December 29, 2009

Another Win for the Good Guys: Bye Bye Mega-D Botnet

I just read this great piece of news over at the Sunbelt Software Blog about a top 10 botnet. The botnet, called Mega-D, was said to have 250,000 bots and has been responsible for nearly 12 percent of the world's spam. Wow, this is a great win.

The takedown was coordinated by a researcher at FireEye who, working with others in the industry and with Internet Service Providers, provided U.S. law enforcement with the information needed for the shutdown.

Kudos to the FireEye team and others involved on this win! Keep fighting the good fight.

Check out the Sunbelt Blog entry here.

December 18, 2009

Satellite Sniffing Software Used to Monitor Drone Video

According to the New York Times, insurgents in Iraq are using cheap satellite sniffing software to monitor the video feed coming from Drone fighter airplanes. This was discovered when laptops from captured insurgents were analyzed. The software they used is called Sky Grabber and costs only $26. It was designed to download music and movies off of satellite transmissions.

What's very disappointing in all this is that the Drones are not using encryption to secure the video feed. I've heard some reports that they aren't equipped to use encryption; if that's the case, it's shameful. I don't see any good reason why we would want the insurgents to see the video data showing what the Drones are seeing. C'mon, encrypt the data, people!

Article here:

October 28, 2009

Local northeast Ohio security conference: Summit

It's been a long while since I've posted to my blog; it's been super busy lately. Apologies to my 3 readers - I promise to post more frequently.

This week I'll be at the 7th annual Information Security Summit. This is a 2-day conference held in northeast Ohio; this year it's in Warrensville Heights at Corporate College East, and it features over 30 speakers from around the US covering security topics in the areas of governance/risk/compliance (GRC), threats, application security, incident response, network security monitoring, malware, wireless, open source tools, forensics, contingency planning, BCP, physical security, etc. A long list indeed. See the complete agenda here.

My role at the Summit, along with several others, is to help organize, plan, and run the event. I will also be working the NEO Info Sec Forum booth. This is a group I founded 4 1/2 years ago. If you are at the Summit, stop by our booth (in room 124 off the atrium) and say hi. Try your hand at a crypto challenge where you can win some cool prizes.

Hope to see you at the Summit.

Side Note: For those of you who can't make it check out the live stream of the conference that Security Justice Podcast is providing!

August 27, 2009

Banks Receive Fake Training CDs from NCUA...oh wait...

As reported by the SANS Internet Storm Center, some banks reported receiving what appeared to be letters and training materials from the National Credit Union Administration (NCUA). The training materials consisted of CDs.

Then you hear this over the PA system:
This was a test of the emergency broadcast system. This was only a test.
Closer inspection reveals that the letters were fake and the CDs contained malware. Pretty interesting scam involving both physical-world and computer security.

Ha. So Brent Huston from Microsolved contacted the SANS folks, letting them know that he sent those as part of a penetration test his company was performing. Wow, good test, and it probably was successful. I bet some people put those CDs in their computers.

This was a great awareness event for training our users. I fully expect to see the criminals start using this technique more. :(

July 27, 2009

Advertising on social media site raises privacy concerns

Quick post about an interesting story I just read...

One day a married man (important to mention) logged into his Facebook account to check his messages. While on his page he was presented with an ad that enticed him to visit a singles site. The ad said "Hey Peter. Hot singles are waiting for you!!" So what, you ask? Well, it just happens that along with the ad was a picture of a woman; that woman happened to be his wife. See below:

As it turns out, a 3rd party advertiser scraped her picture and others off Facebook profiles and used them in their ads. The victim, Cheryl Smith, talks about the incident on her blog.

According to Facebook officials this violates their policy and they have removed this advertiser. They even kicked off two whole advertiser networks for terms-of-service violations (not necessarily related to this particular case).

At first this story gave me a great laugh, but that quickly turned to shock and concern. Shock that an advertiser would use such a tactic (well, I guess I've seen worse, but still shocked). Concern regarding privacy on social media websites.

The folks at DownloadSquad have a writeup about this incident here and Sunbelt Software talks about it as well.

Want to protect yourself from the scrapers? Read Tom Eston's Facebook Privacy & Security Guide.

July 13, 2009

More Blackhat SEO, Pelosi is Target

The blackhats continue to push their rogue security programs via Search Engine Optimization techniques. This time I ran across a site using US House Speaker Nancy Pelosi's name. It appears to consist of all sorts of headlines and keywords, such as:

pelosi says surge did not work

And there's also some not so flattering phrases:

pelosi insane
pelosi is an idiot
pelosi is a communist

Some well-worded SEO there, bound to attract search engine hits.

The site contained some Javascript code (not anymore, but it was there) which, after traveling through a couple of redirect sites, ultimately takes the visitor to some rogue security software sites, one of which uses drive-by fake scanning tactics. The redirect sites contain quite sophisticated Javascript code to hide their purpose. They also appear to redirect you based on where you came from.

The two rogue websites by the way are:

  • ( Germany)
  • ( Netherlands)
This is in no way "new news": as I reported earlier this year, Ford was a target of these fraudsters, and Panda Security has numerous sightings. This surely will continue for as long as they have the ability to operate the sites.

June 18, 2009

Various interesting news and posts

The Web's most dangerous keywords to search for
I've long known that some 75% of all screensavers found on the Internet via Google search contain malware, but I thought that some of these words were interesting: free games, work from home, iphone, barack obama. Something else interesting is the finding that when searching for lyrics keywords or phrases with the word 'free' in them, one in four sites contains malicious code. Talk about blackhat SEO.

Building an Automated Behavioral Malware Analysis Environment using Open Source Software by Jim Clausing
Looks very promising. On my reading list.

Ex-DOD and Microsoft Exec Heading Up DHS Cyber Post
Earlier this month Secretary Napolitano of the U.S. Department of Homeland Security named Philip Reitinger as Director of the National Cyber Security Center in DHS. This is a newly formed office in DHS. Previously Philip had held positions at the DOD Cyber Crime Center and was leading the Trustworthy Computing initiative at Microsoft. Philip replaces Rod Beckstrom, who vacated the post earlier this year citing lack of funding and internal support. I wish Philip all the best and hope he's able to get what he needs to get things done there.

June 6, 2009

ICANN grilled by Congressional subcommittee

Oversight of the Internet Corporation for Assigned Names and Numbers (ICANN)
Hearings - Subcommittee on Communications, Technology, and the Internet
June 04, 2009
The Subcommittee on Communications, Technology, and the Internet held a hearing titled, "Oversight of the Internet Corporation for Assigned Names and Numbers (ICANN)" on Thursday, June 4, 2009, in 2123 Rayburn House Office Building. The hearing examined issues related to ICANN, including the expiring Joint Project Agreement between the Department of Commerce and ICANN, as well as ICANN's proposed introduction of new generic Top Level Domains (gTLDs).

I found this event very interesting. It is a hearing to discuss the renewal of the Joint Project Agreement (JPA) between the US Dept of Commerce and ICANN. Among other things, the JPA provides the US Govt (through NTIA) oversight of ICANN's operations. This agreement expires in September of this year.

There were several people testifying during this event, including the President of ICANN, GoDaddy's General Counsel, a representative from Verizon, a representative from NTIA, and a couple of others whose names I missed.

There were several concerns put on the table: accountability, transparency, efficacy, stability and security. Many had sharp criticism of ICANN's progress toward a safe and stable Internet domain name governance system. They, along with the Congressional subcommittee, were not satisfied with ICANN's response to shutting down malicious domains and questioned why they aren't taking more action against domain Registrars who violate their policies and agreements with ICANN. ICANN's President did not seem to have good answers, which led the hearing chair to ask for written proof of the actions they have taken. I suspect this will lead to more probing by the subcommittee, because it's my opinion as well that ICANN is not doing their job here, as I continue to see bad Registrars allowing new malicious domain names to operate.

Concerns over the additional gTLD (generic Top Level Domain) proposal were expressed. If you aren't aware, ICANN is proposing to allow new long gTLDs to be created and sold, for example .MOVIE, .LEGAL, etc. The main concern had to do with trademark protection.

All panelists who testified, with the exception of the ICANN President, want to see Congress renew the JPA. The overriding concern if it isn't renewed was the lack of transparency and security of the system. Several stated a concern that a nation which is not friendly with the US might take over ICANN and threaten the US' national security. I share this concern.

If you are involved in fighting malicious websites or spam or curious about ICANN's operations I recommend watching the videos of the hearings. You'll find downloadable files here:

Let's hope this helps drive ICANN to take the necessary measures to dramatically improve their measures when fighting malicious domains. In other words, do what they should be doing anyway!!!

May 20, 2009

Criminals force Google to change algorithms

According to reports Google is about to or has already changed their search algorithms as a response to the increased exploitation by criminals using black hat search engine optimization attacks. See article here.

That's great news, assuming they are successful, as I've been discovering and reading about so many black hat SEO attacks that I'm starting to worry about non-security users relying on Google for search. I'm not satisfied with Google's response to these attacks because, in my opinion, they have been much too slow and in some cases don't tag the offending search results as a security risk.

Based on the typical information security cycle (or arms race) this won't be the last time they will have to change their algorithm but let's hope this makes it extremely difficult for the criminals to continue using Google as an attack platform.

May 11, 2009

New information security bill to replace FISMA

There's yet another cyber security bill introduced in the US Senate; this one is called the 2009 U.S. Information and Communications Enhancement Act. While the others affect both government and private industry this one aims to strengthen information security within government offices.

It's an update to FISMA, which has long been criticized for not requiring agencies to demonstrate compliance. This bill focuses more on measuring actual security rather than on report writing, which is FISMA's focus. It requires the Commerce Department to establish standards for securing government systems. It takes information security management away from the DOD and NSA and limits DHS's role to incident response and the defenses provided by US-CERT. I'm not sure I agree with that, as there are some talented folks at DHS and US-CERT.

You can read the whole bill here

April 30, 2009

Microsoft to disable Autorun feature - YEAH

Microsoft plans to disable the Autorun feature in Windows 7 and release a patch to disable it in older supported versions of Windows. It won't affect CDs or DVDs, which will still autorun, but it will disable autorun for USB drives. This is great news! There is so much malware running around infecting USB drives that this had to be done.

Microsoft talks about this topic:

Kudos to Microsoft for taking this measure.

April 21, 2009

Low post volume

Hi everyone. Sorry this blog has been getting quieter; I've been busy battling the rogues and other Internet fun. I promise I will try to update this blog more often than once a week.

My recent Targeted Blackhat SEO Attack against Ford Motor Co. - link to Panda blog

Speaking of rogue security software, Microsoft's recently released security intelligence report talks about the dramatic rise in rogue security software they saw on Windows machines during the 2nd half of 2008. They saw a 15% rise over the course of 2008, from 20% of all machines to a full 35%! I would estimate that number is even higher today given the unbelievable increase in websites and "brands" of this scumware.

You can see Microsoft's report here. It's a pretty good report, worth a read.

April 7, 2009

New Cybersecurity Bill Gives Commerce Dept and President Obama Cyber and Internet Authority

On April 1, 2009 a bill, the "Cybersecurity Act of 2009," intended to ensure the free flow of commerce within the United States, was introduced in the US Senate. (See the PDF draft here.) It's important that our nation gets working on this critical issue now, so I reviewed the working draft and thought I'd summarize it and note some interesting passages.

Summary points...
- Cybersecurity oversight of government networks, the Internet, and cybersecurity research would fall under the Secretary of Commerce;
- Roles and responsibilities involve other agencies such as ODNI, NIST, FCC, and NSF;
- Three years of funding, then after a review/evaluation a potential for continued funding;
- Establishes state and regional cybersecurity centers, tasking them with securing small- and medium-sized businesses;
- Requires providing security for the FCC's national broadband initiative;
- Establishes a private-public sector clearinghouse for vulnerability information;
- Requires a feasibility study of cybersecurity insurance;
- Taps NIST as the standards body for all cybersecurity related standards;
- Provides the President with the power to disconnect the Internet in a cybersecurity emergency or in the interest of national security.

Various interesting passages...

Section 3 - Cybersecurity Advisory Panel.
DUTIES.—The panel shall advise the President on matters relating to the national cybersecurity program and strategy and shall assess—
(1) trends and developments in cybersecurity science research and development;
(2) progress made in implementing the strategy;
(3) the need to revise the strategy;
(4) the balance among the components of the national strategy, including funding for program components;
(5) whether the strategy, priorities, and goals are helping to maintain United States leadership and defense in cybersecurity;
(6) the management, coordination, implementation, and activities of the strategy; and
(7) whether societal and civil liberty concerns are adequately addressed.
REPORTS.—The panel shall report, not less frequently than once every 2 years, to the President on its assessments under subsection (c) and its recommendations for ways to improve the strategy.
I have a problem with that frequency; at a minimum it needs to be twice a year.

Section 4 - Real-time Cybersecurity Dashboard.
The Secretary of Commerce shall— (1) in consultation with the Office of Management and Budget, develop a plan within 90 days after the date of enactment of this Act to implement a system to provide dynamic, comprehensive, realtime cybersecurity status and vulnerability information of all Federal government information systems and networks managed by the Department of Commerce; and (2) implement the plan within 1 year after the date of enactment of this Act.
Wow, is this aggressive for this large an undertaking.

Section 5 - State and Regional Cybersecurity Enhancement Program.
The Secretary of Commerce shall provide assistance for the creation and support of Regional Cybersecurity Centers for the promotion and implementation of cybersecurity standards.
The purpose of the Centers is to enhance the cybersecurity of small and medium sized businesses in United States...
What do they mean by "enhance"? To what extent will these new regional centers assist SMBs with their security?
ACTIVITIES.—The [Regional Cybersecurity] Centers shall—
(1) disseminate cybersecurity technologies, standard, and processes based on research by the Institute for the purpose of demonstrations and technology transfer;
(2) actively transfer and disseminate cybersecurity strategies, best practices, standards, and technologies...
Where's NIST? Are they going to be folded into this new center? Ah later in the document, section 6, NIST is mentioned...

Section 6 - NIST standards development and compliance.
National Institute of Standards and Technology shall establish measurable and auditable cybersecurity standards for all Federal government, government contractor, or grantee critical infrastructure information systems and networks...
Does NIST not already do this? Maybe this is giving them teeth - which is a great thing.
The Institute shall establish a standard testing and accreditation protocol for software built by or for the Federal government, its contractors, and grantees, and private sector owned critical infrastructure information systems and networks.
This will touch the private sector in a very big way, since something like 75% of all of the critical infrastructure is run by that sector.
...[NIST] shall be responsible for United States representation in all international standards development related to cybersecurity...
(2) shall require each Federal agency, and each operator of an information system or network designated by the President as a critical infrastructure information system or network, periodically to demonstrate compliance with the standards established under this section.

(e) FCC National Broadband Plan...shall report on the most effective and efficient means to ensure the cybersecurity of commercial broadband networks...
So what exactly does that mean? Maybe requiring firewalls and other controls, which would help mitigate some of the network worms.
FCC NATIONAL BROADBAND PLAN.—In developing the national broadband plan pursuant to section 6001(k) of the American Recovery and Reinvestment Act of 2009, the Federal Communications Commission shall report on the most effective and efficient means to ensure the cybersecurity of commercial broadband networks, including consideration of consumer education and outreach programs.
Section 9 - Secure domain name addressing system.
...develop a strategy to implement a secure domain name addressing system.
Section 10 - Promoting cybersecurity awareness.
...develop and implement a national cybersecurity awareness campaign...
Good good.

Section 11 - Federal cybersecurity research and development.
(b) Secure Coding Research...
(c) Assessment of Secure Coding Education in Colleges and Universities

Section 14 - Public-private clearinghouse.
...The Department of Commerce shall serve as the clearinghouse of cybersecurity threat and vulnerability information to the Federal government and private sector owned critical infrastructure information systems and networks.
Section 15 - Cybersecurity risk management report.

In section 15 they talk about conducting a feasibility study of creating a market of cybersecurity management including civil liability and insurance.

Section 18 - Cybersecurity responsibilities and authority.

This is the section that has several people concerned and upset. It essentially provides for the President to declare a cybersecurity emergency and shut down the Internet. There's also a provision which allows him to disconnect any system or network in the interest of national security. This authority extends to Internet connections into Federal offices as well as any US critical infrastructure information system or network. This is intriguing because a majority of the infrastructure defined as "critical" by the US Government is owned and operated by the private sector. This bill would grant the President the power to shut down private sector systems and networks.

This section also requires mapping of Federal systems and networks. Good idea, wonder how long it will take though.

Section 30 - Joint intelligence threat assessment.

This section requires the Director of National Intelligence and the Secretary of Commerce to submit to Congress an annual assessment on cybersecurity threats.

What's interesting in all this is that neither DHS nor NSA are mentioned in this bill. Just recently the Director of National Intelligence testified in front of Congress that the NSA should be in charge of cybersecurity. And a few weeks ago director of DHS's NCSD resigned over concerns about the move of cybersecurity from DHS to under the NSA.

What will happen to all the initiatives currently underway by DHS and NSA? Will they be folded into this new organization, or directed by this organization yet still reside in their respective agencies? What about DOD's cybersecurity efforts?

All I want is for them to get it right organization-wise and start working to address the country's cybersecurity shortcomings - ASAP.

March 31, 2009

Will April 1st be Conficker's D-Day that Blows Up the Internet? NO!


Contrary to the popular belief of the mass of non-security Internet citizens, the Internet will not turn into Armageddon on April 1st, 2009. It's not going to turn into anarchy where zombie computers spew their venom through the billions of miles of cables that make up the Internet - that's just not going to happen. At least that's the belief of most of us in the security industry. Could it be a hoax? Sure. Could there be a large influx of newly infected PCs? Sure. Maybe the already infected PCs start doing something different, like a DDOS attack or something else. Who knows? We don't... only the criminals behind the infections/attacks do.

I've heard from many of my non-technical friends and coworkers asking about this "new" worm that is set to "explode", as they put it, at midnight on April 1st. I've even seen people say to unplug their computers, as in turning them off, from March 31st and then plug them back in on April 2nd. No really, that's what they are saying. Take a look at an email I received earlier today that's making the rounds of non-technical users:
Subject: unplug computer Mar 31, replug April 2

Unplug your computers from the internet on March 31 and don't reconnect them until April 2. Then it won't have access to the web to "activate" the worm if you have it (that's how the article says this worm works). Hopefully by April 2 they will have a "fix" for it and you can get back on your machine.

While I appreciate all the awareness they are providing, acting like this is some huge tidal wave that will wash your home away is just ridiculous. If your Windows computer is fully patched, including this one from October, and you have some sort of antivirus and firewall, then you are safe from this worm.

No, the Internet is NOT going to explode tomorrow! See you online.

March 19, 2009

Basic Measures Would Prevent Most Breaches?

We just finished our March meeting of the Northeast Ohio Information Security Forum, and there's one talk in particular that got me thinking about basic security measures. The talk was called "The Top 10 Breaches of 2008" by Tom Eston, who is a lead security assessment professional working at a Fortune 500 company. I, along with many others in the audience, was amazed at the lack of basic security measures in many of the incidents reviewed, measures that, if implemented, could have prevented some of them.

During the talk there was a fair amount of discussion and comments from the audience. We were pretty harsh and quick to judge the security practices, or lack thereof, of the organizations who suffered the breaches. While these folks may deserve the criticism, one thing that we all probably didn't think hard about is the fact that they are just like many of us: overworked, with too much security work that needs doing and not enough time or money to complete it.

That said, the common cause of these breaches appears to be the lack of focus and execution of some basic security measures. We all need to heed the lessons from these breaches and DO THE BASICS:
  • Egress Filtering Rules. Keep that data from escaping your network.
  • Practice the "need to know" principle in access control. Why do they have access to that data when they don't need it for their job?
  • Monitoring of Access. Who's watching the logs showing when someone used their access?
  • Monitoring Outbound Activity Initiated by Servers. Why is that server FTPing out to an IP on the Internet when it normally doesn't?
  • Tighter Access Control on Servers
  • PCI Certified != You're Secure
  • Encrypt the Backup Tapes. Okay, this might be a little more than basic but c'mon - most backup software can do this.
Tom's talk was very good and I recommend you check out the presentation (download the PDF from here) as well as his blog.
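As an added example (my own illustration, not part of Tom's talk or the original post), here is the "why is that server FTPing out to an IP on the Internet?" question from the list above turned into a check over firewall log lines. The log lines, the server subnet and the baseline of expected destinations are all constructed; on this sample the only finding is the server's FTP session to an outside host.

```powershell
# Added example, not from the original post: flag outbound connections that
# servers initiate to Internet hosts outside a known-good baseline. The log
# lines, the server subnet and the baseline are all constructed for this example.
$log = @'
2009-03-18T02:14:07 src=10.1.5.20 dst=10.1.5.9 dport=1433 proto=tcp action=allow
2009-03-18T02:14:09 src=10.1.5.20 dst=203.0.113.77 dport=21 proto=tcp action=allow
2009-03-18T02:15:11 src=10.1.5.21 dst=198.51.100.10 dport=443 proto=tcp action=allow
2009-03-18T02:16:30 src=10.1.7.44 dst=192.0.2.15 dport=80 proto=tcp action=allow
'@

$serverPrefix = '10.1.5.'                    # the server VLAN (constructed)
$baseline = @{                               # destinations each server is expected to reach
    '10.1.5.21' = @('198.51.100.10:443')     # e.g. a vendor update service
}

function Test-PrivateIPv4([string]$ip) {
    # RFC 1918 ranges: traffic that stays inside them is not egress
    return ($ip -like '10.*' -or $ip -like '192.168.*' -or
            $ip -match '^172\.(1[6-9]|2[0-9]|3[01])\.')
}

$findings = foreach ($line in ($log -split "`n")) {
    if ($line -notmatch '^(\S+) src=(\S+) dst=(\S+) dport=(\d+)') { continue }
    $time, $src, $dst, $dport = $Matches[1], $Matches[2], $Matches[3], $Matches[4]

    if (-not $src.StartsWith($serverPrefix)) { continue }   # only server-initiated flows
    if (Test-PrivateIPv4 $dst)               { continue }   # internal traffic is fine
    $dest = "${dst}:${dport}"
    if ($baseline[$src] -contains $dest)     { continue }   # already in the baseline

    $note = if ($dport -eq '21') { 'FTP to an Internet host' } else { 'egress not in baseline' }
    [pscustomobject]@{ Time = $time; Server = $src; Destination = $dest; Note = $note }
}

$findings | Format-Table -AutoSize
```

The same loop works against a real firewall or proxy export once the regex matches its line format; the baseline is what turns "a server talked to the Internet" into "a server talked to the Internet when it normally doesn't".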

March 15, 2009

Message to US Adversaries: You Have Plenty of Time to Launch Cyber Attack

This is basically what the US government is telegraphing to those who want to attack our infrastructures. This conclusion of mine for the most part was confirmed today when I read the ThreatChaos post about the National Cybersecurity Center director (Rod Beckstrom) resigning, after only a year in office and little accomplished - not due to his lack of trying I might add.

Read his resignation letter, which is posted here. It's very telling of the issues in the agency. His two main complaints and reasons for leaving are power fights with the NSA (i.e., no power or authority to do the job he was given) and lack of funding. It sounds like this new center was doomed from the start.

He said he had only 3 people on his staff and 5 weeks of funding. What? No wonder he couldn't get much completed. This office's mission was to address the lack of cyber security within the US Federal government, and it's expected to accomplish this with 3 people and no funding?

The other main issue has to do with fighting with the NSA over the program. The NCSC is in DHS, yet the NSA wants this role, and according to Beckstrom's letter some in DHS were putting up roadblocks in his way. To make matters more difficult, the Director of National Intelligence is putting his support behind the NSA.

Now another year has gone by and cyber security is still not a priority for the US Federal government and the mess still exists. Many Federal agencies are doing cyber security work that overlaps with each other and a central coordinating agency still does not exist.

One idea I'm hearing is the creation of a new armed forces branch to be in charge of cyber security, and I think that's a great idea. A decision needs to be made soon, and we need to get moving with improving our nation's cyber security from both a defensive and an offensive standpoint. Our adversaries aren't waiting; they continue to attack and breach our defenses.

There is one piece of good news, however: on February 9th, 2009 President Obama issued a directive to conduct an immediate cyber security review of all plans, programs, and activities underway throughout the government dedicated to cyber security. They have 60 days to complete it. Press release here. I'm glad they are trying, but I'm not holding my breath that decisions will be made soon (i.e., within weeks) after this review is completed, and it's entirely possible we'll still be waiting by the next election cycle this November.

My plea to the policy makers in the US Federal government: stop advertising our confusion and uncertainty, make the decisions that need to be made, execute on those decisions, and start showing our adversaries we are serious about cyber security before it's too late. Oh and by the way, there are plenty of good people in the private industry that are willing to help you.

March 1, 2009

Malware Remover Affiliates Using Deceptive Advertising

So I was trolling around the Internet looking for rogue security software and found a site that has *free* in the name, which made me want to take a closer look. The site is When visiting the site you'll see the phrase "Free Malware Removal" all throughout the site. When looking through the HTML code you'll also see references to "free malware removal" and "free" in the meta tags. No big deal, right?

Well the gotcha is when you attempt to download the software you are given a PayPal page requiring you to pay $24.99 for the download - what happened to FREE?

I started suspecting that this was a website advertising fake or rogue security software, but when I looked closer I found a claim stating they are an affiliate of Malwarebytes. I assume they mean which is a legitimate software company. The graphic of their product even shows Malwarebytes, but they could have ripped that off the legitimate site or even designed it themselves. I couldn't seem to find any other links or references to the Malwarebytes folks - all I find is "Las Vegas Computer Repar" at the bottom of the main page. If this really is a Malwarebytes affiliate, then the Malwarebytes folks should have a conversation with this affiliate about their practices. If this is not an affiliate, then it's likely a rogue security application.

Now I know this is a tame example of deceptive advertising compared with the techniques being used by the thousands of fake security programs out there, but it is just another example of how legitimate software companies need to manage their affiliates better, because it can reflect poorly on them directly.

The poor practices by this affiliate are:
* Using the word *free* in their domain name when they are not offering any sort of free product
* Using the phrase "free malware removal" all throughout the site when that's not true

I recommend staying away from this website.

February 21, 2009

Adobe 0-day being exploited

There are multiple reports circulating on the Internet about current attacks exploiting an unpatched (0-day) vulnerability in Adobe products. It affects just about all recent versions of Acrobat Reader and Adobe Acrobat, including v7, v8, and v9, and the issue appears to be a buffer overflow in the PDF Javascript processor. Javascript is allowed and enabled by default. The remediation/workaround is to disable the Javascript functionality in the Adobe products.

Additional reports are coming out that this exploit may have been in use as long ago as December 2008.

Adobe has released a bulletin and reports that they will have a patch released around March 11. I would recommend applying the workaround of disabling Javascript until the patch is released:

* Change Registry value "bEnableJS" to "0":
HKCU\Software\Adobe\Acrobat Reader\8.0\JSPrefs
HKCU\Software\Adobe\Adobe Reader\8.0\JSPrefs
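As an added example (my own script, not Adobe's or the original post's), here is the registry workaround above applied from PowerShell to every Reader version key present for the current user. It assumes each version (7.0, 8.0, 9.0, ...) keeps its JSPrefs subkey under one of the two product roots the post lists, the way the 8.0 paths do.

```powershell
# Added example, not from the original post: set bEnableJS=0 for every
# Acrobat Reader / Adobe Reader version key found under HKCU.
# Assumption: per-version keys follow the 8.0 layout shown in the post,
# i.e. <product root>\<version>\JSPrefs\bEnableJS (DWORD, 1 = JavaScript on).
$productRoots = @(
    'HKCU:\Software\Adobe\Acrobat Reader',
    'HKCU:\Software\Adobe\Adobe Reader'
)

foreach ($root in $productRoots) {
    if (-not (Test-Path $root)) { continue }          # product not present for this user

    foreach ($version in Get-ChildItem -Path $root) { # one subkey per installed version
        $jsPrefs = "$root\$($version.PSChildName)\JSPrefs"

        # Assumption: if JSPrefs is missing the default (JavaScript on) applies,
        # so create the key and write the value explicitly
        if (-not (Test-Path $jsPrefs)) {
            New-Item -Path $jsPrefs -Force | Out-Null
        }

        $before = (Get-ItemProperty -Path $jsPrefs -Name bEnableJS -ErrorAction SilentlyContinue).bEnableJS
        if ($null -eq $before) { $before = '<unset>' }

        # DWORD 0 = JavaScript disabled, 1 = enabled
        Set-ItemProperty -Path $jsPrefs -Name bEnableJS -Value 0 -Type DWord

        # Read it back so the change is verified, not assumed
        $after = (Get-ItemProperty -Path $jsPrefs -Name bEnableJS).bEnableJS
        Write-Output ("{0}: bEnableJS {1} -> {2}" -f $jsPrefs, $before, $after)
    }
}
```

HKCU is per user, so run this under each account that opens PDFs on the machine; it is a stopgap until Adobe's patch is applied.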

February 12, 2009

APWG Phishing Education Landing Page

The Anti-Phishing Working Group (APWG) and Carnegie Mellon CyLab are asking that, instead of simply disabling phishing sites, you redirect users to their Phishing Education Landing Page. I think this is a great way to educate your users about phishing. The more they know about how phishing works, the better they can protect themselves.

Here's how the program works: when a phishing site is shut down by officials (e.g. ISP, registrar, Web hosting company), we ask if the official would redirect the URL of the phishing site to an education landing page.

For more information about this program see

January 27, 2009

Malicious links on President Obama's website

First it's fake Barack Obama websites spreading malware; now the REAL website is responsible for pushing the stuff. To be clear, it's not President Obama's people pushing it, it's a registered user of their site. Attackers are using one of the site's features, called Community Blogs, to place malicious links on the site.

A recent attack that I looked at featured what appears to be an embedded video, but when you click it you are redirected through a couple of different sites and finally to a site selling rogue/fraudulent security software and trojans.

Another unfortunate example of the dangers of Web 2.0. While this technique of using blogs to spread malware is not new (Google dev site, Twitter, 2005, German Wikipedia), I expect to see it grow in popularity due to how effective it's proving. Oh joy.


January 19, 2009

Fake US Presidential Inauguration and Obama Websites

Fake Barack Obama blogs and websites are being used to infect computers with a worm called Waledac. This worm appears to be from the same makers as the Storm worm, according to several in the security community including Jose at Arbor Networks.

An example is hxxp://
(WARNING: Malicious site).

When visiting the site, visitors see graphics and blog entries that look real, and while they read the entries a drive-by install silently places malicious code on their system. All the links on the website point to a malicious EXE download as well. This site, by the way, is using "fast flux" DNS to avoid takedown and appears to be hosted on a botnet, as some of the IPs appear to be home DSL/cable modem customers.

With the US presidential inauguration tomorrow I expect to continue to see a rise in this type of attack and recommend you check your web proxy logs for any domains with the following words in them:


January 12, 2009

Guide to Protecting Yourself on Facebook

There is a great guide about how to protect yourself on Facebook, written by a friend and security colleague of mine, Tom Eston. Tom has a lot of experience researching social networking and has some really great tips that could be applied to Facebook or any social networking site.

Highly recommend you check this guide out and send it to your friends and family. Get it from his blog here: