it; can you please tell us something more about the main idea behind starting the site, and what inspired you the most?

MrYowler: Well, I didn't actually start the site; that was Pengo's doing. I actually joined when CyberArmy had about 37,000 members, and I worked my way up the ranks, first by completing the puzzles, and later by participating in the community as one of its leading members. I was first put in charge back in 2002, and I bought the domain from Pengo and completely took over in late 2003.

CyberArmy is a community of 'hackers' of various skill levels and ethical colors. We focus primarily upon creating a peer environment in which 'hackers' can share information and ideas, and we accomplish that through our Zebulun puzzle and ranked forums, which serve to stratify discussion groups by comparative technical ability. We tend to focus on 'n00bs', largely because they are the group that has the most difficulty finding peer groups to become involved in, because they are the group that most often needs the technical and ethical guidance that CyberArmy provides, and because they are the group that is most receptive to this guidance.

I suppose that what I find most inspiring about the CyberArmy is its tendency to regulate itself.
People who are interested in 'hacking hotmail' tend to gravitate together, and not pester people who are not interested in it, and when they don't, the community rapidly takes corrective action on its own. This is a model that I would like to see extend to the rest of the Internet; spammers and kiddie-porn dealers should be possible to identify and remove from the networks without the necessity to monitor *everyone's* email, through some regulatory or enforcement organization that is largely unrepresentative of the users that it is chartered to protect.

I like that CyberArmy gives its members a reason to *think* about social ethics, and to decide upon what they should be, rather than to simply accept what is established, without reasoning. I find that to be a fundamental failing of modern society - that we frequently simply accept law, as the determinant of social ethics, instead of requiring law to be guided by them. When people use *judgement*, rather than rely solely upon law, then people are much more likely to treat one another with fairness. Externally imposed rules are for people who lack the judgement skills to figure out how best to behave, without them. And most rules, today, are externally imposed.

I believe that when people *think* about social ethics, it usually results in a moral fiber that is founded in an honest *belief* in the moral behavior that they come up with - and that this makes for infinitely better Internet citizens, than rules or laws that are supported only by a deterrent fear of reprisals. I think that such people usually come up with better behavior than the minimum standards that rules and law do, as well.

Astalavista: Cyberarmy runs a challenge - Zebulun, which happens to be a very popular one. How many people have already passed the challenge, and what are you trying to achieve with it besides motivating their brain cells?
MrYowler: About 200,000 people have participated in the Zebulun challenge, over the years, to one extent or another. Because the challenges are changed, over time (to discourage 'cheating', and to keep them challenging, during changing times), the definition of "passed the challenge" is somewhat variable. Approximately 300-400 people have completed all of the challenges that were available to them, to obtain the highest possible rank that one can reach, by solving the puzzles. That has traditionally been "Kernel" (the misspelling is an intentional pun) or "General", and it is presently "Kernel". At the moment, the Kernel puzzle seems to be too advanced, and will probably have to be changed. There are seven puzzles, and our intended target is that there should always be about a 2:1 ratio of players, from one rank to the next. This guarantees that the puzzles will be challenging to most players, without being discouraging.

Of course, we like encouraging people to learn. More importantly, I'm trying to get people to *think*. Anyone can become educated about technical systems; this only requires time and dedication to the task. And while that is an important thing to do, it is already heavily stressed in schools, and throughout most societies and cultures. Smart people know a lot of things. But this is not entirely true. Most smart people have come to realize that "knowledge is power" - but it is not the knowledge that makes them smart. As with static electricity, which is expressed only as voltage potential - until it strikes the ground as lightning - knowledge is not expressed as power, until someone *thinks*, and applies that knowledge to some useful purpose. Socrates was effectively an illiterate shoe-salesman (a cobbler), but he is considered a great philosopher, because he took the little bit that he knew about the world, and *thought* about it. Not only that, but he convinced others to think about it, as well.
Einstein was a mediocre mathematician and generally viewed as a quack, until his thinking was expressed in the form of nuclear energy. *Thought* is what separates the well-educated from the brilliant - and most successful 'hackers' rely much more upon *thought*, than upon an exhaustive understanding of the systems that they target. Not that having such knowledge isn't helpful... :)

I am trying to get people to *think* - not only about intrusion tactics, but also about defensive measures, motivations, risks, ethics, and about life in general. Too much of the world around us is taken for granted, and not questioned. Not thought about. I am trying to make the art of questioning and *thinking*, into a larger part of people's lifestyles.

Astalavista: How did the infosec industry evolve, based on your observations since 1998? Is it getting worse? What are the main reasons behind it? Crappy software or the end users' lack of awareness?

MrYowler: In its early years, the infosec industry was largely dominated by the mavericks - as is true with most developing industries. A few people dominated the profession, with their independence - it gave them the freedom to tell the business world how things should be, and to walk away, if the business world was unwilling to comply. Today, we see less of that, and while the industry is still largely dominated by such people, the majority of people whose job is to implement system security, are much more constrained by resource limitations.

Essentially, there are two groups of people in the defensive side of this industry; the policy-makers and the implementors. Policy-makers are usually corporate executives, CISOs, legislators, consultants, or otherwise figures of comparative authority, whose job it is to find out what is wrong with system security, and to come up with ideas about how to fix it.
Implementors are usually the ones who are tasked with implementing these ideas, and they are usually system or network administrators, programmers, security guards, or otherwise people whose influence on things such as budget and staff allocation, is insignificant. As a rule, the policy-makers make a great deal of money, establishing policies that they have very little part in implementing, and often these policies have a significant impact upon the work loads and environments of implementors. It is all well and good, for example, to decide that there will be no more use of instant messenger software in the workplace. Stopping it from occurring, however... while remotely possible, by employing purely technical measures, it is certainly not desirable or inexpensive. Even monitoring for it can require staff resources which are rarely allocated for the task, and the effect of draconian security measures - or penalties for non-compliance - is usually much more damaging to workplace productivity than the instant messengers ever were.

For some reason, policy-makers have abandoned the basic principle of system design; "involve the user" - and have limited themselves to requiring the support of executive management. Security policy is surprisingly cheaper, faster, and easier to achieve compliance with, when it also has the support of the rank-and-file members of an organization - and not the kind of support that is achieved by putting a professional gun to their heads, by requiring people to sign compliance agreements. Rather, the support that is achieved by giving the employees a sense of personal investment in the security of the system. User awareness is fairly easy to achieve, although users will tend to disclaim it, when caught in a violation or compromise.
Creating accountability documents, such as security policy compliance agreements, may combat these disclaimers; but the most truly effective approach is not to just tell the users and demand compliance - but to give the users a voice in it, and the desire to strive for it. In many cases, the users have excellent ideas about areas where system security falls down - and similarly excellent ideas about how to fix it. Policy-makers have to bridge the gap between themselves and implementors, or security will always be 'that pain-in-the-ass policy' which people are trying to find ways to work around. And instead of the draconian Hand of God, which appears only so that it can smite you down; security needs to become the supportive friend that you can always pick up the phone and talk to, when you have a question or a problem.

That having been said, there is another problem with modern security practices, that is worth giving some attention to... Because security has traditionally been sold to organizations, as a way to prevent losses that result from security compromises, these organizations have begun to assign values to these compromises, and these values determine the extent to which these organizations will go, to prevent them. While perfectly reasonable and sensible from a business perspective, these values are determined largely by educated guessing, and the value of a compromise can be highly subjective, depending upon who is making the assessment.

Remember - if your credit information gets into the hands of someone who uses it to print checks with your name on them, you could spend years trying to straighten out your credit with the merchants who accept these checks. It can impact your mortgage interest rates, or prevent you from getting a mortgage, at all - and it can force you to carry cash, in amounts that may place you in considerable personal danger.
The organization which pulls a credit report on you, to obtain this information, however, stands very little to lose from its compromise, since you are unlikely to ever determine, much less be able to prove, that they were the source of the compromise. So, what motivates them to guarantee that all credit report information is properly protected, destroyed and disposed of? What's to stop them from simply throwing it in the garbage? And what happens to it, if they go out of business, or are bought out by some other company? To what extent do they verify that their employees are trustworthy?

*This* is typically where security falls down. Remember; security is the art of protecting *yourself* from harm - not necessarily your customers, your marketing prospects, or anyone else. As a result, most of the effort to secure systems, goes into protecting the interests of the people who *operate* those systems - and not necessarily the users of them, or the data points that they contain information about. In many cases, legal disclaimers and transfers of liability replace actual protective countermeasures, when it comes to protecting things that *you* care about - and in still other cases, a lack of accountability suffices to make an organization willing to take a chance with your security, out of a commercial interest in doing so. Marketing entities often openly sell your information, or sell the use of your information to market things to you, and make no bones about doing so - after all, it's not their loss, if your information gets misused - it's yours.

This is a fundamental problem in information security, and for many of us it costs our personal freedom. The government needs access to all of our emails, without the requirement to notify us or get a warrant to access the information, because we might be drug dealers or child molesters. And I worry that some child molester will gain access to the information, through the channels that are made available to government.
Amazon.com stores our credit information, in order to make it easier for us to buy books through them, in the future - and I worry that all someone needs is the password to my Amazon.com account, to start ordering books on my credit card. Every time that I fill out an application for employment, I am giving some filing clerk access to all the information required, to assume my identity. That information is worth a great deal, to me - how much is it worth, to them? Enough to pay for a locking cabinet, to put it into? Enough to put it into a locked office? Enough to alarm the door? Enough to get a guard to protect the facility in which it is stored? Enough to arm the guard? Enough to adequately shred and destroy the information, when they dispose of it? Enough to conduct criminal background investigations on anyone that has access to the information? Or do they just get some general corporate liability insurance, and figure that it's an unlikely-enough circumstance, that even if it happens, and I'm able to trace it back to them, and make it stick, in court, that it's worth the risk of a nuisance liability lawsuit?

At its core, information security is failing, for at least these two reasons:

1) for all the talk that goes on, very little in the way of actual resources are devoted to information security; and,
2) people and organizations usually show comparatively little interest in anyone's security but their own.

Astalavista: Mr.Yowler, lately we've seen an enormous flood of worms in the wild; what do you think is the reason?

MrYowler: Firstly, these worms exploit errors in upper-layer protocols of networks and network applications. Because network applications are proliferating at an ever-increasing rate, the possible ways to exploit them are also increasing at this geometric rate - and people who are interested in exploiting them, therefore have more things to work with.
Secondly, there is a glut of information technology talent in the United States, perhaps thanks, in part, to the collapse of the Internet economy - and also, in part, thanks to the rush to outsource technology jobs to overseas entities. Additionally, third-world countries have been developing technical talent for some years, now, in an effort to become competitive in this rapidly-growing outsourcing market. This has created an environment where technical talent is plentiful and cheap - and often disenfranchised. In some cases, these worms are written by kids, with nothing better to do - and that has always been a problem, which has grown in a linear way, as more and more advanced technical education has begun to become available to younger and younger students. In other cases, this is the technical equivalent of "going postal", in which a disenfranchised technology worker creates a malicious product, either as a form of vengeance, or in the hope of creating a need for his own technical talents, as a researcher of considerable talent, with regard to the worm in question.

Surprisingly many people who might otherwise never find work in the technical or security industries, are able to do so, by making a name for themselves through criminal activity or other malicious behavior. While demonstrating questionable ethics, it also demonstrates technical talent, and the notoriety is sometimes more valuable to a company, than the damage that they risk by hiring someone whose ethics are questionable. Many people are employed or sponsored in the lecture circuit, for this reason; they did something that bought them notoriety - good or bad - and their employer/s figure that they can benefit from the notoriety, without risking a lot of possible damage, by putting these people on the lecture circuit.
In an increasing number of cases, these disenfranchised technology workers are actually employed for the specific purpose of creating malware, by spyware, adware, and spam organizations, as I will cover in the next question. When one is forced to choose between one's ethics and feeding one's children, ethics are generally viewed as a luxury that one can no longer afford. I, myself, am currently under contract to a spammer, since I am now approximately two weeks from homelessness, and better offers have not been forthcoming. I'm writing an application which will disguise a process which sends out spam, as something benign, in the process listing, on what are presumably compromised *nix hosts. The work will buy me approximately one more week of living indoors, which is really not enough to justify the evil of it, but I am in no position to refuse work, regardless of the employer. And indeed, if I did not accept the contract, and cheaply, then it is quite likely that someone from a third-world country would have done so - and probably much more cheaply than I did.

Astalavista: Recently, spammers and spyware creators started using 0-day browser bugs, in order to disseminate themselves in ways we didn't consider serious several months ago. Did they get smarter and finally realize the advantages of a 0-day exploit, compared to those of an outdated and poisoned e-mail database?

MrYowler: As indicated in the previous question, spam, spyware and adware organizations are beginning to leverage the fact that there is now a glut of technical talent available on the world market, and some of it can be had, very cheaply. These organizations have been taking advantage of technical staff that could not find better work for a long time. As more people who possess these talents, find themselves unable to sustain a living in the professional world; they are increasingly likely to turn to the growing professional underground.
Employment in the security industry is no longer premised on talent, ability, education, skill, or professional credentials, and there are essentially three markets that are increasingly reachable, for the malware professional world.

1) Third-world nations with strong technical educational programs are simply screaming for more of this sort of comparatively lucrative work to do.
2) Young people who lack the age or credentials to get picked up professionally, by the more respectable organizations, often crave the opportunity to put 'hacking' skills, developed in earlier years, to professional use.
3) Older technology workers, finding it difficult to find work in a market dominated by under-30-year-old people, often have large mortgages to pay, and children to put through college, and are willing to take whatever work they can find - if not to solve their financial problems, then perhaps to tide them over until a better solution presents itself.

It's not so much that spam, spyware, and adware marketers have become smarter, as it is that greater technical talent has become available to them. The same people who used to develop and use blacklists, and filter spam based upon header information for ISPs that have since gone bankrupt or been bought out, are now writing worms that mine email client databases, to extract names and addresses, and then use this, combined with email client configuration information, to send spam out from the user's host that the addresses were mined from. They are using the user's own name and email address, to spoof the sender - even using the SMTP server provided to the victim, by their ISP, to deliver the mail. This effectively permits them to relay through servers that are not open relays, and to distribute the traffic widely enough to stay under the spam-filtering radar of the sending ISPs, and to evade the blacklisting employed by the receiving ISPs.
It also permits them to leverage the victim's relationship to the recipients of the spam, in order to get them to open and read it - and sometimes, to get them to open attachments, or otherwise infect themselves with the worm that was used to reach them. The spammers have not previously been able to hire talent of this grade, very often - now, this talent is often not only available, but often desperate for cash, and therefore willing to work cheap.

It's a bit like an arms race. In the rush to develop enough technical talent to defend against this sort of thing, we have developed an over-abundance of talent in the area - and that talent is now being hired to work against us. This will presumably force people to work even harder at developing countermeasures, and repeat the cycle. Assuming, of course, that the threat is taken seriously enough by the public, to keep the arms race going. After all - once everybody has enough nuclear weapons to destroy all the life on Earth, then there isn't much point in striving to build more. You just have to learn to deal with the constant threat of extinction, and try not to take it too seriously - since there isn't really anything to be done about it, any more. We seem to be rapidly approaching this mentality, with regard to malware.

Astalavista: What is your opinion on ISPs that upgrade their customers' Internet connections for free, while not providing them with enhanced security measures in place? To put it another way, what do you think is going to happen when there are more and more novice ADSL users around the globe, who don't have a clue about what is actually going on?

MrYowler: This comes back around to the second point, with regard to the problems of information security, today. People have little interest in anyone's security but their own.
The ISPs *could* block all outgoing traffic on port 25, unless it is destined for the ISP's SMTP servers - and then rate-limit delivery of email from each user, based upon login (or in the case of unauthenticated broadband, by IP address). This is a measure that would have effectively prevented both the desktop server and open relay tactics that I described in my paper, "Bulk Email Transmission Tactics", about four years ago, and it would severely constrain the flow of spam from zombie hosts in these user networks. The problem is that they don't care. They only care when the spam is *incoming*, and then they can point fingers about how uncaring someone else is.

The same holds true for individual users. It is neither difficult nor expensive to implement a simple broadband router, to block most incoming traffic which would be likely to infect user hardware with malware. It is also not difficult or expensive to implement auto-updating virus protection, spyware/adware detection/removal, and software patching. It could be done even more cheaply, if ISPs were to aggregate the costs, for all of their users, and buy service contracts for this kind of protection, in bulk, for their users, and pass the cost along as part of the 'upgraded' service. Unfortunately, the nominal cost of doing so, would have to be borne by users who do not take the threat seriously, and who only care about the threat, when it has a noticeable impact on them. Since many of the malware packages are designed *not* to have a noticeable impact on the user - using them essentially as a reflection, relay, or low-rate DDoS platform, or quietly extracting data from their systems which will be abused in ways not directly traceable to their computer - these users do not perceive the threat to be real, and are therefore unwilling to invest - even nominally - in protecting themselves from it.
ISPs are not willing to absorb these costs, and they are not willing to risk becoming uncompetitive, by passing costs on to their subscribers; so they pay lip service to questions of security and antispam service, and perform only the most minimal tasks, to support their marketing claims. As with most organizations, the security of the organization itself, lies at the focus of their security policies. The security of subscribers, other network providers, or other Internet users in general, is something that they go to some trouble to create the perception that they care about, but when the time comes to put their money where their mouths are, it's just not happening.

Astalavista: Thanks for your time.

MrYowler: Any time... :-P

11. Security Sites Review
---------------------

The idea of this section is to provide you with reviews of various highly interesting and useful security related web sites. Before we recommend a site, we make sure that it provides its visitors with quality and unique content.

http://www.dsinet.org/
DSInet.org provides its visitors with information, files, tools, news items, columns, opinions and an editorial from a Dutch point of view.

http://www.cgisecurity.com/
A well known and quality security site: CGI Security resources, interesting files, papers etc.

http://www.cryptome.org/
The conspiracy site, freedom of information!

http://www.ebcvg.com/
Your source for information security: daily updates, viruses and malicious code articles and downloads etc.

http://www.dailyrotation.com/
All the news in one page, a recommended link if you haven't visited this before.

12. Astalavista needs YOU!
---------------------

We are looking for authors that would be interested in writing security related articles for our newsletter, for people's ideas that we will turn into reality with their help, and for anyone who thinks he/she could contribute to Astalavista in any way. Below we have summarized various issues that might concern you.
- Write for Astalavista -

What topics can I write about?

You are encouraged to write on anything related to Security:

General Security
Security Basics
Windows Security
Linux Security
IDS (Intrusion Detection Systems)
Malicious Code
Enterprise Security
Penetration Testing
Wireless Security
Secure programming

What do I get?

Astalavista.com gets more than 200 000 unique visits every day, and our Newsletter has more than 22,000 subscribers, so you can imagine what the exposure of your article and of you will be. Impressive, isn't it! We will make your work and you popular among the community!

What are the rules?

Your article has to be UNIQUE and written especially for Astalavista; we are not interested in republishing articles that have already been distributed somewhere else.

Where can I see a sample of a contributed article?

http://www.astalavista.com/media/files/malware.txt

Where and how should I send my article?

Direct your articles to dancho@astalavista.net and include a link to your article. Once we take a look at it and decide whether it is qualified enough to be published, we will contact you within several days; please be patient.

Thanks a lot to all of you, our future contributors!

13. Astalavista.net Advanced Member Portal Promotion
-------------------------------------------------

- May offer: Save 10% until 05/30/04 - $26 - 6 months Membership
- May offer: Save 20% until 05/30/04 - $79 - PREMIUM (Lifetime)

Astalavista.net is a world known and highly respected Security Portal offering an enormous database of very well-sorted and categorized Information Security resources, files, tools, white papers, e-books and many more. At your disposal are also thousands of working proxies, wargames servers where all the members try their skills and, most importantly, the daily updates of the portal.

- Over 3.5 GByte of Security Related data, daily updates and always working links.
- Access to thousands of anonymous proxies from all over the world, daily updates
- Security Forums Community where thousands of individuals are ready to share their knowledge and answer your questions; replies are always received no matter the question asked.
- Several WarGames servers waiting to be hacked; information between those interested in this activity is shared through the forums or via personal messages, and a growing archive of white papers containing info on previous hacks of these servers is available as well.

http://www.Astalavista.net
The Advanced Security Member Portal

14. Final Words
-----------

Dear Subscribers,

Once again, we would like to thank everyone who contacted us, submitted articles for future issues, and proposed various ideas for the newsletter. We're doing our best at providing you with the most up-to-date and interactive summary of the month's security events and the major threats everyone is facing while online. Issue 7 will be improved with several new and very informative sections, so watch out!

Editor - Dancho Danchev
dancho@astalavista.net

Proofreader - Yordanka Ilieva
danny@astalavista.net