December 27, 2008

New electronic Christmas gifts may have a special 'present'


As I celebrate this holiday season with my family and friends I'm finding myself busier than ever with security work - and it's not dealing with any infected PCs of my family and friends. You see, this year we have received more electronic devices that can plug into a computer than ever.

What's the big deal you ask? Concerns about malware-infected devices and their software.

Malware-infected devices isn't a new issue: we've had reports of new devices being infected with malware for the past couple years. This year is no different: I know first hand of several such instances where MP3 players or digital video frames come out of the box with this additional 'special gift' that when plugged into a computer drops malicious code onto it used to join botnets, steal Internet website account credentials, or who knows what. Oh, and it's not just the devices themselves, the software that comes with the hardware has had issues. Stories: Best Buy sold infected digital picture frames (Jan 2008) and here, Vuescape frames have infected software (Aug 2008), Samsung ships infected picture frame software CD (Dec 2008).

So while the percentage of these infected devices is still very low I'm still taking the precaution and plugging these things into my security test lab of 'victim' machines and will monitor what they do. Even if you don't have a lab like mine you can still exercise caution when hooking these up to your system. You can run system monitoring tools such as Process Monitor or Process Explorer from the brilliant folks in the Microsoft SysInternals team or a packet sniffer like Wireshark. You might also run something that monitors network connections, such as Windows built in utility NETSTAT (sorry, I don't know a Mac equivalent), while you plug the device in or install the software to see whether your machine visits a site on the Internet during the install and usage of the device and it's bundled software.

I'm raising an eggnog toast to all of us receiving electronic gifts without the special additional 'gift'. Hope your holiday is a malware-free one.

December 24, 2008

CastleCops has closed - this is a sad day




I've just learned that one of the great security communities has closed its doors: CastleCops has pulled the plug as of December 23 this year. The great folks volunteering their time there did some great work in fighting the good fight taking on the criminals and other miscreants on the Internet.

It was founded by Paul and Robin Laudanski many years ago (I don't know exactly when) and over those years they have spent countless hours building and supporting that community. They showed all of what can be done when we band together to fight the good fight.

A big THANK YOU goes out to Paul, Robin, everyone else at CastleCops for everything this did! This community will be missed.

December 21, 2008

White powder letters sent to state governors: dry run or distraction?

The Dallas office of the FBI reports that letters with a suspicious white powder has been sent to the offices of 40 United States state governors as well several overseas US Embassies. Initial field tests indicate no biological agent is present in the white powder so at least we know it's not anthrax used in the attacks against media outlets and the US Congress.

My question is: dry run, distraction, or neither? Was this a dry run preparing for a forthcoming attack? Maybe the purpose is to distract and pull government resources toward this ruse to allow for other nefarious work to occur undetected? Or neither, maybe someone looking for 15 minutes of fame?

For the security and IT professionals out there hopefully this incident reminds you to always look for the motive(s), think about your detection systems, and how you handle post-incident followups.

Motives of Your Attackers
You might consider conducting a review of possible motives of your attackers, consider the scenarious and outcomes, and then determine if your countermeasures are sufficient. If you have a team (IOW there's more than 1 of you) this would be a good candidate for a brainstorming session in a conference room or maybe at offsite location. Oh, and let's not forget about determining what information (re intelligence) your attacker can obtain about your organization without actually atacking, this should be part of any counterintelligence program.

Detection Capabilities
Are you able to detect attack dry runs or rehearsals against your computing and physical systems? Can you detect your adversary profiling your systems? Consider how they would perform this activity and compare it against your detection systems in place, I guarantee you'll find gaps that will cause you to consider additional options.

Incident Followups
One such followup might be to increase monitoring of your systems across the board, not just the systems involved. As mentioned earlier you might also consider your counterintelligence program (or build one if you dont have one already). Also, as part of the incident investigation process you should be to look at any strange or abnormal behaviour of related systems leading up to or around the time of the incident under investigation. This is a normal practice in physical security incidents but sometimes is forgotten during computer-related incidents.

Let's hope that there are no future real attacks relating to this latest incident and that the good people at the FBI find the culprit of this latest scare.

As for your environment, take a moment or two (or three) and consider your capabilities and where to improve them.

December 14, 2008

Rogue security software screenshot collection

The look of rogue/fraudulent security software has evolved to where it's impossible to distinguish between them and the legitimate applications.














Want to see how close - see Sunbelt Software Patrick Jordon's screenshot collection here.

December 3, 2008

Let me Google that for you

Now I've seen everything: there's a website that will do a Google search for you by showing you how to use Google. Huh? The creators say they created it as a way to help the search-engine challenged Internet users that ask you questions they could find the answers to on Google. Quote on their website: "This is for all those people that find it more convenient to bother you with their question rather than google it for themselves."

Screenshot of their website:
Here's how it works:

1. Visit the site http://letmegooglethatforyou.com
2. Enter your search criteria in the box and press the Google Search button
3. It will create a link for you that you can copy and send to that search-engine challenged person you know. Example: http://letmegooglethatforyou.com/?q=screensavers
4. When they click the link they'll see an animated cursor showing them how to submit a Google search and then actually runs the search on Google redirecting them to Google's website for results.

So, the paranoid side of me wonders if these guys are going to track the searches and then sell the data to advertisers. Also, they have Google's graphic/logo on their page...wonder how long until Google tells them to remove it. Then again, why would they? They are generating search traffic for them. ;-)

Ha, here's some irony: the site is indexed on Google.com.







Check it out for yourself:
http://letmegooglethatforyou.com or http://lmgtfy.com

November 26, 2008

Security of food supply in doubt again, this time in America

By now we've all heard about the contaminated Chinese-made baby formula, recently traces of that same dangerous substance, Melamine, has been found in US made baby formula. It's terrible that the health of babies have been put at risk from this contamination. With the continued growth of globalization, unfortunately I suspect this won't be the last incident.

This brings me to my point: food security is the next area where we need to focus on. While there are some checks and balances built into the production and distribution systems, there aren't enough. There aren't enough FDA inspectors or checks in place in US or around the world where we get our food. Interestingly, the FDA recently opened an office in China to coordinate inspections of food shipped to the USA. This is a good first step but much more needs done.

The threat? Disgruntled employee(s) or an international terrorist organization. Now a wide spread contamination might be difficult, but regional one is very possible where thousands of people sicken or killed. And with the globalization of the news media it would likely cause a large uproar and scare that these attacks are designed to achieve.

Note to President-elect Obama: we need to improve the security of our food supply, period.

November 21, 2008

Malware Analysis Challenge Results

The contest that Tyler Hudak and I ran has concluded and the results have been posted. We had a ton of great submissions from some very very talented folks. I want to thank all of the people who submitted and participated in the contest. I also want to thank the sponsors who generously provided all of the great prizes.

Tyler and I plan to have another contest early in 2009 (likely in January) so keep your eyes open for the announcement.

http://www.malwarechallenge.info

Any data leak might be worth something

President-elect Barack Obama's cell phone records were accessed by cell phone company employees. According to the story the account was accessed where they are able to see what phone numbers were called and received and how long - no recording of conversations were done.

The good thing about this is that the telco is monitoring account access by internal employees. The article doesn't say anything about when the access occurred nor how quickly it was discovered but let's hope it was quick. They did say that the phone is no longer used which makes me wonder how quickly they did detect this unauthorized access.

The bad is why didn't the secret service lock this account down. I'm sure they have some arrangement they are able to make to put extra security measures in place for high ranking folks in the government such as President, VP, cabinet members, aids, etc. I would think that they do this now because otherwise we'd hear more stories about this.

The officials from the telco stress that there was no recording of conversations nor access to voice mail. Some folks might think 'no big deal' right? Well it might not be anything, just a curious employee, or it might be something. Being able to see who he called and received calls from, how long he spoke, and how often might give some insight into some of the policy initiatives or who he might tap for various positions in his administration. This data could also be used to determine his people network and ties.

What if this data lands in the hands of lobbyists? Or Republican strategists? How about foreign governments? Data that might otherwise seem useless might actually be worth something to an adversary trying to figure out how to defeat your defenses or how to steal your key employees or customers.

This data might be more valuable than one would think. Something to think about in your organization.

November 17, 2008

Protecting Your Brand Online: Is There Another You on the Internet?

There's a great article by Richard Stiennon over at the ThreatChaos blog about the potential for Twitter being used to attack brands. Washington Post's Brian Krebs also talks about claiming your space on these social networking sites. If you are worried about protecting your company's or YOUR brand go read these articles.

I, for one, have been working on Internet brand protection for the past year or so. From my name to the organizations I help run I've been registering domain names and setting up accounts on various websites; all in an effort to try to protect the brand. It's time consuming and expensive and I still have much work to do.

There are a TON of social networking sites: see this great Wiki page listing various sites along with information such as the focus of the site. And the big problem with this is that they don't validate the creator. I could set up a profile using the name George W Bush with no problem. Well, that is until the Secret Service show up at my house. doh. Worse, sometimes they don't even index on the profile name allowing an evil twin attack to occur. It would take you days to set up profiles on all of these sites and honestly I don't feel you need to do this. Focus in on the popular sites and the sites that are appropriate for your brand. For example if you aren't into or brand doesn't relate to fantasy or sci-fi than you don't need to register on Elftown. However, you might want to consider Yelp.com which is an online city guide where people rate businesses in their neighborhood. Yelp even offers a page for business owners to monitor your business page.

Even though anyone can impersonate you there are some measures you can take to help protect yourself and your brand. So the areas that I recommend you consider in your online protection strategy are:
  • Domain Names
  • Social Networking Sites
  • Email Addresses
Details...

Domain Names
  • Of course!
  • firstnamelastname.com: at a minimum
  • firstnamelastname.name
Social Networking Sites
Email Addresses
  • Gmail
  • Yahoo
There are plenty of other sites that you should create profiles on but use these as a starting point.

November 13, 2008

Rogue and Fraudulent Security Software and Websites a Growing Threat

The line between these two is blurring, but let's try to to define them anyway...
  • Rogue : The primary purpose of this software is to compromise your computer with the intent of giving the attacker access to it, to steal your information, or both. This is done by malicious code inside of the software that is installed or run on your computer without you knowing it. In most cases this software does not live up to advertised functionality. For example an anti-virus software that appears to be security software instead installs a trojan on your computer that records your keystrokes with the intent on stealing your account login credentials.
  • Fraudulent : The primary purpose of this software is to separate you from your money. This software might operate as advertised, but in many cases it doesn't. The software will use fraudulent practices to get you to buy it. Some of the tactics might be to scan your machine and then show you have several dangerous viruses on it or other such scare tactics. I have tested some of these on newly built virus-free systems only to have them report there are some 30 viruses on the machine. Scanning with a reputable product shows that it's clean. I have even seen cases where the fraudulent software places actual viruses on the system. :(
In my opinion the problem of rogue and fraudulent security software is quickly approaching epidemic proportions. I have seen a dramatic rise in the number of fraudulent applications and websites in the past few months to where there isn't a day that goes by where I don't come in contact with one or see one pop up. It used to be maybe once a month or so. And everybody is getting infected: my friends, relatives, co-workers, everyone is falling victim. Trend Micro says that 10 percent of all infections they see are caused by rogue software.

There are few solutions that I can think of currently at our disposal to solve this issue: education of users, law enforcement crackdown, and enforcement of usage policies by ISPs and web hosters.

User Education
It boils down to the basics and examples from the physical world map quite nicely to the cyber world: if it looks or sounds too good to be true, it probably is. You don't (usually don't) get something for nothing. While there are some great free software on the Internet you need to be wary. As a security professional help them by providing them with a list of known good security software and where to get them.

Law Enforcement Crackdown
My theory here goes: if the criminals think they can get away with it, they will. IMO, the deterrence factor is missing. There have been very few prosecutions so the risks of getting caught, unfortunately, are low. If there were no police watching the roadways would you still go the speed limit? Without the deterrence factor things will not get better.

There are many factors causing this problem but let me send a plea out to the folks in control of the budget purse strings: please fund your cyber police better! Provide training to them and hire more. Also tie any funding assistance to other countries to cyber crime cooperation. These topics are big enough for a separate post so I wont get into them here.

ISP Enforcing Usage Policies
I understand that ISPs and resource challenged like many of us and also are in the business to allow and route traffic but things are just out of hand. ISPs need to do several things: 1) enforce your EULAs, 2) stop routing to the bad networks, 3) react quicker to complaints and pressures from industry professionals about rogue elements on your networks, 4) MONITOR your networks for these bad actors and then shut them down and report them to the authorities, 5) react quicker to law enforcement queries. In many ways you, ISP, hold the keys to the cars that the criminals use. A better analogy is that you provide them with the roads they drive on. Put up those toll booths, stock them with machine gun wielding guards and stop them if they are doing bad.

One last note: ICANN please please please do your job of enforcing your domain registration policies with your authorized registrars. For more information see the great folks at Knujon.com who are combating this problem and news articles here from The Industry Standard, eWeek, and Axcess News.

UPDATE: A great win!
McColo hosting center, who had been hosting many websites that propagate malware, rogue security software, and spam has lost its Internet connection. Two Internet providers have stopped routing to this California-based hosting company. See article by Washington Post reporter Brian Krebs here. He also has an update here. The immediate result? IronProt reports spam has dropped by 66 percent. 66 percent! Spamcop.net reports a 75 percent decrease. See graph.

This is a great example of how a community comes together for a good cause and makes a difference. Fight the good fight!

Speaking of McColo, check out a new report released by Hostexploit.com that shows that data and analysis behind the case against McColo. Several security researchers contributed their data and analysis to this article, including me. ;-)

November 5, 2008

Domains Registered with Obama's Name Recently

Well now with the US presidential election being over I thought I'd poke around the Internet domain records to see what names have been registered. I see that around the November 3rd thru 4th time frame no fewer than 312 names have been registered with the word 'obama' in them. Most are parked right now.

Some of the more interesting ones...
.
impeach-president-barack-obama.com
impeachobama2day.org
obama-recall.com
defeatobama2012.com
outwithobama.info
outwithobamain2012.biz

Some scary ones (secret service might want to watch these)...
dontkillobama.org
endofobama.org
keepobamaalive.com

obamahacker.com
This guy is definitely not a fan of Barack. On this site he says that "46% of the country did not vote for Barrack Obama". You know, if he's a Republican I need to remind him that during the 2000 election 48.4% of America did not vote for George W. Bush. As a matter of fact the MAJORITY of Americans voted for the Democrat Al Gore. Short memory there Mr. ObamaHacker.

iblameobama.com
For what? Winning the election?

Must be some of the $250K+/yr folks...
obamaraisedmytaxes.info
obamaraisedmytaxes.org
obamaraisedmytaxes.us
obamataxedmeoutofbusiness.com
obamataxedmeoutofwork.com
obamataxedmybusinesstodeath.com
obamataxedmycompanyaway.com
obamataxedmyjobaway.com

Did John McCain register this one?
obamatookmyjob.com

Interestingly, some of these names are hosted on the same servers where some malware and fake security software reside. This does not mean these sites are bad, just interesting. I personally suspect some might be fake websites used in attacks against unsuspecting victims, but nothing has been detected at this time.

Now onto more non-political items...

November 3, 2008

This Years Summit is Over

Well the Information Security Summit is done and by all accounts the conference was a big success. Have heard nothing but very positive comments from the attendees many saying they learned enjoyed the presentations learning a great deal from the speakers. The topics seemed to be very timely as well.

I was pleased to hear this and pleased with how well the operations went, which was in large part due to the great folks working behind the scenes. These folks are all unpaid volunteers putting in countless hours to ensure things go well. The conference operations rivals larger national conferences in both quality of operations and content.

To recap the Information Security Summit ...

By the numbers:
  • 6th year in existance
  • 2 days
  • 3 keynote sessions
  • 36 breakout sessions
  • 44 speakers
  • 2 Birds-of-a-Feather sessions
  • 12 sponsors
  • 3 participating organizations
  • ~350 attendees
Topics covered:
  • Theme was risk management
  • Measuring and managing risk
  • How your security program is costing you money?
  • It’s 10 PM do you know where your risks are?
  • Information risk vs. information security
  • PCI compliance
  • SOX compliance
  • Security frameworks
  • Threat modeling
  • Web application security myths
  • Application security testing
  • Data encrypting
  • E-discovery
  • File remnants in Windows Vista
  • Data leak prevention
  • Penetration testing with Fast-Track
  • Risks of social networking sites
  • Tiger Team pen-testing
  • Bootable CD/USB environments
  • Malware techniques
  • Illicit spam networks
  • Phishing
  • Identity theft protection
  • Secure building designs
  • Business Continuity Planning
A big THANK YOU goes out to all everyone who helped make this event a success - from the speakers to the sponsors to the volunteers and the attendees who supported it!
See you next year at the Summit.

October 31, 2008

Anthony Reyes Keynote at Summit Conference

Currently listening to Anthony Reyes keynote address at day 2 of the 2008 Information Security Summit in NE Ohio. The talk is really good with great content and is entertaining. He's a former New York City cop from the cybercrimes group and really hits home with the insider attack risks to the company.

He says companies do not do a good job of controlling the information about them and understanding the inside risks. He's recommending employers should manage what their employees say about the company in public such as on Internet postings. He explains that such Internet postings actually pose serious risks to company business. Say's it's everyones job to keep the company safe.

If you ever have a chance to hear Anthony talk I highly recommend you attend.

October 30, 2008

NEO Information Security Summit Underway

We are into the first day of the Information Security Summit and other than a couple technical glitches beyond our control (hotel Internet connection instability for a bit) things have been going great. There are alot of people here, our latest attendance numbers were around 335 - wow!

The talks so far have been good. Gareth Webley moderated the keynote panel with security leaders from around the region talking about best practices for managing risk. They covered topics such as setting up a risk management program, how to *talk* security with business leaders, how to sell security (or more appropriately risk management) to the business, and other topics. Great insight into how to talk with business leaders.

Other great sessions going on but no time to talk about them at the moment. Since I'm helping organize and run the event...I'm a little busy.

Updates later.

October 24, 2008

Domain Registration Mining Turns Up Republican Plans?

So I was doing some mining of recent domain name registrations and discovered some funny things. I was found some Sarah Palin domains but none of them appear to be hers. Now why in the world would a political figure on the national scene like her NOT register her domain name? Going to sarahpalin.com I see a FOR SALE sign.

I see other domains that aren't hers...

votepalinforpresident2012.com
votepalinforpresident2012.us
votesarahforpresident2012.com
votesarahforpresident2012.us
votesarahpalinforpresident2012.com
votesarahpalinforpresident2012.net
votesarahpalinforpresident2012.us
votesarahpalinforpresident2012.org
(all registered on 10/21-10/22/2008)

Are the republicans admitting defeat and preparing for the next election? Currently these domains appear to be parked with nothing on them about Palin. Maybe just opportunistic business person capitalizing on clicks. Turmac Corporation is who is listed as the registrant - dont know if they are working for her or domain squatter.

And then there's Joe the Plumber from Ohio. Oh look, a couple domains (all registered on 10/22/2008)...

joeplumbervotes.com
joeplumbervotes.info
joeplumbervotes.net
joeplumbervotes.org

Looking at these websites it appears that it isn't infamous Ohio plumber but rather someone else who says they aren't a plumber and will be voting democratic.


Lastly, are the democrats getting ahead of themselves?

congratulationsdemocrats.com

No, just another squatter looking for click $$.

So the lesson for all you budding politicians out there: register your domain name. BTW, I have registered GREGFEEZEL.COM but have no interest in going into politics...at least not today. LOL

Malware Challenge

Know how to analyze malware either statically or live? You'll want to check out this cool contest that Tyler Hudak and I are holding...and the best thing: there's cool prizes you could win. We are giving away an iPod, free copy of IDA Pro, a IDA Pro book, a $25 Best Buy gift certificate, Greg Hoglund's Rootkits book, the great book The Art of Computer Virus Research and Defense, and more. Be sure to read the rules page for details.

You dont have to be an expert to try it out. So go on over to http://www.malwarechallenge.info/ but you have to hurray because we stop accepting submissions this Sunday October 26, 2008 at 23:59 EST!

We will be reviewing the submissions at the Information Security Summit being held in Independence Ohio on October 30th and 31st.

Let the blah blah blogging begin!

Welcome to my new blog! Well after much prodding by friends I finally took the plunge and started a blog - boy will the world be sorry. ha ha. ;-)

The origin of the name is from my daughter who describes what I do at work (and hobby) to people as "security blah blah." And since this blog will contain my thoughts on various topics, the name is appropriate. Hopefully you'll find some of the content interesting and maybe even entertaining.

So here goes nothing...blah blah...